Your iPhone has a MAJOR security problem (5 tips to keep you safe)
VloĆŸit
- Äas pĆidĂĄn 20. 05. 2024
- The iPhone has a problem, and it's one that could impact absolutely any of the over 1 billion iPhone owners out there including you, it has the potential to be catastrophic if you're targeted, and Apple seem to be either reluctant, or unable to do much to fix it. In this video, I'm going to explain the problem to you, and give you 5 practical tips that you must be using to keep yourself safe.
đ Want the PDF for this video? Become a Channel Member!
Join via Buy Me a Coffee - geni.us/jAGpK
Join via Patreon - geni.us/a0o5
Join via CZcams - geni.us/GCSpFOJ
đ§ Want a FREE weekly dose of Tech News, Hints and Tips? Sign up for my newsletter!
eepurl.com/h7MWfv
âïž Getting value from these videos? Want to support the channel? Buy me a coffee! www.buymeacoffee.com/properho...
đ Get the items I use in my office - kit.co/ProperHonestTech/my-de...
đč Get my Video Production gear - kit.co/ProperHonestTech/my-vi...
As an Amazon Associate I earn from qualifying purchases.
đ WSJ iPhone Passcode video âą Appleâs iPhone Passcod...
Follow me on my socials!
Instagram - / properhonesttech
Twitter - / properhonesttec
Chapters;
0:00 - Intro
0:23 - The Problem
8:16 - What should you do?
12:33 - End - VÄda a technologie
đ§ Want a FREE weekly dose of Tech News, Hints and Tips? Sign up for my newsletter!
eepurl.com/h7MWfv
My iCloud account still has the old version of 2-Step Verification, the one with the old secret questions system. Whenever I attempt to go into any settings in my iCloud account, it asks for 2 random answers of the 3 tied to my account, in addition to entering the passcode for the account change itself.
Apple needs to bring back this extra verification in some form, an extra verification that pops up when attempting to access the iCloud account settings sub-menus.
There's an easy fix. Just use Face ID in public. Why use passcode when there are prying eyes everywhere? What's the point of Face ID if you don't want to use it?
@@reardelt Some people aren't tech savvy enough to use it, others might not want to give their face to Apple. Also there are a number of things that can trigger Face ID to be disabled and the device requires the passcode to unlock, and there are some apps that can ask for a passcode entry but not Face ID. Every person's circumstance is different, and there are a number of people who might, at one point or another, need to enter their passcode in public. Those are who these attackers target.
Apple needs to bring back asking for verification to access sensitive Apple ID settings from Apple devices.
@@Damariobros well. Face Id cannot be disabled unless you specifically disable it. There are no apps that reject using Face iD
Nine minutes into the video he says to go to settings, Face ID and passcode, change e passcode. My iPhone doesnât have that. Why?
The other thing that is important is to take a screen shot of the âaboutâ page, specifically the IMEI number(s) and keep that on some one elseâs phone. This is the number that the cell system uses to track where your phone. You send this number to the Police and they can see where your phone is and block it out of the cell system.
This used to be a thing we all should do but it is forgotten.
I am going to do what the previous commenter said too.
The IMEI number should be printed on a sticker on the box the phone shipped with. At least thatâs how it used to be, Iâm not sure if phones still have their EMEIs printed on the box
The problem is not the passcode, but that you can reset your apple-ID with it rather than to type in your apple-ID password.
That's because in the event that you forget you AppleID password you can still be able to access it
@@wisdomyaw03 in case you forgot, Apple should send you a link to change your password to your email. Like the rest of the sane world is doing.
@@wisdomyaw03 so instead of an SMS, it should be an email.
@@asadullahilyas There is the option for email as well but it's still coming to the same phone, right? So the point still stands
This is why Apple has brought in security keys for changing the Apple ID - to give a secure alternative for iPhone apps. But until itâs better supported by banks, it is rather expensive just for the Apple ID. Also itâs designed for adding to your keyring.
Why would you need or encourage someone to carry it on their person when it is best kept safe away from the iPhone?
