• rowdyrockets@lemm.ee
    9 hours ago

    What I don’t understand and this article never mentions (which is either disingenuous or poor journalism) is how these hackers gained access to the Apple accounts.

    The phone passcode/PIN and Apple account passwords are separate. If someone were to glean your PIN (as implied by the article), that does not give them access to your Apple account. It may give them access to your phone and almost everything on it, then further bad security practices may lead to them accessing the Apple account.

    So these people either also got phished on top, or they had their Apple account password insecurely stored on their phone.

    I’m not saying Apple couldn’t do more to help these people but having a platform to recover accounts with identity verification is also a vector of attack.

    At what point is this just a failure of personal responsibility? The thief is to blame first and foremost, but Apple can’t force you to be educated on and follow sound security practices.

    • Drewfro66@lemmygrad.ml
      9 hours ago

      IIRC, if you save passwords to your Google account, you can retrieve them using your device pass - whether that’s a swipe pattern, biometrics, or a PIN.

      I get that this example is Apple but they could have a similar way.

      • rowdyrockets@lemm.ee
        9 hours ago

        Yeah I can see that happening. I don’t have a Google account to test with, but I tested with Bitwarden and that appears safe. I have Face ID enabled for the application, and if it fails to detect my face, it doesn’t allow the use of a PIN/passcode. It’s either my face or the master password.

        Edit: I’m curious what the behavior is with Apple Passwords. If it lets you access with just the phone PIN then I agree that’s a pretty big misstep by Apple.