Bar theft tactic sees iPhone owners permanently locked out of Apple accounts

A spate of iPhone thefts in bars is resulting in owners finding themselves permanently locked out of their Apple accounts, in some cases losing access to years’ worth of irreplaceable photos.

As is often the case, the detail of the story is less dramatic than the headline – in this case, “The iPhone Setting Thieves Use to Lock You Out of Your Apple Account” …

iPhone owners locked out of Apple accounts

The WSJ opens with an example, but rather buries the lede.

Greg Frasca has been locked out of his Apple account since October, and he’ll do just about anything to get back in.

He has offered to fly from Florida to Apple’s California headquarters to prove his identity in person, or write a check for $10,000 to reclaim the account. It holds the only copies of eight years of photos of his young daughters.

This is all because the thieves who stole Mr. Frasca’s iPhone 14 Pro at a bar in Chicago wanted to drain cash from his bank account and prevent him from remotely tracking down the stolen phone. They used his passcode to change the 46-year-old’s Apple ID password. They also enabled a hard-to-find Apple security setting known as the “recovery key.” In doing so, they placed an impenetrable lock on his account.

The rather vital detail buried in the middle of the third paragraph is, of course, “used his passcode.”

The WSJ first reported on this issue back in February, with another dramatic headline: “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life.” That basic feature turned out to be … your passcode.

So, er, yeah: If a thief has both your iPhone and your passcode, you’re in trouble – and this shouldn’t really be news to anyone.

So what’s the real story here?

The story likely wouldn’t have gotten quite so many eyeballs if it had used the headline “Bad guy who has your iPhone and your passcode can do bad things.” But there are a couple of things worth noting.

First, the way that thieves are carrying out the attacks. The methodology is to watch people in public places as they unlock their phones, in order to observe the passcode. Alternatively, they find a reason to directly ask you to unlock your phone – like claiming they’ve lost theirs and need help looking up a phone number or something.

Second, the setting the WSJ report refers to is the Recovery Key, a method Apple offers to allow people to immediately reset their Apple ID password without having to know the current one.

This is itself a safety feature intended to protect you from losing access to your Apple account – but iPhone thieves are instead using it to ensure owners are permanently locked out. How? Because that’s a feature anyone can toggle on if… they have both your phone and your passcode.

Essentially Apple offers two ways back into your Apple account if you’ve lost your password. The first is some rather impenetrable way of persuading the company you are who you say you are. All reports point to this being a painful, time-consuming, lottery process – where you might get lucky, and you might not.

The Recovery Key is the second method. Using this, you can reliably get back in straight away – but that is then the only proof the company will accept. No recovery key, no access, period.

So, if a thief watches you enter your passcode, then steals your phone, they can flick the Recovery Key option on (Settings > Your name > Password & Security > Account Recovery > Recovery Key), and you are then stuffed.

How can you protect yourself?

The snarky answer is “Look after your phone and your passcode” – but here are three specifics…

Apply the security basics

1. Enable Face ID or Touch ID, so you don’t need to use your passcode in public.
2. Use the Custom Alphanumeric Code to set a complex password.
3. Always switch off your phone after using it.
4. Don’t leave your phone on a bar table, etc., even when sitting there.

Use Screen Time as an additional layer of security

You can also use Screen Time as an additional layer of security, as the paper suggests.

In Settings, go to Screen Time and scroll down to set a passcode, if you haven’t already. Then go to Content & Privacy Restrictions, and toggle on Content & Privacy Restrictions. Scroll down to Allow Changes, then tap on Account Changes and select Don’t Allow.

You of course need to ensure your Screen Time passcode is different to your phone passcode. This means that a thief would still be unable to make any changes to your Apple ID settings, including enabling the Recovery Key option.

Add a Recovery Contact

Finally, you can add a Recovery Contact – a friend or family member whose devices are authorized to receive a recovery code for your devices. You can do this in Settings > Your name > Password & Security > Account Recovery > Add Recovery Contact.

Does Apple need to act?

The WSJ suggests this is an Apple problem as well as a you problem.

Many victims have offered Apple their passports, driver’s licenses and other forms of identification to prove ownership of their accounts. In a letter to Apple, Mr. Frasca offered to undergo a DNA test or retina scan. Apple says it doesn’t have any such records on file, because of privacy concerns. He and many others are baffled that there isn’t another way to prove their account ownership.

While the piece does relate to edge cases, where both device and passcode have been compromised, I do think Apple needs actual known policies in place to address situations where a user is locked out of their account – ditto Activation Lock.

It seems to me that turning up at an Apple Store with a device registered to you and a government-issued photo ID would be a reasonable standard for establishing your identity. Or an Authorized Apple Reseller where you don’t have a local Apple Store.

What’s your view? Should Apple provide a fixed process for account recovery, instead of the current luck-of-the-draw one? As always, please share your thoughts in the comments.

Photo: Sergey Isakhanyan/Unsplash

FTC: We use income earning auto affiliate links. More.