124 comments

[ 3.5 ms ] story [ 210 ms ] thread
Having a single apple device on an iCloud account sounds like a security risk. I was in a similar situation out of sheer stupidity (new device, went on vacation, forgot unlock code), but I was eventually able to recover using an old linked iPad, the iCloud password, email, and time.

The interesting bit is theives ability to disable FindMy, it's effects, and following sequence of events.

> out of sheer stupidity

I have to push back on this. It's not stupidity to not realize you need another Apple device to have any reasonable chance of navigating their support channels. It's not something they go out of their way to teach you about, until you learn the hard way. Indeed it's an infuriating (IMO) dark pattern.

Don't blame yourself or others - this is on Apple!

EDIT

My personal brush with this was when my wife's phone was lost/stolen/etc and she forgot her iCloud password. Even though she had not one but two active macbooks, the fact that the credit card she'd registered with iCloud caused weeks of delay from Apple. They wouldn't budge unless we entered the original CC number, but their system rejected it due to the expiration. Madness! I'm glad that I had an internal contact - most people would have been locked out for good. These days I use a thinkpad...

I think parent’s use of “stupid” is referring to themself going on vacation and immediately forgetting their unlock code.

Regaining access to a single device that has been robbed and unlocked at gunpoint is a tough scenario. But I agree that there must be better support patterns to recognize and deal with such a scenario… the rather unfortunate thing I see here is his brother falling for a phishing scam, which yes ultimately will lose the device for good (physical access + password). That is harder to deal with from the support end, I’d imagine.

Many years ago I had my iPad stolen on a train. Realised what had happened while we were still between stations. In theory all I needed to do was use the find my device function on my phone and walk the train until my iPad connected to my phone.

Except the bloody thing wouldn't work on my Android phone. The page was just telling me to download the iCloud app from an Apple device.

I didn't get the iPad back and haven't purchased anything from Apple since.

It does especially when learning from the article, with Argentina's average income, earning an extra device is no small feat:

"An iPhone is not cheap in general, and in Argentina less so. The current price for an iPhone 13 is ca. 400.000 ARS, which roughly translates to 2200 USD or 1300 USD at the unofficial rate (it's complicated). With an average monthly salary of 427 USD (according to Numbeo) you can see that getting a new iPhone is not a choice to take lightly."

How they changed the trusted phone number is the biggest mystery here and the biggest concern. They linked to a HN thread, and I guess by implication they're saying that the phone was unlocked when it was stolen and that is somehow how it was changed?

It is interesting that Apple has no way of viewing phone number histories.

On an iPhone you can go to Settings -> Name, Phone Numbers, Email -> Edit Reachable At. That's one way I guess. Haven't used this menu before so not 100% positive.
True - maybe it shows it afterwards, but adding a new phone number doesn't require password entry or Face ID. As for removing the existing number, I can't remove mine until I de-register it from iMessage & Facetime (since it's the number on the phone), so maybe they turned those off or they popped in a new SIM card.
Something that's always confused/concerned me - at least on Mac - is that when I get asked for a 2FA code logging into the icloud web UI or similar, the same computer I'm logging in from pops up a popup with the code the Apple site is requesting. Wonder if that sort of thing comes into play here - if you are trying to do something "untrusted" on a device, the trust check shouldn't rely on that same device? But then if you only had a single device you're in trouble...
I imagine the problem is that, from the perspective of the web browser, the computer you happen to be using is a separate device, because it's a separate logged-in application. Seems like an obvious hole, but I don't know how you would fix that.
On Safari in latest macOS/iOS, it pops up an official prompt for signing into appleid.apple.com instead of having you remember and enter a code[0], so it becomes "you either need to use the local authentication factor, eg. face ID to sign in, or be in possession of an unlocked device and know the password".

The real question here, IMO, is how do you prevent against this. Because to the Apple engineers in the US of A, having your phone stolen at gunpoint is almost unheard of, and getting it swiped from your hand is also barely a problem anymore since thieves in the US typically don't go through all this effort to phish the Apple ID password from you (at most they sell it to a 3p service that ships it overseas to China for teardowns and parts salvaging).

0: https://apple.stackexchange.com/q/382190 (note that it prompts for local user account password because the long-lived token that performs a new grant for the Safari session is stored in local Keychain; so if you have touch ID or watch unlock on your Mac, it'll use that first)

The web session is untrusted, and they have a trusted connection to the OS known to belong you.

