
subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
Depending on your iPhone model and what settings are in effect there's always some way to wake the phone up without unlocking it.
Sorry I’m unclear—you said it depends on the model and settings, so does that imply in some of those specific cases there is not a way to wake the phone without unlocking it? If so, what cases are those?
As she was crossing the street, someone on a motorcycle grabbed her phone and kept going. The phone was ripped out from the lanyard. If it wasn't, she could have been dragged on the ground for some distance and gotten hurt.
Good thing for both her and the motorcyclist. Otherwise if she was dragged, the motorcyclist would have been in just as much danger of being pulled off the bike.
That’s actually a good idea except if everybody did it the thieves would carry knives or scissors to cut the straps.
Of course thieves adapt, but we still have to make it as annoying for them as possible. They’re still humans, and humans don’t like even the tiniest of inconveniences.
 

subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
I think what is confusing you is my word passcode. This is what Apple calls the six digit number used to unlock the iPhone. It's called a PIN by some people. I'm not talking about the password that is used with your Apple ID to sign into your Apple account. What is going on here is thieves are watching people unlock their phone with the six digit numeric passcode then stealing the phone. With the passcode they can get into anything on the phone and even reset the Apple ID password.

Here's a MacRumors article on the subject

Wando64 was correct in everything they said. They were never talking about the Apple ID. They said the thief would need the device password (or passcode, can be numeric or alphanumeric) to access Keychain.
 

subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
The thing is, they wouldn’t NEED access to the keychain, they already have the keys to the kingdom for most people: access to their email account.

Using that they can request password resets for any account. (There are caveats here of course, I’m speaking generally).

That’s why it’s so, so critical to control not just your device but accounts or services that act as gateways to everything else in your digital life.
Well, having the Keychain would be having the keys to the kingdom. Having the email account would be having the key to the keys to the kingdom, but that key can be quickly taken away by changing the email password. And Keychain passwords are a list of all accounts with direct immediate access, email is nowhere near as convenient for the thief. Stolen email isn’t good either of course, but pretty manageable comparably.
 
  • Like
Reactions: mpavilion

Puonti

macrumors 68000
Mar 14, 2011
1,537
1,158
Sorry I’m unclear—you said it depends on the model and settings, so does that imply in some of those specific cases there is not a way to wake the phone without unlocking it?

No worries - I meant there's always a way to wake the iPhone up without unlocking it. The specific model and settings just determine what those ways are, and I didn't want to go into all the permutations.
 
  • Like
Reactions: subjonas

Jackbequickly

macrumors 68030
Aug 6, 2022
2,596
2,643
Most cases with a hand strap might protect you from dropping your phone but highly unlikely it would stop a thief from taking your phone by force and leaving you with nothing but the strap.
 
  • Like
Reactions: Fred Zed

riverfreak

macrumors 68000
Jan 10, 2005
1,828
2,289
Thonglor, Krung Thep Maha Nakhon
Well, having the Keychain would be having the keys to the kingdom. Having the email account would be having the key to the keys to the kingdom, but that key can be quickly taken away by changing the email password. And Keychain passwords are a list of all accounts with direct immediate access, email is nowhere near as convenient for the thief. Stolen email isn’t good either of course, but pretty manageable comparably.
Sure, of course.

The first thing that happens in most account compromises is a change of email password. Following that is the addition of filters to forward email / delete problematic email notices so that an intruder can persist undetected after the password is changed.
 

riverfreak

macrumors 68000
Jan 10, 2005
1,828
2,289
Thonglor, Krung Thep Maha Nakhon
Well, having the Keychain would be having the keys to the kingdom. Having the email account would be having the key to the keys to the kingdom, but that key can be quickly taken away by changing the email password. And Keychain passwords are a list of all accounts with direct immediate access, email is nowhere near as convenient for the thief. Stolen email isn’t good either of course, but pretty manageable comparably.
Also:

Don’t you have to enter the device password to see keychain entries? I don’t use it but it seems like even having access to an unlocked device isn’t sufficient to access Keychain entries (as it should be).
 
  • Like
Reactions: kitKAC

BugeyeSTI

macrumors 604
Aug 19, 2017
6,878
8,739
Arizona/Illinois
Also:

Don’t you have to enter the device password to see keychain entries? I don’t use it but it seems like even having access to an unlocked device isn’t sufficient to access Keychain entries (as it should be).
You are correct, without the device's passcode you can't view passwords/passcodes in keychain even if it's unlocked
 

russell_314

macrumors 603
Feb 10, 2019
6,046
9,010
USA
Wando64 was correct in everything they said. They were never talking about the Apple ID. They said the thief would need the device password (or passcode, can be numeric or alphanumeric) to access Keychain.
I think the confusion is people are using the terms passcode and password interchangeably. If he meant passcode then yes Wando is correct.

Device passcode: The numeric code used to unlock your iPhone. By default it is six numbers.

Apple ID password: This consists of upper and lowercase letters and at least one number. It's used along with your Apple ID to access your Apple account.
 

Puonti

macrumors 68000
Mar 14, 2011
1,537
1,158
Device passcode: The numeric code used to unlock your iPhone. By default it is six numbers.

It's not limited to being a numeric code, though. Yes, the official English term is "passcode" regardless of format, but I can understand someone talking about a "password" when it can also be that. Or a passphrase if you like your passcodes multi-worded.
 
  • Like
Reactions: subjonas

Nick232

macrumors newbie
Original poster
Mar 2, 2023
3
0
Huge thanks everyone for all your responses, I've really learned some tricks here that I will use going forward.

Think the best gems are only taking public photos while the phone is locked (which hadn't occurred to me), also the trick to add a screen time password to disable account changes without a secondary pin. It's annoying that disabling control centre from the lock screen also disables access to other useful things (eg camera) otherwise I'd do that too.

Yes it was Santiago in Chile - apologies for the typo. Also I have learned to only run after a mobile phone thief for exact amount of time required for the screen to lock, and not to actually try to catch up with him - from what people tell me it's a relief I didn't :(

Anyway thanks for your advice guys, and I will be more careful and better prepared if it ever happens again!
 

Nick232

macrumors newbie
Original poster
Mar 2, 2023
3
0
Also no I don't believe he ever oversaw my pin, I imagine he must have kept the phone from locking by swiping it during the chase until he had time to set the 'Auto-lock' time to never. Then he could read through all my stuff at his leisure :(
 

subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
Sure, of course.

The first thing that happens in most account compromises is a change of email password. Following that is the addition of filters to forward email / delete problematic email notices so that an intruder can persist undetected after the password is changed.
What do you mean, how can an intruder persist undetected after they change the password? The account owner would know immediately if they’re locked out of their email.
Also:

Don’t you have to enter the device password to see keychain entries? I don’t use it but it seems like even having access to an unlocked device isn’t sufficient to access Keychain entries (as it should be).
Yes it’s still secure unless you have the device passcode, but I wasn’t speaking to how one gets access to it, only how disastrous it would be if a thief did.
 
  • Like
Reactions: mpavilion

xbpr

macrumors member
Dec 8, 2008
82
10
That’s actually a good idea except if everybody did it the thieves would carry knives or scissors to cut the straps.

Regarding the unlocked iPhone this is a good time to remind everybody to keep the phone locked during public photo sessions. Just swipe left or long press on the camera icon on the lock screen. [edit: remove the camera icon from the Home Screen to break the habit of unlocking the phone.]

I can't seem to activate the camera from the lock screen fast enough without face id unlocking the phone.
 

subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
I think the confusion is people are using the terms passcode and password interchangeably. If he meant passcode then yes Wando is correct.

Device passcode: The numeric code used to unlock your iPhone. By default it is six numbers.

Apple ID password: This consists of upper and lowercase letters and at least one number. It's used along with your Apple ID to access your Apple account.
I don’t think anyone else was confused though, because the keyword they used was “device password”. Passcode and password can be used interchangeably here because you can set an alphanumeric password/passcode to get into your phone, so it’s much more of a stretch for someone to interpret “device” to mean “Apple ID”.
 

Clamjuice65

macrumors regular
Feb 27, 2023
162
165
Hello,

I had my phone stolen by professionals, would very much appreciate some technical insights into how vulnerable my data is (I know they have my phone number and email address) and what they might do next - huge thanks in advance


Long story, but here are the facts -

- Was on holiday in Santiago Chili, was taking a photo of my husband in a crowd, and iphone 12 mini was swiped from my hand while unlocked :{

- We both ran after him, with hindsight I was hoping the chase was longer than the 5 minutes it would take for the screen to lock. Thought it was 50/50

- Interestingly although we were shouting and pointing and the guy was surprisingly not running that fast, no one was helping - was told later it was probably a good job we didn't catch up with him :{

- As soon as we had given in, stopped and caught our breath I logged onto icloud on my husbands phone and put the stolen phone in lost mode. After a short deliberation I then went for full erase. It must have been at least 30 mins after the theft though as I needed to call my son in the UK for the 2-factor authentication code. Straight after I called EE, told them the phone had just been stolen and to please block my number (a few days later I arranged a replacement sim).

- When we put the phone in lost mode, despite my protests my husband gave his genuine phone number on the lock screen message

- Approx one hour later my husband received a phishing text - pretending to be a message from icloud saying the device had been located and inviting me to log in to icloud to locate it. We were initially confused before realising the scam and didn't even click the link. Realised this must be a professional act to have got the ball rolling on the scam so quickly :(

- Felt sick. Picked up cheap replacement android phone for rest of trip :(

- When checking my email later, I noted the message that afternoon from 'Find My' saying '[iphone name] is being erased'. Basically breathed a massive sigh of relief, told myself not to be so massively stupid next time and decided to move on.


However 2 weeks later.........

- Was looking through my email 'junk mail' folder and found an email from the day of the theft that's made me really stressed... the email subject is literally "your device was found" - all lowercase, so obvious scam. The translated text says "[iphone name] was found near A.Indepencia 1833. Santiago at 19:28 The last known Location of your iPhone will be available for 24 hours" .. and then the obvious link for me to log into presumably a fake icloud page.

HOWEVER... What's made my blood run cold is that the email has been sent to the *actual email address* of my icloud account :((

I didn't think it was possible to access the full icloud email address from an iphone in Locked mode? We *definitely* did not include any emails in any lock messages.

So now I am reassessing the whole security situation which I thought I had got away with, and am now guessing they must have had access to my full unlocked phone for at least some period of time.


I'm wondering now who my adversary is and what I'm up against... is there anyone who could help me understand the following technical questions?


(1) - Am I right in my assumption that the only way they could have got my icloud email address from a passcode locked then icloud locked iphone, is... if it wasn't actually locked? (the email address was NOT included in the lock message)

(2) - If they did have full access to my unlocked phone on airplane mode, is it possible they could have used software to take a full image of everything on my phone (email/texts/photos) or does apple require the iphone pin to copy this? Do criminals have more sophisticated software than itunes that doesn't require a pin, or do I have any protection from apple from making it hard to copy data without a pin? I'm wondering what the chance is that they have an entire copy of my whole digital life for sophisticated scams months or years later :(

(3) - I received the email from 'FindMy' saying my phone had started to be erased, but never received one to say it was completed. Is one usually sent out on completion?

(4) - I don't use Apple Wallet or Keychain. Iphone has been lost mode & erased but not removed from icloud. Network provider has been notified of theft. Is there anything else I should be doing to protect myself?

(5) - What's the standard most popular next scam I should expect from the professionals if they did have full access to all my emails, contacts, photos etc?


I realise I was super stupid. Feel very sick. Will learn from this. Any tips to lessen the impact in advance if this ever happens again?


Huge thanks in advance
So sorry you're going through this.
 

subjonas

macrumors 603
Feb 10, 2014
5,630
5,969
I can't seem to activate the camera from the lock screen fast enough without face id unlocking the phone.
I was actually wondering about that (I use a Touch ID phone). Maybe you have to do it without actually bringing your phone up to your face, without looking?
 

riverfreak

macrumors 68000
Jan 10, 2005
1,828
2,289
Thonglor, Krung Thep Maha Nakhon
What do you mean, how can an intruder persist undetected after they change the password? The account owner would know immediately if they’re locked out of their email.

Yes it’s still secure unless you have the device passcode, but I wasn’t speaking to how one gets access to it, only how disastrous it would be if a thief did.
They persist in your information stream by adding forwards to your email, and filters to automatically delete (for example) emails that might alert you to account changes. These are things most people don’t check for routinely.

They don’t need access to your account once these are established.
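
Added example, not part of any post in this thread: a defender-side audit that flags the two kinds of mail rule described above (forwarding to an outside address, and hiding or deleting security notices) so they can be reviewed and removed after an account takeover. The rule layout follows the `criteria`/`action` shape of a Gmail API filter export; the keyword list, the `audit_filters` name and the sample rules are assumptions constructed for illustration.

```python
import re

# Words that commonly appear in account-security notices (assumed list; tune it).
SECURITY_TERMS = re.compile(
    r"password|security|sign[- ]?in|login|verif|alert|apple id|recovery|2fa|reset",
    re.IGNORECASE,
)


def audit_filters(filters, own_domains):
    """Return (filter_id, reason) pairs for rules worth a manual look."""
    findings = []
    for f in filters:
        crit = f.get("criteria", {})
        act = f.get("action", {})
        # Text the rule matches on: sender, subject and free-form query.
        matched = " ".join(str(crit.get(k, "")) for k in ("from", "subject", "query"))
        added = set(act.get("addLabelIds", []))
        removed = set(act.get("removeLabelIds", []))
        # A rule "hides" mail if it sends it to Trash or keeps it out of the inbox.
        hides = "TRASH" in added or "INBOX" in removed

        fwd = act.get("forward")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in own_domains:
            findings.append((f["id"], f"forwards mail to external address {fwd}"))
        if hides and SECURITY_TERMS.search(matched):
            findings.append((f["id"], "hides or deletes security notices"))
    return findings


# Constructed sample export: two ordinary rules and two suspicious ones.
SAMPLE_FILTERS = [
    {"id": "F1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "F2", "criteria": {"query": 'password OR security OR "sign-in"'},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "F3", "criteria": {"to": "owner@example.com"},
     "action": {"forward": "collector@mail.invalid"}},
    {"id": "F4", "criteria": {"from": "family@example.com"},
     "action": {"forward": "owner-backup@example.com"}},
]

if __name__ == "__main__":
    for fid, reason in audit_filters(SAMPLE_FILTERS, {"example.com"}):
        print(f"{fid}: {reason}")
```

Forwarding addresses and filters survive a password change, so this review belongs alongside the password reset, not after it.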
 

Puonti

macrumors 68000
Mar 14, 2011
1,537
1,158
I can't seem to activate the camera from the lock screen fast enough without face id unlocking the phone.
Tilt the phone slightly sideways before the screen lights up so that your face is outside of the TrueDepth camera's field of view.
 

mpavilion

macrumors 65816
Aug 4, 2014
1,460
1,072
SFV, CA, USA
They persist in your information stream by adding forwards to your email, and filters to automatically delete (for example) emails that might alert you to account changes. These are things most people don’t check for routinely.

They don’t need access to your account once these are established.
Can you give an example of what this would look like? Let’s say someone had access to my email for an hour or so, before I had the chance to change the password (locking them out)… what are the filters or forwards they could have set up that would continue to benefit them?
 

Likeaboss7

macrumors newbie
Feb 12, 2019
23
16
Very helpful thread. Got me thinking. If I was in public “alone” and my unlocked iPhone got swiped/stolen from me, what do I do? Ask a friend or someone to borrow their phone. Go to iCloud.com and sign in. Need to know Apple ID and password to manually key it in. Important to memorize these as we assume it’s on our phones or auto filled with face or Touch ID. Then go to find my phone and lock it and remote erase it. Am I right in saying to erase it right away? Also good to write down the serial number in a safe place to give the police.
OP - sorry for your loss but thank you for posting.
 

mpavilion

macrumors 65816
Aug 4, 2014
1,460
1,072
SFV, CA, USA
Very helpful thread. Got me thinking. If I was in public “alone” and my unlocked iPhone got swiped/stolen from me, what do I do? Ask a friend or someone to borrow their phone. Go to iCloud.com and sign in. Need to know Apple ID and password to manually key it in. Important to memorize these as we assume it’s on our phones or auto filled with face or Touch ID. Then go to find my phone and lock it and remote erase it. Am I right in saying to erase it right away? Also good to write down the serial number in a safe place to give the police.
OP - sorry for your loss but thank you for posting.
It’s a good point… I don’t have my current AppleID pw memorized.
 

DeepIn2U

macrumors G5
May 30, 2002
12,894
6,906
Toronto, Ontario, Canada
The problem here is this is a social engineering exploit where people are observing the passcode. Don't use your passcode in public! Use FaceID...
The big fix for this till Apple does something is Don't use your passcode in public! Use FaceID... No the NSA isn't downloading your face and even if they are they can do it other ways.

The more times I see this specifically stated I get a bit VEXED! Y?

Because everyone saying this does NOT KNOW nor realize (or does NOT USE an iPhone)!

By random FaceID unlocks, especially after a reboot or if not used frequently (less than 10mins instances apart) and even so, the iPhone WILL PROMPT YOU TO ENTER your device unlock password in ORDER to use FaceID!

6 phones since iPhone X (briefly), and with iPhone 12 mini, 13 mini and the work iPhone 14 Pro - not to mention 3 GF as well lol (just to rule out un-provoked jealousy or nosey gf’s - every device with FaceID used this.
 

Puonti

macrumors 68000
Mar 14, 2011
1,537
1,158
@DeepIn2U On balance, my Face ID iPhones have never "randomly" asked for passcodes instead of unlocking with Face ID. There's always been a reason I can understand. I get it - from your perspective it might feel like others are giving bad advice, but consider that your experience is simply different from others' experiences.

"Don't use your passcode in public" is not bad advice. It's just missing context, which is that for these people - myself included - passcode prompts don't happen randomly. Maybe their faces / adornments / headwear / glasses are more Face ID friendly, maybe they use their phones in a way that makes it easier for Face ID to work right, maybe they have Apple Watches that help in those situations where the phone isn't quite sure it saw you, or maybe the environments in which they use their phones are easier on Face ID.

Some might even intentionally enter their passcode before going out just to avoid the time-based passcode check at an inopportune time.

It's unfortunate that you've had a lesser experience with Face ID. I hope it gets better.
 

russell_314

macrumors 603
Feb 10, 2019
6,046
9,010
USA
The more times I see this specifically stated I get a bit VEXED! Y?

Because everyone saying this does NOT KNOW nor realize (or does NOT USE an iPhone)!

By random FaceID unlocks, especially after a reboot or if not used frequently (less than 10mins instances apart) and even so, the iPhone WILL PROMPT YOU TO ENTER your device unlock password in ORDER to use FaceID!

6 phones since iPhone X (briefly), and with iPhone 12 mini, 13 mini and the work iPhone 14 Pro - not to mention 3 GF as well lol (just to rule out un-provoked jealousy or nosey gf’s - every device with FaceID used this.
I'm not sure what you mean? Yes if you reboot your iPhone it will require a passcode but that's not something you would normally do in public. Yes FaceID can fail and make you put in the passcode but it's rare for me. I guess if you have to do it then just watch around you. It's definitely not something you should need to do frequently.
 
  • Like
Reactions: DeepIn2U