
What Apple should tell you when you lose your iPhone - walterbell
https://medium.com/@joonaski/this-is-what-apple-should-tell-you-when-you-lose-your-iphone-8f07cf73cf82#.t3ss245xk
======
chrissnell
Find My IPhone should allow the owner of a stolen phone to make it so that the
phone cannot be turned off by the power switch on the device itself. For
non-4G/non-LTE devices, It should also aggressively look for open access
points and attempt to associate with them and phone home to Apple servers with
location info. Activating stolen mode should also put the phone into a power
conservation mode to keep it alive and phoning home as long as possible.

~~~
flashman
What a great idea - make an iPhone as adversarial towards thieves as possible,
so stealing one becomes a huge personal risk. Maybe even add a stealth version
of Lost Mode, so the phone works in a sort of guest mode (without access to
your data) but is furiously spying on the user in the background.

~~~
sdenton4
Throw it into low power mode, but with loud alarm noises at random
intervals... Annoy the thieves into giving it back...

~~~
corobo
or more likely annoy the thieves until they launch it into a river.

~~~
amazon_not
That's still a net benefit. If theives learn that stolen iPhones are both
annoying and unprofitable then they'll stop stealing them. Especially if they
know the iPhones are being tracked and that they are at risk of being caught.

------
philip1209
I had the same thing happen when my phone was stolen. To my knowledge, it was
never powered on after it was stolen (because iCloud never registered a ping).

I received a variety of phishing attempts over email, but most surprisingly -
I received phishing iMessages too. They were all eerily good.

My assumption was that police reports were being scraped. I wonder if this
data is available unencrypted on the phone or sim card

Edit: Here are some of the messages I received - I forgot that they had my
name too: [http://imgur.com/a/NmIt4](http://imgur.com/a/NmIt4)

~~~
Shank
Or they could just pop the sim card out and power it on. Without wifi, iCloud
will never hit it.

~~~
Matt3o12_
And then what? Not use the iPhone ever again, because if you want to restore
it, you have to logout of iTunes, which requires an internet connection?

~~~
Xylakant
scrap it for parts.

------
chrischen
The sad thing is it really shouldn't be this hard to identify spoofed email
addresses.

I feel like we've gone backwards in UX with Inbox app and mobile email clients
that hide the email by default.

~~~
0x0
"Friendly" email headers are the new "hide known file extensions" :(

~~~
duaneb
Why does it display the name of anyone not in your contacts? Seems trivial to
abuse. Hi, I'm Barack Obama, and I'm looking for a donation to prevent
terrorism and child porn.

~~~
nitrogen
You completely changed your comment, so I'm responding to the original text:

 _> I keep my file extensions hidden because if that's all between me and a
virus I'm already fucked. It's also a sign I need to move operating systems._

Showing extensions doesn't just guard against viruses, it also allows you to
know what file type a file is, without having to memorize every icon on your
system. You can also rename files to a different extension if you need to.

~~~
Fiahil
You can also use your favorite terminal emulator, and stop worrying about
icons, file extensions, and "clicking on the wrong one".

~~~
TeMPOraL
Except that on systems that have the concept of "file extension", those
extensions are used to determine how to open a file by default. If you're
using Linux you don't care either way, but on Windows, even if on a terminal
emulator, you have to care _anyway_.

~~~
duaneb
I don't know what to say other than The Windows brand was permanently damaged
from the ability to install a virus by double clicking a .jpeg. For years. UAC
should have arrived with NT.

------
barnaclejive
From article comments: "If your phone is locked, how did they get your iCloud
email address? " "As said, I’m guessing they googled my name (available via
the Medical ID functionality) and found an email address for me."

How does phishing like this scale? I would think the vast majority of the time
the thief is going to have no idea what the email or phone number of the
victim is. Seems like a pretty elaborate scam for something that relies on
stealing phones where Medical ID is enabled.

Is there some other way that the thief would be able to easily contact the
victim by email or text?

Even with Medical ID enabled, that only shows name, DOB, medications.. I would
think for most people that still isn't going to be enough info to get an email
and phone number from by googling.

Not saying it isn't possible, I just think that it seems odd that the
difficulty of making the scam work seems out of balance with the polish of it.

~~~
dunham
If you have a contact card set up, ask Siri "What is my name", then click on
the mail icon. It will present all of your email addresses. (This works for me
when I activate siri with my pinkie finger, which isn't a registered
fingerprint.)

~~~
developer2
This is the reason why I disable Siri from being used on the locked screen.
It's barely inconvenient to have to unlock with fingerprint before being able
to activate Siri, and the amount of information you can grab from a "locked"
phone via Siri is scary.

