iPhone Thieves use Passcode to Drain Bank Accounts

An increasingly prevalent method of seizing control over an individual's iPhone and permanently locking them out of the device is causing concern.

As outlined in a recent report by The Wall Street Journal (WSJ), certain iPhone thieves are exploiting a security feature called the recovery key. This technique makes it exceedingly difficult for owners to access their photos, messages, and other data. Disturbingly, some victims have reported unauthorized access to their financial apps, resulting in drained bank accounts. (Source: wsj.com)

How the iPhone Recovery Key Exploit Works

It's important to recognize that executing this form of takeover is intricate. It necessitates criminals either closely observing an iPhone user as they enter their passcode - such as looking over their shoulder at a public place - or manipulating the device owner into revealing their passcode. All of this transpires before the physical theft of the device even occurs.

It's worth mentioning that groups of criminals have also resorted to using date rape drugs to render the victim unconscious (oftentimes at places where alcohol is served), then use the unconscious victim's Face ID to unlock the phone. According to Fox News, several of the druggings resulted in fatal overdoses. (Source: fox.com)

Once the thief has access to the phone, they are then able to employ the passcode to alter the device's Apple ID, deactivate the "Find My iPhone" feature to evade tracking, and subsequently reset the recovery key - a formidable 28-character code designed to protect against online hacking attempts.

Apple mandates this recovery key to facilitate resetting or regaining entry to an Apple ID, enhancing user security. However, if a thief modifies this key, the original owner loses access to it and gets locked out of the account.

An Apple spokesperson conveyed to CNN that "We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare ... We work tirelessly every day to protect our users' accounts and data, and are always investigating additional protections against emerging threats like this one." (Source: cnn.com)

Apple's official website issues a warning: "you're responsible for maintaining access to your trusted devices and your recovery key. If you lose both of these items, you could be locked out of your account permanently."

Jeff Pollard, Vice President and Principal Analyst at Forrester Research, recommended that Apple should expand customer support choices and establish avenues for Apple users to authenticate themselves in order to reset these settings.

Nonetheless, until further developments, users can adopt several measures to potentially shield themselves from falling victim to this situation.

How to Protect Yourself from an Attack

The initial step is safeguarding the passcode.

One way to prevent the passcode from being revealed is to use Face ID or Touch ID to unlock their phone in public, preventing the passcode from being visible to potential onlookers.

Users also have the option to configure a longer, alphanumeric passcode, rendering it more challenging for malicious actors to decipher. In case they suspect their passcode has been compromised, device owners should promptly change it.

Screen Time Configurations

Another measure that individuals might consider is a workaround not officially endorsed by Apple but circulating online. Within an iPhone's Screen Time settings - designed for guardians to enforce usage restrictions on children - a secondary password can be set up. This password would be necessary for any user attempting to change an Apple ID.

By enabling this setting, a thief would need to provide the secondary password before altering the Apple ID password.

Regular Data Backups

Lastly, users can enhance their protection by consistently backing up their iPhones using iCloud or iTunes. This practice ensures data retrieval in case of theft. Simultaneously, users may opt to store essential photos and sensitive files in alternative cloud services like Google Photos, Microsoft OneDrive, Amazon Photos, or Dropbox.

While this may not entirely prevent unauthorized access, it can mitigate some of the aftermath if such an incident occurs.