by limitedsupply 1245 days ago
Not going to try to justify Apple but feel like a piece of info is missing from the post. How did they unlock the phone? Maybe the phone had no auth set up?

In general, it's expected that you should be able to update your own phone number in your iCloud account.


Author here. We do not know for sure how they unlocked it, but the phone was locked with a numerical pin. My guess is that those numbers must have been easy to see on the screen based on the smudges alone. I wanted to ask for more details, but I decided against further traumatizing him with my (as far as he's concerned) pointless geeky questions.

Also, trivia for iPhone users: my brother used to have Face ID set up, but he disabled it because he couldn't figure out how to set up a second face and it was annoying when he needed to share the phone with his wife. So don't do that!

By pointing a gun at the owner?
It would have been helpful to explain that instead of leaving everyone guessing. Being able to unlock the phone is one of if not the most important detail here.
It’s the first sentence.
Are you sure? Want to re-read it one more time? The phone was _stolen_ at gunpoint, not unlocked. It looks like the password was later phished when the author's brother clicked the fake Apple support link. So at that point they had access to both the password and the phone. But I am guessing, it's not clear how/what they did.
I’m not sure, it’s just the most logical and simple explanation.

To add some context, Argentina has a history of robbers asking people to do complex tasks at gun point, like withdrawing money, and other things during “secuestro express”.

https://xkcd.com/538/

Lots of people keep talking about password codes, etc. You should be able to hand over your phone to an attacker and walk away knowing you and your data is safe.

At least don't use biometrics, they will cut off your thumb AND steal your iPhone.

That's fine. The issue is that criminals can use it to lock you out of Find My, etc.
Would you prefer not being able to remove your own old phone from Find My?

There is a lot of disappointment expressed in the comments here but we need level-headed solutions, not just rage against things that are actually useful in 99.9999……% situations.

Having a "re-enter your password to confirm" step is bog standard for critical actions like that. It would be no serious burden for a legitimate user, and an extra hurdle for a thief.
Seems like there are vanishingly few security measures which prevent the held at gunpoint scenario but still allow the user to do things.
One fix that was mentioned in the comments that would have been easy to implement (and, frankly, bizarre it’s not implemented yet) is confirming password when performing such critical actions as removing or adding devices/telephone numbers.
I just tested this on my iPhone and it absolutely asks you for a password before you can touch the iCloud phone number. I suspect the victim was compelled to either enter or hand over this password when the phone was stolen. It's not out of the question that the brother forgot this happening, considering how stressful the situation would have been.

This is essentially the famous xkcd "5 dollar wrench" problem https://xkcd.com/538/

Author here.

Unfortunately I don't have an iPhone to check, but another comment [1] suggests that this may happen if you physically change SIMs. My brother said they didn't ask for his iCloud password, which makes sense: if they had the password then they wouldn't have needed the phishing step afterwards.

[1] https://news.ycombinator.com/item?id=34407683

Thanks for testing this, Gigachad!

At this point I will just stop commenting on this post as it seems like either Apple already fixed this or some of the most critical information has been omitted by the author. So we are just guessing and raging for no reason.