~~~
squeaky-clean
Is there no way to disable sensitive requests from the lock screen? My Android
phone has an option under voice settings to disable "Personal results" when
the phone is locked.

~~~
developer2
With Siri, it's all or nothing. Either it is enabled on the lock screen, or
completely inaccessible. It does have limits when enabled, where it will force
you to unlock before inquiring deeper into the system. I can't remember
exactly what kind of tasks I was able to accomplish with it enabled, but it
was too much for me were it to land into a thief's hands. In any case, with
the Touch ID it's barely an inconvenience to unlock before holding the home
button to activate Siri. It's like 1.5 presses of the home button rather than
a full 2. I'm not sure why they haven't put in the effort to allow you to hold
down the home button once to activate Siri with a read of the fingerprint.
They prioritized that action for Apple Pay. _shrug_

------
keyle
I don't see why Apple should have to tell you anything though. They can't
preemptively warn you of all possible scams post-stolen hardware.

That said I've had an iPad stolen from the seat pocket when I was asleep on a
long haul flight so I can sympathise and this scam particularly hits home.

~~~
BHSPitMonkey
It would be a nice thing to warn consumers about when marking the phone lost
and setting up the alerts.

------
eridius
This should also serve as a reminder to use a password vault (like 1Password
or LastPass or your browser's built-in functionality). If you use a password
vault, it's immediately obvious when you're at a phishing site because the
vault won't fill it in.

~~~
cgriswald
Unless your password vault uses regular expressions for matching URLs [0].

[0] -
[https://news.ycombinator.com/item?id=12171547](https://news.ycombinator.com/item?id=12171547)

------
tlb
Recently my laptop was stolen out of my car, so I engaged "Find My Mac" and
told it to wipe the disk.

A few days later I got an email "Cesar's Macbook Pro Has Been Found." My name
isn't Cesar -- that must be the thief or the guy who bought it from him. I
assume he re-formatted the disk and re-installed the OS and changed the
computer name before connecting to WiFi whereupon the call-home feature told
the machine to wipe itself.

It's a weird user experience to tell me the name of the new owner but nothing
else.

------
lucaspiller
On a side note, if you are travelling in Italy never leave anything valuable,
or anything that it looks like it could contain something valuable, in plain
view in a vehicle.

A few years ago I was on holiday in Italy and someone broke in to my car and
stole a suitcase which contained my laptop, passport and camera. Earlier this
year I was living in Rome for a few months and the amount of cars with smashed
windows I saw (to grab whatever was left on the seat) was staggering.

Even if you have insurance, it may not cover theft from an unattended motor
vehicle (at least mine didn't).

~~~
linkregister
What does this have to do with Italy? The same advice would be applicable in
any city. San Francisco experiences large amounts of car thefts. Broken glass
decorates the sidewalks of most streets > 4th in SoMa and in Nob Hill and
westward.

------
baliex
Another clue is that the map in the email is provided by Google Maps. I have a
feeling Apple might prefer to use their own!

------
wiradikusuma
"Also, wherever possible, use 2-factor authentication (usually password + a
code in an _SMS_ message)" \-- how's that gonna help when your _phone_ is
stolen?

~~~
hellcow
There's a setting for iOS that hides the contents of SMS messages on the lock
screen. With that, they'd at least need your pin. Hopefully you'd have some
printed out backup codes.

~~~
jethro_tell
You're not sending the message to the phone, you're sending it to the sim, in
the clear. Si I pop this some in my flip phone and receive the code.

~~~
metafunctor
Hmm, but you do need to know the PIN code for the SIM card in order to
register on the GSM network and receive the SMS? Or am I missing something?

I've changed my PIN to something quite long, so hopefully an attacker cannot
just pop the SIM card out of my iPhone and use it on another device.

~~~
lorenzhs
SIM PIN codes seem to have gone out of fashion. Neither my UK SIM nor my US
SIM, both bought within the last two years, had a PIN code out of the box. Of
course it's possible to set one but that's buried somewhere deep in the
phone's settings, so most people probably don't set one.

~~~
metafunctor
I didn't even know it's possible to have no PIN code on a SIM card!

Operators in Finland always give you PIN cards with a preset code like 0000 or
1234, and tell you to switch it in their quick start instructions. I'm sure
many people leave it as it is, though. Almost no-one seems to know you can
actually set it to be more than 4 digits.

This looks like an area that phone operating systems could fix – by making it
easy to change your PIN, and encourage using more than 4 digits for it.

~~~
pbhjpbhj
Is there anything to stop one from brute-forcing the PIN? It's just numbers,
what's the upper limit for length.

