Apr 14, 2024
The iPhone is a highly desirable gadget and many thieves focus on Apple’s products as they offer high resale values. But there’s also a series of criminals who want to snag your iPhone for what’s inside it and have sophisticated ways to get in—while locking you out. Don’t panic. Here’s what you need to do to help protect yourself from them.
Joanna Stern reported on this in two stories in the Wall Street Journal, and her most recent update includes helpful ideas to stay safe. First of all, remember, the schemes described below are still mercifully rare, but that doesn’t mean you shouldn’t be guarding against them. Here’s what happens: instead of simply grabbing your iPhone, a thief will wait until they have seen you enter your passcode. Some even shoulder-surf you and record you as you’re putting the code in. Bars are a popular venue for this, as you’re off guard, relaxed and not looking to see who’s over your shoulder before you type your code in.
Once they’ve got your passcode and made off with your iPhone, they very quickly do two things. First, they enter your passcode, go to Settings, choose Change Passcode, and enter their own. Then they go into your Password & Security settings to “Create a Recovery Key”. When both these things are done, often within minutes of the theft, you can no longer track your iPhone with Find My or access your Apple ID data. Scary, huh?
Oh, it gets worse. The thief can access any banking apps on your phone and empty your account. In some transactions, an app can require not only your passcode (the new one the thief just created) but ask you to enter a code the bank has just texted to you. Since the thief can edit your trusted phone number, they will have changed this to a number they control.
Getting back into your Apple ID to retrieve your photos, videos, notes, contacts and so on is suddenly impossible, as you don’t have the Recovery Key the thief created.
So, what can you do?
First of all, you can ensure you never use your iPhone passcode in public. Use Face ID or Touch ID by default. Of course, there are some times when you need to enter your passcode, like if your face isn’t recognized five times in a row. So, if you do need to enter it, as Stern advises, treat it like your bank card PIN, covering the screen when you tap it in.
Instead of using a simple four-digit code, use six digits, and none of them related to your birthday. Better still, use an alphanumeric code that’s hard for shoulder surfers to guess. Make sure it’s memorable, of course, and ideally save it to a third-party password manager like the brilliant 1Password.
Stern also recommends removing saved passwords from banking apps and entering them each time you use the apps. 1Password or a similar password manager is a better place to keep them.
In Settings, choose Screen Time and then Use Screen Time Passcode. Here, create a four-digit passcode which is not the same as your iPhone passcode. The thief will be able to get to the page that offers to let you change your passcode, but they won’t have the original passcode to let them do that (they could bypass this, but only if they also have access to the email address associated with your Apple ID).
Next, go to Screen Time again in Settings, choose Content & Privacy Restrictions, swipe the switch to on and scroll down the list to Account Changes. Tap this and choose Don’t Allow.
This means the thief can’t change your passcode.
Please note that there’s an effect from this which is discombobulating when you first see it: in Settings, your name and Apple ID are now grayed out. Tap it as much as you like, as the thief might, and nothing happens. You may often need this part of Settings yourself, so when you do, go back to Account Changes and switch it to Allow.
As I said at the start, these savvy thieves are not that numerous, so there’s no need to panic. Keep your phone safe and your passcode private, and you’ll substantially reduce your risk. But the above precautions could be useful.
Finally, when the Wall Street Journal contacted Apple about this, they said, “We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare. We work tirelessly every day to protect our users' accounts and data, and are always investigating additional protections against emerging threats like this one.”