Scary indeed! Thank you so much for this video and your suggestions. Especially not being aware of the problem is the biggest danger.
Apple should bring back Touch ID as a secondary unlock system which can be on the side button, similar to the 10th gen iPad top button. Maybe starting with iPhone 15. Passcode should be used only as a last resort and that too when you are not in a crowd.
Yeah I've thought this for a while now. I know that the technology isn't there yet for under-display Face or Touch ID, but why not built into the power button?
It wouldn't work with a case though
Good point, although depends on the case (I have a Pitaka case that leaves the side buttons exposed).
@@levintage I don't think it is an insurmountable problem. Apple - the master of design - would have to do some testing and then provide the specs to the case manufacturers. And perhaps have the side button project 1 mm or so further out.
Adding TouchID to the iPhone doesn't prevent this situation by any means
Also, I have complained to Apple for ages that it makes no sense for a two factor code to be sent in a message to the device you request it on. It *should* be sent to your other devices excluding the one its requested on. Implementation of this would be easy - either a special category of message or, since they read the messages (are they encrypted?) so the system can know its a 2fa code they can pre-empt and disable delivery for such a message to the requesting device.
@@rorybraxton it isnt safe because the device could be stolen and broken into. Its tough for people who have only one apple device admittedly but many people have several. And given that Apple knows what devices you have it would be easy to work around for those people that *do* have multiple apple devices. In fact it would encourage people to buy additional devices, which you might not like bu5 apple surely would. You can blame people for not being deterministic automatons of course but that wont improve anything or change anybody.
@@josephfredbill thatâs an insanely dumb idea. You would never be able to do anything on the go if you donât have your iPad or MacBook with you. 2fa is there to prevent people from remotely hacking your account. Leaking your passwords and having your phone snatched is a very very rare occurrence and not fully preventable
@@rorybraxton so those who do have them stolen are unimportant because most people who called you hadnt had them stolen ? I dont mean to be rude but what you have written does no credit to Apple for who they choose to employ. Is that your logic - that what you dont see doesnt exist ? Dont answer that - thereâs no point in this interchange. You just want to be right - well logic and analysis does not support you.
@@rorybraxton so why are you arguing that being able to have 2FA codes sent not to the device on which they were requested where a user has more than one device on the grounds that âhaving your phone snatched is a very very rare occurrenceâ - your words. 1. Its not rare, 2. Its not an unimportant case. Sure users forget passwords, so what - that doesnt make 1 and 2 in my statement here false. Ok I just noticed there are two people here - I quoted you here from @astra1360âs response.
@@rorybraxton my apologies for reading @astra1360âs response as if it were yours. I agree its a tough problem. I still think that Apple could have a user-election (ie preference) to not have 2FA codes sent to the device on which it is requested where a user wants that. To @astra1360 - your response I percieve as both rude AND ignorant. If you want to choose to take that risk then do so but there is no need to impose it on everyone.
Fully support your suggestions. My rule of thumb is not to use passcode ever when in a public place. Even udring Covid I would rather wait for login until out of a group of strangers then while in it.
What I do not understand is: to access passwords on Safari on the computer you need the admin password but you do not on the phone. Why not use the admin password also on the phone
Thank you for this informative video. I donât imagine such a situation happening to me but I can never truly predict the future. I do alway use face id because of how convenient it is but it harms no one to take extra precautions to prevent the worst from happening.
Thanks for making valuable educational content! Really appreciate you, man.
I really feel safe when I listen to you and when there is a problem and I try to solve it calmly. You really help me with these videos. Thank you.
Thank you very much. Youâre really something. Your videos make difference. This is so very important and a lot of people need to listen/hear what you say. Please continue your good work. â€ïž
Great video, very well put together and explained, thanks!
Really good. A real eye opener and will be taking action this weekend.
