07 Mar Security News: iPhone users targeted in phone AND data theft campaign
Reprinted from Malwarebytes Labs
When is an iPhone theft not just an iPhone theft? When the user’s Apple ID, and more, goes with it.
That’s what the Wall Street Journal reports has been happening over recent months. The paper interviewed a handful of people who fell victim to old-school phone theft while out in a bar. But it wasn’t just the phone that was taken. In minutes, they were also denied access to their Apple accounts and everything attached to them, including photos, videos, contacts, notes, and more.
Some of the victims were robbed of thousands of dollars in the form of drained bank accounts, money taken from Venmo or other money-sending apps, and Apple Pay charges.
Most victims have shared the same story: They are befriended by a small group of two to three people. At some point in the evening, a gang member watches the victim entering their passcode (law enforcement says sometimes members secretly film this process). Then the phone is stolen, usually without the victim noticing.
Some victims say they were physically assaulted and threatened into revealing their passcode. Others believe they were drugged and don’t remember how their phone got swiped.
Once the phone has gone, the thieves log in to the person’s Apple ID and change it to something of their own. None of Apple’s current security features—Face ID and Touch ID—can protect users from thieves who have physical access to a phone and know its passcode. Even the new security key meant to protect Apple IDs doesn’t prevent anyone from making account changes using only a passcode. Surprisingly, a passcode can be used to remove security keys from an account.
Device theft cannot be completely avoided. But, learning from the thieves’ modus operandi, iPhone users can still take steps to minimize the likelihood of becoming successful targets.
“People forget that what they’re holding in their hand is their entire life,” says Sgt. Robert Illetschko, an investigator on iPhone theft cases in Minneapolis. “If someone has access to it, they can do a lot of damage.”
How to protect your iPhone data
1. Cover your screen in public
Thieves use various tactics to get their victim’s passcode. These include shoulder surfing and surreptitious video recording. When you’re in public, practice keeping your passcode away from prying eyes. One way of doing this is relying on a different lock method, like Face ID or Touch ID. Treat your passcode as you would an ATM PIN.
2. Strengthen your passcode
Make your passcode one which isn’t easily guessed (so no 1234 here!). Even better if you can use an alphanumeric passcode.
3. Enable Screen Time
Screen Time is normally used as a parental control tool to prevent children from accessing certain iPhone features, such as sharing photos, and apps like Camera. It also, crucially, disables access to your Apple ID. Screen Time uses a passcode, which is different from your device passcode. Here’s how to enable Screen Time:
- Go to Settings > Screen Time > Content & Privacy Restrictions.
- Enable Content & Privacy Restrictions.
- Scroll down to Account Changes and change to “Don’t Allow”.
- Go back two screens to Screen Time, then tap Use Screen Time Passcode. Follow the prompts.
Note: This is a bit of a faff and may annoy some people, but it’s worth trying it out to see if you can live with it.
4. Add more protection to apps
It’s worth taking a look at the security settings in your banking and money transfer apps, and putting the strongest security possible on them. Venmo, for example, lets users add a passcode—just make sure it isn’t the same as your iPhone passcode.
5. Use a password manager
We’re not referring to Apple’s iCloud Keychain password manager but a third-party one like 1Password, which offers biometric authentication.
6. Delete photos and scans of important documents on the phone
Since thieves can search for “SSN”, “passport”, “license”, and other PII (personally identifiable information), it’s best to have important files removed from the phone. If you really need to have important documents with you, store them in your third-party password manager.
7. Act quickly
If you spot your iPhone is missing, sign in to your iCloud using another device and remote wipe your phone as soon as you can. Call your carrier to deactivate your SIM, too, so thieves can’t receive any SMS verification. Finally, change the passwords of any accounts you use on the phone, and revoke all access from devices.