Apple is addressing a security vulnerability that has allowed iPhone thieves to take over customers’ accounts, access saved passwords, steal money and lock people out of their digital memories.
A new iOS setting called Stolen Device Protection is designed to defend against these attacks. It is rolling out to beta testers starting Tuesday.
The Wall Street Journal reported on a nationwide spate of thefts where criminals used the iPhone passcode to break into victims’ accounts and upend their lives. Thieves in New York, Chicago, New Orleans, Minneapolis and other cities watch iPhone owners tap in their passcodes before stealing the targets’ devices.
The Journal’s reporting outlined for the first time how these thefts resulted in losses far beyond phones, and how Apple’s security settings gave victims few ways of preventing harm once their passcodes fell into the wrong hands. We have heard from hundreds of people over the past year whose iPhones and digital lives were stolen.
Apple is planning to include Stolen Device Protection in a coming software update. Still, users must turn the new setting on, and it won’t cover all threats to your personal and financial information on an iPhone. Here’s why you would want it, and what to consider even if you turn it on.
How it works
Your passcode, that short string of numbers that grants access to an iPhone, has powerful reach. With this number, typically four or six digits, thieves can access a lot of your data and make sweeping changes to your accounts. And when Face ID or Touch ID fails, the passcode serves as a fallback.
File: Person uses iPhone. (Credit: LOIC VENANCE / AFP via Getty Images)
If you enable the new Stolen Device Protection, your iPhone will restrict certain settings when you are away from a location familiar to the iPhone, such as your home or work. Here’s the rundown:
Apple ID password change
• If you do nothing: A thief can use the passcode to change your Apple account password and lock you out. This move is the key to thieves turning off Find My and wiping phones for resale. Since you, the iPhone’s owner, don’t have the changed Apple ID password, you can’t immediately locate your iPhone or remotely wipe its data.
• With Stolen Device Protection: If you want to change an Apple ID password when away from a familiar location, the device will require your Face ID or Touch ID. It will then implement an hour-long delay before you can perform the action. After that hour has passed, you will have to reconfirm with another Face ID or Touch ID scan. Only then can the password be changed.
Update Apple security settings
• If you do nothing: A thief can use the passcode to enable what is called a recovery key. Apple designed the setting to protect users from online hackers. But if a thief adds a recovery key, you can’t reset your Apple ID password with your phone number or email. That means losing access to all your photos, files and whatever is saved in iCloud—possibly forever.
• With Stolen Device Protection: As with changing the Apple ID password, enabling or changing the recovery key or trusted phone number will require two biometric scans an hour apart. (Needless to say, thieves couldn’t use the passcode to immediately turn off Stolen Device Protection itself—that, too, will require the same biometric scans and security delay.)
Accessing passwords in Keychain
• If you do nothing: When you use Apple’s iCloud Keychain as a password manager to store passwords for your bank, cash and crypto apps, a thief could use the iPhone passcode to unlock the Keychain and access them all. We have heard from plenty of people who said thieves transferred tens of thousands of dollars from their accounts.
• With Stolen Device Protection: The device requires your Face ID or Touch ID to access those passwords. The passcode will no longer serve as a backup for failed biometrics.
What can still be stolen
A thief with your iPhone and its passcode can still unlock your phone, even when Stolen Device Protection is on. Any app that isn’t protected by an additional password or PIN is vulnerable. So are accounts that can be reset by text or email. And Apple Pay still works with a passcode if Face ID or Touch ID fails. That’s why we suggest the following:
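The rundown above and the limits just described amount to a small authorization policy: away from a familiar location, the passcode stops being a fallback for sensitive actions, Keychain access needs a biometric, and account-level changes need a biometric, an hour-long delay, then a second biometric. The Python model below is an added example written for this article; it is not Apple's code and does not describe how iOS implements the feature. The action names, the boolean standing in for Apple's familiar-location check, and the per-action timer are all assumptions made to keep the model readable.

```python
"""Toy model of the Stolen Device Protection policy described in the article.

Constructed for illustration only; the action names, the familiar-location
flag and the per-action delay bookkeeping are assumptions, not Apple's design.
"""
from dataclasses import dataclass, field
from enum import Enum, auto

SECURITY_DELAY_SECONDS = 60 * 60  # the article's "hour-long delay"


class Auth(Enum):
    PASSCODE = auto()   # the 4/6-digit or alphanumeric code a thief may have shoulder-surfed
    BIOMETRIC = auto()  # Face ID / Touch ID


# Account-level changes that need biometric -> delay -> biometric (assumed names).
DELAYED_ACTIONS = {
    "change_apple_id_password",
    "set_recovery_key",
    "change_trusted_phone_number",
    "disable_stolen_device_protection",
}
# Actions that need a biometric but no delay (assumed name).
BIOMETRIC_ONLY_ACTIONS = {"read_keychain_passwords"}


@dataclass
class DeviceState:
    protection_enabled: bool
    at_familiar_location: bool
    # action -> timestamp at which its security delay expires
    pending: dict = field(default_factory=dict)


def request_action(dev: DeviceState, action: str, auth: Auth, now: float) -> str:
    """Return 'allowed', 'denied' or 'delayed' for one attempt at `action`."""
    restricted = action in DELAYED_ACTIONS or action in BIOMETRIC_ONLY_ACTIONS
    if not restricted:
        # Anything outside the feature's scope still opens with the passcode,
        # which is the article's "what can still be stolen" point.
        return "allowed"
    if not dev.protection_enabled or dev.at_familiar_location:
        # Feature off, or at home/work: pre-existing behaviour, passcode suffices.
        return "allowed"
    if auth is not Auth.BIOMETRIC:
        # Away from familiar locations the passcode is no longer a fallback.
        return "denied"
    if action in BIOMETRIC_ONLY_ACTIONS:
        return "allowed"
    ready_at = dev.pending.get(action)
    if ready_at is None:
        # First biometric scan starts the clock; nothing changes yet.
        dev.pending[action] = now + SECURITY_DELAY_SECONDS
        return "delayed"
    if now < ready_at:
        return "delayed"
    # Second biometric scan after the delay completes the change.
    del dev.pending[action]
    return "allowed"


def simulate_theft_scenario() -> list:
    """Constructed sequence: a thief with the passcode, then the owner with biometrics."""
    dev = DeviceState(protection_enabled=True, at_familiar_location=False)
    t0 = 0.0
    return [
        # thief tries the takeover steps the article describes, using only the passcode
        request_action(dev, "change_apple_id_password", Auth.PASSCODE, t0),
        request_action(dev, "read_keychain_passwords", Auth.PASSCODE, t0),
        request_action(dev, "disable_stolen_device_protection", Auth.PASSCODE, t0),
        # an unprotected app (no extra PIN) still opens with the passcode
        request_action(dev, "open_unprotected_app", Auth.PASSCODE, t0),
        # the owner starts a password change: first scan, clock starts
        request_action(dev, "change_apple_id_password", Auth.BIOMETRIC, t0),
        # half an hour later a passcode cannot finish it
        request_action(dev, "change_apple_id_password", Auth.PASSCODE, t0 + 1800),
        # after the hour, the second scan completes the change
        request_action(dev, "change_apple_id_password", Auth.BIOMETRIC, t0 + SECURITY_DELAY_SECONDS),
        # Keychain needs a biometric but no delay
        request_action(dev, "read_keychain_passwords", Auth.BIOMETRIC, t0),
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(simulate_theft_scenario(), 1):
        print(step, outcome)
```

The model makes the trade-off visible: the delay only raises the bar for the account-level changes in the rundown, and a passcode thief keeps everything the feature does not cover, which is why the article still recommends per-app PINs and a fast remote wipe.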
Don’t give your passcode to strangers. Hide it in public, and always try to use Face ID or Touch ID.
Create a hard-to-guess alphanumeric passcode. A string of letters and numbers is much harder for a thief to snoop than a six-digit code. Go to Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code.
Add PINs to cash and crypto apps. Add protection to Venmo and Cash App by enabling an additional PIN or biometrics. You can also set up a separate passcode to protect Coinbase or Robinhood in security settings.
Act quickly to remotely wipe your device. If we have learned anything from our reporting, it’s that the toll of a stolen phone can be much more than just the cost of the device. So if a thief does get hold of your iPhone, act quickly. Memorize this simple web address: icloud.com/find. You can use it on any device or web browser to log in and remotely erase the data on your missing or stolen device. (You should always back up your phone to iCloud.)
When Apple releases Stolen Device Protection, it plans to prompt users to turn it on. You will find the setting under Face ID & Passcode.