Don’t know how it is implemented exactly, but on the OS level they can do a lot of clever tricks. From their servers they can literally send a challenge-response protocol to the secure enclave of your computer, thus verifying that on the other end of the encrypted connection they are trully talking with a computer manufactured by them, and that computer is the one which is registered to your account.

If they implement this correctly they can make an attack against this chain of trust very costly.

On the other hand on the web they get a http querry with some cookie attached. Maybe. Lot harder to gain the same level of assurances there. And a simple cross site scripting attack, or a compromised browser extension can steal said cookie.

> The web session is untrusted, and they have a trusted connection to the OS known to belong you.

Known to belong to me, yes. Known to be in my possession, no.

You'd still need one further thing to go on as far as I can figure - I'd need the password to type into my browser first - but treating "browser session" and "machine the browser is running on" as separate levels of trust seems naive in terms of what someone who steals the machine can do.

(comment deleted)
I don't know the exact workings, but usually the authentication popup should popup with at least 1 other factor to challenge(e.g. touchid or password) if it hasn't asked recently. That way it uses 1) something you are (touchID) and something you have (Validation from a known good device) as the 2 factors.
I can’t confirm right now if it works today, but I remember previously inserting a new SIM and having Apple ask me if I want to update my iMessage number to the new number? Actually, never mind, easier than that. All you need is unlocked access to a device that already has 2FA, it seems: https://support.apple.com/en-ca/guide/iphone/iphd709a3c46/io... (see section to add or remove a new phone number)

Feels like there’s a missing password prompt there. And maybe confirmation on a second device, if you have one.

I have to enter my password every 15 minutes that I buy something from the App Store. The change felt recent, maybe after high-profile cases of toddlers spending $$$ on in app purchases?

The fact that "I'm going to change my phone number, which is an important credential to this account" has less security than "I want to buy an app for $0.99" just goes to show you that sometimes, particular emergent properties of a system are not what any logical person would come up with deliberately.

That or someone just needs to make a big enough stink and try to get the liability shifted to Apple for negligence here on account takeovers, and they'll figure out how to change.

I'm probably being too cynical. But charge backs and customer support because some kid is falling for predatory IAPs cost apple money. This? Idk
Have you verified this information? Other comments in this thread have and are saying that changing any phone number connected to iCloud requires a password.
Wouldn't figure the person doing stickups for iPhones would be technically savvy enough to send phishing SMSs with associated site hosting. Presumably someone in the underworld is offering this "as a service?"
Division of labor within a larger criminal organization - line workers snatch the phones, and IT "unlocks" them.
Usually stolen goods are sold to a professional fencer for a price that factors in the risk of not being able to unlock/reset and move the phone.

Some of the economics of the underworld are remarkably sophisticated. Everyone has a role and there are some parts of the supply chain that require different kinds of risk. Sometimes it’s risking cash, physical safety or personal-criminal repercussions.

They are savvy to know enough to force people to disable security/ sign out of icloud so they can sell the phones.

This was just in the news in Philadelphia recently where a whole house was forced at gunpoint one by one to unlock and sign out of their iphones. https://www.cbsnews.com/amp/philadelphia/news/how-philadelph...

Id be in trouble since my work iPhone has some password manager generated random nonsense that i would never be able to remember. All i know is it uas the second single tick on the keyboard, not the first, and they look visually identical on ios.

I rather give up my wallet than try to recover all the 2FAs on my phone.
As an iCloud user, this is absolutely terrifying. Apple needs to fix this _yesterday_, and close the relevant holes.
Not going to try to justify Apple but feel like a piece of info is missing from the post. How did they unlock the phone? Maybe the phone had no auth set up?

In general, it's expected that you should be able to update your own phone number in your iCloud account.

That's fine. The issue is that criminals can use it to lock you out of Find My, etc.
Would you prefer not being able to remove your own old phone from Find My?

There is a lot of disappointment expressed in the comments here but we need level-headed solutions, not just rage against things that are actually useful in 99.9999……% situations.

