#370680 - 19/03/2018 13:04
iPhone security
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
My wife had her iPhone 8 stolen last week. Within 20 minutes of it being stolen we'd received an email saying that the account password had been changed and Find my Phone had been disabled.
She didn't have a pass code on it. I don't have a pass code on mine either. This is handy for me at work as others can take my calls if I happen to be on another call.
My brother died last year and it was really handy that he didn't have a pass code on his as it was the only way to access his Gmail account, to which no one else had the password. He also had lots of contacts that were only stored on his phone.
So:
1. Would the thief have been hindered by there being a pass code set on the phone? They managed to reset the account password quite easily.
2. If a pass code/touch ID was set how do you deal with the owner passing away? I'm assuming it would be almost impossible to get Apple to unlock it.
Any advice appreciated
|
#370681 - 19/03/2018 13:11
Re: iPhone security
[Re: tahir]
|
veteran
Registered: 25/04/2000
Posts: 1529
Loc: Arizona
|
I have my important passwords, account numbers, etc, in my safe along with my Will and other important papers.
I suppose I should probably give my brother the combination to the safe, though.
|
#370682 - 19/03/2018 15:00
Re: iPhone security
[Re: Tim]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
I suppose I should probably give my brother the combination to the safe, though.
Might be an idea
|
#370683 - 19/03/2018 16:18
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
The short answer is that passcodes are a very good idea. Ultimately, you cannot prevent your phone from being stolen, but you can prevent them from getting at any of the phone's contents. All a thief can do is a factory reset and even then, the wireless carrier might be willing to blackball the phone's serial number and effectively brick it. Some advice from Apple here.
|
#370684 - 19/03/2018 16:54
Re: iPhone security
[Re: tahir]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
Is a pass code really that impregnable? Quick google shows an app that says it can bypass pass codes. I assume that anyone who is stealing iPhones has access to tools to unlock/erase them, otherwise what would be the point?
Edited by tahir (19/03/2018 16:55)
|
#370685 - 19/03/2018 18:13
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Google has a way to send specific instructions to email addresses of your choosing if you don't log in for a set amount of time. Otherwise I'd recommend instructions in a will as suggested already.
As for other people taking your calls at work...that's a weird setup you guys have there...
*edit*
I should also note that I can't think of a scenario where you couldn't just have a PIN code and share it with the people who might need to get into the phone...
Edited by Dignan (19/03/2018 18:15)
_________________________
Matt
|
#370686 - 19/03/2018 18:20
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
Apple does some clever tricks, like artificially slowing down the guess rate if you have enough failed attempts. This feature led to the whole FBI vs. Apple standoff over the San Bernardino shooter's iPhone. Once stolen, somebody can always factory reset your phone. The sorts of bypasses you linked to are exactly the sort of thing that Apple and others occasionally bump into and work diligently to fix. This is in part why it's so important to install security updates regularly, since they will address all sorts of things like this.
|
#370687 - 19/03/2018 20:13
Re: iPhone security
[Re: DWallach]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
Apple does some clever tricks, like artificially slowing down the guess rate if you have enough failed attempts.
I don't consider this a "clever trick", I consider it to be a standard baseline level of security that all password and PIN systems should implement in order to be considered useful at all. Any password or PIN system that doesn't implement this is completely insufficient, and I am aghast any time that I see one which gets defeated because the slowdown wasn't implemented.
|
#370688 - 19/03/2018 21:00
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
Okay, the *really* clever trick is that the slowdown is enforced deep in their custom hardware. You can't just reboot it and get back to full speed.
|
#370690 - 19/03/2018 21:24
Re: iPhone security
[Re: tfabris]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
This thread makes me wonder about the generalized case of what Tahir brought up in the original post question.
If a pass code/touch ID was set how do you deal with the owner passing away?
In my adult lifetime I have seen:
- Widespread access to networking technology become the norm.
- The beginning of the internet.
- The concept of personal online privacy and security come into being.
- The beginning of cloud computing.
- Widespread practice of storing personal information and communications in distributed online systems.
I haven't died yet. In fact, we're still at the point where the number of people who have died since these things became true is still pretty small, relatively speaking. My feeling is that this isn't yet a well covered area in terms of "best practices".
