Strengthen your passcode and use Screen Time controls to keep a predator you meet in real life from hijacking your digital life
iPhone thieves across the country are locking people out of their Apple accounts and draining their bank accounts—sometimes before victims even know what happened. How do they do it and how can you protect yourself? WSJ’s Joanna Stern investigates.
By Nicole Nguyen and Joanna Stern from the Wall Street Journal.
Feb. 24, 2023
Our phones are a portal to everything that’s important to us—our most sensitive communications, our life savings, our photos. You’d think all that would be protected by something more complex than a four- or six-digit passcode.
And yet, as we reported, thieves across the country are stealing iPhones along with their passcodes. They are getting it all: cash from bank apps, access to credit cards via Apple Pay and more.
That same code also allows these thieves to lock people out of their Apple accounts. Years of photos, notes and messages from loved ones? Gone. It made us think, should we really trust all our data to one big tech company?
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple Inc. spokeswoman said, adding that the company says these attacks are uncommon because they require the theft of the device and the passcode. “We will continue to advance the protections to help keep user accounts secure,” she said.
We’ve long talked about the importance of strong, unique passwords, those alphanumeric strings used to safeguard online accounts. But it’s the passcode, the short string of numbers used to unlock your device, that presents a unique vulnerability.
Even a recent upgrade by Apple doesn’t solve the issue. The company introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.
After speaking to victims whose passcodes were used to pillage their digital homes, we changed the ways we protect and use our iPhones. Here’s what you should do—and what Apple could do—to discourage these attacks.
What You Should Do
If you’re thinking, “I already use Face ID so I’m fine,” think again. When Face ID or Touch ID fail—or when the iPhone restarts—the phone asks for the passcode.
This is true for unlocking the device, but also for authorizing Apple Pay, opening the iCloud Keychain password manager and more. The passcode enables you to change your Apple ID password.
(Thieves could use a passcode for similar access on Android phones, but law enforcement officials we spoke to said criminals mostly target iPhones, due to their higher resale value.)
You can’t always avoid device theft, but you can make it harder for thieves to get access to the data on your device.
- Cover your screen in public. According to law-enforcement authorities, thieves devise clever ways to learn people’s passcodes, including filming them from afar.
When you’re out and about, rely on Face ID or Touch ID whenever possible to prevent passcode snooping. In cases where you have to type it, treat your passcode like an ATM PIN. Don’t type the code in front of strangers.
- Strengthen your passcode. Use at least six digits and make it complex. No more 1-2-3-4. Longer passcodes are harder to “shoulder surf,” said Adam Aviv, associate professor of computer science at George Washington University.
We changed over to alphanumeric passcodes: Go to Settings > Face ID & Passcode > Change Passcode. When selecting a new passcode, tap Passcode Options > Custom Alphanumeric Code.
In Display & Brightness settings, set your Auto-Lock to 30 seconds, the shortest possible time, so your phone is never left unlocked for too long.
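To make the "longer and more complex" advice concrete, here is a small passcode checker added for this article (it is not part of the Journal's reporting or any Apple tool). It estimates the guessing space of a passcode from its length and character set, flags the obvious patterns the article warns against (1-2-3-4, repeated digits), and grades the result; the sample passcodes and the grading thresholds are this example's own assumptions, chosen so that a six-digit code rates "fair" and an alphanumeric code rates "strong", in line with the article's recommendation.

```python
import math
import string

# Constructed sample passcodes for illustration (not taken from the article).
SAMPLE_PASSCODES = ["1234", "123456", "111111", "839201", "Qz7!mVr2"]


def charset_size(passcode: str) -> int:
    """Size of the character alphabet an attacker would have to search."""
    if not passcode:
        return 0
    if passcode.isdigit():
        return 10  # a numeric PIN only ever draws from ten symbols
    size = 0
    if any(c.islower() for c in passcode):
        size += 26
    if any(c.isupper() for c in passcode):
        size += 26
    if any(c.isdigit() for c in passcode):
        size += 10
    if any(c in string.punctuation for c in passcode):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def is_weak_pattern(passcode: str) -> bool:
    """Flag all-identical characters and ascending/descending digit runs."""
    if len(set(passcode)) == 1:
        return True
    if passcode.isdigit():
        # 1234 has pairwise differences {1}; 4321 has {-1}
        diffs = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def entropy_bits(passcode: str) -> float:
    """Upper bound on guessing entropy: log2(alphabet ** length)."""
    if not passcode:
        return 0.0
    return len(passcode) * math.log2(charset_size(passcode))


def assess(passcode: str) -> dict:
    """Grade a passcode; thresholds are this example's assumptions."""
    bits = entropy_bits(passcode)
    weak = is_weak_pattern(passcode)
    if weak or len(passcode) < 6:
        verdict = "weak"       # too short, or a pattern easy to shoulder-surf
    elif passcode.isdigit() or bits < 40:
        verdict = "fair"       # meets the six-digit floor but stays numeric
    else:
        verdict = "strong"     # custom alphanumeric code with a real alphabet
    return {
        "passcode": passcode,
        "length": len(passcode),
        "charset": charset_size(passcode),
        "bits": round(bits, 1),
        "pattern": weak,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for code in SAMPLE_PASSCODES:
        print(assess(code))
```

The bit count is an upper bound: it assumes each character was chosen uniformly, which a memorable passcode rarely is, so treat the grade as a floor on what to fix rather than a guarantee.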
- Enable additional protection. Some apps, such as Venmo, PayPal and Cash App, let you add a passcode. Just don’t use the same one as your iPhone.
You can also set up a Screen Time passcode for yourself, then enable account restrictions to prevent an Apple ID password change, the way parents do with their kids’ devices. In Settings, go to Screen Time > Content & Privacy Restrictions, then toggle Content & Privacy Restrictions on. If you haven’t already set up Screen Time, you’ll need to choose a passcode. (Again, make it different from your iPhone’s.)
Scroll down to the Allow Changes section, and where it says Account Changes, select Don’t Allow. Whenever you need to access your iCloud account settings, you’ll have to go to Screen Time and re-enable this.
- Use a third-party password manager. While Apple’s built-in iCloud Keychain password manager is convenient, the passwords saved there can be accessed using the passcode. That’s a way for thieves to access bank accounts on their victims’ iPhones. You should remove all sensitive passwords.
Instead, use a third-party password manager, such as 1Password or Dashlane, which offer biometric authentication, but prompt for a separate master password if it fails.
- Delete scans of sensitive information. Thieves have used information found in photos on the iPhone, including forms that had a Social Security number, to open up an Apple credit card. Search terms like “passport,” “license” and “SSN” in your Apple Photos app to see if you have any. If you need digital copies of sensitive documents, use the secure file storage in a third-party password manager.
- If your iPhone is stolen, act quickly. Sign into iCloud.com on another device as soon as you can, and click Find Devices to remotely wipe your phone. Call your cellular carrier or visit a retail store to deactivate the stolen phone’s SIM, so the thief can’t receive verification codes. Log on to sensitive accounts, such as Google, Venmo and Amazon, to change passwords and revoke access from the stolen device.
What Apple Could Do
- Let people add extra Apple ID password protection. The iPhone’s software doesn’t require users to enter an older password to set a new one for the Apple ID, the login that accesses all Apple services. Requiring an extra PIN, a previous password or a security key to protect the Apple ID could prevent account takeovers. Android phones, which similarly accept passcodes to change Google account passwords, should also offer extra protection.
- Password-protect the iCloud Keychain. The iPhone’s passcode grants access to all credentials stored in the built-in password manager. If Face ID or Touch ID don’t work or are deactivated, the Keychain should require a password or independent passcode.
- Protect account recovery from hijackers. Some victims we spoke to couldn’t regain access to their iCloud account because thieves had changed the backup phone number or enabled a recovery key. Google lets people whose accounts were hijacked provide a previous backup recovery email, phone number or account password to prove their identity. Apple should consider doing the same, as well as accepting other identification, including government-issued IDs.
Yes, Apple can do more, but one big piece remains on us:
“The most important thing is awareness,” says Sgt. Robert Illetschko, the lead investigator on such iPhone theft cases in Minneapolis. “People forget that what they’re holding in their hand is their entire life.” He adds, “If someone has access to it, they can do a lot of damage.”
Appeared in the February 25, 2023, print edition as ‘How to Protect Your iPhone Data’.