Thanks for the amazing content. Finding it very helpful!!
yep; totally agree! I have very early on chosen an alphanumeric code with more than 12 digits & ciphers with special characters! It is sometimes a âbummerâ when my biometric doesnât work, but I feel itâs worth it! I also use a password manager rather than putting all my âeggsâ in keychain, but nevertheless use it now and again! I also use Proton mail and Signal on my phone! I try to maintain a step before to ensure to make as difficult as possible to not get âVirtuallyâ mugged! But I am well aware these are just improved steps to keep up to speed! Thanks for your Videos, I have picked up many tips from your channel! đđ
thanks for the sharing. just realize this weak point at my device
Just a simple security question to a well chosen answer would do the trick
7:18- you hit the nail on the head there. So true
Sound advice! Thank you!
Thanks for the great and important video. I changed everything here, based in your recommendations. I really appreciated it!
I found this video extremely helpful and i will be using the Face ID from now on going forward. Thank you
Enjoyed your video, your thoughts on security keys?
I set my iCloud sign in on a YubiKey. I also go into Screen Time and set not allow to account changes and a few other things and set up a different pin for screen time. That locks out my profile on device unless they know that pin.
Good data and advice, thanks!
Thank you for this video đ
Thanks for the information âșïž What if I use Advanced Data Protection? Wouldnât that help a lot?
great video tom! thank you for making such great content for us. I wanted to share an idea though... we do need an app lock feature on iPhones and there should be a feature that asks for a passcode whenever you try to turn off your iPhone. That way, if your phone is stolen and if you have an E-SIM, it would be nearly impossible for the thief to turn off your iPhone. And because of this you can easily trace the location of your iPhone. :).
Your iPhone is still traceable even if its turned off btw, they can only turn that off by tapping the "Allow this iPhone to be findable when turned off" after getting to the shut down screen and entering your passcode
Hard reset on devices is extremely important since occasionally these devices lock up or freeze. Without the ability to hard reset the device it's essentially bricked. Also any smart thief would drop the phone in a faraday bag making it invisible until the battery runs out or simply take out the battery.
Many thanks. Great advice.
Thank you for the info!
Thank you for sharing your knowledge about this topic very useful information that I didnât know about n I understand that It could happen to me or anyone n Iâm just glad to know about it now thanks again
*Excellent presentation!* đ„đ
_Hi Tom, I'm interested in what you think of these ideas..._
1.
Why don't Apple simply have a setting option where the phone needs double verification! (Face ID and Pin Code). It may be a slight inconvenience, but ladies whom get targeted most if they go to night clubs, can simply enable the feature before they go out.
2.
The other idea is if they own an Apple Watch, that the watch has a feature that if the phone is a distance more than say 20 feet away; that the phone will instantly "Lock Screen". (no matter what mode it's in). What do you think? đ
Another way to prevent this from happening or at least a method to slow them down is as follows.
Open Settings - Screen Time - Content & Privacy Restrictions - scroll down to Allow Changes - select donât allow changes to passwords & account changes.
Remember these guys probably know what they are doing but this should buy you enough time to be able to lock your phone and report it as stolen from the find my app.
Hopefully this doesnât happen to anyone here but itâs never to late to take these precautions.
Outstanding video! Got me to change my ways! Many thanks!
Brilliant and important video
Thanks Tom great and informative video cheers
Some fixes: to change iCloud password and pincode apple must mask for the password instead of only the pincode.
Or have an alternative more secure secondary pin thats only required when one wants to change critical details like pin and iCloud password.
Thank you very much for your videos, especially this one. I thought I was more secure than I am with my poor passcode.
Regarding secure files, I keep an encrypted disk image for my financial files. But I realize I want more of my files to be protected now.
If I move files from my iCloud documents into a disk image file, then delete them from the unencrypted documents folder, what happens to the backups? Would someone be able to get my deleted sensitive files from backups in iCloud?
I encrypt my Time Machine backups, and use an encrypted external drive when I can. What about my own backups in Time Machine? How long will my deleted files be recoverable there? Can I delete a file explicitly from my backups?
Thanks again.
I have a security background and as recently migrating from Android phone to iPhone. I noticed this vulnerability right away. Fortunately, I have always relied on third-party software for backup storage and password management, so will continue this approach. Made me acutely aware that now I have a target on my back as an iPhone user. Best thing to do is be very discrete about where and when you use this device - and change login method based on your vulnerability. Before going to a bar or on vacation, change to fingerprint or face recognition - you can always change it back later.
