
This is what Apple should tell you when you lose your iPhone - dean
https://hackernoon.com/this-is-what-apple-should-tell-you-when-you-lose-your-iphone-8f07cf73cf82#.j5n1lsqmv
======
alain94040
Previous discussion (200+ comments):
[https://news.ycombinator.com/item?id=12222135](https://news.ycombinator.com/item?id=12222135)

~~~
michaelcampbell
Previous previous discussion discussion:
[https://news.ycombinator.com/item?id=12988291](https://news.ycombinator.com/item?id=12988291)

~~~
0xmohit
Now 1/4th of the comments here refer to the _previous discussions_.

------
lancewiggs
What Apple should really do is a lot more:

1: register the moment that the phone was last held by the owner
2: provide continuous tracking data to the owner
3: take photos periodically, including if medical information is accessed
4: email the user with a standard "so you have lost your phone" message
5: add the phone to blacklists on every telco it has a relationship with
6: report the loss to police
7: send information to the owner and police as soon as that phone accesses any network.

Etc.

~~~
tedunangst
Remote detonate if not recovered within 24 hours.

~~~
erroneousfunk
Everyone has the ability to remotely wipe their phone, as long as it's
connected to the network. If it's not connected to the network, then not even
Apple can do anything (assuming they don't make some sort of dead man's
switch, which is a terrible default feature for all sorts of reasons...)

As a user, I prefer having the option to decide how sensitive and/or valuable
the data on my phone is, what the circumstances of losing my phone are, and
how long I'm willing to wait to get it back.

You were out of the country, without Internet access for a while, you have
un-synced vacation photos and not much else on the phone, and there's a strong
possibility you misplaced it? There's probably not a reason to ever wipe the
phone.

You had secret company data on your phone, without a passcode, and it was
ripped out of your hands? Can't wipe it fast enough.

While Apple should offer users advice, I wouldn't want them to ever take
action (filing police reports, taking photos, etc.) without my explicit
consent.

------
hbosch
Unfortunately, I think a ton of people today still would not know the
difference between a "green URL" and an unencrypted URL, or the fact that
"find-iphone-location.com" is phishy.

I used to work at a large, competent tech company whose 401k plan was managed
on a URL similar to "accessmy401k.com" -- it seemed similarly phishy to me
but apparently enough people thought it was a good idea that this financial
institution decided to make it their online portal to actual 401ks. I often
see my less savvy friends going to places like "cheap-christmas-lights.net"
when they want cheap Christmas lights.

I appreciate what the big browsers do when it comes to showing secure
connections and highlighting the domain in certain cases, which is pretty much
as far as we allow them to go in order to stay in control of our own browsing
experiences, but part of me wishes it were a little bit more explicit. There
are for sure potential drawbacks... when my Mom said she was booking tickets
on "CheapOAir.com" I immediately thought it was a scammy site, but it's
actually legit. But a browser (especially a browser on an iPhone?) should be
able to see you're at "find-iphone-location.com" and maybe just assist the
user a little bit by saying "Hey, just so you know, this is not a legitimate
Apple/iPhone service" automatically.

~~~
pfg
Browsers do have mechanisms for filtering out known phishing (or malware)
sites (e.g. Google's Safe Browsing (used by Chrome, Firefox and (IIRC)
Safari), Microsoft's SmartScreen). Guessing based on the domain (without
having any actual phishing reports or something like that) would probably lead
to _tons_ of false positives, which would both annoy users and desensitize
them, so most people would click through the warning.

EV certificates can be a solution for some cases - knowing that "Apple, Inc.
[US]" is actually operating the site you're looking at is worth _something_ -
but it isn't particularly meaningful in other cases - knowing that "CheapOAir,
Ltd. [US]" actually operates "CheapOAir.com" doesn't mean much, they could
still scam you.

------
hartator
I would say my bigger security takeaway from this is never use Medical ID!

------
jdpedrie
I've noticed that spear phishing attacks have become quite a bit more
sophisticated lately. This is a good example of it, but I've gotten emails
supposedly from Stripe, my bank (not a common one that would suggest a mass
attack), my credit card company, all quite convincing. At first glance I was
fooled, but thankfully figured them out before giving away my accounts. I've
since become more vigilant of course.

In none of these cases did my email provider figure out that the sender was
malicious.

~~~
empath75
This is why I never read email.

------
kogepathic
Agree with everything the author said.

I'll also go further and say you should be using a password manager, so even
if you do end up getting scammed out of a login, they can't easily compromise
your other accounts (obviously this depends on the kind of account being
scammed).

Use a password manager and 2FA whenever possible!

~~~
mikeash
A password manager with autofill will also help you avoid getting scammed in
the first place. You may not notice that the domain is weird or the page is
unsecured, but your autofilling password manager will. Of course, you need to
listen to it when it says so, rather than trying to work around it!
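
To make the point above concrete, here is an added illustration (not code from the thread or from any real password manager) of the origin check an autofill manager applies before it offers a saved login: the page must be served over https and its registrable domain (eTLD+1) must equal that of the saved site, so a lookalike such as the thread's "find-iphone-location.com" never gets the password. The small suffix table and the sample URLs are constructed stand-ins.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (real managers ship the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of host (e.g. 'icloud.com' for 'www.icloud.com').

    Returns None for an empty/odd host, a bare public suffix, or an unknown
    TLD, so the caller refuses to fill instead of guessing.
    """
    labels = host.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The label just before the public suffix is the registrable one.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def may_autofill(saved_origin: str, page_url: str) -> bool:
    """Strict rule: page must be https and share its eTLD+1 with the saved login."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return False  # never hand a password to an unencrypted page
    saved_rd = registrable_domain(urlsplit(saved_origin).hostname or "")
    page_rd = registrable_domain(page.hostname or "")
    return saved_rd is not None and saved_rd == page_rd


def naive_keyword_match(page_url: str, brand: str) -> bool:
    """The heuristic a hurried human applies: 'the address mentions the brand'."""
    return brand in (urlsplit(page_url).hostname or "").lower()


if __name__ == "__main__":
    # Constructed URLs: a genuine sign-in page, an unencrypted copy of it, and a
    # lookalike modelled on the thread's "find-iphone-location.com" example.
    saved = "https://www.icloud.com"
    for url in ("https://www.icloud.com/find",
                "http://www.icloud.com/find",
                "https://icloud.com.find-iphone-location.com/login"):
        print(f"{url:52} human says: {naive_keyword_match(url, 'icloud')!s:5} "
              f"manager fills: {may_autofill(saved, url)}")
```

The keyword heuristic accepts all three URLs, while the manager fills only the first; the second is refused for being plain http and the third because its registrable domain is the lookalike's, not icloud.com.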

------
libeclipse
Is this a repost? I feel that I've read this already, quite a while ago.

------
olliej
I would suspect that they needed your credentials so that they could get
around the activation lock so that they can sell your phone...

------
wodenokoto
How do they get phone number and email address?

~~~
aetherson
He speculates at the end of the article that they used the Medical ID
feature and then Googled him (he apparently has a relatively unique name).

