by gorkish 1198 days ago
Summary:

Due to the complexity and recursive nature of modern digital authentication, it turns out that often all that is really really actually protecting a user's identity at the end of the day is a 4 digit PIN code that they happily type in front of anyone and everyone hundreds of times per day.

An attacker with knowledge of someone's PIN can use it to gain temporary access to a user's device, and then they have both auth factors necessary for a complete takeover of the account associated with the device, which is very often being used as the IdP for many other accounts and services. Commence lateral movement.

It's plainly evident to anyone with half a brain that a two factor scheme that authenticates the second factor with the first factor is not, in fact, a two factor scheme. When the first factor is so weak that it can be broken by looking at some smudges on the screen, well, here we are.

But consumers are idiots, and if you actually forced them to use proper authentication schemes then most people would simply lock themselves out of everything and lose all of their data permanently multiple times per year. As a practical matter, I don't really see a good way to overcome user irresponsibility.
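The collapse described in the post (one shoulder-surfed PIN unlocking the device that holds the second factor and the password-reset flow) can be checked mechanically by treating authentication as an access graph and asking how many independent secrets an attacker needs. The Python below is an added example written for this page, not code from the post's author or from any vendor; the graph, node names and the "requires both" rule are constructed assumptions for illustration. The second graph shows the same account with its second factor moved to a hardware key that the phone cannot unlock, which is the configuration a practitioner would compare against.

```python
from collections import deque
from itertools import combinations

# Constructed access graph (assumption for illustration, not data from the post):
# each key is something an attacker may hold; each value is the set of things
# holding it grants, directly or through a recovery flow on the device.
PIN_UNLOCKS_EVERYTHING = {
    "shoulder_surfed_pin": {"unlocked_phone"},
    "unlocked_phone": {"sms_otp", "authenticator_app", "password_reset_flow"},
    "password_reset_flow": {"account_password"},
    "account_password": set(),
    "sms_otp": set(),
    "authenticator_app": set(),
}
# The account's login requires both of these (assumed policy).
ACCOUNT_REQUIRES = {"account_password", "authenticator_app"}

# Hardened variant (assumed): second factor is a FIDO assertion from a separate
# hardware key, which an unlocked phone does not grant.
HARDWARE_KEY_SEPARATE = {
    "shoulder_surfed_pin": {"unlocked_phone"},
    "unlocked_phone": {"sms_otp", "password_reset_flow"},
    "password_reset_flow": {"account_password"},
    "account_password": set(),
    "sms_otp": set(),
    "hardware_key": {"fido_assertion"},
    "fido_assertion": set(),
}
ACCOUNT_REQUIRES_HW = {"account_password", "fido_assertion"}


def reachable(grants, held):
    """Transitive closure of everything an attacker holding `held` can obtain."""
    seen = set(held)
    queue = deque(held)
    while queue:
        cur = queue.popleft()
        for nxt in grants.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def account_compromised(grants, held, requires):
    """True when every factor the account demands is derivable from `held`."""
    return requires <= reachable(grants, held)


def single_points_of_compromise(grants, requires):
    """Secrets that, held alone, already yield full takeover.

    If this list is non-empty the scheme is effectively one-factor, whatever
    the login screen says.
    """
    return sorted(s for s in grants if account_compromised(grants, {s}, requires))


def min_secrets_for_takeover(grants, requires):
    """Smallest number of independent secrets an attacker must obtain."""
    secrets = sorted(grants)
    for k in range(1, len(secrets) + 1):
        for combo in combinations(secrets, k):
            if account_compromised(grants, set(combo), requires):
                return k
    return None  # takeover not reachable from any combination


if __name__ == "__main__":
    for name, graph, req in [
        ("PIN-unlocks-everything", PIN_UNLOCKS_EVERYTHING, ACCOUNT_REQUIRES),
        ("hardware-key-separate", HARDWARE_KEY_SEPARATE, ACCOUNT_REQUIRES_HW),
    ]:
        print(name)
        print("  single points of compromise:", single_points_of_compromise(graph, req))
        print("  secrets needed for takeover:", min_secrets_for_takeover(graph, req))
```

Running it reports that in the first graph the PIN alone (or an unlocked phone alone) is a single point of compromise and takeover needs one secret, while in the second graph no single secret suffices and the attacker needs two. The same closure check works on a real inventory of recovery flows: any node that appears in `single_points_of_compromise` is where the "second factor" is really being authenticated by the first.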

1 comment

Does the video claim this is unique to Apple/iPhone in any way?
The journalist interviews a police chief in the video who claims "99% of these cases" involve an iPhone rather than Android.
If that's true (the 99% claim), then I doubt that's for any technological reason.

Thieves would simply target people with iPhones because they're more likely to have money, and in particular people with the newest flagship iPhones.