Wait could you explain it ?
Thank you for a great video.
Many thanks for yet another calmly and concisely articulated informative video. How do you feel about using Screen Time -content and privacy restrictions - to allow/don't allow passcode changes and account changes as a security measure to be followed by iPhone owners until Apple figures out a way to sort out this issue?
Screen time passcode reset resets also Apple ID password so.... quite useless
Thanks
Tnx for this education!đ
Scary, but really helpful!
Scary stuff. Thanks making adjustments.
Thanks for letting us know. Canât wait to try this on somebody
Thank you!
Thanks for your sharing
Thanks for highlighting this. Lost a phone on a train some years back and, as far as I'm aware, it wasn't actually compromised as I've always used a 10 character alphanumeric code. By the time I'd got home to check, whoever had picked it up had already switched it off as Find My couldn't locate it (and never did subsequently). Battery was fully charged when I left home so switching it off it was a deliberate attempt to avoid detection.
Fair, but this may offer a false sense of security. If Iâm not mistaken, the WSJ piece mentioned that the thieves may have recorded the victim entering their passcode. So length and complexity will be of little deterrence/consequence. Just a heads up!
@@super-ibby I believe he said they record the PIN, and that complexity IS a deterrent because it's much harder to get a 10+ alphanumeric code right
@@super-ibby But lets be honest, if you are so consumed in your phone that you don't notice people around you recording you then at that point I mean, oh well. I mean yeah it's bad but you have to have some sort of awareness around you. Also this whole issue can be solved by just using Face or Touch ID while in public. Why are people so against biometric forms of identification
@@SisterFromAnotherPlanet not if its being video recorded.
@@mathmanchris666 because of the âIlluminatiâ lol
Thank you for this very useful information. It confirms some things that I already suspected ( I have /do no banking info on phone or in the cloud) & made solid suggestions about safety.
That's my approach as well. My phone is a Samsung, which I use ONLY for phoning and texting. My iPad is used only for emails and net surfing ...and my email programme is accessed via my browser, and I have to sign in and out of it every time. I don't carry ANY important data on either device. I do online banking, but ONLY from my desktop Mac at home. I don't use iCloud for anything at all. I try to keep my devices as separate from each other as possible. Apple doesn't like this, of course, and is constantly 'reminding' me to sign into the Cloud, to enable 2-factor authentication, etc. I've resisted thus far.
I think we've fallen too easily into the 'convenience' thing. I prefer not to keep all my eggs in one basket.
Wow đź. What a great vid. So much important info. Thanks đ heaps.
Odd for them to not require the existing password in full to change it.
I use Screentime restiction. Works like a charm
You can use screen time passcode to lock access to icloud settings and passcode settings, as well as a lot of other useful stuff. definitely recommend setting up screen time.
Great content, good job.
Very informative video, hopefully people will listen to you.
Great video. Thanks.
I read something after this made the news advising us to go into parental controls and privacy and enable the option that the iCloud password could not be changed unless you have a code that only you would know. It does create inconvenience because you canât select iCloud but you just go into that setting and key in your code. Does this look like a good option to you?
11:38 You have better options for storing data. Apps like Scanner Pro (I just happen to use this one myself) allow for additional passcodes, so your scans are safe. Also, Disk Decipher is a great option to have encrypted storage on your phone - or your NAS - that also works on your computer! Makes sharing sensitive data easy and safe!
FIDO Yubikey - Would adding it to ios prevent that or not much ?
Fantastic! Thanks
Itâs nice to see a video of what was in the proper weekly
It's not something I'm going to make a habit of, but I came away from writing last week's newsletter thinking 'this really needs a video'...
@@ProperHonestTech Well your videos are fine either way and itâs always so exciting when your newsletter comes out on fridays
Enjoyed the video
Biggest thing, and not that hard of a change, the access code to your Apple Device should be for access only. Not for changing passwords or settings. And Settings > Password should be behind a code/password/biometric that is NOT the access code. BTW - a lot of this also affects Android. Youâre not safe there either.
