There was a shocking article by Joanna Stern of the Wall Street Journal about how you are a simple bar trick away from losing access to all your photos (and some money) forever. All they need to do is steal your iPhone after seeing you type in your passcode, and they can lock you out of your account forever. 1. This is why we back up stuff and 2. There is a way to stop this. I’m not yet sure how vulnerable Android folks are to the same problem. If I’ve piqued your interest, this is the episode for you.
Here are two YouTube videos where the WSJ talks about this:
[00:00:00] W. Curtis Preston: If you’re an iPhone user that uses only iCloud to back up your iPhone, you’re going to want to
[00:00:25] W. Curtis Preston: to this week’s episode. Did you know that you’re a simple bar trick away from losing access to all of your photos forever and being a victim to thousands of dollars of crime? If you’re a surprise as I was, then you’re going to want to listen to this week’s episode.
And also by the way, I’m not sure Android folks are in the clear either. This is going to be a good show. Hi, and welcome to Backup Central’s Restore It All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup. And I have with me a guy who keeps bringing me more problems. Uh,
[00:01:05] Prasanna Malaiyandi: this time?
[00:01:06] W. Curtis Preston: this, the, the, the thing that we’re doing the episode on, like, I didn’t even know it was a problem. And you brought, you know, and you brought me in and, and there there’s not, I don’t know if there’s really any good solutions to it.
I think it’s just, I think this is definitely, this is a, I think this is one where I think Apple needs to, needs to help, which we’re gonna, we’re gonna talk about, um, Uh, it’s one of these where, wow, I’m glad I found out about it now, so that we can do some things, um, you know, to, to do at least one thing to, to make it a little bit harder for someone to steal my information.
But, um, Yeah. So I don’t know. It’s just, you just keep coming up with these problems for me to solve. Um, and it’s just, you know, sometimes I got better things to do than to solve,
[00:01:59] Prasanna Malaiyandi: really though? Do you
[00:02:01] W. Curtis Preston: I don’t know? Do I, do I, I mean, I’m just, I’m very busy, like right now, well, I’m actually, the thing I’m most busy right now is trying to solve the last problem.
That you put in my head. Uh, I’m still working on that. Uh, which we’re
gonna talk about.
[00:02:19] Prasanna Malaiyandi: yep.
[00:02:20] W. Curtis Preston: Anyway, I’ll jump in before we get started on this week’s episode, throw out our disclaimer. You’re gonna hear a bunch of opinions and they’re ours, not necessarily our employers’.
And if you want to join the conversation, we definitely want to hear from you. You can, my DMs are open, uh, at WC Preston on Twitter. Feel free to give me more problems to solve. You know, Hey, how do, how do we solve this problem? If you’ve got questions, if you’ve got stuff you want us to talk about, uh, feel free to DM me. Uh, you can email me w Curtis Preston or you can, uh, go to LinkedIn, linkedin.com/in/mrbackup and you will find me
And also Radius, if you would please, uh, go to your favorite podcast or if you like what we’re doing, uh, then help other people find us and also tell your friends, you know, you’re like, Hey, there’s this really great podcast with these two fun guys that talk about, you know, some of the most boring topics in the world, but try to, try to make them interesting as much as we can.
So this episode, I gotta say, this woman that did this research, uh, there’s actually two part, and there is a YouTube video.
That she did, which, uh, we’ll put a link to it in the show description so that you can watch. I, I highly recommend that you watch Joanna Stern. Thank you. Uh, I was the one that wrote it, but I think I’m gonna have you describe the scenario.
[00:03:47] Prasanna Malaiyandi: Yeah, so basically she was reached out to by someone, a victim, and what had happened was he was at a bar and his phone got stolen. And the next day he went to try to sort of log in, change his password, all the rest, and he got locked out.
[00:04:06] W. Curtis Preston: Right.
[00:04:07] Prasanna Malaiyandi: he realized that there was a whole bunch of, I don’t know if it was like Venmo or PayPal or whatever else, but there was a whole bunch of.
Transactions, financial transactions. Right. Purchases made from his phone, and he had no way to access his phone. He was locked out of his Apple account. Right. He had no access to anything. He tried reaching out to Apple Support. They weren’t able to help him. He tried reaching out to Apple’s legal and escalating it.
They said, sorry, there’s nothing we can do to help you. He was willing to fly out to Apple or even. Like and show his like social security number, his driver’s license, all sorts of information to prove it was his account. And it was so important to him because on his phone he was using iCloud and he had a bunch of pictures of his eight year old daughter at, who’s currently eight years old, right.
But since she was a baby. And so he was like, I just want access to all of my pictures of my kid, right? Which was stored in that iCloud account that I am now currently locked out of.
