Our phones are a portal to everything that’s important to us—our most sensitive communications, our life savings, our photos. You’d think all that would be protected by something more complex than a four- or six-digit passcode.
And yet, as we reported, thieves across the country are stealing iPhones along with their passcodes. They are getting it all: cash from bank apps, access to credit cards via Apple Pay and more.
That same code also allows these thieves to lock people out of their Apple accounts. Years of photos, notes and messages from loved ones? Gone. It made us think, should we really trust all our data to one big tech company?
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple Inc. spokeswoman said, adding that the company says these attacks are uncommon because they require the theft of the device and the passcode. “We will continue to advance the protections to help keep user accounts secure,” she said.
We’ve long talked about the importance of strong, unique passwords, those alphanumeric strings used to safeguard online accounts. But it’s the passcode, the short string of numbers used to unlock your device, that presents a unique vulnerability.
After speaking to victims whose passcodes were used to pillage their digital homes, we changed the ways we protect and use our iPhones. Here’s what you should do—and what Apple could do—to discourage these attacks.
Anatomy of the attack
The thief watches you type your passcode, then steals your iPhone. With both device and passcode, the thief can:
• Access payment apps like Venmo
• Force sign out of trusted devices
• Find bank app passwords stored in iCloud Keychain
• Open a credit card using personal info found in photos
The result: your financial accounts get looted, you are locked out of your Apple iCloud account, and you can’t remotely wipe your device to protect your data.
What You Should Do
If you’re thinking, “I already use Face ID so I’m fine,” think again. When Face ID or Touch ID fail—or when the iPhone restarts—the phone asks for the passcode.
This is true for unlocking the device, but also for authorizing Apple Pay, opening the iCloud Keychain password manager and more. The passcode enables you to change your Apple ID password.
(Thieves could use a passcode for similar access on Android phones, but law enforcement officials we spoke to said criminals mostly target iPhones, due to their higher resale value.)
You can’t always avoid device theft, but you can make it harder for thieves to get access to the data on your device.
• Cover your screen in public. According to law-enforcement authorities, thieves devise clever ways to learn people’s passcodes, including filming them from afar.
When you’re out and about, rely on Face ID or Touch ID whenever possible to prevent passcode snooping. In cases where you have to type it, treat your passcode like an ATM PIN. Don’t type the code in front of strangers.
• Strengthen your passcode. Use at least six digits and make it complex. No more 1-2-3-4. Longer passcodes are harder to “shoulder surf,” said Adam Aviv, associate professor of computer science at George Washington University.
We changed over to alphanumeric passcodes: Go to Settings > Face ID & Passcode > Change Passcode. When selecting a new passcode, tap Passcode Options > Custom Alphanumeric Code.
In Display & Brightness settings, set your Auto-Lock to 30 seconds, the shortest possible time, so your phone is never left unlocked for too long.
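As an added illustration of the passcode advice above (this is example code written for this page, not Apple’s own logic), the small checker below flags the weak patterns the article warns against, such as 1-2-3-4, repeated digits and short codes, and reports the keyspace in bits so you can compare a four-digit PIN, a six-digit PIN and a custom alphanumeric code. The common-PIN list and the thresholds are this example’s own assumptions.

```python
import math
import string

# Constructed sample of widely used PINs; a real policy would use a larger list.
COMMON_PINS = {"0000", "1111", "1234", "123456", "000000", "111111", "654321", "123123"}

# Weakness labels returned by weaknesses(); kept as constants so callers can match on them.
TOO_SHORT = "shorter than 6 characters"
COMMON = "on common-PIN list"
REPEATED = "single repeated character"
SEQUENTIAL = "sequential digits"
DIGITS_ONLY = "digits only: consider a custom alphanumeric code"


def keyspace_bits(passcode: str) -> float:
    """Upper bound, in bits, on the keyspace of a code of this length and character mix.

    Digit-only codes use a 10-symbol alphabet; alphanumeric codes get credit for
    each character class actually present (lower, upper, digit, punctuation).
    """
    if passcode.isdigit():
        alphabet = 10
    else:
        alphabet = 0
        if any(c.islower() for c in passcode):
            alphabet += 26
        if any(c.isupper() for c in passcode):
            alphabet += 26
        if any(c.isdigit() for c in passcode):
            alphabet += 10
        if any(c in string.punctuation for c in passcode):
            alphabet += len(string.punctuation)
    return len(passcode) * math.log2(alphabet) if alphabet else 0.0


def is_sequential(digits: str) -> bool:
    """True for straight runs such as 1234 or 6543 (every step is +1 or every step is -1)."""
    if len(digits) < 4 or not digits.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def weaknesses(passcode: str) -> list[str]:
    """Return the list of weak-pattern labels that apply to the passcode (empty means none found)."""
    issues = []
    if len(passcode) < 6:
        issues.append(TOO_SHORT)
    if passcode in COMMON_PINS:
        issues.append(COMMON)
    if len(set(passcode)) == 1:
        issues.append(REPEATED)
    if is_sequential(passcode):
        issues.append(SEQUENTIAL)
    if passcode.isdigit():
        issues.append(DIGITS_ONLY)
    return issues


if __name__ == "__main__":
    # Constructed sample codes, from the article's "1-2-3-4" to a custom alphanumeric code.
    for code in ("1234", "123456", "482917", "Tr0ub4dor&"):
        print(f"{code!r}: {keyspace_bits(code):.1f} bits, issues={weaknesses(code)}")
```

Run it as a script to see the comparison: the six-digit PIN roughly doubles the bits of the four-digit one, while the alphanumeric code is in a different league entirely, which is the practical reason for the switch described above.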
• Enable additional protection. Some apps, such as Venmo, PayPal and Cash App, let you add a passcode. Just don’t use the same one as your iPhone.
You can also set up a Screen Time passcode for yourself, then enable account restrictions to prevent an Apple ID password change, the way parents do with their kids’ devices. In Settings, go to Screen Time > Content & Privacy Restrictions, then toggle Content & Privacy Restrictions on. If you haven’t already set up Screen Time, you’ll need to choose a passcode. (Again, make it different from your iPhone’s.)
Scroll down to the Allow Changes section, and where it says Account Changes, select Don’t Allow. Whenever you need to access your iCloud account settings, you’ll have to go to Screen Time and re-enable this.
• Use a third-party password manager. While Apple’s built-in iCloud Keychain password manager is convenient, the passwords saved there can be accessed using the passcode. That’s a way for thieves to access bank accounts on their victims’ iPhones. You should remove all sensitive passwords.
Instead, use a third-party password manager, such as 1Password or Dashlane, which offer biometric authentication, but prompt for a separate master password if it fails.
• Delete scans of sensitive information. Thieves have used information found in photos on the iPhone, including forms that had a Social Security number, to open up an Apple credit card. Search terms like “passport,” “license” and “SSN” in your Apple Photos app to see if you have any. If you need digital copies of sensitive documents, use the secure file storage in a third-party password manager.
• If your iPhone is stolen, act quickly. Sign into iCloud.com on another device as soon as you can, and click Find Devices to remotely wipe your phone. Call your cellular carrier or visit a retail store to deactivate the stolen phone’s SIM, so the thief can’t receive verification codes. Log on to sensitive accounts, such as Google, Venmo and to change passwords and revoke access from the stolen device.
What Apple Could Do
• Let people add extra Apple ID password protection. The iPhone’s software doesn’t require users to enter an older password to set a new one for the Apple ID, the login that accesses all Apple services. Requiring an extra PIN, a previous password or a security key to protect the Apple ID could prevent account takeovers. Android phones, which similarly accept passcodes to change Google account passwords, should also offer extra protection.
• Password-protect the iCloud Keychain. The iPhone’s passcode grants access to all credentials stored in the built-in password manager. If Face ID or Touch ID don’t work or are deactivated, the Keychain should require a password or independent passcode.
• Protect account recovery from hijackers. Some victims we spoke to couldn’t regain access to their iCloud account because thieves had changed the backup phone number or enabled a recovery key. Google lets people whose accounts were hijacked provide a previous backup recovery email, phone number or account password to prove their identity. Apple should consider doing the same, as well as accepting other identification, including government-issued IDs.
Yes, Apple can do more, but one big piece remains on us:
“The most important thing is awareness,” says Sgt. Robert Illetschko, the lead investigator on such iPhone theft cases in Minneapolis. “People forget that what they’re holding in their hand is their entire life.” He adds, “If someone has access to it, they can do a lot of damage.”
Write to Nicole Nguyen at nicole.nguyen@wsj.com and Joanna Stern at joanna.stern@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.