This nasty iPhone passcode scam could cost you thousands of dollars

[Image: iPhone 14 Pro on table with display facing up. Credit: Future]

iPhone users beware. The Wall Street Journal has published a long read on a technique thieves are using to steal not only people's iPhones but their savings along with them.

The attack depends on the thieves (often working in groups) getting not just physical access to the device but also the passcode, the short string of digits that unlocks the phone when Touch ID or Face ID fails or isn't in use. On iOS that same passcode doubles as proof of ownership for account-level changes, which is what makes it so valuable.

With the device and its passcode, thieves can change the password on the associated Apple ID "within seconds" and remotely sign out any other Macs or iPads linked to it, locking the owner out of their own account. The phone can then be used to empty bank accounts through any installed financial apps before being sold on. The piece is full of examples of victims who lost tens of thousands of dollars this way.

iPhone passcode scam — how the crime works

The Journal reports cases in New York, Austin, Denver, Boston, Minneapolis and London. The attack usually targets people on nights out, when alcohol has lowered their guard. Thieves generally just watch the victim enter their passcode (sometimes filming to be sure) and then snatch the phone at an unguarded moment.

“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” Sergeant Robert Illetschko, lead investigator on a case in Minnesota where a criminal gang managed to steal nearly $300,000 via this technique, told the Journal. “There’s a lot of tricks to get the person to enter the code.” 

In some instances, the paper reports, the criminals first befriend the victim and get them to open a social media app. If the victim uses Face ID or Touch ID, the criminal might ask to borrow the phone to take a photo and then discreetly restart it before handing it back, because a freshly rebooted iPhone will not accept biometrics and demands the passcode instead.

[Image: Finger typing passcode into iPhone screen. Credit: ymgerman/Shutterstock]

If a thief has your iPhone and passcode, at the very least the phone can be wiped and sold for a quick profit. The outcomes get worse if you keep banking apps on it, and worse still if you keep other personal data on board.

The Journal mentions a couple of instances in which Apple Card accounts were opened in victims' names. That shouldn't be possible, given how much personal data the application requires, but plenty of people keep exactly that data on their phones. Apple's own features can work against users here: the ability to search for text within photos, for example, appears to have exposed one man's Social Security Number.

Worryingly, the paper adds that hardware security keys for Apple ID, added in iOS 16.3, didn't stop a thief holding the passcode from changing the Apple ID password either. Worse, the keys themselves could be removed from the account using the stolen passcode.

“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said. “We will continue to advance the protections to help keep user accounts secure.”

The Journal notes that while Android phones aren't immune to this kind of attack, law enforcement officials say the higher resale value of iPhones makes them a far more common target.

iPhone passcode scam — what can you do to protect yourself?

[Image: Face ID. Credit: Future]

The first thing to note is that you're significantly safer if you only ever unlock with Face ID or Touch ID in public. The Apple ID password reset requires the device passcode, and biometric logins won't do the job: a thief can film you typing six digits, but can't capture your face or fingerprint by watching over your shoulder.

If you do find yourself entering a passcode in public, cover the screen: you don't know who is noting down the digits.

Of course, this isn't much use if somebody demands your passcode and iPhone at gunpoint or knifepoint, something that has been reported in certain locations.

But the damage will be significantly limited in that case if you set up an Apple ID recovery key. With one enabled, criminals can't reset your password with the stolen passcode alone and would instead need the 28-character key.

That might not prevent some short-term financial losses, though the Journal notes that "most" banks and financial apps have refunded money stolen through this kind of fraud.

The recovery key has its own drawback: lose the 28-character code and you're locked out for good. But it does at least mean the precious memories saved to iCloud won't be lost forever, as they were for one victim the Journal spoke to.

“I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my family — they’re all gone,” said Reyhan Ayas, who had her iPhone 13 Pro Max snatched by a man she’d just met outside a bar in Manhattan. “Being told permanently that I’ve lost all of those memories has been very hard.”

Alan Martin

Freelance contributor Alan has been writing about tech for over a decade, covering phones, drones and everything in between. Previously Deputy Editor of tech site Alphr, his words are found all over the web and in the occasional magazine too. When not weighing up the pros and cons of the latest smartwatch, you'll probably find him tackling his ever-growing games backlog. Or, more likely, playing Spelunky for the millionth time.

  • dpowell7299
    How is this any different than Android? If someone gets access to my Android phone AND passcode then they also can steal information. With most login using text based authentication, they can access my banks and other financial institutions.

    I fail to see why this is an iPhone issue.
    Reply
  • daveedwp
    It's an iPhone issue because, on Android, having the lock screen passcode does not allow you to change your Google Account password; so the thief cannot lock you out of Google services everywhere.
    Same thing for Bank and other financial apps... knowing the home screen code cannot log you into those apps.

    This is very much an iOS issue, and significantly less impactful to Android.
    Reply
  • dpowell7299
    OK, but they have my phone and my passcode. They open my banking app, Android auto-fills the login credentials, but that is OK, it is going to text me a code... on my phone, which is in their hands. So now they log in and drain my accounts. Google neither needed nor required. Same as on iOS.

    I'm pretty sure from my phone, I can approve a login into my google account from the PC. Often without even asking for a password, just go to the Google app and enter the code displayed on my phone.
    Reply