[00:05:08] W. Curtis Preston: Yeah. And, and that, that core problem right there, you know, losing access to all this data that, in his case, irreplaceable, very precious data is, uh, The core problem behind the thing I was alluding to earlier, a a about, uh, backing up data that is on a device like an iPhone. And we’re, we’re gonna get to that in a minute.
But there, there’s a bigger problem here, and that is, you know, that you also mentioned is that, uh, because I saw other messages about people, uh, that had. Basically once the phone, once they, the, the attacker had physical access to the phone and their passcode, that they also did a bunch of, uh, unauthorized transactions.
Like I remember somebody saying $40,000 in Apple Pay transactions and so the, the core thing here is that the, the attacker, the thief, basically it’s, it’s an old school hack, but it requires two things. One is they need to observe you typing in your passcode in a public place. And then the second is then they need to steal your phone.
And the thing is, if you, if you think about that, both of those things are pretty easy to do. As an attacker, right? Meaning that in a public environment, right? So it’s very common. For you to, you know, some people want to use face ID to to log in, others want to use their passcode. Sometimes face ID doesn’t work.
And so you put it in your passcode. You’re not really thinking, I think at least the average person, maybe somebody that’s
[00:06:48] Prasanna Malaiyandi: Like, who’s around
[00:06:49] W. Curtis Preston: might, yeah, nobody’s thinking about who’s around me. Like, you should be thinking about, you know, you really should be thinking about the, um, it, it’s like you typing in a PIN at an ATM.
Right. You should be cut or typing in your PIN at a PayPal or at a, a pay. What do you, what do you call that? The, you know,
[00:07:09] Prasanna Malaiyandi: of
[00:07:09] W. Curtis Preston: yeah. Point of sale. Thank you. Um, you, you typing in your PIN number there, you should be thinking about privacy and hopefully you’re concealing it, but you should be having that same level of concern when you’re in public.
[00:07:21] Prasanna Malaiyandi: Mm-hmm.
[00:07:22] W. Curtis Preston: I think that two things. One is I think that people don’t think that way, number one and number two. In a bar, they might be slightly compromised mentally, so they might not be thinking about that. And
[00:07:41] Prasanna Malaiyandi: and I think there’s also another aspect there, Curtis, is I don’t think people realize. How connected phones are these days to like what access it has once someone gets access to your phone.
[00:07:55] W. Curtis Preston: Right,
[00:07:56] Prasanna Malaiyandi: People who have like financial account logins and apps on their phone. People who have, like you were talking about like Apple Pay and credit card information.
Right. And. Yeah, all of that stuff is on there. And people just don’t realize like the wealth of knowledge and that an attacker who compromises your phone can take. And I, the one thing I wanna talk about is like, people are probably thinking, oh, but they don’t have my apple ID password. How can they get access to my data and lock me out?
Right? And so, I think just briefly touching on that, right, so on your phone, once you have the passcode and once you have the phone, right, you can go to Settings. Once you have the passcode, you can change the Face ID, you can reset the Apple ID password directly from your phone. Right. And so what an attacker does is they go do those two things and now you’re locked out.
Now in most cases, you’re like, oh, I could just do like, forgot my password on Apple ID and they’ll send me a code and I can log in. Well, now what they’re doing as well is there’s a concept in Apple called a recovery key, which is I think a 28 digit key that Apple creates. That if you, if you create that key, you can’t go, do I forgot my passcode anymore, cuz that doesn’t work.
[00:09:08] W. Curtis Preston: Well without the
[00:09:09] Prasanna Malaiyandi: do that, Yeah, without the key, right? That’s the only way you can get access. Just knowing the passcode is password isn’t enough.
And so what they’re doing is they’re creating this and Apple doesn’t give you a way to protect it easily, right? They kind of went the approach of let’s make the user experience very simple to regenerate these keys. And they didn’t realize that this is what attackers are doing. They lock you out of your account, they change your passcode, they create a recovery key, and now you as the victim, you have no access to anything with that Apple.
[00:09:38] W. Curtis Preston: Yeah. So they change your passcode, they change your Apple ID password, and they change the recovery key, right? Even if you have a recovery key, they change it and then they, they’re gonna do this. I’m guessing they’re gonna do this pretty quickly, but maybe they might not do it really quickly. Um, but I, I think that I, I don’t, well, I’m, I’m gonna say I definitely didn’t think that that was possible.
