I didn't feel as if it was a ripoff. It didn't even register with me that you were referring to Vimeo until I read the comments. Slightly similar font with a different name altogether shouldn't count as a ripoff in my opinion :)
That's just commodification of design; websites tend to exhibit very similar structures, styles, and design elements, so they're eventually bound to coincide at some point.
The logo is nothing more than the product name with a fancy italic font face; that's not even copyrightable. The similarity comes from having names with some matching letters.
Hi, what I meant was the special security feature that Apple introduced last year (I think, all the years feel the same since 2020…). You can opt out of any “apple-assisted support” for account recovery and you receive a 28-char unlock key to recover your account.
That's basically the old idea that a single point of failure/backup is not sufficient. It's not specific to Google, Apple, Microsoft, etc. One copy can get damaged, hijacked, erased by accident - so ideally keep 2 or more (encrypted) copies.
I think the information you added makes the majority of the discussion in this thread irrelevant. If the thieves phished the password in a separate attack and then used that to perform iCloud account hijacking - then that's a fairly expected outcome that is not unusual in the industry. Having both the password and the phone basically proves full ownership.
I empathize with your frustration, but realistically speaking, the outcome very likely would have been the same if he used any other phone from a major tech company.
I use a 4 digit unlock code, and every now and then I get curious and look to see if I have smudges over those numbers. I've never seen telltale smudges on mine. Of course MMV
> Having both the password and the phone basically proves full ownership.
The thieves changed the phone number immediately while they only obtained the password around 5 days after stealing the phone. Had Apple support been more... well, supportive, we would have been able to recover the account long before the thieves got the second factor. There was a big window of time in which Apple could have helped, but they chose to send us in circles instead.
As for "proving full ownership", those factors cannot prove full ownership because the thieves are not the legal owners of the account. There are multiple ways in which we can prove ownership (legal documents, access to the iCloud email, photos of us inside the account, etc) but Apple doesn't want to provide real tech support (as this commenter [1] pointed out).
Also, related: had this happened in Europe, the GDPR would force Apple to provide my brother his data (as I've written before regarding Google and a locked account [2]). So it's not like they can't, but rather that they don't want to, and I think it's perfectly fair to criticize them for that.
Look, I totally agree with you: this situation is everyone’s worst nightmare. I wish Apple had responded in a more reasonable and timely way.
Saying that, I can see how by limiting their involvement they are reducing the risk surface. To address issues like that (and there is, of course, a huge spectrum of account hijacking situations) they would need to train an army of international support representatives who would have the authority to overwrite iCloud ownership - an incredibly questionable power. They would need to be able to validate various documents (e.g. US military ID or some obscure residence permit in Japan), be able to verify photos (which with recent ML advancements is becoming increasingly difficult), make phone and video calls to verify identity, and so much more. In turn, these representatives would become vulnerable to social engineering attacks themselves. If they overwrite ownership for a very sensitive account - who would ever trust Apple again?
It’s basically one of the major principles of cryptographic products: it’s safer for them (and, to be honest, for everyone) to deny giving access to one account than to jeopardize trust in the entire company.
I hope Apple will be able to help you through some process - maybe it takes longer than it should have. Good luck!
One note: I was the target of a spamming campaign by someone with too much time and bad intent (possibly automated). Under GDPR I asked for my personal data including IP address for the accounts created in my name. Many parties delivered, but some of the privacy professionals noted that since I claimed I did not create the account, the personal data wasn’t mine. I found that unexpected and clever. Never got around to filing a police report and finding the person using the IP address since luckily the harassment stopped.
Have you verified this information? Other comments in this thread have and are saying that changing any phone number connected to iCloud requires a password.
Not going to try to justify Apple but feel like a piece of info is missing from the post. How did they unlock the phone? Maybe the phone had no auth set up?
In general, it's expected that you should be able to update your own phone number in your iCloud account.
Author here. We do not know for sure how they unlocked it, but the phone was locked with a numerical pin. My guess is that those numbers must have been easy to see on the screen based on the smudges alone. I wanted to ask for more details, but I decided against further traumatizing him with my (as far as he's concerned) pointless geeky questions.
Also, trivia for iPhone users: my brother used to have Face ID set up, but he disabled it because he couldn't figure out how to set up a second face and it was annoying when he needed to share the phone with his wife. So don't do that!
It would have been helpful to explain that instead of leaving everyone guessing. Being able to unlock the phone is one of, if not the, most important details here.
Are you sure? Want to re-read it one more time? The phone was _stolen_ at gun point, not unlocked. It looks like the password was later phished when author's brother clicked the fake Apple support link. So at that point they had access to both the password and the phone. But I am guessing, it's not clear how/what they did.
I’m not sure, it’s just the most logical and simple explanation.
To add some context, Argentina has a history of robbers asking people to do complex tasks at gun point, like withdrawing money, and other things during “secuestro express”.
Lots of people keep talking about password codes, etc. You should be able to hand over your phone to an attacker and walk away knowing you and your data are safe.
At least don't use biometrics, they will cut off your thumb AND steal your iPhone.
Would you prefer not being able to remove your own old phone from Find My?
There is a lot of disappointment expressed in the comments here, but we need level-headed solutions, not just rage against things that are actually useful in 99.9999…% of situations.
Having a "re-enter your password to confirm" step is bog standard for critical actions like that. It would be no serious burden for a legitimate user, and an extra hurdle for a thief.
One fix that was mentioned in the comments that would have been easy to implement (and, frankly, bizarre it’s not implemented yet) is confirming password when performing such critical actions as removing or adding devices/telephone numbers.
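The "re-enter your password to confirm" gate suggested in the two comments above, sketched as an added example that is not part of the thread and not Apple's implementation. The action names, the 5-minute freshness window and the class names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

REAUTH_WINDOW_SECONDS = 300  # assumed policy: a password proof stays fresh for 5 minutes
# Hypothetical action names for the critical changes discussed in the thread.
SENSITIVE_ACTIONS = {"change_trusted_phone", "add_device", "remove_device"}


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password)
        self.trusted_phone = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def check_password(self, password):
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(self.pw_hash, self._derive(password))


class Session:
    """A signed-in, unlocked device. Holding it proves nothing about the password."""

    def __init__(self, account):
        self.account = account
        self.last_password_proof = None  # time of the last successful re-entry

    def reauthenticate(self, password, now=None):
        if not self.account.check_password(password):
            return False
        self.last_password_proof = time.time() if now is None else now
        return True

    def perform(self, action, change, now=None):
        now = time.time() if now is None else now
        if action in SENSITIVE_ACTIONS:
            proof = self.last_password_proof
            if proof is None or not (0 <= now - proof <= REAUTH_WINDOW_SECONDS):
                return "reauth_required"  # the change is NOT applied
        change(self.account)
        return "ok"
```

With this gate, possession of an unlocked phone alone cannot change the recovery number; routine actions outside `SENSITIVE_ACTIONS` are unaffected.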
I just tested this on my iPhone and it absolutely asks you for a password before you can touch the iCloud phone number. I suspect the victim was compelled to either enter or hand over this password when the phone was stolen. It's not out of the question that the brother forgot this happening, considering how stressful the situation would have been.
Unfortunately I don't have an iPhone to check, but another comment [1] suggests that this may happen if you physically change SIMs. My brother said they didn't ask for his iCloud password, which makes sense: if they had the password then they wouldn't have needed the phishing step afterwards.
At this point I will just stop commenting on this post as it seems like either Apple already fixed this or some of the most critical information has been omitted by the author. So we are just guessing and raging for no reason.
On an iPhone you can go to Settings -> Name, Phone Numbers, Email -> Edit Reachable At. That's one way I guess. Haven't used this menu before so not 100% positive.
True - maybe it shows it afterwards, but adding a new phone number doesn't require password entry or Face ID. As for removing the existing number, I can't remove mine until I de-register it from iMessage & FaceTime (since it's the number on the phone), so maybe they turned those off or they popped in a new SIM card.
The thing that always seemed really strange to me is that I don’t understand how to order anything without looking at the details, comparing prices, checking alternatives, etc. Even with food that I use regularly - do I just say “order almond milk”? I can’t remember the brand… do I need to specify the size? Do I need to double check when is the earliest delivery? Do other people order just “bread” or “light bulbs” or “toilet tissue”?
One minor criticism: it's a bit of a turn-off when a well-known logo (and even its position in the header/footer) is so brazenly copied.