Seems like there are vanishingly few security measures which prevent the held at gunpoint scenario but still allow the user to do things.
One fix that was mentioned in the comments that would have been easy to implement (and, frankly, bizarre it’s not implemented yet) is confirming password when performing such critical actions as removing or adding devices/telephone numbers.
I just tested this on my iphone and it absolutely asks you for a password before you can touch the icloud phone number. I suspect the victim was compelled to either enter or hand over this password when the phone was stolen. It's not out of the question that the brother forgot this happening consider how stressful the situation would have been.

This is essentially the famous xkcd "5 dollar wrench" problem https://xkcd.com/538/

Thanks for testing this, Gigachad!

At this point I will just stop commenting on this post as it seems like either Apple already fixed this or some of the most critical information has been omitted by the author. So we are just guessing and raging for no reason.

Author here.

Unfortunately I don't have an iPhone to check, but another comment [1] suggests that this may happen if you physically change SIMs. My brother said they didn't ask for his iCloud password, which makes sense: if they had the password then they wouldn't have needed the phishing step afterwards.

[1] https://news.ycombinator.com/item?id=34407683

Having a "re-enter your password to confirm" step is bog standard for critical actions like that. It would be no serious burden for a legitimate user, and an extra hurdle for a thief.
Buy pointing a gun at the owner?
It would have been helpful to explain that instead of leaving everyone guessing. Being able to unlock the phone is one of if not the most important detail here.
It’s the first sentence.
Are you sure? Want to re-read it one more time? The phone was _stolen_ at gun point, not unlocked. It looks like the password was later phished when author's brother clicked the fake Apple support link. So at that point they had access to both the password and the phone. But I am guessing, it's not clear how/what they did.
I’m not sure, it’s just the most logical and simple explanation.

To add some context, Argentina has a history of robbers asking people to do complex tasks at gun point, like withdrawing money, and other things during “secuestro express”.

https://xkcd.com/538/

Lots of people keep talking about password codes, etc. You should be able to hand over your phone to an attacker and walk away knowing you and your data is safe.

At least don't use biometrics, they will cut off your thumb AND steal your iphone.

Author here. We do not know for sure how they unlocked it, but the phone was locked with a numerical pin. My guess is that those numbers must have been easy to see on the screen based on the smudges alone. I wanted to ask for more details, but I decided against further traumatizing him with my (as far as he's concerned) pointless geeky questions.

Also, trivia for iPhone users: my brother used to have Face ID set up, but he disabled it because he couldn't figure out how to set up a second face and it was annoying when he needed to share the phone with his wife. So don't do that!

I sympathize with the writer, but have to ask, what solution would make it possible to resolve this situation without weakening the security for another case that sounds the same but is being used by someone malicious?

I think you have to activate the Apple 2-factor authentication so that your key Apple ID info cannot be changed without corroboration or that 28 character code.

If Apple were to let this situation be reversed, who is to say a hacker wouldn't be using this exploit to take over someone else's account?

If an icloud account becomes in dispute then it should be locked, generally. The problem isn't the technology it's the lack of actual tech support. There should be a reasonable way to speak to someone that can validate the account in someway. Similar to credit reports. Show an ID, answer questions about the account, like previous devices, when it was created. Provide pictures etc of the people in the pictures in the account.

The problem boils down to one of the most profitable companies in the world becoming that way by cheaping out on support for their users.

There is not a single tech company out there that wishes to get into the business of checking people's physical IDs or wanting to invite use of IDs (or making judgements about such authenticity) to manage their accounts.

How would this work? You provide a certain number of photos to corroborate who you are? How would that not be vulnerable to hacking as well?

Let me tell you, Apple's iCloud policies are STUPID. Once upon a time you could sign up to an account WITHOUT verifying your email. Someone signed up under my Gmail account, and it's been stuck there since.

As the author found, support is useless . It took me close to 2 weeks after emailing Tim Cook about the situation, since I was seriously considering an iPhone. Executive liason had it reset for me.

I was able to change the password, login, and the VERY next day the password was changed (presumably from whomever is using it on THIER phone). I've given up. My time is not worth chasing this down.

I may eventually just start harassing the douchebag who thinks they have my email address, but there are like 3 or 4 people whom i get email for. AFAICT every single one is a boomer.