Ah, [http://www.techrepublic.com/article/pro-tip-protect-your-
and...](http://www.techrepublic.com/article/pro-tip-protect-your-android-sim-
card-with-sim-pin-lock/) suggests that you have 3 attempts, then there's a
separate system (PIN Unlock Key, PUK) which a comment notes gives 10 attempts.

I'm wondering if you can read the data straight off the card via some physical
means, attack that to get the PIN?

~~~
metafunctor
I'm guessing in most cases it's much easier to socially engineer the service
provider customer support, rather than attack the SIM hardware.

~~~
pbhjpbhj
You're probably right depending on the scale you're trying to crack the cards
at - went digging and found
[http://www.theregister.co.uk/2015/08/06/researchers_crack_si...](http://www.theregister.co.uk/2015/08/06/researchers_crack_sim_card_aes128_encryption_in_10_minutes_for_cloning/)
which was pertinent and interesting to me.

------
otoburb
If your iphone is locked, how about a log of the thumbprints that attempt to
open the phone sent to an escrow account that only Apple and you can open with
shared passwords?

The existence of the feature would hopefully act as one more trivial
inconvenience to deter more thieves.

~~~
snowwrestler
I don't think the TouchID sensor captures or stores actual images of
fingerprints in a way that is accessible to applications.

~~~
otoburb
On the one hand, that is somewhat reassuring for happy paths. For this
particular use-case, that's a bummer.

~~~
kevincox
It would probably be a significant security flaw.

Imagine you press it but for whatever reason it doesn't register. Now your
"incorrect" fingerprint is flying over the internet. With a bit of retouching
or guessing your original fingerprint can now be recovered.

...not that your fingerprints aren't all over your phone anyways...

------
mattkrea
show-iphone-location.com is one of the most obvious phishing URLs I've ever
seen.

~~~
Matsta
In New Zealand when you pay for something using a Visa card, you get
redirected to a "Verified by Visa" page which the domain is
"securesuite.co.uk".

That always looks incredibly dodgy to me, not sure why they don't use a
visa.com subdomain so it doesn't look like a phishing scam.

~~~
sirn
These pages are authorization page of an Access Control Server (ACS) in the
3-D Secure flow. Visa/MasterCard designed the scheme, but the spec is open (in
a somewhat limited sense), so anyone can implement the ACS as long as you're
qualified to see the spec and can get it certified. Banks are free to choose
the ACS vendor as long as it's certified. Many banks do provide ACS
authorization page at their own domain name, although a many of them just use
a third party service just like in your case.

------
computmaxer
Wonder if he would have caught it if the attacker had gotten a real SSL/TLS
certificate.

------
svachalek
The exact same thing happened to me, except it was a taxi in China. They kept
trying different scams on me (but similar to this one) for nearly a year
before it seems they gave up.

I reported most of it to Apple but (unsurprisingly I guess) it took forever to
actually convince the support representative that no, it was not actually
Apple trying to contact me. Finally they gave me an email address to forward
the evidence to, and I never heard about it again.

------
DoubleGlazing
I think the bigger takeaway from this is that there is just so much going on
with modern technology that we now have to consider the security risks of
every little helpful "feature".

For example...

    
    
      - Lock screen notifications..
      - Medical info feature.
      - Emergency numbers feature.
      - Lock screen wallpapers that might give something away.
      - Email clients with poor security and where they do have security each one works differently.
    

All this increases the attack surface giving attackers a few more
opportunities to exploit.

~~~
madawan
IMO the medical info feature isn't worth the risk. You can always just carry a
little card in your wallet. It would eliminate a huge attack surface.

------
known
[https://preyproject.com/](https://preyproject.com/)

~~~
cyberferret
+1 - I use Prey on all my laptops, desktops, tablets and phones (alongside
FindMyiPhone etc.).

~~~
qmr
Are you paying for the service or have you set up your own server?

------
shdon
That's a pretty scary story. Kudos to Kiminki for recognising it in time. For
once, I have to admit this is one I might have fallen for (if I had an iPhone,
that is).

------
tombert
This gets into semi-philosophical territory.

Fifteen years ago, if my phone was stolen, that sucked, but that was basically
the end of that. I buy a new phone, and move on with my life.

Nowadays if a phone is stolen, they have to have access to my email,
passwords, and effectively my entire identity, and it appears that that is
exactly what's happening.

Phones are awesome, but I think I'd rather lose an eight-hundred-dollar phone
than have someone get access to my email.

~~~
giarc
>Nowadays if a phone is stolen, they have to have access to my email,
passwords, and effectively my entire identity

Not if you use the simple passcode or TouchID.

~~~
tombert
You misread my comment. I said that they _have to have_ , because apparently I
like ambiguous wording.

