Banking and security

All with a pinch of salt of course. Could just be a Monzo hate post.

I guess with my 15+ bank accounts and 30+ cards at home I might be OK until I can get to O2 the next day and grab a new SIM.

Does make you think though on the what ifs. Possibly take it for granted these types of events are infrequent, and I feel the “it wouldn’t happen to me” kinda vibe, and I’m likely not alone in this.

2 Likes

Could be. But the vibe in general (from on here and not just this one post) seems to be “Monzo product development on fire. Support poorly managed and organised - and variable at best.”

Or am I being overly harsh?

5 Likes

You? Harsh? Never!

I always thought Monzo had 24/7 phone lines for lost and stolen.

1 Like

If they do, I don’t know what the number is aside from the standard one.

I do remember them saying that lost and stolen had 24/7 coverage though, as some reassurance when some folk got reduced 9-5 support.

1 Like

How do you ensure this?

I’m guessing you’re not using your phone-linked iCloud account for your primary email?

Do you also avoid putting your primary email account on your phone entirely, or do you perhaps use an email client on your phone which can be locked independently of the screen lock?

For a start, stop using Keychain. Third-party password managers like 1Password and Bitwarden don’t fall back to the phone passcode.

3 Likes

I have 1Password set up on my phone, iPad and multiple Macs, and also have encrypted USB drives with my 1Password emergency recovery document, to make me feel like I’m Jason Bourne and can recover things if I get burned, but also so it’s separate from any device.

2 Likes

I’d go for an independent password manager and Authy which you can install on a computer as well as a phone.

And don’t chuck or part-exchange your old phone. Keep it with the full suite of applications (esp. TOTP/passwords) so you can easily retain access.

1 Like

There’s actually nothing wrong with keeping a written/printed copy of critical passwords and fallback codes etc. Keep it in an innocuous-looking sealed envelope in a place only you know.

If someone is breaking into your place for that, then they’ve probably got the ability to compromise you digitally, too. (And you should probably rethink your career as a spy/international arms dealer).

3 Likes

I think it’s time for phone numbers to exist in software. Why can’t we use the same number on multiple devices, for example?

1 Like

Cloud-based PBX service.

When my work ‘number’ is called from any source, my physical office desk phone, mobile phone & laptop (both running an app) all ring. Whichever device I choose to answer the call on kills the other 2 when I do. Anytime - so long as I’ve told the devices if/when I’m available or not. And it works anywhere in the world outside of the office where I have service on the mobile/laptop. Integrated with calendars for free/busy times too.

None of this involves a mobile carrier, other than when my laptop/mobile aren’t on WiFi and use mobile data for connectivity.

However - all of the above is ‘corporate’. What is really needed is a personal cloud PBX. A single online (subscription) admin console to place registered devices with an assigned number into, to ring or not, to forward or not, to voicemail or not.

I think we’ll all be using such services in 12-24 months.

3 Likes

Exactly the same. Having thought through most things, I also came to the conclusion it was the most secure way forward. Whatever happens I can keep access to my email. From there I can recover most things step by step.

1Password falls back to the master password, Monzo to the card PIN and my email app (Spark) to a separate PIN I tend to use to secure apps. So really the amount of damage that can be done with my phone passcode is pretty limited.

2 Likes

Yes please. Disconnect the legacy number from data services, give me this form of service and we’re golden.

1 Like

You can for watch SIMs as they have the same number as the phone.

EE also support Apple’s ‘Wi-Fi Calling on supported iCloud-connected devices’. Not 100% sure how that works, but they are the only UK network to support it.

2 Likes

This doesn’t work I believe, because once I have your PIN I instantly change your password, remove recovery contacts and remove other devices, and you are effectively locked out, along with changing your iCloud trusted numbers. I then turn on airplay and use wifi to peruse your data at my leisure.
I have been trying to think of ways to try and reduce it, but there is nothing much you can do right now I believe.

Yep, this is sadly a flaw in Apple’s security design. It’s being actively exploited and, worse, they can lock you out of every other Apple device you have if you don’t change your settings to prevent remote lock.

Yeah, they need to do something about it in 16.4

Hell, just think: within minutes they can remote wipe all your other devices, and because you won’t have the Apple ID password or email you won’t be able to actually use the device again without going to the Apple Store with proof of purchase.

Sorry, my quote box wasn’t the best, but tell me how turning on a recovery key or having a recovery contact will slow them down by any real amount?

If I got your phone and PIN it would take me less than 2-3 minutes (I mean I could do it very very quickly and I don’t have to do it often) to lock you out, and the only way those 2 things slow me down is having to disable/remove them, which is a few seconds each. Then I change the email for the account, remove trusted numbers and remote wipe all your devices with the Find My lock, preventing you using them again without an Apple fix.

