What Apple should really do is a lot more:
1: register the moment that the phone was last held by the owner
2: provide continuous tracking data to the owner
3: take photos periodically, including if medical information is accessed
4: email the user with a standard "so you have lost your phone" message
5: add the phone to blacklists on every telco it has a relationship with
6: report the loss to police
7: send information to the owner and police as soon as that phone accesses any network.
Etc.
Anything they can do with a lost phone they can do with a government order, from any government big enough to strong-arm them. And that PR just isn't worth it.
Edit: or, God forbid, malware or hackers; they are made up of people after all and haven't fucked up that badly before, but there is a first time for everything.
Everyone has the ability to remotely wipe their phone, as long as it's connected to the network. If it's not connected to the network, then not even Apple can do anything (assuming they don't make some sort of dead man's switch, which is a terrible default feature for all sorts of reasons...)
As a user, I prefer having the option to decide how sensitive and/or valuable the data on my phone is, what the circumstances of losing my phone are, and how long I'm willing to wait to get it back.
You were out of the country, without Internet access for a while, you have un-synced vacation photos and not much else on the phone, and there's a strong possibility you misplaced it? There's probably not a reason to ever wipe the phone.
You had secret company data on your phone, without a passcode, and it was ripped out of your hands? Can't wipe it fast enough.
While Apple should offer users advice, I wouldn't want them to ever take action (filing police reports, taking photos, etc.) without my explicit consent.
Thieves will just dump the phone for parts. They need to lock all the potential spare parts to the ID of the logic board on first startup / communication.
Unfortunately, I think a ton of people today still would not know the difference between a "green URL" and an unencrypted URL, or the fact that "find-iphone-location.com" is phishy.
I used to work at a large, competent tech company whose 401k plan was managed on a URL similar to "accessmy401k.com" -- it seemed similarly phishy to me but apparently enough people thought it was a good idea that this financial institution decided to make it their online portal to actual 401ks. I often see my less savvy friends going to places like "cheap-christmas-lights.net" when they want cheap Christmas lights.
I appreciate what the big browsers do when it comes to showing secure connections and highlighting the domain in certain cases, which is pretty much as far as we allow them to go in order to stay in control of our own browsing experiences, but part of me wishes it were a little bit more explicit. There are for sure potential drawbacks... when my Mom said she was booking tickets on "CheapOAir.com" I immediately thought it was a scammy site, but it's actually legit. But a browser (especially a browser on an iPhone?) should be able to see you're at "find-iphone-location.com" and maybe just assist the user a little bit by saying "Hey, just so you know, this is not a legitimate Apple/iPhone service" automatically.
Browsers do have mechanisms for filtering out known phishing (or malware) sites (e.g. Google's Safe Browsing (used by Chrome, Firefox and (IIRC) Safari), Microsoft's SmartScreen). Guessing based on the domain (without having any actual phishing reports or something like that) would probably lead to tons of false positives, which would both annoy users and desensitize them, so most people would click through the warning.
EV certificates can be a solution for some cases - knowing that "Apple, Inc. [US]" is actually operating the site you're looking at is worth something - but it isn't particularly meaningful in other cases - knowing that "CheapOAir, Ltd. [US]" actually operates "CheapOAir.com" doesn't mean much, they could still scam you.
I've noticed that spear phishing attacks have become quite a bit more sophisticated lately. This is a good example of it, but I've gotten emails supposedly from Stripe, my bank (not a common one that would suggest a mass attack), my credit card company, all quite convincing. At first glance I was fooled, but thankfully figured them out before giving away my accounts. I've since become more vigilant of course.
In none of these cases did my email provider figure out that the sender was malicious.
I'll also go further and say you should be using a password manager, so even if you do end up getting scammed out of a login, they can't easily compromise your other accounts (obviously this depends on the kind of account being scammed).
A password manager with autofill will also help you avoid getting scammed in the first place. You may not notice that the domain is weird or the page is unsecured, but your autofilling password manager will. Of course, you need to listen to it when it says so, rather than trying to work around it!
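The check the comment above relies on, as an added example that is not code from the thread or from any particular password manager: a credential saved for the real iCloud site is only offered when the page's registrable domain (eTLD+1) matches and the page is served over HTTPS. The public-suffix list and the page URLs are a constructed subset for the demo; the function names are assumptions.

```javascript
// Added example (not from the thread or any real password manager): how an
// autofill check decides whether a saved credential may be offered on a page.
// PUBLIC_SUFFIXES is a constructed subset for the demo; a real manager ships
// the full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a hostname: the longest public suffix found in
// the label list plus the one label in front of it. Returns null if the name is
// itself a public suffix or has fewer than two labels.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Decide whether a credential saved for `savedOrigin` may be autofilled on
// `pageUrl`. Refuses on unparseable URLs, non-HTTPS pages (the "unsecured
// page" case) and registrable-domain mismatch (the "weird domain" case).
function autofillDecision(savedOrigin, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedOrigin);
    page = new URL(pageUrl); // WHATWG URL: IDN hostnames come back as punycode
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "page is not served over HTTPS" };
  }
  const savedDomain = registrableDomain(saved.hostname);
  const pageDomain = registrableDomain(page.hostname);
  if (savedDomain === null || pageDomain === null) {
    return { fill: false, reason: "hostname has no registrable domain" };
  }
  if (savedDomain !== pageDomain) {
    return { fill: false, reason: `saved for ${savedDomain}, page is ${pageDomain}` };
  }
  return { fill: true, reason: "registrable domain matches" };
}

// Constructed page URLs modelled on the "Find My iPhone" phishing scenario.
const SAVED_ORIGIN = "https://www.icloud.com/";
const PAGES = [
  "https://www.icloud.com/find",                         // legitimate
  "https://find-iphone-location.com/",                   // lookalike domain
  "https://icloud.com.find-iphone-location.com/",        // real name as a subdomain
  "http://www.icloud.com/",                              // right name, no TLS
  "https://www.i\u0441loud.com/",                        // Cyrillic "с" homoglyph
];

for (const url of PAGES) {
  const d = autofillDecision(SAVED_ORIGIN, url);
  console.log(`${d.fill ? "FILL   " : "REFUSE "} ${url}  (${d.reason})`);
}
```

Matching on eTLD+1 is the common choice; some managers match the exact host instead, which is stricter but breaks logins that hop between subdomains. The homoglyph case is rejected not because the code recognises the trick but because the WHATWG URL parser turns the IDN into its punycode form, which simply does not equal `icloud.com`; that is the whole point of the comment: the manager compares strings and never "sees" a familiar-looking name.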
I agree that using a password manager and 2FA is great. But in this particular case couldn't it be a nightmare?
You don't have your 2nd factor device (phone) and someone else has access to it and presumably an email account too?
I guess they may still need the device's unlock code (PIN/fingerprint) to do more serious damage, but it'd be rough if you're trying to change your passwords but can't because you are without your 2FA device. All the while the attacker is able to reset your accounts/passwords.