I just wanted to share this in the hopes that someone at Apple sees this and to make others aware of the scam.

A friend of mine over the weekend mistakenly tried to help someone and they saw him enter his passcode.

The thieves took his phone and then shortly after his iCloud password was reset, making it impossible to access the phone or disable the phone via find my phone.

The perps then had access to all his accounts, started making fraudulent charges and likely accessing his data.

This was a huge privacy breach for him and Apple is unable to do anything other than reset the iCloud password, which takes 24 hours. I am unsure if this will rectify the issue.

My friend made a mistake but nonetheless this could've been prevented by a simple security question or 2-factor authorization from another device.

I've included a number of other occurrences of this happening below.

I call on anyone who works at Apple to raise this issue up the chain of command.

And also to reaffirm the advice to never give your phone to a stranger, which I unfortunately had not given to this friend.

People who have had this issue:

https://www.reddit.com/r/applehelp/comments/t7hbxm/iphone_stolen_and_icloud_password_and_backup/

https://www.reddit.com/r/ios/comments/womh4g/iphone_stolen_icloud_password_and_trusted_phone/

https://www.reddit.com/r/ios/comments/ob19kv/iphone_stolen_apple_id_hacked_and_password/

https://www.reddit.com/r/applehelp/comments/wquqr8/my_iphone_was_stolen_and_it_seems_my_icloud/

https://www.reddit.com/r/ios/comments/pp0dua/iphone_stolen_thieves_changed_my_apple_id/

https://www.reddit.com/r/applehelp/comments/wrjif9/iphone_stolen_with_passcode_and_apple_id_password/
Definitely a good reminder to use a secure passcode for your phone. (And to definitely avoid the 4-digit PIN code.)

I suppose realistically since your phone is almost always the "second factor" in 2FA, if your phone is stolen and compromised you're completely screwed. Do there exist 2FA solutions that don't become 1FA if it's just your phone?
After much digging, here is a way to prevent account changes from the device.

Steps:

1. Settings > Screen Time > Use Screen Time Passcode > Enter a different passcode from your main one that you will remember

2. Settings > Screen Time > Content & Privacy Restrictions > Scroll down to Account Changes > Don't Allow

This prevents account changes from the device, unless you have the second passcode.

This would not prevent a thief who was aware of this (they could attempt to disable Screen Time and then request the second passcode), but it would prevent a pickpocket who happens to see your passcode being entered from changing your iCloud account details.
Reading through this and those links, this seems like a significantly harmful vulnerability that's being actively exploited.

I can't imagine many people who _wouldn't_ give up their phone's passcode at gunpoint.

What options do we have to protect against this?

If your life is threatened, a dummy passcode is likely to aggravate and make things worse.

Would MDM enrolment help here?

What are the gains here for the thieves?
Hardware that can be sold when unlocked, which needs iCloud changed, which the OP points out can be changed with just the device passcode.

Apps with Face ID (i.e. maybe your bank) would be safe, but they could also just force you to look at your phone.

Could there be a default 1-week countdown for removing Activation Lock? And automatically enable and broadcast via Find My iPhone during that time?