A few days ago, we told you about an interesting report by tech journalist Joana Stern on how the standard iPhone PIN can let thieves take over your entire digital life in a short time. A few days later, Android journalist Mishaal Rahman revealed that Android is not protected either: the PIN code is enough to change your Google account password. Assuming you don’t store passwords in iCloud Keychain, we tried to replicate the experience on an iPhone and found that it took us less than a minute to change our Google password.
The PIN is the Trojan Horse
Background. Joana Stern focuses on something key in this case: the PIN, which by default is four digits, each chosen from 0 to 9. Guessing the PIN can take time, but in the scam she recounted for the Wall Street Journal, the thieves were a group of two or three people who, in a public space, used any pretext to get you to unlock your phone. After all, it’s not uncommon for us to be out on the street or in a waiting room with the iPhone in hand.
Although the PIN coexists with Face ID, there are times when we opt directly for the numeric code.
From there, all a thief needs to do is steal your iPhone: with the PIN they can change the Apple ID password, the iCloud Keychain passwords if you have that enabled, and use Apple Pay. Stern explains in her report that within three minutes of holding someone else’s iPhone, the thieves had already broken into the victim’s iPhone 13 Pro, and within 24 hours their bank accounts were empty. After so much about Apple products, you might think Android fares better. But Mishaal Rahman put on the table that on Android, too, the PIN code is enough to change your Google password and, with it, access everything you use through that account: emails and confidential information, documents, and so on.
I am not joking. If a thief knows your Android phone password, THEY CAN CHANGE YOUR GOOGLE ACCOUNT PASSWORD. I just had to go to Settings > Google > Manage your Google account > Security > Password > Forgot password > Use screen lock > Press YES on the phone or tablet.
— Mishaal Rahman (@MishaalRahman) February 25, 2023
So, setting aside that the Apple ID is the key piece of information, and assuming we don’t have any extra functions such as iCloud Keychain active, we set out with an unlocked iPhone to try changing the Google password. Not only did we manage it, but it took us less than a minute.
It doesn’t matter whether you access Gmail through the browser or through the app: the first step is to sign out, so that when you try to sign back in you can tap ‘Forgot password?’ and confirm that you want to recover it.
Google will suggest different ways to recover the password, but some interest you more than others. For example, it offered to send a message to my other phone or my iPad, but I told it I couldn’t access those devices. In fact, if you say you can’t, the process is over. No problem: you can repeat it immediately afterwards until it offers a prompt in your Google app (which in my case I had installed on the iPhone) or, best of all, a message or a call to your phone number. Once you can confirm it’s you, it lets you change the password.
After Joana Stern’s report and Mishaal Rahman’s tweet, the two reached out to Apple and Google, respectively, telling them what happened and offering suggestions for tightening security.
Thus, while a Google spokesperson replied that:
Our login and account recovery policies attempt to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios while keeping the bad guys out.
Apple claimed to be working on it:
We stand in solidarity with users who have had this experience and take all attacks on our users, no matter how rare, very seriously…we will continue to improve protections to keep user accounts safe.
Minimize the risks by modifying this option
Until Google and Apple act on this, the best thing we can do as users is abandon the numeric PIN in favor of an alphanumeric code, which is longer and uses more characters. Yes, it will take more effort to learn, but the number of possible combinations increases and it will not be so easy for someone to catch it at a glance.
To do this, go to ‘Settings’ > ‘Face ID & Passcode’. There you will need to enter your current passcode, scroll down and tap ‘Change Passcode’. Again, you will need to enter the current passcode. Now tap ‘Passcode Options’ and choose between three options: ‘Custom Alphanumeric Code’, ‘6-Digit Numeric Code’ and ‘4-Digit Numeric Code’. If you want the highest possible security, select ‘Custom Alphanumeric Code’.
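As an added illustration of why the alphanumeric option is the one to pick (this is example code written for this article, not anything from Apple, Google or the journalists mentioned), the Python below computes the keyspace and entropy of each passcode style named above and flags a few trivially guessable patterns. The rating bands and the weak-pattern heuristics are assumptions of this example, not published criteria from either vendor.

```python
import math
import re
import string

# Added example: rough strength assessment for the three passcode styles the
# article names (4-digit numeric, 6-digit numeric, custom alphanumeric).
# The thresholds and weak-pattern heuristics below are this example's own
# assumptions, not anything Apple or Google publishes.


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a passcode chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def alphabet_size_of(code: str) -> int:
    """Estimate the alphabet a chosen passcode draws from, by character classes present."""
    size = 0
    if any(c.isdigit() for c in code):
        size += 10
    if any(c.islower() for c in code):
        size += 26
    if any(c.isupper() for c in code):
        size += 26
    if any(c in string.punctuation for c in code):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def weak_patterns(code: str) -> list:
    """Heuristic checks for passcodes that are easy to guess or to memorise from a glance."""
    findings = []
    if len(set(code)) == 1:
        findings.append("single repeated character")
    # Differences between neighbouring characters: {1} or {-1} means 1234 / 4321 style runs.
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    if len(code) >= 4 and steps in ({1}, {-1}):
        findings.append("sequential run")
    if code.isdigit() and len(code) == 4:
        if re.fullmatch(r"(19|20)\d{2}", code):
            findings.append("looks like a year")
        elif re.fullmatch(r"(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])", code):
            findings.append("looks like a date (MMDD)")
    return findings


def assess(code: str) -> dict:
    """Summarise length, keyspace, entropy and weaknesses of a candidate passcode."""
    alphabet = alphabet_size_of(code)
    bits = entropy_bits(len(code), alphabet) if alphabet else 0.0
    findings = weak_patterns(code)
    # Assumed bands: a 4-digit PIN (~13.3 bits) is weak, a 6-digit PIN (~19.9 bits)
    # is moderate, and anything with a flagged pattern is weak regardless of length.
    if findings or bits < 14:
        rating = "weak"
    elif bits < 20:
        rating = "moderate"
    else:
        rating = "strong"
    return {
        "length": len(code),
        "alphabet_size": alphabet,
        "keyspace": keyspace(len(code), alphabet),
        "entropy_bits": round(bits, 2),
        "weaknesses": findings,
        "rating": rating,
    }


if __name__ == "__main__":
    # Constructed sample passcodes, one per style plus a patterned 6-digit one.
    for sample in ("1234", "000000", "201945", "gR7#kp2Lq"):
        print(sample, assess(sample))
```

The numbers make the article's point concrete: a 4-digit PIN has 10,000 possibilities (about 13 bits), a 6-digit PIN one million (about 20 bits), while a nine-character code drawing on letters, digits and punctuation is already far beyond anything a bystander could memorise from a glance. Checking for sequential runs, repeated digits and date-like values matters because those are the PINs people actually choose, which shrinks the effective keyspace well below the nominal one.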