A new report highlights that when a thief has both an iPhone and the associated passcode, the user’s entire digital life is at risk. While this is by no means new, there are some simple steps you can take to reduce your risk.
The “hack” involves the thief watching the victim enter their passcode, then stealing the iPhone to access their data. In one case, a victim was locked out of her Apple account and lost about $10,000 from her bank account, according to The Wall Street Journal.
Because the sign-in password provides access to most other apps—and system settings—a thief could use it to change the Apple ID password to lock victims out. “When you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft as a New York Police Department detective before retiring last fall.
The thief can also use your device’s password to access iCloud Keychain, putting a person’s entire online life at risk. Argiro said these opportunistic crimes have increased in the past two years in New York. “This is growing,” he said. “It’s such an opportunistic crime. Everyone has financial apps.”
All the victims The Wall Street Journal interviewed had their iPhones stolen while socializing in public in places such as bars. In some cases, victims were physically assaulted and intimidated into handing over their phones and passwords, and others believed they had been drugged.
Sgt. Robert Illetschko, the lead investigator on one case, said groups of two or three thieves would go to a bar and befriend victims to try to gain access to their iPhones. If they couldn’t see the victim entering their password, thieves might try to get them to open a social media app or get the victim to hand over their phone for a photo.
Similar cases have been reported in Austin, Denver, Boston and London.
In another case, a man had his identity stolen because he had stored photos of his passport, driver’s license, direct deposit form and health insurance papers in the Photos app. He was able to access his Apple ID, but it is highly likely that the thief kept the sensitive information.
Source: Elizaveta Galkina/The Wall Street Journal
Face ID or Touch ID can help prevent such attacks since people don’t need to enter a password. But authorities in New York have suggested that Face ID is also a possible entry point to iPhones.
As with a passcode, a thief can take an iPhone after the victim unlocks it using biometrics, then prevent the iPhone from going into sleep mode. However, that access will be more limited since a password is required to enter Face ID or Touch ID settings.
Apple users can turn on a feature called Attention Detection for Face ID in Settings > Face ID & Passcode. It requires a person to look at the iPhone before it authenticates the login, meaning thieves who drug their victims cannot log into the iPhone using this method.
As The Wall Street Journal noted, iOS does not require a person to enter an older password before entering a new one for Apple ID. Hardware security keys supported by iOS 16.3 did not prevent account changes using only the password.
The password can even be used to remove security keys from the account.
An Apple spokeswoman said account recovery policies are in place to protect users from bad actors gaining access to their accounts.
“We sympathize with users who have had this experience, and we take all attacks on our users very seriously, no matter how rare,” she said, adding that Apple believes these crimes are unusual because they require the theft of the device and password. “We will continue to advance protections to keep user accounts safe.”
Apple typically doesn’t allow users to regain access to a stolen account if a thief puts a recovery key on the Apple ID that the victim doesn’t have access to.
How to protect yourself
Not sure why The Wall Street Journal is treating this as a new emergency, or an emerging attack vector. Passcode theft has always been a concern for users at one level or another, and securing that passcode has always been good advice.
In some of the cases, thieves were able to steal a victim’s social security number because of tax forms stored in iCloud Photos. Some Apple apps allow users to search by text, and searching for “SSN” or “TIN” (Taxpayer Identification Number) in Apple Photos produced the document image.
While iCloud encryption can help prevent online hacking, it can’t stop thieves from accessing sensitive information once they gain access to your iPhone. So it is dangerous to store such information in Apple Notes, Photos or other apps.
Then, Apple users should set up their own Apple ID recovery key, which prevents others from doing so.
- On an iPhone or Mac, go to Settings > Your name > Password and security.
- Press Recovery key, then slide to activate it. On a Mac, click Achieve next to account recovery.
- Press Use recovery key and enter the device password.
- Write it down, keep it in a safe place, and confirm it on the next screen.
People should also set up attention detection for Face ID in Settings > Face ID & Passcode. This will prevent the theoretical attack of being drugged and unlocking the phone with Face ID.
Perhaps there is more the company can do to prevent such crimes. But in the meantime, as it always has been, Apple users should be careful about entering their passwords in public or giving their device to a stranger.