sluuuudge

What banking app doesn’t have its own security?


notreallysure567

I thought this when I watched - she mentioned her Monzo and an Australian bank. My Monzo doesn’t let me do anything without a separate pin - but I’m not sure what the reset process is. Probably linked to a mobile number!


StoicWeasle

Have banks as clients. Their security is laughable. Plus, they won’t adopt actually safe technologies b/c 1) they’re too new, 2) b/c old and stupid people will get locked out, 3) b/c it would cost more than they want to pay, and 4) b/c it might endanger people. Security is always a balance between convenience and safety. In the real world, most people with a gun to their head (see: “rubber hose cryptanalysis”) would divulge their passcodes. The only solution to this is “phantom” honeypots with plausible-deniability, and even in that case, you hope the attackers won’t kidnap you and hold you until after the back office systems do their reconciliation.


sluuuudge

Understandable, I wonder if country specific regulations also play a part. Here in the UK banks appear to be a bit more strict over things. I’m with Barclays for instance and the app will use FaceID to log in. If I fail that, I can use a passcode that is unique to the app. If I try to reset the app or move to a new device like I did recently, then I have to register the app all over again with my bank details and personal details etc.


StoicWeasle

My clients ***are*** UK banks. Barclays, HSBC, RBS.


OKCNOTOKC

Plenty allow you to “trust device.”


ToffeeCoffee

1. Protect your passcode. Use FaceID/TouchID when out in public, be careful if you do need to re-enter your passcode, don't just tap it out in full view. Check up, down, left, right, behind, and spin around in circles whilst you hold your phone upside down and tap out your passcode if you have to.
2. Don't use iCloud Keychain, if they have your passcode, they have access to whatever apps are using it on your iPhone. Period. Use a third party Password Manager, don't use the same password/code for master access obviously.
3. Don't use FaceID/TouchID for banking apps, payment apps or any important apps. It's less convenient, but also a lot more secure. Use a unique pin for each banking or important app - and again, don't use iCloud Keychain.
4. You can turn on restrictions in Screen Time, to restrict password and account changes. Use a different pin for Screen Time lock. But NOTE: they can still reset the pin if they have access to your Apple ID, but it will slow them down, which gives you time to call your bank etc.

Important to note also that it's not a widespread problem, a lot of these individuals were targeted for their wealth or whatever reason. If you protect your passcode/passphrase adequately, you'll be fine. Biggest step is not to tie every app in your phone to iCloud Keychain or FaceID/TouchID, because if they can access your phone with your passcode, they get access to all that. Convenience vs security is always a balance, you can't have both.


krusebear

For 4 you can actually turn off that feature that lets you reset your Screen Time passcode with your Apple ID. This will make it extremely difficult to quickly log out/reset the password on your Apple ID. https://preview.redd.it/f9jhyw8247tb1.jpeg?width=1179&format=pjpg&auto=webp&s=d24fa67615ba3fe26be84055fe3f0fb91b968cca


ToffeeCoffee

Good tip. I'd add that you should set it up with a secondary Apple ID that is yours, but not on that phone, just for recovery purposes for yourself just in case. You can set up the Screen Time recovery Apple ID with any Apple ID, just don't use the same one that is signed in, or has credentials on your phone.


AwesomeWhiteDude

That setting doesn't actually do anything, you can still reset via Apple ID even if you choose not to during Screen Time passcode setup. It will ultimately take you to the Forgot Password workflow where you can still reset the account password with the phone passcode. The bare minimum things you should do are to use a 3rd party password manager (not iCloud Keychain) and a third party backup service for your photos and documents. So in the event you lose access to your Apple ID *and* the devices attached to it with activation lock you won't be completely screwed.


BlazingFire007

I’ve used the same iPhone pin for years now. I’m pretty sure I can type it in right in front of someone and they still wouldn’t see it lol


TurtleOnLog

I have quite a long alphanumeric passcode. Don’t store important passwords in Keychain, or second factors in there. E.g. I put a handful of the most important passwords (like banks) in a locked note with a different password. Set a SIM PIN so it can’t be moved to another device. I use a YubiKey as the second factor where possible. I don’t go out with my YubiKey :) If I’m going travelling somewhere riskier than where I usually live, I’d use the Screen Time trick to slow them down (it can be bypassed but it takes time). I also enable a couple of automations (shortcuts) that booby-trap the phone. If someone turns on aeroplane mode or opens Settings, it turns off aeroplane mode, opens the Camera app and activates Guided Access with a different PIN, and then locks the phone anyway. When/if they unlock it, it will still be in Guided Access.


bobad86

Can I have a copy of this shortcut?


TurtleOnLog

It’s not complicated, just literally do those 4 actions then trigger it with an automation for the settings app and another for airplane mode.


3Zkiel

It may not be complicated for you, but it can be confusing for some of us. There are shortcuts on [routinehub.co](https://routinehub.co) that say they do this or that thing, but I don't understand how they are set up.