Regardless, I'm not disagreeing with you, I was just stating that the problem
stated in the article wouldn't have happened fifteen years ago

------
Edwardlam
Are u having doubt that your partner is cheat on you on facebook, whatsapp,
pinger, viber, hangout and more, and you want to get a proof of all is
cheating activities, i will strongly recommend globahacking@gmail.com is a
fast and reliable hacker you can count on for the job. he help me hack my wife
iphone now i can read all her messages. if you need such service send email to
globahacking@gmail.com you all should contact globahacking@gmail.com for all
your hacking jobs, I'm recommending him he his fast reliable less expensive
and truthful have done alot of works with him and he his just perfect

------
FabHK
I think it's conceivable that these phishing attempts are not targeted, in
order to unlock stolen/found iPhones, but scattered widely, in order to obtain
iCloud passwords.

FWIW, I've also received these phishy "Find My iPhone" notifications that my
phone was found, via SMS [1], and nearly fell for it (as I had lost a phone
months ago).

Apple Support did not seem to be surprised, and just explained how to report
spam.

Agree that these are potentially very effective, as users will be eager to log
in to retrieve their phones. As such, it is arguably incumbent on Apple to
explicit warn about them.

URL was www.apple.com.in1.at (Austria?), redirecting to iCloud.com.sign-
inc1.pw (Palau??).

[1]
[https://twitter.com/FabianLischka/status/758543021130457088](https://twitter.com/FabianLischka/status/758543021130457088)

------
ayuvar
Those are some impressively ballsy thieves. Obviously the street level guys
have kicked them up to an organization of some sort.

~~~
chrischen
Most likely they just buy iCloud locked iphones off eBay and then try to
unlock them.

------
jv0010
The 2fa that has finally been pushed out by Apple is a great security
precaution, however there will still be a large percentage that will not use
it. Due to the fact of not knowing what it is. I repair phones and customers
are just starting to cotton onto what find my iPhone is. There are even those
who have it activated and don't even know how to use it.

Finally from a precaution avoid inputting your email address in the lock
message. Also register an iCloud email. There is a better chance of apples
servers detecting this as a fraud email than any other email sever thus
(hoping) it will trash the bait like this.

------
bogomipz
Can someone explain what the MedicalID element in the story was and how it was
exploited on an iPhone. I am not familiar with this and it sounds like this
was the inflection point for the potential identity theft.

~~~
corobo
On an iPhone you can set up a record with your medical information (Your name,
blood type, allergies, next of kin, etc) which can be accessed without
unlocking the phone, presumably the idea behind it is if you've been in an
accident the attending medic can use that information to help treat you and
let people know what's happened

~~~
bogomipz
I see, thanks, how unfortunate that this was exploited.

------
Edwardlam
_i hate cheating Do you suspect your partner (husband
/wife/girlfriend/boyfriend) might be sneaking behind your back and having an
affair? _Do you want to hack; _Facebook, Twitter, Myspace, Instagram or any
Social Media?_ Phone, Whatsapp, BBM _Any Email_ Do you have an examination you
want and you want the questions hacked and leaked to you before the
examination? _Do you want to hack into you university or college portal to
change your grades /GPA? _Do you need the service of a PI to help investigate
someone online? *Do you want to hack-proof yourself and protect your online
accounts from being hacked? CONTACT: globahacking@gmail.com

------
tejaswiy
Is it not possible to flash the OS on lost phones anymore? Or were the thieves
after some data on the phone?

~~~
0x0
Nope. Activation lock is supposed to prevent that.

~~~
duaneb
What's the reasoning behind that? Kind of defeats the entire purpose of remote
wipe.

~~~
scott_karana
> Kind of defeats the entire purpose of remote wipe.

Hardly. The remote wipe will clear all of your private data. Seems like the
purpose is well met to me.

Activation Lock is there to prevent resale of stolen devices, which
simultaneously increases odds of return to you, and decreases odds of iOS
theft overall.

~~~
duaneb
Ahh, I've never heard the term before. I assumed it was the screen lock and
the activation prevention was in apple's servers.

------
Kiro
How does this work exactly? In my country people who break into cars are
usually drug addicts who in no way are capable of doing something like this.

~~~
belorn
They sell the phone cheap to someone, who then sell it almost as cheap to an
organization, which then have people who are capable of doing this.

------
endlessvoid94
How did the thief obtain the owner's email address and phone number?

~~~
hellogoodbyeeee
>As far as I can guess (and if the phone doesn’t reveal the iCloud email when
you turn it on), they used the “Medical ID” feature on the phone to see who it
belongs to and thanks to my strange name found me on wunderkraut.com along
with my email address and phone number (for sending the messages to) — in
fact, I did check the site analytics and found that my profile had one hit
from Google the next day the phone was stolen.

From the article