For Android it depends on the OEM. Samsung have countermeasures for a lot of these.
this is exactly why i loved touch id so much
Very helpful video!
Glad you made this Apple security warning. I am shocked that Apple is not doing anything to change it.
Why not use a two device identification to prevent ID theft. The 2nd device would have the deciding authentication confirmation factor. Or call Apple to give verbal answers to preset authentication questions.
and how exactly should this work when you only have a single iphone?
@@dornus336 Thereâs a very simple way to implement a solution: donât allow to change the iCloud password unless you have a secondary device or answer a security question. Thatâs how it should be from the beginning. Yes, a thief can still rob your iphone and if they get to see your PIN code, they could get to the main screen, but they wouldnât be able to lock you from your account or your photos and would not be able to unlock yourself from your own device. A friend of mine suffered this same kind of attack while on holidays and lost everything. All his photos and digital life connected to it, and Apple said to him they could do nothing to help him. That would really piss me off as I have more than 600GB of photos and videos and many personal documents there too, plus a lot of purchased apps. Security experts say that your security is only as safe as your weakest point. A simple 6 numbers code is a really weak point for your whole iCloud account.
So if I only use my iPad at home how do I set it up as the device to have the deciding authentication?
Or just make you input your AppleID password to change your password and to add new biometrics.
Apple has added the option to add physical keys that are required to change your Apple ID password. This is the highest security you can add. Itâs not promoted though but Iâve added 2 security keys to my phone.
When I am in a public place near to other people I never unlock my phone. Also, I very rarely take my phone out of its locking holster when near to other people. There are people who who devised ways to fool the face and finger print ID.
For any phone, if someone gets hold of your phone and they know the password this is a huge issue. Because they have your phone they can use the two step authentication with the phone number.
Thank you for this video. I do use Face ID but for other things I may key in an alphanumeric code. I will now make sure I shield these âeventsâ from prying eyes.
I am new to the iPhone was just wondering if it was possible to make it so that you only need a pass code to wake up the phone but a biometric access settings?
Thank You! đđ»
Iâve been using a six digit code on mine for years.
I decided to make a wait time between Face ID and passcode since it happened immediately. I am testing with a minute to see if I like it. I love the thumb print on the IPad but there is no option for wait time, it will only leave immediate as an option. Is there a way to change this? I have an IPad 9th generation.
Good info.
Very good video! Lots of people need to watch.
It would be helpful to have passcode numbers actively change their positions to make it more difficult to ID the numbers. I saw this years ago at a parking lot entrance.
Thank you. This scared međź. But I got valuable info from you. Thank you. I will use this I have a tinted screen cover on my iPhone too.
Also using a security screen protector helps also as you canât see from even a short distance . I have one and love it. Someone next to you canât see your screen.
Very good video - thanks.
Possible solution for Apple (which you may have better access to than most subscribers to your channel) - change the position of each character on the numeric keyboard for the passcode each time it is accessed. I have seen this done on a POS device which needed a PIN code. Would stop most people from copying the passcode as it is often the pattern of what is pressed rather than the number itself that is memorised. An easy software fix which would stop a percentage of these cases from arising (wouldnât stop the person who can remember a six digit passcode by numbers though đ)
what do you think of the new 'stolen device protection?
Great channel you have here Tom, and this video is very informative. A chain is only as strong as its weakest link, and Apple have one here, but surely to limit the damage that can be caused is to request your current Apple ID password if you want to change your Apple ID rather than the pin number you use to unlock your phone. That way at least you will not loose control of your Apple ID and you will still be able to remotely wipe the phone. Nobody enters thier Apple ID password in public, so that would render having your pin number useless as the legitimate owner will still be able to wipe their phone. Simple fix for Apple I would have thought unless I am missing something. Clive
What if you've forgotten your AppleID password?
@@wisdomyaw03 Well keep it safe somewhere else and you can always retrieve if you forgot. I would rather that than have all my personal info and bank accounts compromised
@@clivewuest8529 Well, while it's a great point, the thief in this case would still be able to access your icloud because they could login from the web, obtain SMS verification code sent to the same phone and change the password.
