Wall Street Journal journalists Nicole Nguyen and Joanna Stern today published a report discussing how iPhone users are being locked out of their Apple ID accounts by thieves using Apple’s recovery key security option.
As the duo first reported in February, thieves have in multiple cases watched an iPhone user enter their passcode in public and then stolen the handset, giving them access to the phone and its contents. The victims interviewed in the original report said their iPhones were taken in bars and other public places.
Once a thief knows the passcode, they can reset the victim's Apple ID password from the Settings app within minutes, because iOS accepts the device passcode as proof of ownership for that change. The thief can then turn off Find My iPhone on the device, which prevents the owner from tracking its location or remotely erasing it.
In today's report, the journalists look at an additional step thieves can take: using the stolen device to set or reset a recovery key, a randomly generated 28-character code that, once the feature is enabled, becomes the way to regain access to the Apple ID.
The feature "gives users virtually no way back into their accounts without that recovery key," says the report. Because the key is generated on the stolen phone, the thief holds it and the owner does not. With full access to the iPhone, thieves can steal money through Apple Pay and possibly other banking and financial apps, and can read other sensitive data on the device, including photos and email.
Guard your Passcode in Public – Use Touch ID or Face ID
The report is a strong reminder to unlock your iPhone with Face ID or Touch ID when in public. On devices without those sensors, or whenever you do have to type the passcode, shield the screen as you enter it, much as debit card users are told to cover the keypad when entering a PIN at a point-of-sale terminal.
If you must use a passcode, switch from the default numeric passcode to a longer alphanumeric one, which is harder to shoulder-surf. (In the Settings app, go to Face ID & Passcode, tap "Change Passcode," then tap "Passcode Options" and choose "Custom Alphanumeric Code.")
To protect banking and other financial apps, use a strong, unique password and enable two-factor authentication, but do not have the second factor delivered by text message or email, since both would be readable on the stolen iPhone. The same caveat applies to an authenticator app installed on that same phone; a hardware security key or a code generator on a separate device is not exposed when the phone is taken.
Apple Responds to the Report
Apple responded to the report, saying it is “always investigating additional protections against emerging threats like this one.”
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” said an Apple spokesperson in response to The Wall Street Journal. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”