iCloud account can be taken over with only iPhone passcode


The security of the iCloud account depends on six digits.

In a recent report, the Wall Street Journal points out a new trend in iPhone theft: the thief spies out the iPhone passcode before stealing the device.

In practice, someone stands behind you so that they can read the code as you type it in. Since most people use the six-digit numeric code, it is easy to memorize and easy to recognize, because the digits always sit in the same positions on the screen.

Anyone who now thinks "well, the iPhone is gone, but I can still erase it via iCloud" is not entirely wrong, but has only minutes to do so. The reason is a flaw in the way Apple lets you change the iCloud account password.


iCloud password can be changed without the current password!

If you want to sign the iPhone out of iCloud in the settings (Settings > Your Name > last option) or turn off Find My (Settings > Your Name > Find My), the iPhone asks for the current iCloud password for security reasons. It does not do so when you want to change that password itself. And that is the gateway for thieves.


A thief simply goes to Settings > Your Name > Password & Security and changes the password of your iCloud account there in a few minutes. Check the option yourself if you don't believe it: the iPhone only asks for the iPhone passcode, which was spied out beforehand, and not for the current iCloud password.


Data, memories, money: all gone.

So you lose everything at once: all data on the iPhone and all data in iCloud, including all photos. Because this happens right after the theft, there is no chance to erase the iPhone remotely; that alone would be almost bearable. But since the iCloud password has been changed, all data in iCloud is gone as well. Everything.

It gets worse: online banking apps usually have an extra password for security. That password can be saved in the iCloud password manager (iCloud Keychain). If you use that password manager, all online banking apps are freely accessible as well, because the thief holding the new iCloud password is treated as the regular owner, and your accounts can be emptied.

In addition, all other devices linked to the iCloud account can be erased and locked without any further verification. Have fun proving to Apple that you are the rightful owner.


Tips: Increase security yourself

Many will now say: it's your own fault if you let your passcode be seen. Oh well. Sometimes there is no other way, because at the supermarket checkout the iPhone does not correctly recognize your new glasses. And sometimes the iPhone simply asks for the code at random in between, which reduces security rather than increasing it. The fundamental problem, however, is that Apple lets you take over the entire iCloud account with the device passcode, which is really only meant to grant access to the iPhone. Not asking for the old iCloud password before changing it is extremely insecure. Instead, the device passcode is requested, the very code the thief has just entered to get into Settings in the first place.
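The authorization gap described in the two passages above (signing out asks for the account password, changing that password asks only for the device passcode) can be written down as a step-up authentication policy and audited. The following Python model is an added example and not Apple's code; the action names, the PBKDF2 hashing of the secrets and the sample passcode and password are assumptions for illustration. Its key observation: a factor the attacker had to present to unlock the device adds no assurance when it is re-asked for a sensitive action, so the audit flags every action whose step-up factor equals the unlock factor.

```python
"""Added example (not Apple's code): model of the step-up authentication gap.

A thief who shoulder-surfed the device passcode already holds the factor used
to unlock the phone.  Any sensitive action "protected" by re-asking for that
same factor is effectively unprotected.  Action names, hashing scheme and the
sample secrets below are assumptions for illustration.
"""
import enum
import hashlib
import hmac
import os
from dataclasses import dataclass


class Factor(enum.Enum):
    DEVICE_PASSCODE = "device passcode"
    ACCOUNT_PASSWORD = "iCloud account password"


@dataclass(frozen=True)
class Credential:
    salt: bytes
    digest: bytes

    @staticmethod
    def derive(secret: str, salt: bytes) -> bytes:
        # Salted PBKDF2 stands in for whatever the real system stores.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    @classmethod
    def new(cls, secret: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, cls.derive(secret, salt))

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self.digest, self.derive(candidate, self.salt))


@dataclass
class Account:
    credentials: dict  # Factor -> Credential

    def verify(self, factor: Factor, secret: str) -> bool:
        cred = self.credentials.get(factor)
        return cred is not None and cred.verify(secret)


# The factor each sensitive action re-asks for.  The vulnerable policy mirrors
# the behaviour the article describes: signing out needs the account password,
# but changing that very password only needs the device passcode.
UNLOCK_FACTOR = Factor.DEVICE_PASSCODE
VULNERABLE_POLICY = {
    "sign_out_of_icloud": Factor.ACCOUNT_PASSWORD,
    "change_icloud_password": Factor.DEVICE_PASSCODE,
}
FIXED_POLICY = {
    "sign_out_of_icloud": Factor.ACCOUNT_PASSWORD,
    "change_icloud_password": Factor.ACCOUNT_PASSWORD,
}


def perform(action: str, account: Account, policy: dict, presented: dict) -> bool:
    """True if the step-up factor the policy demands was presented correctly."""
    required = policy[action]
    secret = presented.get(required)
    return secret is not None and account.verify(required, secret)


def audit_policy(policy: dict, unlock_factor: Factor = UNLOCK_FACTOR) -> list:
    """Actions whose step-up factor is the one already spent to unlock the device.

    Re-presenting a factor the attacker necessarily holds adds no assurance, so
    every action listed here is reachable by a thief who saw the passcode."""
    return sorted(a for a, f in policy.items() if f == unlock_factor)


def simulate_theft(policy: dict, observed_passcode: str = "123456") -> dict:
    """Thief knows only the shoulder-surfed passcode; which actions succeed?"""
    owner = Account({
        Factor.DEVICE_PASSCODE: Credential.new(observed_passcode),
        Factor.ACCOUNT_PASSWORD: Credential.new("correct horse battery staple"),
    })
    thief_holds = {Factor.DEVICE_PASSCODE: observed_passcode}
    return {action: perform(action, owner, policy, thief_holds) for action in policy}


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        print(name, simulate_theft(policy), "weak actions:", audit_policy(policy))
```

Under the vulnerable policy the simulated thief cannot sign out but can change the iCloud password, which is exactly the order of events the article describes; under the fixed policy both actions fail for the thief while the owner, who knows the account password, still succeeds. The same audit applies to any settings screen: list the factor that opened the screen, then check that no sensitive action inside it is gated only by that factor.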

So what to do? The Wall Street Journal report suggests a few things, and we’ll add something as well.

  1. Make the passcode more complex: In Settings > Face ID & Passcode > Change Passcode, choose Passcode Options to switch from a six-digit numeric code to a custom alphanumeric code, which allows long passwords with letters. This is much more secure, but it takes more effort whenever Face ID fails. Recommended if you have very important data on the iPhone.
  2. Set up your banking apps so that they must be unlocked with their own password before they can be used. That code must of course not be the same as the iPhone passcode. This adds a second layer: the thieves can access all iCloud data, but at least they cannot use the banking apps.
  3. Absolutely do not use Apple's built-in password manager. Once the iPhone is stolen, it immediately hands your passwords to the thieves, including the banking apps' passwords if you saved them there. So it is best to delete all passwords stored there.
  4. Use a different password manager instead, such as our favorite, Bitwarden. It can be protected with a separate master password, so all passwords remain practically usable but are not exposed just because someone has observed the iPhone's unlock code.
  5. Possibly use an old iPhone with a separate Apple ID for nights out. Keep in mind that the current trick not only gives access to your iCloud data; it can also lock, erase and disable all your other iPads, iMacs and MacBooks. Your entire infrastructure is exposed.
  6. Do not store photos on the iPhone that contain sensitive data, such as your ID cards or important insurance documents. If you must, use an app for this that can in turn be secured with a separate password.
  7. If you use iCloud Photos, always make a proper backup on your Mac: download the photos to an external SSD or hard drive. If the passcode of your iPhone becomes known, all your memories may be gone forever. Apple does not keep a backup for you.
  8. If you must enter the passcode in public, cover the display with your other hand. It looks silly, but your whole digital life with Apple currently depends on a few digits.


Conclusion: Apple must introduce a basic password query

Given the scale of the problem, Apple must prompt for the current password when the iCloud password is changed, as it does on Macs and as practically every other application in the world does. We assume that Apple will not comment much on this and will quietly introduce the change in one of the next iOS updates.

But even once this basic mistake is corrected, most of the tips above still apply. The most important ones: secure the banking apps with their own passwords and do not use Apple's password manager. And if you are fond of your memories, make manual backups of the iCloud Photo Library.