I didn’t really think about. Right. Um, what happens if somebody gets my passcode? I rarely type my passcode in public. Well, let’s face it, I’m rarely in public, right? I’m, you know, I’m not hanging out in bars, right? I’m not hanging out in bars, uh, at this point, you know? Uh, but I think if, you know, a younger person might be hanging out in bars more often, and, um, the, just, just any bars or restaurants, right?
[00:10:25] Prasanna Malaiyandi: yeah, yeah. But, but, but here’s another point, right? So during the pandemic, my wife and I, we would go to go grocery shopping. And at the time we were ma we were wearing masks, right? And on our phones Face ID doesn’t work. So of course, you pull out your phone, you need to look up like, Hey, what am I supposed to buy?
And you sit there and you have to type your passcode.
[00:10:42] W. Curtis Preston: right, right, right. And, and so
[00:10:45] Prasanna Malaiyandi: public place and people may not realize and be aware because it’s like, Hey, we’re just in a grocery store. Why does it matter? But it’s like, Nope, that’s yet another situation.
[00:10:53] W. Curtis Preston: Right, right. Yeah. Again, I don’t go to the grocery store. That’s what I say, like my wife does most of the shopping. My wife shops for my clothes. She says, you know, she’s great.
[00:11:06] Prasanna Malaiyandi: How about Costco?
[00:11:07] W. Curtis Preston: Costco. Okay. Okay. I’m a Costco
[00:11:09] Prasanna Malaiyandi: Right, and, and given you right, and knowing how you are with your phone, how many times have you sort of left your phone somewhere and walked away
[00:11:17] W. Curtis Preston: It’s never, I I’ve never lost my phone. I’ve never misplaced my phone. You’re spewing lies.
[00:11:22] Prasanna Malaiyandi: in public?
[00:11:23] W. Curtis Preston: I’m saying You’re spewing lies. Yeah. I, I’ve left, definitely left my phone. Yeah. So, so basically it, it’s a combination of they, so they wa they observed you. Typing in your passcode, and then you left your phone. You know, either they did a, they did a brush pass and, and, and did a pit pocket situation, or you laid it down on the bar, and then they stole your phone.
Right? And you may think, well, I would never leave my phone. I’m, I’m gonna say nonsense to that. I, even if you’re the least absent-minded person, Uh, you know, and also if you are in a bar situation
[00:12:00] Prasanna Malaiyandi: Or a crowded place.
[00:12:02] W. Curtis Preston: Any sort of crowded situation. A brush pass, uh, is extremely easy to do. Um, you know, if you’ve ever seen, you know, these movies that you, you see it sometimes in the movies, but if you are a good pickpocket, you can.
Literally, you know, and, and they, they just, they, they feel nothing, right? Um, but yeah, so that’s the two thing. The, the two things that you should be doing is protecting your passcode when you’re in public. And the other being, protecting your phone when you’re public. If you do either of those things successfully in a public place, you wouldn’t be subject to this.
But, um, the, the
[00:12:42] Prasanna Malaiyandi: Things happen.
[00:12:43] W. Curtis Preston: what’s that? But things happen, right? So we have, let’s see, three things, right? So three things that you should be looking at and let’s start with. What I think is the most basic one first, which is what should be, what should you be doing? If you have valuable photos on your phone Prasanna,
[00:13:01] Prasanna Malaiyandi: Or any valuable data, you should be backing it up.
[00:13:05] W. Curtis Preston: be backing it up. Uh, right. If you have any data that’s valuable anywhere, you should be backing it up. And you say to me, you say to me, but Curtis, I have iCloud. What’s the response to that?
[00:13:17] Prasanna Malaiyandi: Well, a, I don’t use iCloud, but I will ask a question, but Curtis, you use iCloud.
[00:13:25] W. Curtis Preston: Yeah. So, okay, so, so two things. One is iCloud is not a backup. iCloud is a synchronization tool, okay? At best, iCloud is a second place to store exactly the same thing that’s on your phone. So if. Someone hacks your phone or hacks the iCloud account, they can delete one and it synchronizes and deletes the other.
That’s, it’s not a backup, it’s a synchronization tool. That’s, that’s a really important thing to understand. Number two, if you, as I do have the optimized storage option turned on, uh, what’s stored on your phone is actually a thumbnail of the image or video, and the actual image or video is up in the cloud, which means that.
The actual thing that you’re trying to protect, I think with this, with this, Victim that started this whole story, he probably would’ve taken the, the thumbnails and he would’ve
[00:14:17] Prasanna Malaiyandi: now.
[00:14:18] W. Curtis Preston: he would’ve been happy. But you know, you want those high-res versions and those are only in Apple, which means the data that most people really value if they turn on that option, which I think most people turn on cuz they don’t want to buy a 256 gigabyte iPhone.