@@wisdomyaw03 mmm. Good point. Oh well prevention better than cure. Never enter your password in public at any time then and make is 6 digits or alpha numeric
@@clivewuest8529 That's đŻ exactly the point. The problem starts from your primary phone unlock password/passcode. The moment it leaves you, all your digital life is exposed. While we hope that in the future more advanced methods of preventing such occurrences are made, it's our duty to safeguard out own passwords.
So use the faceID an passcode would be the best correct!??
Would using a YubiKey for 2FA on your phone help? Presumably the thieves would need your YubiKey to change your Apple ID password. I havenât tried it though and I remember seeing on a crosstalk solutions video that they could add another YubiKey with only your pass code but Iâm not sure if thatâs still the case.
Dear Proper Honest Tech, Your knowledge and support is greatly appreciated. I will make changes as you recommend immediately! Please continue your support! Also Thankful I found your video.
2:21 ur actually right. Kind of, but the green screen is used by the 12 Pro instead.
Some phones allow set up lock SIM card if you completely power phone off, even if you entered passcode. - I dont know if thereâs a workaround. - I think you are out of luck if forget the unlock code. Inconvenient in emergency but at least some phones allow emergency calling by use of power or other buttons. - All possibilities depend on your phone, type of SIM or e-SIM, and operating system of device.
Do the Smart folders in Apple or Android allow you to create a separate passcode that is not stored on the phine or keychain?
Disabling passcode outright would be the best option as even in the rare case FaceID fails to work, connecting to a computer with ITunes where the iPhone has been backed up before will allow for full restore up to the backup date? I think on balance, the benefits of enhanced security & the avoidance of the pain of having to enter excessively long passcodes having to very rare instance of having to restore the iPhone to the latest backup date
Great video Tom! IMO, In order to change your iPhone passcode, Apple should require you to enter your Apple ID password.
You can choose that in settings!
@@SisterFromAnotherPlanet Where?
Wouldn't make a difference if your AppleID password is in your keychain, which it is for most people.
@@jamesosullivan7969 Mine only fills in with Face ID.
My passcode for years now has been a whole sentence and my friends always thought I was just being over protective, now there is this threat and they see more of a reason to have a longer password.
Mine is my favorite singer, my friends all know my favorite singer because I talk about her all the time. If I wrong one of them and they get my phone itâs all over, I canât burn any bridges.
@@tjwash5118 lol, keep those bridges intact my friend đ
Is it a good idea to use both Face ID and passcode as iPhone security?
Great video. I use FaceID or the fingerprint scanner on my iPad mini for this exact reason. Apple does need to give users the option to have additional layers of security enabled before an Apple ID password can be changed. Just a device password is not enough enough. This story is a perfect example of what can happen if that password is able to be changed too easily. If you donât know the old password, the only way it should be able to be reset is with a link sent to the iCloud email or at an Apple Store with government ID. It is smart to have a strong password and if you ever have to enter it in public, never enter it in a crowd and be hyper aware of who is around you.
I use Face ID exclusively but there are very few instances that Face ID fails for whatever reason and the phone prompts for the passcode. While I'm cautious about letting anyone see me enter it but dang I never realized how much damage someone could do knowing it. This is most certainly eye opening. Wow!
Thanks will subscribe
I use even if open you must put in Pin for open settings open Bank are not possible for have Bank id but when use my phone are fingerprint to my pincode are all apps important are pin code or my fingerprint so why can not do that have Sony Xperia 5 March III and can do that â
Does setting up security keys (like Yubikeys) would help?
Would it be better to use FaceID only, and disable Passcode?
Brilliant
What do you know about the Pegasus software?
I use Proton pass to do password storing
I think that if you have 2 separate codes would be best. One to get in and another for accessing info on the phone. It would be 2 codes you would need to remember.
A fingerprint sensor on the lock button would be a good feature. Failing that, adding a security key (like a Yubikey) for 2FA is more secure than SMS.
Thanks!
Thank you very much!