Criminals Target iPhone Passcodes—and Data Protected by Them
Recent news reports highlight ongoing security threats to iPhones. The twist is that they’re primarily related to the physical theft of the device itself. An in-depth Wall Street Journal feature detailed the low-tech way that thieves target unsuspecting iPhone users, stealing their devices and then wreaking havoc on personal data and financial accounts.
The standard script goes something like this: an unsuspecting user in a crowded bar types in a passcode to unlock their phone. Someone watching from nearby—“shoulder surfing,” in modern-day lingo—or a new friend who offers to snap a photo then snatches the phone, logs in, and changes the password to lock the rightful owner out of their own iCloud account.
Within hours, thieves can drain thousands of dollars from bank accounts and financial apps like Venmo or PayPal. They can also delete personal photos, disable Find My iPhone locator apps, access the iCloud Keychain password manager, and force other trusted devices to sign out of the Apple account—all with little recourse available to victims.
Recovery keys that could allow users to regain control of their accounts require multi-factor authentication, which typically sends a text message to the phone number associated with the account. If the phone is in a thief’s hands, that method of security is rendered moot.“Once you get into the phone, it’s like a treasure box,” Alex Argiro told the Wall Street Journal. Argiro investigated hundreds of thefts as a New York Police Department detective before retiring last fall. “It is such an opportunistic crime. Everyone has financial apps.”
Apple says its iPhone is one of the most secure modern devices on the market today. But this growing threat highlights a vulnerability in its systems. If thieves manage to steal a phone—and the passcode that grants access to it—they can leverage a feature that Apple purposely constructed as a convenience: the ability for customers to use their phone’s passcode to set a recovery key for their Apple account, which is often connected to iCloud storage, email accounts, and financial apps.
Bigger threats could be facilitated through the theft of phones, photos, and documents, too. Many victims of this recent fraud have found that thieves can perpetuate full-blown identity theft by using pictures or attachments showing sensitive information like Social Security cards, W2s or 1099s, and drivers’ licenses. That includes applying for instant credit cards through the touchless Apple Pay app or filing fraudulent tax returns to try and deposit refunds into stolen accounts.
These stories may strike fear in even the most conscientious smartphone user. But cybersecurity experts point out that the number of reported cases—often in the hundreds—pales in comparison to the total number of iPhone users in North America—well over 200 million. And you can take extra precautions to protect your device, your data, and your private apps.
Here Are a Few Recommendations from CMIT Solutions:
• Shield your iPhone’s passcode—and avoid using it when you can. Many of Apple’s security measures could feasibly eliminate the threat of a stolen passcode. Using Face ID and Touch ID logins should be prioritized over punching in a numerical code. But numerical passcodes are still required when phones are turned back on. And in big cities like New York and Los Angeles, law enforcement officials say criminals can drug or otherwise incapacitate their targets so that facial recognition and fingerprints can be used to access locked iPhones. So, if you do use a passcode to unlock your iPhone, make it long and complex—not “123456.” (You can also add letters to the mix in Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code.) Then, make sure you hide your passcode from public view every time you punch it in.
• Do not store account passwords in browsers or on your device. It might seem convenient to store a master list of account passwords on your passcode-protected phone, desktop, or laptop. But avoid it if you can. Instead, consider using a secure password manager—an application that can generate random credentials for different accounts so that one stolen password won’t provide a hacker access to all of your accounts. Of course, that manager must be accessed by a master password, so make sure to create a long, unique, and complex one if you go this route.
• Set a different Screen Time passcode for yourself. Parents primarily use this security setting to manage their children’s devices, but you can also use it to enable additional protection. In Settings, go to Screen Time > Content & Privacy Restrictions, then toggle Content & Privacy Restrictions on. If you haven’t already enabled Screen Time, you can choose a passcode that’s different from your iPhone’s. From the Allow Changes section, select Account Changes > Don’t Allow. (Note: if you ever need to change your iCloud account settings, you’ll have to revisit Screen Time and re-enable this.)
• Implement multi-factor authentication through a dedicated app. Multi-factor authentication requires users to enter something they know (a password) and something they have (a backup security code sent to a trusted device or email). This provides an extra measure of security, but if someone steals your phone, MFA codes sent via text message are no longer secure. Instead, use an authenticator app like Duo, Google Authenticator, or Microsoft Authenticator and turn on biometric protection (like Face ID or Touch ID) to access them. This can prevent a thief from using a stolen passcode to log into other sensitive apps.
• Remove scans of sensitive documents. Perform a regular check for images of Social Security cards, drivers’ licenses, and tax documents—then remove them from your phone so they’re not accessible in case your phone is stolen. In your Photos and Documents app, you can use search terms like “passport,” “license,” and “SSN” to find them. If you need digital copies of sensitive documents, use secure file storage in a third-party cloud provider.
• Don’t assume that non-Apple devices are inherently secure. Cybersecurity experts say thieves can just as easily steal a passcode to gain similar levels of access to Android phones. But law enforcement officials cited in the Wall Street Journal say that criminals primarily target iPhones because of their increased resale value on the black market.
• Act fast if your phone is stolen. If your iPhone is swiped, know what to do to mitigate the potential impacts. Sign in to iCloud.com on another device as soon as you can and select Find Devices to remotely erase the data from your phone. Call your cell phone or visit a retail store to deactivate the stolen phone’s SIM so that verification codes and MFA prompts can’t be delivered via text. Then, log on to sensitive financial and shopping accounts to change passwords and block access from stolen devices.
At CMIT Solutions, we’ve helped thousands of businesses prevent data theft and alleviate the negative consequences of digital issues like this one. We track cybersecurity trends to understand the threat landscape and recommend best practices for protection. If you’re concerned about the threat of device theft or need assistance implementing extra security measures, contact us today. We worry about IT problems so that you don’t have to.