Right. Um, and, uh, but it’s only stored in the cloud. So. It’s not, so, it is absolutely not a valid way to back up your iPhone. So, um,
[00:14:49] Prasanna Malaiyandi: uh, well, and if you get locked out like we’ve been talking
[00:14:53] W. Curtis Preston: and if Yeah, yeah. And if you get what the whole point of this story, right? If you get, if you get locked out of iCloud, if you get locked out of your Apple account, which is what will happen if your phone is stolen and they have the passcode.
If you get locked out, you won’t be able to access that iCloud version. Right. Um, and this is pretty big deal. So really what’s the only solution to that?
[00:15:18] Prasanna Malaiyandi: Back up your data to something other than iCloud.
[00:15:21] W. Curtis Preston: Right, right. Which, um, I’ll just, I’ll just quickly, um, throw this out. The, the, there’s two quick options that I’ve been, I’m experimenting with right now that so far appear to work and we’re gonna, but we’re gonna have, uh, another complete episode about this, uh, coming up. And that’s Google Photos. And, uh, a product called iDrive.
iDrive is a, just an independent backup product, I’d say between the two. So far, I like, I, I like the functionality provided by iDrive better. Uh, it’s also less expensive than Google Photos, but Google Photos is a little bit more of a full featured photo app, whereas iDrive is just a backup app. Um, but
[00:16:01] Prasanna Malaiyandi: but there’ll be a full episode on this.
[00:16:02] W. Curtis Preston: Yeah, there’ll be a full episode on that coming up. Uh, cuz I’m still, I’m still sort of researching that. I’m also looking, and also I’m, by the way, one of the things I like about the iDrive app is that it works for both, uh, iPhone and Android. Google Photos works for Android, but it has the same problem that iDrive or Photos does for iPhone users.
So I wanted a, an option for those. Um, yeah, so that’s, um, And it’s, it’s, it’s incredibly affordable. It’s not something, it’s incredibly affordable. It’s very non-invasive. Turn it on and, you know, set it and forget it. And if this was to happen to you, at least you wouldn’t lose access to all of your, um, specifically your photos and videos.
[00:16:47] Prasanna Malaiyandi: So I have a do have a question. I know we will cover this later. If this scenario happened to you and you had the iDrive software installed on your phone, can an attacker go and delete all your data from the iDrive app on your phone?
[00:17:03] W. Curtis Preston: Uh, no. No, because specifically if they’ve got your phone, they only, they have a very limited, uh, set of functionality available on the phone. Uh, they would need your iDrive password and login to iDrive itself, the, the website, uh, to be able to delete old backups.
[00:17:24] Prasanna Malaiyandi: can I ask the next question? So then I don’t know how it works with Dashlane, but if someone was using like the iCloud Keychain and they had access to your phone, they had your password, they changed your Apple, uh, Apple ID password. Could they get access to your iCloud Keychain now
[00:17:47] W. Curtis Preston: Yeah.
[00:17:48] Prasanna Malaiyandi: and get access to any password stored there?
[00:17:51] W. Curtis Preston: Yeah. Two,
[00:17:56] Prasanna Malaiyandi: Yeah. That, that, that,
[00:17:57] W. Curtis Preston: so. Yeah, I’m not a fan of Apple’s Keychain, right? I mean, we, we’ve, you know, we’ve talked about, I’m glad you again, see, this is what I’m talking about. You’re just good at coming up with problems. But yeah, don’t, uh, this is why, you know, we talked about, you know, we’re, we’re full supporters of password managers.
Uh, we, we just did the, the LastPass episode. And, um, you know, I just published it, which will go live just, uh, uh, uh, this weekend. But the, and if you haven’t checked that out, it’s basically the lessons that we learned from the LastPass episode. But, um, the, um, I lost my train of thought. What were you asking me?
Oh, yeah. So we talk about, you know, yeah. So iCloud keychain and using your the Chrome password manager, still better than nothing, but it puts you at a real risk of. Other exploits, uh, because for example, if somebody can log into Chrome, they can export your passwords and they, you know, they can do whatever they want.
Same thing with iPhone. If they change your passcode, um, then they have access to the, to the key vault, and then they can use it to do other things. Now, I, I highly doubt that an attacker who’s just trying to steal money, uh, is gonna also want to go attack my photo backup. And iDrive, I don’t even think, I think they’re the.
Security by obscurity, uh, is in your favor, but it is possible, right? Um, yeah. Uh, but they can also log into, they could do more scary things like logging into your, uh, bank accounts and do things like that. Right? Um, but like, and, and that’s why with Dashlane, it requires me to put in my, um, My password or, uh, my face, um, uh, you know, so,
[00:19:43] Prasanna Malaiyandi: Wait, that’s it.