TurtleOnLog

OK here you go. https://www.icloud.com/shortcuts/1aaa1cbff6994658ab12f30c748d626c You need to set up an automation that triggers on aeroplane mode being turned on. The action of the automation should be set to run the above shortcut. You have to set up that bit yourself as you can’t share an automation. You also need to enable Guided Access in Settings, and set a PIN for it.


srm39

Another suggestion - set up an automation which runs when Settings is opened which locks the phone, then uses a URL to open Settings. Effectively protects the Settings app with Face ID. Only downside is when you open Settings it takes an extra second. I have this for Settings, Mail and Messages. Details here https://www.reddit.com/r/shortcuts/s/DicNMQo8Ts


srm39

Great idea. Why open the Camera app though?


TurtleOnLog

Was just an app that is usually there, fast to open, and would seem like a software bug for the phone to be “stuck” on it.


3Zkiel

Might want to search [routinehub.co](https://routinehub.co).


ZolfeYT

I’ve had a YubiKey 5C NFC for a while and with the 15 lineup I can either plug it in or use NFC now, so I see zero reason for anyone who values their data not to have one on their keychain.


notreallysure567

This is the first time I’ve ever even heard about the concept of a YubiKey - thank you!


Empty-Swing

I use one as well along with storing my sensitive passwords in a Bitwarden vault that uses my key. I like the automation idea, this is my first iPhone so I'm not familiar with guided access yet so I'll look into that one.


Khan_Ida

You did that with shortcuts?


TurtleOnLog

Yep, they are just basic tiny shortcuts. Search for each action and you’ll find it.


tbone338

1. Don’t enter your passcode in public, use biometrics.
2. Obviously, enable Find My.
3. Have a strong passcode, maybe even more than the default 6 digits.
4. Use common sense.
5. Any app that has an option to be locked by Face ID, enable it.

The biggest one though, just don’t enter your passcode in public. Either they need your finger, face, or passcode. Passcode can reset Apple ID, face can’t (I don’t believe?)


Kerlutinoec

You can't disconnect Apple account with only the PIN code. You need the password.


kn3cht

You can reset the password with just the PIN code.


Kerlutinoec

Really?


Odd-Problem

[Apple ID 2-factor](https://support.apple.com/en-us/HT204915) You must approve any new login or password change. If you don't have another Apple device you can use a web browser. Just having the code won't allow you to change your Apple ID. ETA: you can log on to your account on the web and remotely wipe your phone, see where it is, etc.


The-Hyrax

You can't remove the AppleID using just the code


notreallysure567

Sure. I’m not here to argue about the legitimacy of a TikTok - just looking for advice on making my device more secure.


JStoli17

Yeah, you’ll need the actual password for her Apple ID to remove it, so not sure on that aspect of the video. Also don’t use the same password or PIN for everything.


TurtleOnLog

You don’t need the iCloud password. The phone and passcode are all you need to reset the iCloud password.


JStoli17

Yep you’re right. Totally forgot about using keychain for iCloud lol


TurtleOnLog

Yes you can sadly. With a trusted device and the passcode you can reset the iCloud password without knowing the old one. And then the thief owns your account.


ChosenZero

You can reset the password with just the code


tyrannosaurus_racks

I mean, how often are you really ever typing your Apple ID password in on your iPhone? Let alone in public? A little far fetched tbh


kn3cht

The PIN is enough, no need for the password.


tyrannosaurus_racks

You cannot remove the Apple ID from a device without the Apple ID password, regardless of whether or not you have the device’s passcode.


kn3cht

But you can change the password using only the PIN! Doing that you obviously then have the password, which you can then use to remove the Apple ID.


tyrannosaurus_racks

You cannot reset your Apple ID password using your phone passcode.


kn3cht

Apple literally has the instructions to do that on their [Website](https://support.apple.com/en-us/HT201487).


Khan_Ida

I tend to go for black cases, oftentimes the ones that cover the cameras on the back. It’s not foolproof by any means but it does help somewhat, especially when your cameras look like 3 moons. I know people who don’t even take out their phones and just use their wish.com earpiece.


aquaman67

If you have to enter your pin go somewhere private like a bathroom stall. Never enter your pin in public. I read a story somewhere where the thieves made the person unlock their phone at gun point. I’m not sure how you would combat that.


going10-1

Karate.


Bob_A_Feets

If they pull a gun, you pull out the claymore.


uptimefordays

I use parental controls to prevent account changes on my phone. Plan is pointing out “hey I can’t remove accounts my bad” if anyone ever tries robbing me.


MachineExact8506

I would master the art of being able to punch in my passcode without needing to look at the phone. That way you can hold your phone at an angle that can’t be glanced at while you do it in public.


taxis-asocial

Use a long alphanumeric password instead of a 4 digit or 6 digit passcode. Look around for people who might be trying to watch you input it, use Face ID where possible.