I mean there will be people who don’t know about these tools, but there will be plenty that do.

I could list the order I would do it, each action limiting your ability to stop me, which wouldn’t take long to do. Hell, the password is one of the later stages, as even if you know your password it won’t matter without trusted contacts/numbers, so you’re done as soon as I remove them, although changing the email is actually one of the earliest: you can’t log in without the email address.

Recovery contacts and codes are good though, but they really won’t do much if anything if your phone is stolen with the PIN; but if it’s lost or smashed they will be very helpful, so please set them up, people.

I hope to be honest I am wrong and missed something, but there is nothing that will help you if they have your PIN and phone; they can own everything iDevice and cause absolute hell. Apple needs to add controls to 16.4 to make it impossible to do without extra controls, extra controls you can’t disable under duress, which is hard to consider.

The problem is I have seen this happening in the wild; the person lost everything because the thieves know there is a gain from doing it. It’s not complex instructions to follow, it takes minutes, and if you’re stealing phones you will normally know what’s needed to get max value from them, given the resale is limited time-wise with IMEI bans.

I may be giving them too much credit, but I feel you are underestimating them and the simplicity of what they need to do. I could teach my dad how to do this all while telling him what they can do with the data after, resale-wise.

All the barriers above are not barriers, they are settings; there is nothing stopping you removing them with the PIN. Yes, some may miss something, but even if the person is still your recovery contact you can log in with the email address, which is something being changed (and did get changed in the HN news story), so you’re still done for even if they remain a recovery contact. I do have all of the security options set up, but I know it won’t matter much. Hell, I wish YubiKeys did more as a form.

Also consider that after your phone is stolen you have to deal with a great many things like the police etc., all holding up the person’s ability to consider trying to beat the 2-3 minutes it will take the thief to lock you out.

Let’s say you find a device to log in with and phone someone for the recovery code in the less than 2 minutes it takes to remove your ability to do that. I know I would beat you if I got your phone; I just change your email address first and you’re done first. I don’t want to put the steps on verbatim here, but it’s seconds depending on signal/wifi, with each passing second closing your ability off, all while you try and find something to log in with and call someone to get a recovery code.

I would change your email address first (you’re done at that point), then remote wipe all your devices, then remove recovery contacts and trusted numbers and change your password.
Removing the code and recovery contacts would be quick as well though, to be honest, but once your email is changed it’s endgame if I recall; you can’t log in even if you have all the other details. I don’t even think it needs a verification on the existing email address (not changed in a while, to be honest), but if it did that would help. I could then set up an iCloud address that’s not logged into the phone.

Not necessarily; they have made changes in point versions before because of media coverage, so I am not ruling out some sort of limitation coming in 16.4 with a better solution in 17.
An ability to block email/password changes without another factor would be a start; it won’t be ideal for those without a second iDevice or recovery code/contact. Same as requiring the password to remove recovery contacts would be a start.

I am going to London soon and have been trying to think of ways around this, but there is nothing. If they get my phone and my PIN it’s done for unless I am really lucky, although I do hope I have missed some workaround for this or even something that would help, but nothing I have seen is anything other than a minor delay/very luck-based.
This is before you consider shoulder surfers that grab the phone, which means further delay to realising, although my watch would hopefully alert me to that.

EDIT: Thinking now, using a large alphanumeric PIN with a 10-wrong wipe would at least add the chance the crim gets it wrong enough to bork themselves.

1 Like

They need your password to remove the Find My lock, so it will be changed sharply if they want any attempt at getting limited value from the hardware. Find My reduced thefts of iPhones because there was little gain due to the lock, but now suddenly there is value. Look at the Reddit post of the guy being mugged in London, and they demanded his PIN to allow this.

Ha, that’s literally because you made a me.com account as your iCloud ID. If you do that it can’t be changed, but I literally know < 5 people with this problem and those are all kids’ accounts, as they were forced to use @me.com accounts unless you used a DoB workaround.
It’s ironic that something so annoying is actually giving you more protection than anyone else can get.

I mean I don’t think I would miss anything, but the only way to be sure would be to list every step I would take. I know all the bits to clear out and the order, but I don’t want to list them. I am just saying once the email is changed and removed from your account and other devices are remote wiped, you’re locked out as far as I can see.

Send me what you think I have missed in case I have not considered it, but there are not a lot of ways to lock down, and in true Apple fashion it’s easy to do normally.

My other half could do that; my house number is VoIP and really, really easy to remember, so she can actually use my account on her laptop to do it, to be honest. Thanks, I will prep her on the process so she is ready in case.
We also have a safe with essential passwords in it, but in order form to make it less trivial to use.

2 Likes