[00:19:45] W. Curtis Preston: what, well, you gotta have the phone.
[00:19:49] Prasanna Malaiyandi: Yeah. So they have your phone,
[00:19:51] W. Curtis Preston: Yeah. And then it,
[00:19:52] Prasanna Malaiyandi: they have your passcode. They can
change your face
[00:19:55] W. Curtis Preston: Dashlane P passcode, the
[00:19:58] Prasanna Malaiyandi: It, it is
[00:19:59] W. Curtis Preston: Dashlane master password they would need.
[00:20:02] Prasanna Malaiyandi: okay, so you need to enter your Dashlane password, and then also either a code or your face.
[00:20:08] W. Curtis Preston: no, you, you need the phone and the master password or the phone and my face?
[00:20:15] Prasanna Malaiyandi: Can they put a new Face ID in?
[00:20:18] W. Curtis Preston: Um, I think when you, that’s a great question. Um, No. Okay. No. So yes, they could put in a new face, but when you do that, it, I’m, I’m sure we gotta check this,
[00:20:34] Prasanna Malaiyandi: I would hope. Yeah. I hope
[00:20:35] W. Curtis Preston: sure that when you put in a new face on Face ID, it deactivates anything that was using Face ID. And then you have to re reenable it, like in this case, Dashlane. You would have to reenable Face ID with, um,
[00:20:48] Prasanna Malaiyandi: W with the new
[00:20:49] W. Curtis Preston: with the new,
[00:20:50] Prasanna Malaiyandi: Yeah. And you’d have to enter
[00:20:51] W. Curtis Preston: have to put in the master password.
I don’t know that for a fact. Uh, but I believe it with all my heart right now because
[00:20:59] Prasanna Malaiyandi: hope so, yeah.
[00:21:00] W. Curtis Preston: I would hope so. Uh, Dar see again, giving me more problems. Uh, we gotta, we gotta go check that. Um, I’ll, I’ll, I’ll change my Face ID to somebody else and see if it still works with, with Dashlane.
[00:21:16] Prasanna Malaiyandi: or just do it yourself. Yeah.
[00:21:18] W. Curtis Preston: Oh, I guess I could do a new Face ID with my own face.
Right? Okay. I don’t have to use somebody else’s.
So good news and bad news. The good news is that Dashlane at least did the right thing. So again, the worry here is that in this scenario, a hacker steals my phone and my passcode. They’re now in my phone, essentially as me. Face ID won’t let them into Dashlane. And, uh, they don’t know my Dashlane password, so they can’t do that.
But what if they reenable Face ID, basically put their face in the place of mine? What would Dashlane do? The really good news is that Dashlane said, ah, no, Face ID is new since the last time. And so you need to put in your master password. That is great news. The bad news is Venmo and PayPal did not behave that way.
So using Face ID on Venmo and PayPal didn’t seem to help. Uh, I, so first off, just a reminder. I do believe strongly in password managers, I believe strongly in third party password managers like Dashlane. And I think in this case, if you’re not using Dashlane, I would then go check with your password manager. Reenable Face ID, basically putting a new face in there.
And then seeing what your password manager does. I’d love to hear back from you again, DM me at WC Preston on Twitter.
[00:22:43] W. Curtis Preston: So, so, What’s our next one here? And that is, um, if your phone is ever misplaced or stolen immediately, not later this evening, but immediately borrow a friend’s phone, borrow a friend’s computer, go to the nearby web terminal, whatever.
You can log into your iCloud account immediately and put your phone as lost. Now, having said that, um, that’s gonna be a problem if you’re on an unknown device, right? Because iCloud has MFA, right? So, um, hopefully you go ahead. What were you gonna say?
[00:23:29] Prasanna Malaiyandi: and, and this is where I think make sure on your iPhone you set up recovery contacts,
right? So you can assign in Apple right on your phone to say, okay, if I’m coming from a, if I. Coming from a device that I don’t, or unauthorized device, then I don’t, I’m not able to receive the two factor authentication.
So here are other people you can contact that I trust, and they’ll send them the code there, and then you can get it from them and use that to now access your Apple account.
[00:23:57] W. Curtis Preston: Right. Right. Um, and so, uh, you could basically call your, call your friend, wife, whatever, um, and say, Hey, I need you to really quickly log into my, you know, or authenticate me so that I can, um,
[00:24:11] Prasanna Malaiyandi: Yep. And it’s very simple. They just need an Apple device and they say, yep, the person is good to go. And then
[00:24:16] W. Curtis Preston: Right, so that you can log in and deactivate the phone or the, you know, put the phone is lost. Uh, cuz that’s the thing you wanna do really quickly. Um, so that the, and, and then what you’re hoping at that point is that the person hasn’t yet done the thing, right? If the moment they steal your phone, they immediately lock you out, then there’s not, there’s not much you’re gonna do.