Can you setup your iCloud using that gmail address but with a different number or placement of dots?

sev.erian@gmail and severian@gmail are the same to gmail but many places treat them as different. (I don’t know what iCloud does.)

https://support.google.com/mail/answer/7436150

Most services have figured this out now and normalize the field internally to prevent this, mostly for spam reasons.
I had a similar thing happen with an Australian insurance company sending me contract details for some woman who had her car and home insurance with them. I don't know if she added the wrong email by mistake or their IT fucked up connecting data from a third party service (I've never been in Australia, and have never made business with the insurance company), but it was hard work getting them to fix it.

Their support did nothing. Their privacy department did nothing. What finally set things into motion was complaining to their regulatory authority. Wouldn't you know it, within two days, I had a personal email saying they'd remove my email from the account, and they haven't emailed me since.

Would emailing the insurance company in question and saying you were looking to cancel your insurance policy be an option?
Possibly, but I didn't want to cause their client any trouble by trying to cancel her policy. I'm pretty sure she didn't do it to annoy me. And if she did I'd be amazed by the creativity and effort she put into trolling some nobody on the other side of the planet.
Someone signed up to Tesco using my email address, and there was no option to delete the account, even after resetting the account password.

So I changed the email address on the account to Tesco support's email address, now they can deal with it.

I wonder if their systems were prepared for automated replies between validated email addresses. Love the approach!
Terrible yet hilarious. Please never give up the fight!

This is straight out of Office Space, except In Real Life.

That's about the worst that can happen if you rely on any cloud. With that risk existing, I think people are massively miscalculating the time / money / complexity they save on cloud offerings.

"You don't have to worry about anything, we've got you covered. But there's a 0.05% chance on any given day that you lose access to everything and we won't bring it back unless you personally know someone at our company."

Because people losing their data before the cloud was unheard of. The most safe option is to use the cloud but also download the data exports for local storage. This is very easy with Google Takeout but I was unable to work out how to do this with iCloud since they seem to think there would be no point ever exporting your data from iCloud.
Not unheard of, but usually your fault ("I didn't think I need a backup"), and easy to avoid once you've formed a habit.

You're right that the safest option will be to have backups of your own, but at that point the cloud is only adding convenience for backing up your device for restoring, or for synchronizing files between cell and pc. To be sure you still have your data five years from now, you still need to do it yourself. I believe a lot of people understand the cloud to mean "I give you money, you make sure everything works and I don't have to get into the details".

> Because people losing their data before the cloud was unheard of.

That's not true at all. There were entire businesses before "the cloud" that did very little more than service people who had lost their data and help them recover it.

I used to get billed out at near-lawyerly rates for recovering data in the mid 1990s. While I was in high school. Businesses like DriveSavers were even more lucrative.

I do wonder how you guard against the threat of you walking down the street staring at your phone and having someone snatch it out of your hand while it's still unlocked. A saavy thief could then disable the auto-sleep and as long as it doesn't run out of battery they could leave your phone plugged in and hence will never require the passcode again. A few apps (at least on iOS) give you the option to require your passcode again to access them (e.g. if you lock a note), but for the most part an unlocked phone is a treasure trove of personal information for the thief.
Disabling autosleep should be behind an authentication step.
Even in that case, they could just install and start a game, which would also prevent autosleep. Or they could just start playing an extremely long video (e.g. x days long black screen) or a video stream.
It really all boils down to "Part 1: Locked out of iCloud". Without that step you can remotely put the device in lost mode and it will lock. That loophole needs a fix.
It's probably worse than that. How would you guard against the threat of someone forcing you to unlock your phone at gunpoint? Call their bluff and just throw the phone in the gutter and run away? Stall for time like you forgot the password?
Yeah I don't think you can defend against a gunpoint threat, but my guess that's much less common than a casual petty thief who just snatches your phone out of your hand and runs.
(comment deleted)
The "trick" unfortunately is to buy a second apple device (macbook, iphone, etc.), sign it into your iCloud account, and make sure it can be used for two-factor authentication. Then if you lose one of your devices, you can use the other device to 2FA into your account without using a phone number.

Another, cheaper but potentially more risky option, is to use a Google Voice number as your 2FA SMS line.

If the OP's brother had either of those options in place, I'm pretty sure he could have recovered his account and removed the stolen iPhone from the list of authorized devices.

