iPhone Vulnerability

Neuk_

My girlfriend's mother keeps telling us how vulnerable iPhones are as a friend of hers had hers stolen and bank accounts emptied or substantial amounts withdrawn despite the friend using a password keeper app. I have done a bit of research but haven't found any way that someone would be able to access an iPhone that is passcode and/or fingerprint protected along with a password keeper app that is passcode and/or fingerprint protected.

Does anybody have any idea how someone would access an iPhone without having the passcode or fingerprint?
 
> My girlfriend's mother keeps telling us how vulnerable iPhones are as a friend of hers had hers stolen and bank accounts emptied or substantial amounts withdrawn despite the friend using a password keeper app. I have done a bit of research but haven't found any way that someone would be able to access an iPhone that is passcode and/or fingerprint protected along with a password keeper app that is passcode and/or fingerprint protected.
>
> Does anybody have any idea how someone would access an iPhone without having the passcode or fingerprint?

So my iPhone XS Max was stolen from me in a mugging recently, and I can tell you exactly how these guys managed to get into people's accounts.

After my iPhone was stolen I did the usual stuff of logging into iCloud and putting it in Lost Mode and then sending an erase request. From there I removed the iPhone from my iCloud account immediately and then also called Vodacom to blacklist the phone and block the SIM, along with doing a SIM swap at a Vodashop. I also removed it from my banking apps and Google account.

BUT, the criminals usually take your phone to syndicates who seem to specialize in phishing scams. What happens is that the syndicate will try to extract as much information as they can from your iPhone: they will get your number and your emergency contacts' numbers, and they will then begin sending phishing SMS/texts to those numbers. This is where people then make a mistake.

I was lucky enough to know all about this before my iPhone was stolen, so I told everyone in my contacts to ignore any texts that claim that my iPhone has been located. The problem is that most people don’t know about this and so they fall for the text. The text has a link that claims to be an iCloud or Apple ID website; many victims click the link and enter their Apple ID and password, not knowing that they are on a fake webpage. From here the criminals pretty much get ALL that they need to log in to your account and can then run rampant with your card details etc...

Here are the texts I was getting from the syndicate, they are very persistent, and they know that many of us will get a SIM Swap so you get texts like this for quite a while, it’s them trying to get you to give up your login details:

When your iPhone is lost, my suggestion is that you do all the procedures of locking it out of all your accounts (iCloud, banking, Google etc.) and accept that it is gone. These syndicates rely on people’s desperation to get their phone back because they know how much sentimental value sits in your phone, from pictures and videos to texts etc. They use this to phish your details.
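The check a recipient (or an SMS filter) can apply to the "your iPhone has been located" texts described above, as an added example that is not part of the original post: read the real host of the link and compare it against Apple's own domains. The allow-list, the lure wording and the sample messages (all on the reserved `.example` TLD) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of domains that Apple sign-in pages use.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")
# Lure wording of the kind the post describes (constructed pattern).
LURE_WORDS = re.compile(r"\b(iphone|icloud|apple\s?id|find my|located)\b", re.I)
BRAND_IN_HOST = re.compile(r"apple|icloud", re.I)
# Links with a scheme, or bare "host.tld/path" tokens without one.
URL_RE = re.compile(r"https?://\S+|\b(?:[\w-]+\.)+[a-z]{2,}\b\S*", re.I)


def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(sms):
    """Return hosts of links that ride on Apple lure wording but are not Apple's."""
    flagged = []
    for token in URL_RE.findall(sms):
        token = token.rstrip(".,;:!?)")
        url = token if "://" in token else "https://" + token
        try:
            # .hostname drops any "user@" prefix, so "apple.com@other.example"
            # resolves to other.example, which is where the browser would go.
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue
        if not host or host_is_trusted(host):
            continue
        if LURE_WORDS.search(sms) or BRAND_IN_HOST.search(host):
            flagged.append(host)
    return flagged


# Constructed sample messages, not the texts from the post.
SAMPLES = [
    "Your lost iPhone XS Max has been located. View: https://icloud.com.find-device.example/map",
    "Apple ID sign-in required: https://appleid.apple.com@locate-support.example/login",
    "Find My iPhone: sign in at https://www.icloud.com/find",
    "Lunch at 1? Menu: https://cafe.example/menu",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(suspicious_links(sms), "<-", sms)
```
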
 
Yup no direct way of getting into it, assuming it's a decent pin code that is in use.

If the PIN code is compromised it's a lot simpler.

But likely the phishing scam is the way it's been done and not from the phone directly.
 
> Yup no direct way of getting into it, assuming it's a decent pin code that is in use.
>
> If the PIN code is compromised it's a lot simpler.
>
> But likely the phishing scam is the way it's been done and not from the phone directly.

Thanks, that is what I thought, although I found at least one method that had quite a few steps that would allow someone into an older iPhone/iOS. My girlfriend's mother keeps going on about how we shouldn't use password keeper type apps because thieves can get into them but can't explain how.
 
> Thanks, that is what I thought, although I found at least one method that had quite a few steps that would allow someone into an older iPhone/iOS. My girlfriend's mother keeps going on about how we shouldn't use password keeper type apps because thieves can get into them but can't explain how.

Usually not a good idea to listen to people spouting nonsense through their own lack of knowledge...even if they are family.

There is no need for any password keeper app other than iCloud Keychain when you use iOS.

But as always a proper PIN (6-8 digits) of randomized numbers is your primary security. 4 digits are not good enough.
 
> Usually not a good idea to listen to people spouting nonsense through their own lack of knowledge...even if they are family.
>
> There is no need for any password keeper app other than iCloud Keychain when you use iOS.
>
> But as always a proper PIN (6-8 digits) of randomized numbers is your primary security. 4 digits are not good enough.

Yeah, she has a tendency to just repeat ad nauseam, one of the reasons she follows a vegetarian/vegan diet :rolleyes:

Why do you say there is no need for a password keeper app? I have found mine very useful as I have so many passwords or passcodes to remember.
 
> Yeah, she has a tendency to just repeat ad nauseam, one of the reasons she follows a vegetarian/vegan diet :rolleyes:
>
> Why do you say there is no need for a password keeper app? I have found mine very useful as I have so many passwords or passcodes to remember.

iOS has a keychain that syncs between your Apple devices only - hence why @SauRoNZA is saying that there is no need for a 3rd party keychain app; he should have stated that there is no need for a 3rd party application for this.
 
> iOS has a keychain that syncs between your Apple devices only - hence why @SauRoNZA is saying that there is no need for a 3rd party keychain app; he should have stated that there is no need for a 3rd party application for this.

Correct, I should have been more clear that there is no need for a third party application.
 
> iOS has a keychain that syncs between your Apple devices only - hence why @SauRoNZA is saying that there is no need for a 3rd party keychain app; he should have stated that there is no need for a 3rd party application for this.

Correct me if I am wrong, but keychain works on iOS or MacOS for storing usernames, passwords, etc. for apps accessed using iOS or MacOS?
 
> Correct me if I am wrong, but keychain works on iOS or MacOS for storing usernames, passwords, etc. for apps accessed using iOS or MacOS?

Yeah works across their entire ecosystem.

MacOS, iOS/iPadOS and somewhat tvOS.

It talks to any app on those devices where the functionality has been enabled by the developer, but as of iOS13 it’s now also built into the keyboard to pull up the passwords menu if an app does it badly.

iOS is by far the more secure mobile platform.
 
> Thanks, that is what I thought, although I found at least one method that had quite a few steps that would allow someone into an older iPhone/iOS. My girlfriend's mother keeps going on about how we shouldn't use password keeper type apps because thieves can get into them but can't explain how.

Did she explain to you what happened when the phones were stolen, and how the phones were protected? To me it sounds like they fell for the phishing texts at some point.

There are so many variables to this. What iPhone was it? What iOS version was it on? How strong were the passwords etc... could all also be contributing to this. Also, what password were they using for their password keeper app? Therein could lie the biggest issue: if she was using similar passwords all across, that could have compromised them as well. That is why Apple Keychain is such a great tool, as long as you know your AppleID password.

Many tech companies are actually trying to move away from Passwords and on to things like Keychain with biometric access, it makes a lot more sense.
 
> Yeah works across their entire ecosystem.
>
> MacOS, iOS/iPadOS and somewhat tvOS.
>
> It talks to any app on those devices where the functionality has been enabled by the developer, but as of iOS13 it’s now also built into the keyboard to pull up the passwords menu if an app does it badly.
>
> iOS is by far the more secure mobile platform.

Thanks, I see you can review what Username and Passwords it has stored, hence you saying there is no need for a similar third party app. I have a few usernames and passwords setup in keychain but the bulk are in a similar third party app at the moment.
 
> Did she explain to you what happened when the phones were stolen, and how the phones were protected? To me it sounds like they fell for the phishing texts at some point.
>
> There are so many variables to this. What iPhone was it? What iOS version was it on? How strong were the passwords etc... could all also be contributing to this. Also, what password were they using for their password keeper app? Therein could lie the biggest issue: if she was using similar passwords all across, that could have compromised them as well. That is why Apple Keychain is such a great tool, as long as you know your AppleID password.
>
> Many tech companies are actually trying to move away from Passwords and on to things like Keychain with biometric access, it makes a lot more sense.

She doesn't know the detail except that we should all be very scared :ROFL: I don't work that way, I like to understand how things happen, hence this thread.

The password keeper app I use has both password and biometric access set up, my phone has a 6 digit passcode and biometric access set up, but I do have a few accounts that use the same password which I need to address. I have activated biometric access on as many apps as I can on my phone though.
 
> She doesn't know the detail except that we should all be very scared :ROFL: I don't work that way, I like to understand how things happen, hence this thread.
>
> The password keeper app I use has both password and biometric access set up, my phone has a 6 digit passcode and biometric access set up, but I do have a few accounts that use the same password which I need to address. I have activated biometric access on as many apps as I can on my phone though.

LOL! I think we all have family members that do this, and when you try to correct them they do not want to hear any of it, every tech enthusiast's worst nightmare. I have come to a point where I am just like "OH WOW, that is hectic" and leave it there, let them say what they want and move on. Cannot save em' all. :ROFL:

But yeah, your iPhone is secure, the weakest point of any tech device is the person who owns it. Some of my friends are walking around with phones that do not even have a lock screen password, I have given up on them. My worry is how everyone still has this mentality of: "a phone is just a phone", it only hits them after the "just a phone" gets stolen and then they realise just how exposed they are.
 
> LOL! I think we all have family members that do this, and when you try to correct them they do not want to hear any of it, every tech enthusiast's worst nightmare. I have come to a point where I am just like "OH WOW, that is hectic" and leave it there, let them say what they want and move on. Cannot save em' all. :ROFL:
>
> But yeah, your iPhone is secure, the weakest point of any tech device is the person who owns it. Some of my friends are walking around with phones that do not even have a lock screen password, I have given up on them. My worry is how everyone still has this mentality of: "a phone is just a phone", it only hits them after the "just a phone" gets stolen and then they realise just how exposed they are.

Yeah, I generally do the same but I have a need to figure things out so sometimes I try and get more information purely to feed my curiosity. Especially in cases like this as I am somewhat neurotic when it comes to securing my personal property and information.
 
> Many tech companies are actually trying to move away from Passwords and on to things like Keychain with biometric access, it makes a lot more sense.

Yup, we have a setup where you need your hardware key (or biometric on some newer laptops) to unlock your keychain combined with a reasonable password.

The idea being that you don’t ever need to change that password but also that you have absolutely no idea what any other password even is.

That extends to my phone where I need my hardware (via NFC) to log into any company services.
 
There's zero chance they got into the phone. Unless they guessed the PIN number within 3 tries or so as after that it starts setting a timer on the lock screen and you have to wait before you can try again. Each wrong try increases the time.

As for password managers, I disagree with @SauRoNZA - I use 1Password and it works better than Apple's implementation. I use apps on the Mac that need a password and Apple's system won't pick that up unless the developer has catered for it (a lot of times they don't). Also I keep other things in there like CC info, which makes it handy to access when I need it.
 
iPhones have rock solid security. The best in the industry. The weakest link is usually the user.
 