iPhone users beware. The Wall Street Journal has a long read covering a technique that thieves are employing to steal not only people’s iPhones, but their savings in the process.
The success of the attack relies on the thieves (often working in groups) getting not just physical access to the device, but also learning the passcode — the short string of numbers that acts as a failsafe when Touch ID or Face ID fails (or isn’t being used, for whatever reason).
With the passcode and the device, thieves are able to change the password associated with an Apple ID “within seconds”, while also remotely logging out any other connected Macs or iPads. The phone can then be freely used to empty bank accounts via any installed financial apps, before being sold on. The piece is full of examples of victims who have lost tens of thousands of dollars in the process.
iPhone passcode scam — how the crime works
The Journal reports instances occurring in New York, Austin, Denver, Boston, Minneapolis and London. The attack usually targets people on nights out, when alcohol has caused people’s guards to drop. Thieves generally just watch people entering their passcode (sometimes filming to be sure) and then snatch the phone when the victim’s guard is down.
“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” Sergeant Robert Illetschko, lead investigator on a case in Minnesota where a criminal gang managed to steal nearly $300,000 via this technique, told the Journal. “There’s a lot of tricks to get the person to enter the code.”
In some instances, the paper reports, the criminals will first befriend the victim, getting them to open up a social media app. If the user has Face ID or Touch ID, the criminal might ask to borrow the phone to take a photo, and then subtly restart it before handing it back, as a freshly rebooted phone requires the passcode to be entered.
If a thief has your iPhone and passcode, at the very least your phone can be wiped and sold for a quick profit. But the bad outcomes multiply if you keep banking apps on there, and get even worse if you keep other personal data onboard.
The Journal mentions a couple of instances where Apple Card accounts have been opened. That shouldn’t be possible, given the amount of personal data required, but plenty of people keep that on their phones too. And Apple’s technology can work against users here — the ability to search for text within photos, for example, seems to have exposed one man’s Social Security Number.
Worryingly, the paper adds that hardware security keys — added in iOS 16.3 — didn’t prevent someone holding the passcode from changing the Apple ID password either. Worse, said hardware keys could actually be removed from the account using the stolen passcode.
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said. “We will continue to advance the protections to help keep user accounts secure.”
The Journal notes that while Android phones aren’t immune to this kind of attack, law enforcement officials say that the higher resale value of iPhones makes them a far more common target.
iPhone passcode scam — what can you do to protect yourself?
The first thing to note is that if you make sure you only use Face ID or Touch ID in public, you’re significantly safer. That’s because the Apple ID password reset requires the passcode, and the biometric logins won’t cut it.
If you do find yourself entering a passcode in public, cover your screen: you don’t know who’s making note of the digits.
Of course, this isn’t much use if somebody demands your passcode and iPhone at gun or knife point — something that has been reported in certain locations.
But the damage will be significantly limited in this instance if you set up an Apple ID recovery key. That means criminals won’t be able to reset your password with the stolen passcode and will instead require a 28-character code.
That might not stop some short-term financial losses, though the Journal notes that “most” banks and financial apps have refunded money stolen via such fraudulent activity.
A recovery key is not without its drawbacks. If you lose the 28-character code, you’re locked out for good, but having one does at least mean that the precious memories saved to iCloud won’t be lost forever — as they were for one victim the Journal spoke to.
“I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my family — they’re all gone,” said Reyhan Ayas, who had her iPhone 13 Pro Max snatched by a man she’d just met outside a bar in Manhattan. “Being told permanently that I’ve lost all of those memories has been very hard.”