Even for online banking, many suggest to use a google voice number for 2FA SMS, thanks to sim swap attacks. However, some banks don't allow google voice numbers.
Ideally, you want a separate Google Voice number as your trusted phone number and to have no unauthenticated access to that Google account from the phone. I also just checked and you actually can’t even change the trusted phone number without logging into applied.apple.com, and you can also register the numbers of trusted friends or family members as a backup to recover access. So the situation is not as concerning as the original post suggested, if you’re careful.
(comment deleted)
Does anyone know if this is the case when you have the Recovery codes set up?

Another idea, what about Legacy contact? I’d not be ashamed to “use it in any way possible” to re-gain access to something that was stolen from me.

For 2FA - yes. Not for when you lose your password AFAIK.
Hi, What I meant was the special security feature that Apple introduced last year (I think, all the years feel the same since 2020…). You can opt out of any “apple-assisted support” for account recovery and you receive 28char unlock key to recover your account.
One takeaway: a cloud account isn't a sufficient backup on its own. If you have to log into Apple/Google to download your files and photos, then they're at risk. Make regular backups to an external hard drive or something, and ideally have your stuff automatically back up to a NAS somewhere as well.

Also, after reading this I'm going to have to think about what would happen if someone stole my phone. I take it everywhere with me. It's not an iPhone, but it's still worth a few hundred dollars and it has all kinds of data and logged-in accounts on it. I assume if it was stolen at gunpoint, I wouldn't be in a position to refuse to unlock it and unlock some apps/accounts.

Can you routinely and reliably back up iPhone photos to a NAS? I have a NAS but synlogy app is just not reliable
With Google I have it set up to email me the Takeout download link every 2 months which I then download manually
https://takeout.google.com/

I recommend everyone who hasn't done it before, to hit the above url while logged in and firing off an export. It will respond back after some time with URLs you can download. Great for downloading your Youtube playlists and history.

BTW, Apple's version of Takeout is at privacy.apple.com. Once you log in, click on "Get a copy of your data".
Doesn't the takeout strip the metadata from the photos? Things like the location data. I vaguely remember looking into this in the past and from what I remember there was no good way around it.

I haven't seen any alternatives to Google Photos either. Ente might be most promising, but their iOS app is not great at actually automatically uploading photos.

Google Takeout dumps the files exactly how they were uploaded without any modifications. It then provides it's own info/metadata as a json file with the same name.

There are some situations where you may have entered geolocation data on the app/website and this will end up in the json file rather than embedded in the image file metadata. It's up to you to work out how you want to merge this back in.

That is good to know, thanks! I might be misremembering it. It has been a while since I looked at it.
> Can you routinely and reliably back up iPhone photos to a NAS?

The way I do it is slightly roundabout but works well — I sync to iCloud, which in turn syncs to my desktop, which I backup to my NAS from there.

(Important note: You'll need to turn on "Download Originals to this Mac" in Photo's Settings, otherwise you'll get hi-res proxies rather than bit-for-bit source images.)

I highly recommend PhotoSync for iOS. I believe it’s about $25-$40 for a lifetime license. It’s hugely configurable in terms of targets, triggers, and schedules for upload. But most importantly to me, it’s been rock solid and I’ve never run into an issue with it. Only thing to remember is to open it once upon reboot. Works brilliantly after that.
Seconded. I don’t keep photos on my phone for very long, instead I regularly upload them to a self-hosted PhotoPrism instance via PhotoSync.
Make sure to check the saved photos. I stopped using it after I found that random photos were blank after the export. It wasn't reliable, and I only backed up 20Gb, so not that much.
I definitely check it regularly because I’m insane; but in the years I’ve been using it I’ve thankfully never had the issue you describe.
I use the syno app just fine. I setup a geo boundary so that if I’m at home it backs up - for my wife’s phone it just happens in the background, for me though I have to open the app for some reason… so I do it every week or so.
Exactly this. I have Google photos and I use it all the time, for every photo/video I take. But I also back up everything I can using the [gphotos-sync](https://github.com/gilesknap/gphotos-sync) python script. As it says, it's not the 100% quality in either photo or video, but it's still the memories.

Please if you aren't backing up your cloud storage photos/important files, stop reading HN and go and set it up now.

I can recommend backblaze for cheap reliable storage and the restic backup client which is brilliant (a single, small binary). There's also rclone, or even the backblaze cli client. [Sorry I sound like a Backblaze shill!]

