Thieves took their iPhones. Apple won't give their digital lives back

Account Takeovers via Stolen iPhones

  • Several comments describe a common pattern: thieves shoulder‑surf the device passcode, steal the phone, then use that passcode on a “trusted” device to reset the Apple ID/iCloud password and associated email with no extra factor.
  • Apple’s “Stolen Device Protection” is seen as a partial fix, but it is not enabled by default and is still imperfect.
  • Advanced Data Protection (ADP) is noted as making accounts truly unrecoverable if the recovery key is lost, which is viewed by some as an overcorrection.

Security Model, Usability, and User Education

  • Some blame users for losing passwords/recovery codes; others argue a security model that’s easy to misunderstand and full of traps is itself flawed.
  • There’s criticism that security options are too “convenient” and not properly explained; suggestions include mandatory education (videos + quizzes) before enabling high‑risk settings.

Identity Verification and Account Recovery

  • Debate over why banks can remotely re‑verify identity in minutes (ID photo + video) but Apple claims it can’t.
  • Counterpoints: banks accept quantifiable fraud risk, have better KYC data, can cap transaction sizes, and charge for this risk; Apple operates globally and would face unbounded, hard‑to‑insure liability (e.g., “lost career” value).
  • Some propose in‑store ID checks and court‑order requirements; others note dangers of giving support staff powerful account‑transfer tools (SIM‑jacking analogy) and of abusive partners weaponizing recovery processes.
  • It’s noted that Apple has a recovery flow but generally will not take an account away from whoever is currently logged in.

Privacy, Governments, and Apple’s Motives

  • One camp: Apple avoids manual recovery to preserve a “we can’t help, even for governments” posture and avoid backdoor pressure.
  • Another: in these cases data isn’t E2E encrypted (ADP is off), Apple clearly can decrypt and is simply choosing not to provide basic customer service.
  • Broader skepticism: any technical ability to recover implies governments can compel its use (NSLs, subpoenas), so true safety comes only from not giving data to third parties.

Backups, iCloud, and Practical Advice

  • Strong consensus that relying solely on iCloud is risky; the 3‑2‑1 backup rule is recommended, with at least one copy not tied to the Apple ID.
  • Multiple reports that full iCloud export (Photos, Drive, app data) is cumbersome and fragile. Workarounds:
    • Keep a Mac (or Mac mini) signed into iCloud, set to keep full‑res photos and all files locally, then back that machine up (Time Machine, NAS, Backblaze, external drive, rclone, third‑party downloaders).
  • Some argue: if losing one online account destroys your business, your risk management already failed.