It’s not just about having your phone stolen; a phone can be replaced.
It’s about your bank account(s) being drained and your entire digital presence stolen/destroyed.
Worse, Apple’s recovery key feature can deprive you of access to iCloud permanently—you lose everything on iCloud, forever.
Local backups (at home and/or office) not connected to a computer are critical. I keep trying to explain this to my kids and they just don’t get it—I hope my readers do.
The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’
NEW YORK—In the early hours of Thanksgiving weekend, Reyhan Ayas was leaving a bar in Midtown Manhattan when a man she had just met snatched her iPhone 13 Pro Max.
Within a few minutes, the 31-year-old, a senior economist at a workforce intelligence startup, could no longer get into her Apple account and all the stuff attached to it, including photos, contacts and notes. Over the next 24 hours, she said, about $10,000 vanished from her bank account.
Similar stories are piling up in police stations around the country. Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.
The thieves are exploiting a simple vulnerability in the software design of over one billion iPhones active globally. It centers on the passcode, the short string of numbers that grants access to a device; and passwords, generally longer alphanumeric combinations that serve as the logins for different accounts.
With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.
MPG: a simple passcode that unlocks everything and allows changing everything irreversibly is unbelievably bad security.
I give Apple an 'F' on real-world security because Apple fails to address the physical risks involved, relying entirely on the (false) premise that passcode security is all you need.
What You Should Do
- Cover your screen in public...
- Strengthen your passcode...
- Enable additional protection for other apps...
- Use a third-party password manager... [MPG: better than using built-in features, but still a severe risk due to the threat of violence]
- Delete scans of sensitive information...
- If your iPhone is stolen, act quickly... [MPG: good luck! thieves know this too]
What Apple could do
- Let people add extra Apple ID password protection...
- Password-protect the iCloud Keychain...
- Protect account recovery from hijackers...
“The most important thing is awareness,” says Sgt. Robert Illetschko, the lead investigator on such iPhone theft cases in Minneapolis. “People forget that what they’re holding in their hand is their entire life.” He adds, “If someone has access to it, they can do a lot of damage.”
MPG: losing your phone should not mean losing your digital life, and Apple is remiss in making it so easy for thieves to exploit you.
Recommendation: whenever feasible, use two-factor authentication, such as a separate hardware token, for all financial/sensitive accounts. Such a token is a small device that fits onto a keychain and displays a code that changes every 30 seconds or so.