That's basically the old idea that a single point of failure/backup is not sufficient. It's not specific to Google, Apple, Microsoft, etc. One copy can get damaged, hijacked, erased by accident - so ideally keep 2 or more (encrypted) copies.
I disagree with the way it's presented. It starts off making it sound like his brother was taking every precaution and a few paragraphs in it has him being phished with these URLs:

> https://apple.iforgot-ip.info and https://apple.located-maps.info

maybe you should remove those links.
Nah, I'm good :)

Hell, I'll even go to them and send some fake stuff. Thanks for the idea.

Edit: they're down. Too bad, I'll have to send junk elsewhere.

It helps having an active passcode lock.

And you can put your phone into Lost Mode with Find My turned on, right away by signing into https://icloud.com/find from any web-enabled device.

That does nothing when the situation is someone pointing a gun at you and saying "Hand over your phone and tell me the password"
That's not what happened though, as I read it. The thieves stole the phone at gunpoint, then tricked the victim into giving up their password later via a phishing SMS. So this action would've been useful.
Curious what others think that Apple should have done in this situation. Social engineering and providing stolen information is a tactic that's been around for years.

What are they supposed to do? Believe everyone that calls up with "I got locked out?"

I kind of wish that they had a way to lock possibly stolen accounts and allow people to verify their ID at an Apple Store or something, though.

I don't think there is anything they can do when someone is being held at gunpoint and told to hand over their phone and password.

Perhaps they could prompt users to keep local backups of their icloud data rather than pretending it's impossible to lose info in the cloud.

> someone is being held at gunpoint and told to hand over their phone and password.

The article doesn't say that happened, though. It just says "My brother got his iPhone stolen at gunpoint." If the victim had been made to hand over his password, that's a very very huge detail the blogger did not include.

I had my phone stolen from me at Pride in SF and went through a lot of the same steps. The thieves yanked the SIM immediately. I was able to follow the phone as it hopped onto public wifi networks (mostly at stores) that I had joined before. it finally wound up in Shenzhen, China.

How else could they have swapped the phone number on the iCloud account? That’s the only part of this story which is interesting.
Changing important account information (such as a phone number) should have a recovery period by default.
I’m guessing the thieves with guns got him to leave them with an unlocked phone?
Apparently starting with iOS 15, you can now erase your iPhone remotely and still locate it in Find My. Previously you would lose the ability to track it after wiping.

https://support.apple.com/guide/icloud/erase-a-device-mmfc0e...

It sounds like this might not have worked in the author's situation, where the thieves changed the phone number immediately. It sounds like at that point it was pretty much game over.

Author here. I just want to clarify some of the points I've seen repeatedly mentioned in the comments:

AFAIK my brother didn't hand over his iCloud password. That's what the phishing messages were for. Had he not fallen for that (as the article in Spanish explains) the thieves could have only sold the phone for parts. As for how they changed the recovery number, lstamour [1] has what I consider a good guess.

My brother did have a screen lock, but it was a 4-digit numeric code. My guess is that the smudges on the screen revealed quite easily what the code was as AFAIK the thieves didn't ask for it. He chose that code because he often shares the phone with his wife and having to show his face every time was annoying. He didn't know you can have two registered faces, and I don't have the heart to tell him now.

And finally, many of you correctly pointed out that there are steps that could have mitigated this attack. I wanted to share this story mostly [2] because I think it's an interesting example of what iPhone security is like for the type of user who would never set foot in HN. I could have easily followed the steps delineated in this comment [3] from the other thread, but my brother is not that type of user.

[1] https://news.ycombinator.com/item?id=34407683

[2] Okay, the main reason I published this story was to find someone who can help (wink wink). But the other reason was definitely in the top 3.

[3] https://news.ycombinator.com/item?id=33602627

Well, remember the old days where we had fingerprints on iPhones? I remember. My thumb was registered on my wife's phone and hers on mine. Never an issue with sharing a phone.

I'm sorry this happened to you.

You still had a pin code, in addition to the fingerprint. It's an identical situation.
iOS supports both fingerprinting AND inputting of a PIN ... in iOS?

Did not know that. Then again, not sure how we can do that ... in iOS.

https://discussions.apple.com/thread/7647773

I am sorry this happened to your brother.

I think the information you added makes the majority of the discussion in this thread irrelevant. If the thieves phished the password in a separate attack and then used that to perform iCloud account hijacking - then that's a fairly expected outcome that is not unusual in the industry. Having both the password and the phone basically proves full ownership.

