A few days ago we told you about technology journalist Joanna Stern's interesting report on how the ordinary iPhone passcode can let thieves take over your entire digital life in a matter of minutes. Days later, Android-focused journalist Mishaal Rahman revealed that Android is just as exposed: the PIN alone is enough to change the password of your Google account. Assuming you do not store passwords in iCloud Keychain, we tried to replicate the experiment on an iPhone and found that it took less than a minute to change a Google password.
The PIN is the Trojan horse
Background. Joanna Stern focuses on the key element in this matter: the passcode, which by default is a short numeric code (four or six digits, each from 0 to 9). Guessing it could take time, but in the scheme she described for the Wall Street Journal the thieves worked in groups of two or three people who, in a public space, used any pretext to get the victim to unlock the phone. After all, it is not unusual for us to be on the street or in a waiting room with the iPhone in hand.
Although the PIN coexists with Face ID, there are times when we go straight to the numeric code: because you are wearing sunglasses that block Face ID or a big scarf, the angle is awkward, or simply because Face ID is slower at that moment. You type the PIN without giving it much thought, but someone behind you is watching to memorize the sequence, and it is not very hard to retain it on the first try. If they miss it, they may offer to take a photo with your phone and let the screen lock so that you have to type the code a second time. Now they have the PIN.
From there, all they have to do is steal your iPhone: with the passcode they can change the Apple ID password, the passwords stored in iCloud Keychain if you have it enabled, and Apple Pay. Stern explains in her report that within about three minutes of getting hold of a victim's iPhone 13 Pro the thieves had taken it over, and within 24 hours the bank accounts were empty. After so much talk of Apple products, you might think Android fares better. But Mishaal Rahman showed that on Android, too, the PIN alone makes it possible to change your Google password and, with it, gain access to everything you use through that account: email and confidential information, documents, and so on.
I’m not kidding. If a thief knows the passcode for your Android phone, THEY CAN CHANGE YOUR GOOGLE ACCOUNT’S PASSWORD. I just had to go to Settings > Google > Manage your Google Account > Security > Password > Forgot password > Use your screen lock > Tap YES on phone or tablet.
— Mishaal Rahman (@MishaalRahman) February 25, 2023
So, setting aside the fact that the Apple ID is the key to all of that information, and assuming features such as iCloud Keychain are not enabled, we set out to change a Google password starting from nothing more than an unlocked iPhone. Not only did we manage it, it took less than a minute.
It does not matter whether you access Gmail through the browser or through the app: the first step is to sign out so that, when you try to sign in again, the 'Forgot password?' link appears, and then tap it to start the recovery process.
Google will offer you different ways to recover the password, but some are more useful than others. For example, it offered to send a prompt to my other phone or my iPad, but I told it I could not access those devices. In fact, if you say you cannot, the process ends. No problem: you can restart it immediately, until it offers a prompt in your Google app (which in my case is installed on the iPhone) or, best of all, a text message or call to your phone number. Once you confirm that it is you, it lets you change the password. All I needed was the phone, unlocked and working.
After Joanna Stern's report and Mishaal Rahman's follow-up, the two journalists contacted Apple and Google respectively, describing what happened and offering suggestions to strengthen security.
A Google spokesperson responded:
Our login and account recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios while keeping bad guys out.
Apple, for its part, said it is working on it:
We stand in solidarity with users who have had this experience and take all attacks on our users very seriously, no matter how rare… we will continue to improve protections to help keep user accounts safe.
Reduce the risk by changing this setting
While we wait for Google and Apple to act, the best thing we can do as users is to leave the numeric PIN behind in favor of a custom alphanumeric passcode, which is longer and draws on a much larger set of characters. Yes, it will take more effort to learn, but the number of combinations grows enormously and it will be much harder for an onlooker to memorize it the first time it is typed. Bear in mind that a longer code is still a single secret that unlocks everything described above: it only helps if you keep it out of sight when typing it, so lean on Face ID wherever you can and type the code as rarely as possible in public.
To do so, go to 'Settings' > 'Face ID & Passcode'. Enter your current passcode, scroll down and tap 'Change Passcode'. You will be asked for the current passcode again. Now tap 'Passcode Options' to choose between 'Custom Alphanumeric Code', 'Custom Numeric Code' and '4-Digit Numeric Code'. For the highest possible security, select 'Custom Alphanumeric Code'.
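To put numbers on "the combinations increase", here is an added example (not code from the original article or from Apple) that computes the keyspace and entropy of the three 'Passcode Options' above and generates a random custom alphanumeric code with the operating system's CSPRNG. It goes slightly beyond the text by also including a 12-character alphanumeric code; the policy table, alphabet sizes and lengths are our own assumptions, not Apple's specification.

```python
import math
import secrets
import string

# Constructed policy table mirroring the three iOS "Passcode Options" named in
# the text. Alphabet sizes and lengths are assumptions for illustration.
DIGITS = string.digits                       # 10 symbols
ALNUM = string.ascii_letters + string.digits # 62 symbols (no punctuation, to stay conservative)

POLICIES = {
    "4-Digit Numeric Code": (len(DIGITS), 4),
    "Custom Numeric Code (6 digits)": (len(DIGITS), 6),
    "Custom Alphanumeric Code (8 chars)": (len(ALNUM), 8),
    "Custom Alphanumeric Code (12 chars)": (len(ALNUM), 12),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes an attacker would have to try in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code of this shape, in bits."""
    return length * math.log2(alphabet_size)


def compare_policies(policies=POLICIES) -> dict:
    """Return {policy name: (keyspace, entropy bits rounded to 0.1)} for side-by-side comparison."""
    return {
        name: (keyspace(size, length), round(entropy_bits(size, length), 1))
        for name, (size, length) in policies.items()
    }


def generate_passcode(length: int = 12, alphabet: str = ALNUM) -> str:
    """Draw a uniformly random passcode from the OS CSPRNG (secrets), never random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, (space, bits) in compare_policies().items():
        print(f"{name:38s} {space:>24,d} combinations  ~{bits} bits")
    print("example custom alphanumeric code:", generate_passcode())
```

The entropy figures assume the code is chosen uniformly at random; a birthday, a keyboard walk or a reused PIN is far weaker than the table suggests, which is why the generator draws from `secrets` rather than letting the user pick. None of this changes the shoulder-surfing problem the article describes: entropy only matters when the attacker has to guess.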
Image: composition of a Flickr photo and our own screenshot.
In Applesfera | How to change the passcode on iPhone and iPad so that it is almost impossible to crack