But what’s the final thing, which is as far as I can tell, the best option in terms of preventing. The theft, uh, you want to talk about that?
[00:24:47] Prasanna Malaiyandi: yeah, and this is a feature which I don’t think many people actually know about, or those who know about it associate it with kids, right? It’s a feature Apple has called Screen Time, which allows you to sort of monitor how much usage, who’s using what apps, and typically you use it for your kids, right?
So you can give your phone or your iPad to a kid. They could use certain apps within it, but they can’t get to like settings. They can’t. Load all content, right? It does content filtering and other things like that. But it also has a feature which allows you to say, okay, when I enable screen time and it’s my own device, I can also restrict certain content in certain privacy settings, if you will.
And one of those, when you enable it, is to not allow account changes or passcode changes
without, without asking for a different passcode. And I think that’s the key, right?
[00:25:38] W. Curtis Preston: Yeah, that’s the key. Yeah. So you, first thing you do is you, you, you create a Screen Time passcode, which is a, it’s only a four digit by the way. Create a Screen Time passcode. Uh, minus 77. 77, just so you know. Um, and then,
[00:25:52] Prasanna Malaiyandi: 6 66.
[00:25:54] W. Curtis Preston: um, and then, uh, so you create that, and then you go into, so you go into this app, it’s called Screen Time.
And by the way, that’s two words, Screen Time. Uh, not to be confused with FaceTime, which is one word. And then, um, you go into Content and Privacy Restrictions, and then you scroll down to Passcode Changes and Account Changes and change those to Don’t Allow. Um, right. So basically if you are logged well, it means that whenever you’re logged into your phone and you want to change the passcode or account changes, you are going to need to enter the Screen Time passcode.
Don’t forget it. Um,
[00:26:31] Prasanna Malaiyandi: but if you forget it, it’s not the end of the world because you can still reset it. If you can log into your Apple ID on say a different device or on the web or
[00:26:41] W. Curtis Preston: Right, right, right. But yeah, that, that, if anything, this, this maybe just slows them down. It just slows them down, giving you time. Um, and they will be locked out if they enter the passcode, uh, incorrectly too many times.
[00:26:54] Prasanna Malaiyandi: Yep.
[00:26:55] W. Curtis Preston: Um, the, um,
[00:26:57] Prasanna Malaiyandi: Which I think it’s a good thing, but. I think like we talked about, right? For this option, I don’t think anyone knows about it. I didn’t know about this,
that they could be used in this way. Yeah.
[00:27:06] W. Curtis Preston: Yeah. Basically protecting you. Yeah. Somebody grabbing your device, changing it so that they can’t change the passcode, um, without this other passcode, right? And this is a passcode and this one never enter in public, right? Never, never, never enter this. This is a super secret passcode.
Um, Apple could do better here. They talk about this apple. Even if, like, I am a little disappointed to hear that even if you can prove that you are that person, right, uh, that apple will not, uh, get you back into your own account. Um, I, I don’t know if that’s, is this one of those things where. That this is a security feature that, in other words, like, like they can’t reset your passcode.
[00:27:56] Prasanna Malaiyandi: yeah. I think because at this point you’re sort of using device level key, right. That’s why once you create the recovery key, they can no longer do the reset because they don’t have the other half
[00:28:06] W. Curtis Preston: Right, right,
[00:28:08] Prasanna Malaiyandi: access the
[00:28:09] W. Curtis Preston: right. Um, Yeah, I, I, I think Apple needs a better option than what they currently have. Um, and now, and maybe with this coverage in Wall Street Journal, uh, maybe it will change that. So, um,
[00:28:26] Prasanna Malaiyandi: Or, or the other thing is if you can, I know this is kind of limited to Apple ecosystem, but some people have multiple devices, right? So just do a verify on a different device when you are like changing your recovery key, right? You do this in other places, right? Where it’s like pops up and so it’s like, Hey, so-and-so is asking do you authorize
[00:28:47] W. Curtis Preston: Right, right. Yeah. Um, I, I am curious to know to what degree, is this an iPhone problem or is this an, is this a also an Android problem?