I empathize with your frustration, but realistically speaking, the outcome very likely would have been the same if he used any other phone from a major tech company.

> Having both the password and the phone basically proves full ownership.

The thieves changed the phone number immediately while they only obtained the password around 5 days after stealing the phone. Had Apple support been more... well, supportive, we would have been able to recover the account long before the thieves got the second factor. There was a big window of time in which Apple could have helped, but they chose to send us in circles instead.

As for "proving full ownership", those factors cannot prove full ownership because the thieves are not the legal owners of the account. There are multiple ways in which we can prove ownership (legal documents, access to the iCloud email, photos of us inside the account, etc) but Apple doesn't want to provide real tech support (as this commenter [1] pointed out).

Also, related: had this happened in Europe, the GDPR would force Apple to provide my brother his data (as I've written before regarding Google and a locked account [2]). So it's not like they can't, but rather that they don't want to, and I think it's perfectly fair to criticize them for that.

[1] https://news.ycombinator.com/item?id=34407647

[2] https://7c0h.com/blog/new/lost_gmail_ii.html

Look, I totally agree with you: this situation is everyone’s worst nightmare. I wish Apple has responded in a more reasonable and timely way.

Saying that, I can see how by limiting their involvement they are reducing the risk surface. To address issues like that (and there is, of course, a huge spectrum of account hijacking situations) they would need to train an army of international support representatives who would have the authority to overwrite iCloud ownership - an incredibly questionable power. They would need to be able to validate various documents (e.g. US military ID or some obscure residence permit in Japan), be able to verify photos (which with recent ML advancements is becoming increasingly difficult), make phone and video calls to verify identify, and so much more. In turn, these representatives would become vulnerable to social engineering attacks themselves. If they overwrite ownership for a very sensitive account - who would ever trust Apple again?

It’s basically one of the major principles of cryptographic products: it’s safer for them (and, to be honest, for everyone) to deny giving access to one account, then jeopardize trust in the entire company.

I hope Apple will be able to help you through some process - maybe it takes longer than it should have. Good luck!

One note: I was the target of a spamming campaign by someone with too much time and bad intent (possibly automated). Under GDPR I asked for my personal data including IP address for the accounts created in my name. Many parties delivered, but some of the privacy professionals noted that since I claimed I did not create the account, the personal data wasn’t mine. I found that unexpected and clever. Never got around to filing a police report and finding the person using the IP address since luckily the harassment stopped.
I use a 4 digit unlock code, and every now and then I get curious and look to see if I have smudges over those numbers. I've never seen telltale smudges on mine. Of course MMV
Apple is making changes to allow using Yubikeys and other FIDO keys to secure your account. There is now also a recovery code mechanism that disables the grossly insecure phone-based recovery mechanism.

https://support.apple.com/en-us/HT208072

Can you elaborate on how the phone-based recovery mechanism is grossly insecure - I am genuinely curious…
Well, the OP said the thieves were able to change the phone number on the account, for starters.

Even without changing the number, phone numbers are easy to hijack. The security of the scheme depends on how gullible a cell phone company customer service rep is, or how corrupt a phone shop employee is who is willing to do a "SIM swap" for the crooks. See Brian Krebs' website for a description of the process and how it was used to empty crypto wallets.

Furthermore, telecom standards were designed by committee and rely mostly on security by obscurity. The SS.7 system used to carry text messages has no encryption or authentication and no security whatsoever, which is how Russia or Saudi Arabia have been using it to track dissidents in the US through their phones. Even if you don't have access to the SS7 network, you can also intercept them over the radio waves using about $1000's worth of PC and electronics because spy agencies have gimped the encryption standards to make them easy to tap.

IIRC changing the phone number associated to an AppleID involves knowing the device code, the AppleID passcode or having access to another device with 2FA.

I may be wrong and I have multiple devices with 2FA activated, so my mileage may vary because of this. I’d always expect 2 factors to be necessary to make changes to my account. If changing the phone number with activated 2FA is possible without one of these elements present I’d consider it an oversight. I consider the SMS mostly a tool to make sure the user has access to the new phone number while setting it up and does not misstype.

Since OP mentions a 4-digit smear code I am not convinced that Apples security is the weakest link.

I emphasize with you but I am not sure if Apple even should be able to help you in the ways you imagine.