I'm wondering what we should be doing about this? Both at a personal level and as a culture/species? Like, should I be giving my passwords to loved ones now?
|
#370691 - 19/03/2018 22:06
Re: iPhone security
[Re: DWallach]
|
old hand
Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
|
Once stolen, somebody can always factory reset your phone. ... it's so important to install security updates regularly, since they will address all sorts of things like this.
Not mentioned in the Apple Reset link, if the iPhone (user) has an iCloud account and Find My iPhone is enabled, the iPhone remains account locked even after reset. This is why, IIRC, it is imperative when buying a used iPhone that Find My iPhone be disabled prior to the buyer accepting it. If not disabled, the iPhone remains unusable even after being reset.
More to the point, a fully reset iPhone would not have access to the original owner’s iCloud data, emails, SMS and iMessages, among other things.
In my opinion an iPhone without a passcode is an enormous security risk. Touch ID allows for quick access by authorized people. There can be up to five fingerprints allowed, and it is common practice for a spouse’s fingerprint to be included.
It is not necessary to unlock an iPhone to accept an incoming call. Just answer the phone normally.
Always, always install all available updates for iPhone and iPad. And all app updates. There is no other reasonable choice. This is the way the world is now.
|
#370692 - 19/03/2018 22:13
Re: iPhone security
[Re: tahir]
|
old hand
Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
|
My wife had her iPhone 8 stolen last week. Within 20 minutes of it being stolen we'd received an email saying that the account password had been changed and Find my Phone had been disabled.
She didn't have a pass code on it. I don't have a pass code on mine either. This is handy for me at work as others can take my calls if I happen to be on another call.
So:
1. Would the thief have been hindered by there being a pass code set on the phone? They managed to reset the account password quite easily. ... Any advice appreciated
If the device had a passcode active then the thief would not have been able to access/change all the other security settings *
For most people their iPhone has access to EVERYTHING. Not only the usual email and text message content, but also PASSWORD RESET messages. Two factor security fails if the thief/hacker has your UNlocked iPhone in their hand.
ALWAYS use a passcode lock. Always. Utilize Touch ID to allow quick access to the device - that is why it is there.
Configure your password reset accounts carefully. Perhaps have a separate email account that you use ONLY for password resets, and do NOT include that account in the email app on the phone. Use web login for the ‘special’ email account if you need to actually reset a password.
* There is a caveat. If the phone is configured to reveal incoming emails on the lock screen, it may be possible for the thief to leverage the displayed info to hack into the email account(s) via another computer, using the ‘password reset’ email contents shown on the lock screen. I have my own iPhone configured to not show the actual email content until the device is unlocked. I can see there are messages waiting, but contents not revealed. There is a similar setting for text messages.
|
#370693 - 19/03/2018 22:42
Re: iPhone security
[Re: DWallach]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
Okay, the *really* clever trick is that the slowdown is enforced deep in their custom hardware. You can't just reboot it and get back to full speed.
And importantly the main CPU and flash are no longer involved in checking the PIN/password. It is all done within the separate secure enclave processor, avoiding even more types of brute forcing attacks.
_________________________
Remind me to change my signature to something more interesting someday
|
#370694 - 20/03/2018 02:14
Re: iPhone security
[Re: tfabris]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
I'm wondering what we should be doing about this? Both at a personal level and as a culture/species? Like, should I be giving my passwords to loved ones now?
That would assume you don't change your passwords. Should something happen to me, a few months later the Google Inactive Account Manager will send an email to preset family members with two logins: one for Google and one for LastPass. When I change my password with those services I update my Inactive Account Manager as well.
_________________________
Matt
|
#370695 - 20/03/2018 02:35
Re: iPhone security
[Re: Dignan]
|
old hand
Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
|
I'm wondering what we should be doing about this? Both at a personal level and as a culture/species? Like, should I be giving my passwords to loved ones now?
That would assume you don't change your passwords. Should something happen to me, a few months later the Google Inactive Account Manager will send an email to preset family members with two logins: one for Google and one for LastPass. When I change my password with those services I update my Inactive Account Manager as well.
During those ‘few months’ someone may need to access contact info for friends, business relationships, and generally let people know what happened. Several month delay may add to the difficulty.