[00:28:59] Prasanna Malaiyandi: Ooh. I unfortunately haven’t interacted with the Android ecosystem in a
[00:29:03] W. Curtis Preston: Yeah, me neither. Um,
[00:29:06] Prasanna Malaiyandi: because I know Google has recovery keys, right? For Google accounts. I just don’t know if that applies on a Google
[00:29:14] W. Curtis Preston: I’m gonna have to pull out my, my backup Android device. I have one. Um, and just, and just see what happens, right? I. Um, but anyway, I, you know, I hope this is helpful to folks that, I mean the, the, you know, in terms of the topics that we cover, right? We, you know, we we’re concerned about you and your data, and so there are multiple ways to protect your data.
One of which is to, is to, uh, oh, there was one other, by the way, one other thing that we didn’t talk about, and that is when it talks about, um, payment methods that are on your phone. Make sure that whatever you connect as a payment method on your phone has protection built into it, for example, You know, visa cards, MasterCards, debit cards, um, these all have, and maybe Apple Pay itself, I don’t know if Apple Pay itself has protection built into it, but if you’re using, um, and, and, and you should look into that, right?
Because what happens if you get subject to this and then someone just takes. 40, you know, they charge $40,000 worth of stuff. Um, and then boom, your accounts wiped out and you can’t get that data back. So what I’m saying is, let’s, let’s assume Apple Pay doesn’t have any protections built into it. If you directly connect it to your checking account via the account number, uh, not your debit card, you have no protection.
If Apple Pay doesn’t provide any protection,
[00:30:45] Prasanna Malaiyandi: I think your bank account only does $50,
[00:30:48] W. Curtis Preston: think so. I think that that is only via, if they do it via debit card. Um, I don’t, I don’t know. Um, you know, we’re, we’re not financial, uh, advisors or whatever. Uh, look into, look into that, right. Uh, Venmo, PayPal, all of these things. Right? Um, what are the protections on them? I am curious. Um,
[00:31:14] Prasanna Malaiyandi: also consider what you do on your iPhone or on your phone, right? Ask yourself the question, do I really need that on my phone? Do I need access 24 by seven to my financial account on my phone? Like one of the things I do is, so I like with my bank that I can do mobile deposits, right?
And so, but to do that, I need the app. So what do I do? I install the app, I do my mobile deposit, I delete the app,
[00:31:39] W. Curtis Preston: But in the ca.
Oh, that’s interesting. That’s a little much. I mean, because at least with those apps, you need the pa, you need a separate passcode to get into those apps.
Um, but, but like, uh, like Venmo though, let’s see. If I go to Venmo, cuz I have Venmo, um, boom, I’m in Venmo,
[00:32:04] Prasanna Malaiyandi: Yep. No passcode.
[00:32:06] W. Curtis Preston: no passcode for Venmo.
Uh, and there’s no passcode for a, well, no Apple Pay. You need a, you need to put in.
[00:32:15] Prasanna Malaiyandi: Face
[00:32:16] W. Curtis Preston: Fa, Face ID, that’s what I normally use. But what’s your backup? It’s your passcode, isn’t it?
[00:32:22] Prasanna Malaiyandi: Changed. Yep.
[00:32:23] W. Curtis Preston: Hmm, hmm.
[00:32:25] Prasanna Malaiyandi: I wonder if anyone’s done threat modeling on this. Interesting.
[00:32:28] W. Curtis Preston: Um, yeah. But Venmo, uh, and PayPal, but PayPal. Because I have PayPal on my phone as well. With PayPal, uh, yeah. Okay. It just logged me in with Face ID. So with PayPal. With PayPal, I need to put in my PayPal password or Face ID. We really need to check out the Face ID situation. Um, again, um, oh, look, I just spent $203 at, uh, via PayPal
[00:33:00] Prasanna Malaiyandi: Oh, Costco.
[00:33:00] W. Curtis Preston: to buy?
No, to buy tickets to go see, um,
[00:33:04] Prasanna Malaiyandi: Oh.
[00:33:05] W. Curtis Preston: the musical Six. It’s the, it’s the six wives of King Henry VII. So anyway, it’s a musical. It, it, and it’s funny, it’s got, um, it’s got a modern take on it, but anyway, so I just, I just bought tickets to that to go see in July. I’m very excited about that. Um, no one cares anyway, so, but everybody’s like, well, this is kind, this is kind of the end. So, uh, we’ve come up with some new problems.
This is what I’m saying. Like I said in the beginning, you just gimme more problems. Uh, I.
[00:33:38] Prasanna Malaiyandi: Well, I think, I think it’s enough problems. It’s awareness.
[00:33:40] W. Curtis Preston: Awareness. Yeah. Yeah. Uh, be aware, uh, your phone is, uh, you know, it’s an, it’s an attack point. It’s an attack vector, right? Um, and there are, there are some things that you can do to prevent it, uh, number one, right? Don’t put your passcode in public and be really careful about what you do with your phone in public.
