We all know that an iPhone passcode is supposed to remain private. However, Joanna Stern of the Wall Street Journal recently published an alarming story, and accompanying video, that highlights just how critical this is. In this post, I want to describe the problem, then discuss some steps you can take to protect yourself.
The scam
Stern’s investigation revealed that access to a short string of numbers—your iPhone passcode—can unravel your entire digital life. Criminals working in teams, around the country, have come up with ways to cause a victim to unlock their iPhone by typing in their passcodes. Perhaps someone talks to the victim in a bar and volunteers to take a picture with the victim’s iPhone, pressing the buttons on the side of the iPhone to put the iPhone in the mode where it must be unlocked with a passcode instead of FaceID or TouchID. Next, a different criminal watching over a shoulder or taking a video recording from across the room watches the victim unlock the iPhone with a passcode, thereby learning the passcode. Finally, the criminals grab the victim’s iPhone to steal it.
The consequence of having both your iPhone and your passcode stolen are more dire than you probably realized. First, a criminal with your passcode can not only change your passcode (blocking you from using it even if you recover the iPhone) but, far worse, can change your Apple ID password, even without knowing your current Apple ID password. With the new Apple ID password, the criminal can turn off Find My iPhone.
Think about that. The first thing that you would probably think to do if your iPhone was lost—track it with Find My iPhone—becomes impossible almost immediately after your iPhone is stolen.
The criminals might then use your iPhone and passcode to pay for items (using the credit cards in the wallet on your iPhone) or send money to themselves (via Apple Cash). Even worse, if you use Apple’s built-in password management tool to store passwords for things like your bank, the criminals might access your bank account online and transfer money from you to them. Joanna Stern learned of many people who had $10,000 stolen from their accounts.
A criminal with your Apple ID password can also easily delete a lot of your information—perhaps most notably, all of your pictures. And with your Apple ID password changed, this can result in you losing access to all of your photos on all of your devices—computers, iPads, etc.—as one of the victims interviewed by Stern described.
These are the highlights from this story, but I encourage you to read the story for more details. (If you hit a paywall, remember that you can read the Wall Street Journal in the Apple News app if you subscribe to Apple News+) And whether or not you read the story, I recommend that you watch the excellent video that Stern created, which I’ll embed right here:
Steps you can take to protect yourself
Stern discusses some possible solutions in her video. I have similar advice.
First, you need to keep your passcode private. We all already know this, but perhaps knowledge of this specific scam will encourage us all to be more serious about it. Anytime that you type your passcode in public, shield the screen in a way that someone looking ever your shoulder cannot see what you are typing. The scam described by Stern in her article may not work on all iPhones, and you may have other protections if your iPhone is subject to Mobile Device Management, but play it safe. Keep your passcode private, at all times.
Second, consider using a more complex passcode. The default iPhone passcode is six digits. It is possible to change that to only four digits, but you should not do so. In fact, consider doing just the opposite: more than six digits, or a combination of numbers and letters. Apple explains on this page how to use a more complex passcode. That's what I do, and I got used to it very quickly.
Third, be very careful about giving your iPhone to someone else—especially someone who you don’t know. If you do so anyway, and if they hand your iPhone back to you and suddenly you need to enter your passcode, that should be a red flag. It doesn’t necessarily mean that they are a criminal; it could just be that your iPhone tried to unlock with their fingerprint or their face and put itself in the mode where a passcode is required, but be safe and treat this as a sign to proceed cautiously.
Fourth, you should strongly consider using a third-party password manager instead of Apple’s built-in password manager—not only for passwords, but for other information and photos. And in light of the recent troubles at LastPass, the only one that I recommend right now is 1Password. Stern’s story notes that criminals were able to access passwords using Apple’s built-in password manager and could access pictures in the Photos app of items like social security cards, passports, driver’s licenses, and other confidential documents. A password manager can store not just passwords but also confidential information, confidential photos, confidential documents, etc. Even if a criminal has physical access to your iPhone and the passcode, the criminal still cannot access items in your password manager because they are locked behind a different password.
Fifth, use two-factor authentication (“2FA” or “MFA” for multi-factor authentication) when you can, and avoid using a text message as the second form of authentication if you have a choice. When there is a choice, it is much better to use another app like 1Password to store the one-time passcode (one that changes every 30 seconds). I’ll be honest: this is a little complicated to set up, especially the first time you do so, but it gets easier every time. And if you have read this far into this post, I suspect that you appreciate the value of security, so the trouble is likely worth it for you. Unfortunately, some banks and other institutions don’t give you a 2FA option other than text messages, which of course offers you zero extra protection when the criminal has access to your iPhone.
It would not surprise me if Stern’s story and similar news of these scams prompts Apple to make some changes to the iPhone that make some of the steps being used by criminals either impossible or more difficult. But then again, Apple may not do so because this scam has still only impacted a very small percentage of iPhone owners, and Apple knows that almost every step taken to increase security can also make life more difficult for innocent iPhone owners in some other way. Plus, even if Apple makes changes, clever criminals may find new workarounds. Fortunately, the steps that I recommend above can help to protect you regardless of whether Apple, or the criminals, change their approaches.