What those who ‘remain behind’ need is a map of what is where, how it fits together, and who is who. Do not make assumptions regarding who has survived you. Where is the money, investments, debts? Where are documents proving ownership, control, deeds? Who should be notified of what? Where this info is stored and how access is granted, should the need arise, is an old question.
I have been in the position of executor for the estate of someone who had recently ‘cleaned up’ her papers. That is, there were almost none when I arrived at the house, several weeks after her death. No bills, no annual statements. Somehow her purse had also gone missing. I did not even know which bank(s) she had accounts at, let alone how much money was involved. Investments? No idea. Will - I had a copy of that. Which lawyer’s office might have the signed originals? And so on. Thankfully this was just before online accounts became common, and she did not have or use a computer.
Another person I was executor for, she sent me a letter documenting all her investments, bank accounts, etc. However, a few years later she decided to change all that. She would send me a replacement document with all the new info. She died suddenly before the new document was created. So I had the old map, but no idea how much had changed. Took a lot of effort to track down every old investment and find out if it was still alive, or account closed. Then to find all the NEW investments, some of which had yet to mail out the first quarterly (or annual) report since she had signed up. I think I found them all. Wasn’t sure for quite a while though ...
Edited by K447 (20/03/2018 02:41)
|
#370696 - 20/03/2018 02:40
Re: iPhone security
[Re: Dignan]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
The inactive account manager is really interesting. I hadn't known about its existence. That's pretty cool!
Not cool: The smallest settable interval is three months. For the reasons cited already in this BBS thread, I'd want it much shorter than that.
|
#370698 - 20/03/2018 02:49
Re: iPhone security
[Re: K447]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Where is the money, investments, debts? Where are documents proving ownership, control, deeds? Who should be notified of what?
Woah woah woah, you've expanded the scope of this discussion quite a bit there. I never said that the Google Inactive Account Manager was my entire estate plan. That would be idiotic! There's no digital replacement for a will carried out by an attorney. I'm not sure how I'd include the things you mention in the Inactive Account Manager. This is for stuff like my web host login so that account could get shut down and stuff like that. I don't think my wife would have much interest in getting around to something like that in the first few months anyway...
_________________________
Matt
|
#370699 - 20/03/2018 03:11
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
|
Slightly tangential, but if you want others to have quick easy access to your phone, rather than forego the passcode, simply train the phone to recognize the other person's finger or thumbprint. That's what my wife and I have done on our phones and it doesn't really require any more time to quickly pick up her phone and get a piece of info for her if she needs me to.
_________________________
~ John
|
#370700 - 20/03/2018 11:56
Re: iPhone security
[Re: JBjorgen]
|
veteran
Registered: 25/04/2000
Posts: 1529
Loc: Arizona
|
Slightly tangential, but if you want others to have quick easy access to your phone, rather than forego the passcode, simply train the phone to recognize the other person's finger or thumbprint.
I don't know about the iPhone, but my phone allows 'emergency calling' while it is locked. While I haven't used it to test it out, it seems that feature is limited to dialing 911. I don't think answering calls requires an unlock, but I haven't paid enough attention to that.
Edited by Tim (20/03/2018 11:57)
|
#370701 - 20/03/2018 12:31
Re: iPhone security
[Re: Dignan]
|
old hand
Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
|
Where is the money, investments, debts? Where are documents proving ownership, control, deeds? Who should be notified of what?
Woah woah woah, you've expanded the scope of this discussion quite a bit there. I never said that the Google Inactive Account Manager was my entire estate plan. That would be idiotic! There's no digital replacement for a will carried out by an attorney. I'm not sure how I'd include the things you mention in the Inactive Account Manager. This is for stuff like my web host login so that account could get shut down and stuff like that. I don't think my wife would have much interest in getting around to something like that in the first few months anyway...
I was not suggesting that you were relying upon the Google delayed notification service entirely, or even primarily.
In a general sense, it can be problematic to make assumptions about who will be ‘taking care’ of things after you are gone. If spouse is also gone, or perhaps disabled, whoever IS tasked with the immediate aftermath, and later on the wrap up efforts, may need the map. Sometimes by the time the event occurs, the chosen executor may be unwilling or unable to take the reins.
