by nashashmi 431 days ago
My cousin’s phone was stolen in San Francisco. My mom’s phone was hooked up to the same account. Somehow the thief was able to change the account password and email account to something else. Now my mom cannot reset her phone because she doesn’t have access to the thief’s account.
2 comments

> Somehow the thief was able to change the account password and email account

That would be the fact that Apple lets anybody who knows the passcode reset the iCloud password as well, without any further authentication. And the passcode can be shoulder-surfed by the thief...

"Stolen device protection" was developed as a response to a wave of such thefts: https://support.apple.com/en-us/120340

It seems like a good step forward but still not perfect, and I believe it's not on by default.

On the other side, with Advanced Data Protection, it seems shockingly easy to permanently lock oneself out of an iCloud account: As far as I understand, there is absolutely no way to recover an account protected that way if the recovery code is lost – not even by deleting all data currently stored on it and starting from scratch (e.g. from a local backup).

Given the fact that an iCloud account doesn't only contain a big pile of data, but access to some purchased products and services (subscriptions, app purchases, iTunes songs, the Apple Card etc.), that seems like a pretty big oversight.

Admittedly we in security do a very poor job of equipping users with useful threat models: i.e. the number of times people either don't turn on any sort of security, or turn on extremely aggressive security but don't write down and store a recovery code, is too damn high.
And it's made even worse by companies not wanting to deal with meatspace. Secure account recovery isn't too difficult if you're willing to do ID verification in physical stores, but no tech company wants to do that.
> That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication

Doesn't this require at least one other device to allow access and provide a one-time code?

I can't log in to iCloud in a browser, update payment information, or do anything even remotely sensitive with just one device and my screen lock mechanism(s).

EDIT: I stand corrected. On a device that's designated as "trusted" you can indeed change the password using only the screen unlock using the instructions at https://support.apple.com/en-us/102656

In the end, locking a hardware device to an online account is just stupid. They marketed it as a tool to prevent theft (and recover if lost) but in reality, it has not prevented theft at all (if anything it has increased as the phone's value has ballooned).

Apple is the only one who truly profits the most from this "innovation".

I have had an iPad stolen, and while I could track it, it definitely didn't make any difference.