If you take only two steps of the many listed here, they are:
(1) When at all possible, use Face ID or Touch ID — not your passcode — when in public
(2) Change your passcode into an alphanumeric one rather than just numbers (instructions below)
How to Protect Your iPhone Data From Thieves
Strengthen your passcode and use Screen Time controls to keep a predator you meet in real life from hijacking your digital life
By Nicole Nguyen and Joanna Stern
Feb. 24, 2023 10:22 am ET
Our phones are a portal to everything that’s important to us—our most sensitive communications, our life savings, our photos. You’d think all that would be protected by something more complex than a four- or six-digit passcode.
And yet, as we reported, thieves across the country are stealing iPhones along with their passcodes. They are getting it all: cash from bank apps, access to credit cards via Apple AAPL -1.80%decrease; red down pointing triangle Pay and more.
That same code also allows these thieves to lock people out of their Apple accounts. Years of photos, notes and messages from loved ones? Gone. It made us think, should we really trust all our data to one big tech company?
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple Inc. spokeswoman said, adding that the company says these attacks are uncommon because they require the theft of the device and the passcode. “We will continue to advance the protections to help keep user accounts secure,” she said.
We’ve long talked about the importance of strong, unique passwords, those alphanumeric strings used to safeguard online accounts. But it’s the passcode, the short string of numbers used to unlock your device, that presents a unique vulnerability.
Even a recent upgrade by Apple doesn’t solve the issue. The company introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.
After speaking to victims whose passcodes were used to pillage their digital homes, we changed the ways we protect and use our iPhones. Here’s what you should do—and what Apple could do—to discourage these attacks.
Anatomy of the attack
[click thru URL above to see this graphic and weep]
What You Should Do
If you’re thinking, “I already use Face ID so I’m fine,” think again. When Face ID or Touch ID fail—or when the iPhone restarts—the phone asks for the passcode.
This is true for unlocking the device, but also for authorizing Apple Pay, opening the iCloud Keychain password manager and more. The passcode enables you to change your Apple ID password.
(Thieves could use a passcode for similar access on Android phones, but law enforcement officials we spoke to said criminals mostly target iPhones, due to their higher resale value.)
You can’t always avoid device theft, but you can make it harder for thieves to get access to the data on your device.
• Cover your screen in public. According to law-enforcement authorities, thieves devise clever ways to learn people’s passcodes, including filming them from afar.
When you’re out and about, rely on Face ID or Touch ID whenever possible to prevent passcode snooping. In cases where you have to type it, treat your passcode like an ATM PIN. Don’t type the code in front of strangers.
• Strengthen your passcode. Use at least six digits and make it complex. No more 1-2-3-4. Longer passcodes are harder to “shoulder surf,” said Adam Aviv, associate professor of computer science at George Washington University.
Longer, more complex passcodes are harder to snoop. To change yours to one with numbers and letters, go to Face ID & Passcode in Settings, then Change Password. Tap Passcode Options, then Custom Alphanumeric Code.PHOTO ILLUSTRATION: NICOLE NGUYEN/THE WALL STREET JOURNAL
We changed over to alphanumeric passcodes: Go to Settings > Face ID & Passcode > Change Passcode. When selecting a new passcode, tap Passcode Options > Custom Alphanumeric Code.
In Display & Brightness settings, set your Auto-Lock to 30 seconds, the shortest possible time, so your phone is never left unlocked for too long.
• Enable additional protection. Some apps, such as Venmo, PayPal and Cash App, let you add a passcode. Just don’t use the same one as your iPhone.
You can also set up a Screen Time passcode for yourself, then enable account restrictions to prevent an Apple ID password change, the way parents do with their kids’ devices. In Settings, go to Screen Time > Content & Privacy Restrictions, then toggle Content & Privacy Restrictions on. If you haven’t already set up Screen Time, you’ll need to choose a passcode. (Again, make it different from your iPhone’s.)
Scroll down to the Allow Changes section, and where it says Account Changes, select Don’t Allow. Whenever you need to access your iCloud account settings, you’ll have to go to Screen Time and re-enable this.
• Use a third-party password manager. While Apple’s built-in iCloud Keychain password manager is convenient, the passwords saved there can be accessed using the passcode. That’s a way for thieves to access bank accounts on their victims’ iPhones. You should remove all sensitive passwords.
Instead, use a third-party password manager, such as 1Password or Dashlane, which offer biometric authentication, but prompt for a separate master password if it fails.
• Delete scans of sensitive information. Thieves have used information found in photos on the iPhone, including forms that had a Social Security number, to open up an Apple credit card. Search terms like “passport” “license” and “SSN” in your Apple Photos app to see if you have any. If you need digital copies of sensitive documents, use the secure file storage in a third-party password manager.
• If your iPhone is stolen, act quickly. Sign into iCloud.com on another device as soon as you can, and click Find Devices to remotely wipe your phone. Call your cellular carrier or visit a retail store to deactivate the stolen phone’s SIM, so the thief can’t receive verification codes. Log on to sensitive accounts, such as Google, Venmo and Amazon, to change passwords and revoke access from the stolen device.
In the event of iPhone phone theft, you can remotely wipe your device without a verification code. Log onto iCloud with your Apple ID username and password, then click Find Devices when prompted for a code.PHOTO: NICOLE NGUYEN/THE WALL STREET JOURNAL
What Apple Could Do
• Let people add extra Apple ID password protection. The iPhone’s software doesn’t require users to enter an older password to set a new one for the Apple ID, the login that accesses all Apple services. Requiring an extra PIN, a previous password or a security key to protect the Apple ID could prevent account takeovers. Android phones, which similarly accept passcodes to change Google account passwords, should also offer extra protection.
• Password-protect the iCloud Keychain. The iPhone’s passcode grants access to all credentials stored in the built-in password manager. If Face ID or Touch ID don’t work or are deactivated, the Keychain should require a password or independent passcode.
• Protect account recovery from hijackers. Some victims we spoke to couldn’t regain access to their iCloud account because thieves had changed the backup phone number or enabled a recovery key. Google lets people whose accounts were hijacked provide a previous backup recovery email, phone number or account password to prove their identity. Apple should consider doing the same, as well as accepting other identification, including government-issued IDs.
Yes, Apple can do more, but one big piece remains on us:
“The most important thing is awareness,” says Sgt. Robert Illetschko, the lead investigator on such iPhone theft cases in Minneapolis. “People forget that what they’re holding in their hand is their entire life.” He adds, “If someone has access to it, they can do a lot of damage.”
PHOTO ILLUSTRATION: ELENA SCOTTI/THE WALL STREET JOURNAL, KENNY WASSUS; ISTOCK
—For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.
Write to Nicole Nguyen at email@example.com and Joanna Stern at firstname.lastname@example.org