🔐 The iPhone Security Problem

Issue 40-Technology

Luke Rapaka
5 min read · Jun 1, 2023

iPhones and Apple products in general are considered to have very good security measures. This reputation comes from Apple’s advertisements and from the number of features the products have, for example, the ability to disable tracking. Recently, a new trend of locking owners out of their iCloud accounts has arisen and is becoming a big problem. So in this article, I’m going to explain what happens, what thieves do, and what you can do right now to protect yourself! Make sure to like, share, follow, and check out my LinkedIn page here!

How The Scheme Works

Most of these cases occur at bars or other places where people find themselves distracted and not fully attentive. A thief may watch over your shoulder as you enter the passcode into your phone and jot it down. The thief may try to befriend you by doing something nice, but when you least expect it, they’ll grab your iPhone and take off. Now, okay, you just lost your phone. Your first thought may be to borrow someone else’s phone to log in to Find My iPhone, but it isn’t as simple as that!

How A Thief Locks You Out Of Your Apple Account

After your iPhone is taken, the thief’s first steps are to put in the passcode, go to Settings, click on the iCloud name, select “Password & Security”, and change the password. Here, the thief can change the password for your entire Apple account, which may hold all your photos, files, messages, contacts, and so much more. The problem is that the iPhone's passcode is the only check required before the Apple ID password can be changed. Since the thieves already have the passcode, they can easily change the iCloud password and lock you out of your Apple Account. If you then try to log in to Find My iPhone, you won’t be able to get in, because the thief has locked you out of your Apple Account.

It’s even more unlikely that you’ll be able to track your phone after the thieves change the Apple ID password, because they can also turn off Find My iPhone tracking. They may also select an option to “sign out of all trusted devices,” so that even if you have an iPad or Mac that could give you access to your Apple Account, it won’t work. They may also turn on something called a recovery key, which we’ll go more in-depth on later in the article.

After locking you out of the Apple Account, the thieves will then try to access banking apps. Most banking apps make you log in every time you open them, for security purposes. However, lots of people have their passwords stored in Apple’s built-in password manager, which unfortunately can be unlocked with biometric authentication or the iPhone passcode. The thieves may also try to open credit cards in the victim’s name, since they already have the person’s SSN and other details from photos or documents stored on the phone.

The Recovery Key Problem

I mentioned something called a recovery key earlier. This is key to modifying your Apple Account. The thieves use the passcode to turn on the recovery key before they do anything else on the phone so that the owners can’t remotely erase the device or use Find My iPhone. This is an additional barrier to keep you from getting back into your Apple Account. First, they change the main lock, the Apple Account password, which can be changed with the passcode. If they only change the account password, you can still get back in with the “forgot your password” button. You just need to provide some details like your phone number and you should be good. However, the thieves may change the trusted phone number to theirs and then turn on the recovery key, which is a unique 28-character code. This code is then needed to change the Apple Account password. The main flaw here is that even if you had a recovery key turned on before your phone was taken, thieves can create a new one to replace it. Apple allows this as a convenience for people who misplace their original code. If you lose this key, you may never be able to get into your iCloud account ever again!

What About Android?

You may be wondering why this is mainly a problem with iPhones. In reality, this problem very much exists on Android phones as well, with the passcode having many of the same functions as on iOS. The reason it mainly affects iPhones is their resale value. People generally like to think of Android phones as “cheaper”, and that’s why, when you go to a place like Back Market, which specializes in refurbished devices, the resale value of iPhones is much greater than that of a comparable Android.

The Solution

Apple is currently working on improving its security measures against these sorts of attacks. Until then, however, here are four things that we can do to keep our Apple Account safe.

  1. Remove Passwords From iCloud Keychain — As mentioned previously, the thieves use this to access any saved passwords to your accounts. Go to Settings, scroll down to Passwords, and then delete all the ones you have. Try using a different app like Microsoft Authenticator and enable the PIN feature on that. Make sure to set this PIN to something that’s not the same as your iPhone password.
  2. Remove Sensitive Information — Remove pictures or documents of your ID or passport so the thieves don’t have formal identification of you.
  3. Change Your Passcode — Make your passcode hard to see or guess. Try using a 6-digit passcode or an alphanumeric code, which is the better option.
  4. Prevent Account Modification — Go to Settings, Screen Time, and use the Screen Time passcode. Make sure to set this to something different from your main passcode. After this, go to “content & privacy restrictions”, turn on the toggle at the top, then scroll down to the allow changes section. Click “passcode changes” and “account changes”, and make sure to set both to don’t allow. This way, a thief can’t change the Apple ID password or add a recovery key if your iPhone is stolen.

Thanks for reading this week’s article. I hope you learned something new about what this problem is and how to keep your iPhone secure. I’ll talk to you next week!

— Luke Rapaka


Luke Rapaka

📓 Student + 📖 Studying CS & 👨‍💻Research Assistant @ Kent State University + 📰 Newsletter Writer