A complex but troubling method of gaining control of a user’s iPhone and permanently locking them off the device appears to be on the rise. Some iPhone thieves are exploiting a security setting, called a recovery key, that makes it nearly impossible for owners to access their photos, messages, data and more, according to a recent Wall Street Journal report. Some victims also told the publication that their bank accounts were drained after the thieves accessed their financial apps. It’s important to note, however, that this type of capture is difficult to accomplish. It requires a criminal to essentially watch an iPhone user enter their device passcode, for example, by looking over their shoulder at a coffee shop or sporting event, or by manipulating the device owner into sharing their passcode. And that’s all before they physically steal the device. From there, a thief could use the passcode to change the device’s Apple ID, turn off “Find My iPhone” so its location can’t be traced, and then reset the recovery key, a complex 28-digit code intended for to protect its owners from online hackers. Apple requires this key to reset or regain access to an Apple ID in an effort to bolster user security, but if a thief modifies it, the original owner will have no “We sympathize with people who have had this experience and take we take all attacks on our users no matter how rare,” an Apple spokesperson said in a statement to CNN. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this.” If you lose both of these items, you may be permanently locked out of your account. more customer support options and “ways for Apple users to authenticate themselves so they can reset these settings.” it is protecting the passcode. An Apple spokesperson told CNN that people can use Face ID or Touch ID when unlocking their phone in public to avoid revealing their passcode to anyone looking. Users can also set a longer alphanumeric passcode which is harder for bad actors to figure out. Device owners should also change the passcode immediately if they believe someone else has seen it. Within an iPhone’s Screen Time setting, which allows guardians to set restrictions on how children can use the device, is the ability to set a secondary password that would be required of any user before they could successfully change a Apple ID. Enabling This way, a thief would be prompted for the secondary password before changing an Apple ID password. Back Up Your Phone Regularly Finally, users can protect themselves by regularly backing up an iPhone via iCloud or iTunes so that data can be recovered in the event an iPhone is stolen. At the same time, users might consider storing important photos or other sensitive files and data in another cloud service, such as Google Photos, Microsoft OneDrive, Amazon Photos, or Dropbox. This won’t stop an attacker from gaining access to your device, but it should limit some of the fallout if it ever happens.
A complex but troubling method of gaining control over a user’s iPhone and permanently locking them off the device appears to be on the rise.
Some iPhone thieves are exploiting a security setting, called a recovery key, that makes it nearly impossible for owners to access their photos, messages, data and more, according to a recent Wall Street Journal report. Some victims also told the publication that their bank accounts were drained after the thieves accessed their financial apps.
It’s important to note, however, that this type of capture is difficult to accomplish. It requires a criminal to essentially watch an iPhone user enter their device passcode, for example, by looking over their shoulder at a coffee shop or sporting event, or by manipulating the device owner into sharing their passcode. And that’s all before they physically steal the device.
From there, a thief could use the passcode to change the device’s Apple ID, turn off “Find My iPhone” so its location can’t be traced, and then reset the recovery key, a complex 28-digit code intended for to protect its owners from online hackers.
Apple requires this key to reset or regain access to an Apple ID in an effort to strengthen user security, but if a thief changes it, the original owner won’t have the new code and will be barred from the account.
“We stand in solidarity with the people who have had this experience and take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said in a statement to CNN. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this.”
On its website, Apple warns that “you are responsible for maintaining access to your trusted devices and your recovery key. If you lose both of these items, you may be permanently locked out of your account.”
Video above: Apple error prevents Mass. man from wiping dead mother’s phone
Jeff Pollard, vice president and principal analyst at Forrester Research, said the company should offer more customer support options and “ways for Apple users to authenticate themselves so they can reset these settings.”
For now, however, there are a handful of steps users can take to potentially protect themselves from having this happen to them.
Protect passcode
The first step is to secure the passcode.
An Apple spokesperson told CNN that people can use Face ID or Touch ID when unlocking their phone in public to avoid revealing their passcode to anyone watching.
Users can also set a longer alphanumeric passcode that is harder for bad actors to figure out. Device owners should also change the passcode immediately if they think someone else has seen it.
Screen time settings
Another step that some might consider is a hack that isn’t necessarily approved by Apple but is circulating online. Within an iPhone’s Screen Time setting, which allows guardians to set restrictions on how children can use the device, is the ability to set a secondary password that would be required of any user before they could successfully change a Apple ID.
By enabling this, a thief would be prompted for that secondary password before changing an Apple ID password.
Back up your phone regularly
Finally, users can protect themselves by regularly backing up an iPhone via iCloud or iTunes so that data can be recovered if an iPhone is stolen. At the same time, users might consider storing important photos or other sensitive files and data in another cloud service, such as Google Photos, Microsoft OneDrive, Amazon Photos, or Dropbox.
This won’t stop a bad actor from gaining access to the device, but it should limit some of the fallout if it ever happens.
