Recent iPhone thefts highlight the danger of using passcodes in public

A new report from The Wall Street Journal looks at a recent trend of iPhone thefts that have happened across the US. Instead of just looking to snatch devices, these thieves are watching for passcodes so they can immediately get into iPhones, change Apple ID passwords, access financial accounts, and more. Here’s a look at the risks of using an iPhone passcode in public, how much power the passcode wields, and some steps to keep yourself safer.

WSJ’s Joanna Stern has been hearing from victims about a specific kind of iPhone theft. What’s happening is thieves are watching for people to enter their passcodes in public places like bars before stealing the devices, sometimes right out of their hands.

Joanna interviewed one victim whose entire digital life was lost after her iPhone was stolen with the thieves changing her Apple ID password within 3 minutes of taking her smartphone. Then they stole thousands of dollars through Apple Pay, opened an Apple Card to make fraudulent charges, and more using the passcode they obtained.

These thieves often work in groups with one distracting a victim while another records over a shoulder as they enter their passcode. Others have been known to even befriend victims, asking them to open social media or other apps on their iPhones so they can watch and memorize the passcode before stealing it.

A 12-person crime ring in Minnesota was recently taken down after targeting iPhones like this in bars. Almost $300,000 was stolen from 40 victims by this group before they were caught.

What about Face ID?

You might be thinking, why not just use Face ID in public? That’s definitely one way to avoid this issue, but the feature doesn’t always work, and it can be easy to not give a second thought to manually entering a passcode as that’s what iOS asks for if Face ID isn’t successful.

Also, some people may not have Face ID or Touch ID set up at all.

The power of the passcode

Joanna notes the tricky part about all this is how much power the iPhone passcode has. Once a thief has it, they can change a victim’s Apple ID password, access any passwords saved with iCloud Keychain, send/steal money via Apple Pay or other financial apps, and more.

Locking apps to only work with Face ID isn’t a viable solution for Apple to increase security as there needs to be a secondary authentication method for times the feature doesn’t work, if someone has had an accident and their facial appearance has changed, or in the event of something like a damaged front camera.

Apple’s thoughts

Joanna asked Apple about the situation and a spokeswoman share that the issue is “uncommon.” She sympathized with the victims and said Apple is working to “advance” iPhone protections.

“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare. The thefts described are uncommon and require multiple physical steps – stealing a user’s device is not enough.”

“…we will continue to advance the protections to help keep user accounts secure”

4 ways to boost your iPhone security

If you’re concerned about attacks like this, here are some steps you can take:

1. Whenever possible, use Face ID or Touch ID in public
2. Cover your iPhone screen if you need to enter your passcode in public
3. Switch to a custom alphanumeric passcode instead of a 4 or 6 digit one (Settings > Face ID & Passcode > Change Passcode)
4. Remove sensitive account passwords saved with iCloud Keychain or use a separate password manager like 1Password that can’t be opened by your iPhone’s passcode

Joanna also called out 3 changes Apple could make to improve security for situations like this:

• Add further protection to iOS to change an Apple ID password
• Add stronger password protection for iCloud Keychain
• Add more account recovery options

Check out the full report in the video below: