In short: For all the advanced, complex ways thieves can access the troves of sensitive data on our phones, the simplest method remains the most effective: discovering a victim’s passcode before physical contact. to steal the handset. A number of these crimes have occurred recently with iPhone users being the main target, which has led to a response from Apple.
The Wall Street Journal’s Joanna Stern reported on a series of iPhone thefts that resulted in victims being locked out of their accounts. There are also instances of money being stolen through cash apps, ID theft, Apple Pay being used, etc.
Victims said their iPhones were stolen while socializing, often in bars. Working in groups, criminals will befriend targets and ask them to open an app like Snapchat on their phones, trying to observe their password as it is entered. Sometimes, another member of the gang secretly videos the password while the user taps the screen. Once they have the code, the iPhone will be stolen and all its contents will be accessed.
Not all crimes happen this way. Some victims were physically attacked and forced to hand over their phones and passcodes. There are also cases of drugged people, waking up the next morning with no phone or memory of the night before.
Knowing someone’s passcode gives criminals full access to an iPhone; it can even be used to bypass TouchID or FaceID. Thieves can use the codes to reset a person’s Apple ID password, locking victims out of their accounts when they try to access them from a different device. They can also turn off Find My iPhone, preventing it from being found or someone deleting its contents through iCloud. Apple ID contact information can also be changed, and recovery keys are set up. As the WSJ noted, Apple’s policies do not allow users to regain access to their account if a recovery key is enabled and they cannot do so.
Some victims reported that their apps were accessed using iCloud Keychain – one person had over $10,000 transferred from their bank accounts. Thieves are also able to use two-factor authentication when needed. There have even been cases of Apple credit cards being opened in the names of victims and collecting thousands of dollars by finding the last four digits of the phone owner’s Social Security number in the photos.
We also have suggestions for Apple, including
“‘ Add more protection to iOS to change Apple ID password
“‘ Add stronger password protection to iCloud keychain
“‘ Add more account recovery options(🧵6/7)
— Joanna Stern (@JoannaStern) February 24, 2023
Apple responded to The Wall Street Journal’s report by saying that “security researchers agree that the iPhone is the most secure mobile device for consumers, and we work tirelessly every day to protect all of our users from new and emerging threats.”
“We sympathize with users who have had this experience and we take all attacks on our users seriously, no matter how rare,” a spokesperson said. “We will continue to improve protections to help keep user accounts safe.”
There are several recommendations to avoid becoming a victim of this crime: use FaceID or TouchID if possible, switch to an alphanumeric passcode that is harder to understand while entering it, and if you have to type one code, try to hide the screen with your other hand.