There have been numerous examples of people losing a lifetime’s worth of photos after being locked out of their iCloud account. The Apple account recovery process often proves impossible, especially in cases where an iPhone has been stolen and its owner forced to unlock it.
Just yesterday there was a fresh example, where an unlocked iPhone was stolen at gunpoint by seemingly tech-savvy thieves …
A developer described what happened to his brother.
My brother got his iPhone stolen at gunpoint […]
The first thing the thieves did (after running away, of course) was changing the phone number associated with the iCloud account. I do not know how they did this – it has been suggested that Apple will send a code to your phone, which the thieves obviously had. In any case, as soon as my brother tried to log into “Find my Phone” he was faced with a screen asking him to verify the phone number associated with the account, which was set to a number we do not know.
It didn’t matter that we still had the proper password for the iCloud account, nor that we still have control of the e-mail associated with the account. As far as Apple is concerned, if you don’t know the phone number (which, again, the thieves changed) you cannot access your iCloud account. This is a known issue with iCloud security.
The thieves then used a phishing attack to get his iCloud password. This let them disable Activation Lock and sell the phone – but they also changed the password, meaning he lost all access to his iCloud data. Notes, files, contacts, calendar, reminders, and – most devastatingly of all – photos and videos.
To be fair to Apple, this is an extreme case. A theft at gunpoint gave the thieves access to both physical possession of the phone, and the passcode (the report doesn’t say, but strongly implies he was forced to provide this). They were then tech-savvy enough to take immediate steps to change the phone number, and to use a reasonably-convincing phishing attack to obtain his iCloud password too.
While the blog post describes Apple’s support as “incompetent,” this is essentially a lose-lose situation for the company. Once a thief has physical possession of an unlocked 2FA device and the corresponding iCloud password, how can Apple Support tell whether the theft victim is indeed the rightful owner of the phone, or a scammer trying to gain access to the account?
Indeed, it doesn’t much matter what security protections are put in place by either Apple or iPhone owners: Once someone points a gun at you, it’s game over. They can simply demand that all protective measures are disabled.
Apple doesn’t even seem to have a consistent policy in place for this type of scenario, as different people report different responses from the company.
Apple account recovery – a proposal
If we were just talking about a device, then we could just shrug and say that there’s no real solution. But personal data is the kicker here – with photos and videos the big one.
For the vast majority of people these days, their smartphone is their only or primary camera. Our phones contain priceless memories. A toddler’s first steps. Anniversary celebrations. Once-in-a-lifetime holidays. Apple assures us that these are all safely backed up on iCloud, but if you lose access to your iCloud account, then you’re totally screwed.
Too many people – including victims of violent crime, who’ve had enough trauma already – find themselves in an endless loop with Apple Support. But if Apple creates a workaround route to recovery, that could then be exploited by scammers.
My proposal, then, is very simple. It wouldn’t work in all cases (like someone simply forgetting their passcode or iCloud password), but it would at least work with theft and scam victims.
To restore an iCloud account, Apple should require two things:
- A police crime reference number
- Government-issued photo ID
At that point, Apple accepts that you are the rightful owner of the account, and lets you reset the password. Note that a crime report could be made for a scam as well as a theft (as legally that’s fraud), so it would cover phishing victims too.
It wouldn’t be 100% safe. Someone could steal photo ID, and then file a fake police report. But that’s a pretty extreme scenario, and is deep into criminal territory likely to land someone in prison for way longer than simply stealing a phone. It’s extremely unlikely anyone would risk it unless they had a very strong motivation to target you very specifically.
What’s your view? Would you like to see this Apple account recovery option for theft victims? Please take our poll, and share your thoughts in the comments.
The post Apple account recovery needs an overhaul: Here’s a simple suggestion first appeared on 9to5mac.com