iPhone PIN scam can also be used to steal your Google account on Android — what you need to know

OnePlus 10 Pro in hand
(Image credit: Tom's Guide)

Having your phone stolen is bad enough, but a recent report from The Wall Street Journal brought attention to an iPhone passcode scam currently making the rounds in the real world. The same technique works against Android phones too, including the best Android phones.

If you’re unfamiliar with this scam, it goes a little something like this. First, phone thieves carefully watch their marks to figure out the PIN they use to unlock their iPhones before stealing their devices outright. With a user’s PIN in hand, they then change the password associated with their Apple ID and remotely log them out of their other Apple devices.

To make matters worse, some of the phone thieves running this scam on unsuspecting iPhone owners have figured out how to enable Apple’s Recovery Key feature. Once a recovery key is set, the account can no longer be recovered through Apple’s normal password-reset flow, so the rightful owner is locked out unless they hold the key or the stolen iPhone, both of which are now in the thief’s hands.

Now a new report from 9To5Google is warning that a similar scam is possible on Android devices, since on a phone that is already signed in to a Google account, the lock screen PIN is all that is needed to change that account’s password.

Changing Google account passwords with just a PIN

Android lock screen vulnerability

(Image credit: i_am_zews/Shutterstock)

In a recent tweet, freelance editor Mishaal Rahman explained how this is possible thanks to an option in Google account settings that allows users to use their lock screen PIN to change their account password.

The reason this can be used in a similar way to the recent iPhone passcode scam is that Google allows users to change their password with just their PIN when the request comes from a device that is registered to their account.

What makes this discovery particularly serious is that there isn’t any further verification beyond someone entering the phone’s PIN. Sure, Google does ask users to input their current password first, but this can be bypassed by tapping on “forgot password” and selecting the option to use the screen lock instead. Two-step verification doesn’t help here either: the stolen phone is itself a trusted, signed-in device, so any Google prompt or verification code sent to it lands with the thief. If this sounds familiar, it’s similar to an Android lock screen vulnerability that was discovered back in October of last year.

Android users do have one thing working in their favor: thieves are more likely to steal the best iPhones due to their popularity and higher resale prices. In fact, in a video posted on The Wall Street Journal’s YouTube channel, the police sergeant the paper spoke to said that 99% of the cases his department saw involved iPhones.

How to protect your Android phone and Google account from thieves

A hand holding a phone securely logging in

(Image credit: Google)

To help keep your Android smartphone safe from prying eyes in public, you should be unlocking it with biometric authentication like your fingerprint or face instead of typing a PIN. Keep in mind that biometrics only reduce how often the PIN is exposed; the PIN remains the fallback and still unlocks the password reset described above. You will still be asked for it from time to time, and whenever your fingerprint reader fails, so when you do enter it, shield the screen from anyone who might be watching.

As for the PIN itself, you can also make it stronger. Android only requires a four-digit PIN, but you can use a longer PIN that’s harder to guess and harder to pick up over your shoulder. For instance, if you’re using a Pixel phone like the Pixel 6a, your PIN can be as long as 17 digits. Android also lets you replace the numeric PIN with an alphanumeric password. Note that a longer PIN or password makes the credential harder to capture, but it does not change the fact that, once captured, it alone is enough to reset your Google account password from the phone.

However, if you want the best protection that Google has to offer, you should look into the search giant’s Advanced Protection Program. Be warned, this program requires you to use two security keys to secure your account. It does block the ability to change your Google account password using your phone’s PIN though.

It might also be a good idea to install one of the best Android antivirus apps, as many of them contain advanced device tracking and other premium features to help you recover your stolen phone. For instance, some can even take a selfie of a phone thief and save it to help identify them later.

Although we often worry about malicious apps, mobile malware and other cyber threats, we need to remember that the real world has its own threats and in some cases like this one, the digital and physical worlds collide.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.