Number two, uh, is this, um, Screen Time feature that you can, uh, put in place. And well, I should have said this is number one. Number one, back up your stuff via something that isn’t iCloud or Google Photos if you use an Android. Um, and, uh, we’re gonna do another episode on that.
[00:34:19] Prasanna Malaiyandi: Yep. Oh, the other thing I wanted to mention, yeah. The one thing we didn’t touch upon, but it might be useful is if you do happen to use like an Apple watch, right? It does have a functionality to tell you when your phone goes missing, right? Or when it goes too far away. So that might at least help you notice ahead of
[00:34:37] W. Curtis Preston: You, with your Apple Watch, um, say that your phone is lost?
[00:34:43] Prasanna Malaiyandi: I don’t know.
That’s another question we will
[00:34:45] W. Curtis Preston: can’t, you can. You can, if you are, uh, on Wi-Fi or you have an Apple phone or an Apple Watch with a cell signal.
[00:34:56] Prasanna Malaiyandi: Cell phone.
[00:34:57] W. Curtis Preston: Yeah. Um, because you have, you have iCloud, you have, um, F, uh, Find My. You had Find My in there. Um, so yeah, so if you, if you do have, that’s a good point.
If you do have Apple Watch, uh, uh, then you could do that, right? Um, I like that feature. Um, you just lost your phone. I would immediately then go,
[00:35:18] Prasanna Malaiyandi: Where is he?
[00:35:19] W. Curtis Preston: yeah, I would immediately, yeah. Right. Um, all right. I’m gonna tell, I’m gonna tell a funny story really quickly because it involves, uh, my daughter and losing an iPhone.
In public, right? So my daughter, uh, don’t do this at home kids. My daughter, who’s, uh, let’s see, 28, um, she, she lost her phone at a bar and she, um, she pulled up on her husband’s phone. She pulled up the location of her phone. Have I told you this story yet?
[00:35:53] Prasanna Malaiyandi: Mm-hmm.
[00:35:53] W. Curtis Preston: you, okay, so this happened a couple months ago.
So she took, she, she pulled up the location of her phone, and so she saw that the location of her phone was now, um, several miles away at a house, uh, in, interestingly enough in, uh, the neighborhood where my brother-in-law lives, right? Which isn’t the nicest neighborhood. Okay. And so she goes over there and she knocks on the door of the
[00:36:22] Prasanna Malaiyandi: Wow.
[00:36:23] W. Curtis Preston: where her phone is pinging.
Okay? And, um, the mother. She, she knocked, the, I think the mother was out in the front yard, right? So there, there’s a, there’s an older lady out in the front yard and she said, yeah, my phone is like pinging, um, you know, over here. And, um, and she’s like, well, I don’t know, you know, whatever. And so she calls her, she calls her, um, she said, well, you know, nobody here has your phone or whatever.
I think maybe she went inside or something, and then my daughter being like this innocent, like, what? I just don’t understand. Like it’s pinging, it’s pinging inside your house. Right. And my daughter, she wasn’t alone. She was with three Marines, but, but.
[00:37:07] Prasanna Malaiyandi: Yeah. Okay.
[00:37:09] W. Curtis Preston: But
[00:37:09] Prasanna Malaiyandi: That’s pretty gutsy.
[00:37:10] W. Curtis Preston: but they weren’t, they weren’t armed.
Right. So, so, so she’s like, yeah, I, it’s just, it’s pinging. Is there anybody in the house maybe that you could ask that maybe, maybe they found my phone. So she goes in and she gets the, her son, the woman’s son is in the house. The woman’s son comes out and it’s the bouncer from the bar who helped them look for their phone. And it was like, busted. And she got, she got her phone back and I’m like, please don’t do that. Please.
[00:37:47] Prasanna Malaiyandi: Yeah. It’s
[00:37:48] W. Curtis Preston: you know,
[00:37:49] Prasanna Malaiyandi: Yeah.
[00:37:51] W. Curtis Preston: uh, you know, when, when, when, when my brother-in-law found out that, that my daughter had been, you know, in his words had been going, you know, knocking on doors in the hood to look for a stolen phone. Um, yeah, maybe she, maybe she was worried about this story. Um, somebody, yeah. Anyway, all right, well, um, nice chatting with you, Prasanna.
[00:38:19] Prasanna Malaiyandi: As always, Curtis, and yep. We’ll figure out some of these issues with Face ID.
[00:38:24] W. Curtis Preston: Yeah. And also, uh, you know, thanks for listening folks and listening to my silly stories. And be sure to subscribe so that you can restore it all.