Structure things so that a complete stranger, properly authorized, would be able to pick up the map and work through the process. No assumptions about knowing anything about your relationships, assets, accounts or how things are linked.
I will also mention that many legal authorizations you make while alive, will expire upon your death. For example, a second person (distinct from a joint account) authorized to access your banking, investment accounts, or other online account/service, that person may also be blocked the moment the service is notified of your death. The account can become 100% locked, neither your login nor theirs may work. They will now wait until they receive properly processed authority from the executor or other party. And that access may be limited. For example, they can read the email contents but perhaps not be able to send messages from the account. I have no idea how Google handles the process when notified, nor what restrictions occur.
Edited by K447 (20/03/2018 12:35)
|
#370702 - 20/03/2018 13:40
Re: iPhone security
[Re: Dignan]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
As for other people taking your calls at work...that's a weird setup you guys have there...
Very small office nowadays, and I don't really take many personal calls except from my wife who is known to all.
|
#370703 - 20/03/2018 13:42
Re: iPhone security
[Re: tfabris]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
I'm wondering what we should be doing about this? Both at a personal level and as a culture/species? Like, should I be giving my passwords to loved ones now?
Yeah, I guess part of the answer I'm looking for is at a higher level than just my iPhone.
|
#370704 - 20/03/2018 13:43
Re: iPhone security
[Re: K447]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
There can be up to five fingerprints allowed, and it is common practice for a spouse’s fingerprint to be included
I didn't know that, that'd work
|
#370705 - 20/03/2018 13:48
Re: iPhone security
[Re: K447]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
During those ‘few months’ someone may need to access contact info for friends, business relationships, and generally let people know what happened. Several month delay may add to the difficulty.
What those who ‘remain behind’ need is a map of what is where, how it fits together, and who is who. Do not make assumptions regarding who has survived you.
Exactly, I was in business with my two brothers, we tended to deal with separate areas; the brother who died dealt with all the banks and legals. He was a bit crap at putting stuff through his work email, or indeed using Outlook calendar, contacts etc and had lots of hard copy documents in random places. Having immediate access to most of his "stuff" via the iPhone was really useful.
|
#370706 - 20/03/2018 13:50
Re: iPhone security
[Re: JBjorgen]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
Slightly tangential, but if you want others to have quick easy access to your phone, rather than forego the passcode, simply train the phone to recognize the other person's finger or thumbprint. That's what my wife and I have done on our phones and it doesn't really require any more time to quickly pick up her phone and get a piece of info for her if she needs me to.
I have a wife and 3 kids, my brother sometimes accesses my phone at work, so need 6 ideally, but 5 is better than 1.
|
#370707 - 20/03/2018 14:07
Re: iPhone security
[Re: K447]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
In a general sense, it can be problematic to make assumptions about who will be ‘taking care’ of things after you are gone.
Again, not making assumptions. That's why I'm not putting all my eggs in the Google basket. Like I said, it's for stuff that isn't very important. And the system lets me notify more than one person for redundancy, so I'll update it as family relationships change. You may have missed the multiple times I've said that this isn't an alternative to an estate plan...
_________________________
Matt
|
#370708 - 20/03/2018 14:08
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Slightly tangential, but if you want others to have quick easy access to your phone, rather than forego the passcode, simply train the phone to recognize the other person's finger or thumbprint. That's what my wife and I have done on our phones and it doesn't really require any more time to quickly pick up her phone and get a piece of info for her if she needs me to.
I have a wife and 3 kids, my brother sometimes accesses my phone at work, so need 6 ideally, but 5 is better than 1.
It will allow that many fingerprints.
*edit*
Can you program multiple faces for FaceID?
Edited by Dignan (20/03/2018 14:09)
_________________________
Matt
|
#370709 - 20/03/2018 14:29
Re: iPhone security
[Re: Dignan]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
Can you program multiple faces for FaceID?
No.
_________________________
Remind me to change my signature to something more interesting someday
|
#370710 - 21/03/2018 04:32
Re: iPhone security
[Re: tahir]
|
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
|
I have a wife and 3 kids, my brother sometimes accesses my phone at work, so need 6 ideally, but 5 is better than 1.
Time to decide who you love the most and who's the black sheep of the family. At least they'll be mentally prepared when it's time to read the will
_________________________
~ John
|