It’s so easy for unauthorized persons to get passwords on the iPhone

Criminals are always finding new ways to steal iPhone users’ passwords and banking information. A particularly perfidious scam is currently widespread, especially in the USA.

According to a comprehensive report by the Wall Street Journal, hundreds of people have now fallen victim to an astonishingly simple identity theft scam. To take over an Apple ID, passwords and banking details, access to the iPhone and its passcode is enough.

Unauthorized persons get access to passwords and data on the iPhone

Cases in which people have their iPhone stolen and are shortly afterwards locked out of their own Apple ID are increasing in the USA. The process is always similar: strangers watch a person enter their passcode (aka unlock PIN), then steal the iPhone and use the code to reset the Apple ID password. As a rule, all that is required is to enter a code, which is sent directly to the stolen iPhone via SMS. The criminals can use it to bypass locks like Face ID and Touch ID and lock the owners out of their own accounts with a new password. This also allows them to turn off the Find My feature, preventing owners from remotely locking or resetting the iPhone. They can also disconnect other Apple devices from the Apple ID that would otherwise have access to the account. At worst, the criminals set a one-time recovery key, without which an Apple ID password reset is no longer possible.

Access to Apple Pay and banking apps

If owners no longer have control over their iPhone and their Apple ID, the criminals have a free hand. With the passcode, they can access Apple Pay and even view passwords stored in iOS or a browser, and use them to find login credentials for banking apps. In the cases reported by the “Wall Street Journal”, the criminals were able to transfer several thousand to tens of thousands of US dollars within a few hours, send them via Venmo (a PayPal subsidiary) or spend them on purchases. But not only that: with the passwords from the iCloud keychain, they also have access to email accounts, social media and more. Occasionally, they were even able to find sensitive documents such as the Social Security number and passport in the Photos app. In the US, the Social Security number can be used to open an Apple Card that allows criminals to empty the account.

TECHBOOK asked Apple whether the company is planning additional security measures to put an end to identity theft and what users can do to protect themselves in the meantime. Once we get a response, we’ll update this article accordingly.

This is how you can protect yourself

There are ways to prevent criminals from using the iPhone and its passcode to lock users out of their Apple ID and access passwords.

Use alphanumeric passcode and password manager

Normally, the iPhone only needs a six-digit numeric code to set up a device lock. However, criminals can capture this relatively easily by simply observing the input, or even filming it. The Wall Street Journal reports that in some cases, strangers try to befriend users in order to take a picture together. In doing so, they turn off the iPhone, which then requires the passcode to be entered when it is turned back on.

So, first and foremost, you should use Face ID or Touch ID to unlock whenever possible. If the iPhone asks for manual input after a restart, enter the passcode only with your hand concealing it, as you would at an ATM. To make it more difficult for unauthorized persons to get hold of the combination, you can also set an alphanumeric passcode. In addition to numbers, this also contains letters and is therefore much more difficult to follow by watching. This option can be found in Settings under Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code.

Also, don’t save passwords in the iOS keychain; set up your own password manager instead. This allows you to ensure that nobody with the passcode gains access to your other passwords.

Create recovery key

The criminals take advantage of a loophole in Apple’s security design to reset the Apple ID with a new password: the reset only requires a trusted phone number, which in most cases is the number used on the iPhone itself. The code to complete the process then simply comes via SMS. Unfortunately, Apple does not plan to set up an authenticator app for this process.

However, iPhone owners have another option to prevent their Apple ID from being reset by unauthorized people. You can create a so-called recovery key, without which changing the password is not possible. This also prevents someone from setting a new trusted number or creating a new recovery key to lock you out of your own Apple ID.

Do not save photos of sensitive documents

It is convenient to always have your passport number at hand in the Photos app. However, this gives criminals even more to wreak havoc with. It is true that opening an account using simple photos of a document is more difficult in Germany than in the USA, but there is no harm in playing it safe. If absolutely necessary, you can store photos in the Notes app and password-protect them.

Source

Wall Street Journal: “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life” (accessed March 1, 2022)