After reading the article and watching the video where one of the victims described how her phone got stolen on a whole new level, I would like to know more ideas to diversify the security of the iPhone, because quite frankly it is scary how easily the thieves got access to everything.
I'm not sure exactly about the options on iOS, but make sure your notifications are not viewable on the lock screen, especially SMS and email; set a PIN on your SIM, or use an eSIM, to stop them putting the SIM in another phone.
On newer Androids, depending on the manufacturer, you can get very granular with notification settings and allow SMS only from specific people to show on the lock screen, for example.
I think the key is to not leave everything to your unlock screen. People can unlock the phone easily by pointing at you or just stealing it when it’s unlocked.
On my phone, my two factor auth app, password manager, email, WhatsApp and a few other apps need FaceID - this severely limits the amount of damage that can be done by just accessing the phone when it’s unlocked. Obviously, you want a secure passcode too otherwise this is all useless.
As others mentioned you also want to disable access to everything while the device is locked and hide all notifications (I’m always astounded when people just leave their personal messages on their Lock Screen anyway!).
Finally make sure the phone screen locks as quickly as possible.
Some extra secure methods for the very paranoid:
Set a SIM PIN so your SIM can't be transferred.
Set a child lock on your phone with a separate PIN that prevents changing any security settings.
In an emergency you can hold the power and volume up buttons and then swipe the Medical ID tab. This quickly disables Face ID and locks everything behind the PIN; things like 1Password will need the master password to log in (no, I don't understand why this feature does this either).
I will say, it’s still a problem. There are people who will follow you until you use your passcode, note it down and then use that, or instances where people have been drugged and their face used to open the phone. It’s sort of inevitable when so much is stored there. But these things are very rare and most more common things are preventable with some basic security.
I’m not overly sure I agree with this part. Although I don’t know what suggestions you’ve seen. But if your phone has your bank, your password manager, your email to reset passwords, your nudes, or whatever else you may have, I think any user should think about how that’s protected. And in terms of threats - any common thief can steal a phone out of someone’s hand while they are looking at it and it’s unlocked - it’s not exactly a high level attack. Sure, there are also plenty of measures suggested that are really only to guard against sophisticated attacks that are only likely against high value targets, but there’s still a bit more I think an average user should do.
Enabling Face ID on apps in particular creates very few issues because Face ID is so slick anyway. Same with setting your phone to lock after 30 seconds instead of two minutes.
Am I missing something here? Even with biometrics enabled, if they fail it asks for the passcode anyway. The point of the article is that if you know the passcode then you can get into pretty much any app.
My mother sometimes asks me to do something for her on her iPhone. All I need to get into it and her banking apps is the passcode, because Face ID gives up after a couple of attempts.
I could be missing something because it’s 4am and I can’t sleep.
I feel (perhaps) the article was not read by some. I recognise it was very late when I posted the article.
As @mikez mentioned, the thieves spent a lot of time observing the victim inside the New York bar and managed to obtain her passcode (a 6-digit number) and subsequently stole the phone out of her hand. With that, Face ID obviously is redundant and they got access to everything in her phone. The consequences were shocking, especially how fast they changed the Apple ID.
Monzo has a Face ID option to access their app AND to confirm transactions (if Face ID fails, it asks for the phone PIN and ta-dah!). But I will disable the latter and use the debit card PIN for confirming transfers to other banks (though I wonder if this is also a security risk).
Again, the part about how ridiculously quickly they changed her Apple ID and logged her out of the trusted devices to avoid the two-factor authentication, plus associated their own two-factor authentication device, is what I would like to tackle.
I think the child lock in the settings sounds a good way to start. I didn't know about this.
Plus the eSIM too. I had used one in the past with another provider. I will request it from my existing one.
Change the PIN to alphanumeric: good idea, and I will do that too.
If you have further suggestions please keep them coming.
Bad actors get access to the phone by surreptitiously observing the victim entering their passcode, then stealing the phone. If the victim uses face or Touch ID, the bad actor has no way into the phone.
I think @lilica that the point some people were making (me included) is that it was clear that the user had her passcode captured, and I presume no FaceID because if they had, then they wouldn’t have seen her enter the passcode in the first place.
No victim blaming here, it could happen to all of us. But short of FaceID, I’m not entirely sure what else Apple could do here. Perhaps an additional Layer of 2FA when it comes to signing in?
The bad actor has observed the victim entering their passcode by shoulder surfing. Therefore, when they steal the phone, they know what to enter.
If, whilst being observed, the victim had been using face/Touch ID, the bad actor would not know the passcode. Therefore, when they steal the phone, they can’t get past the passcode prompt.
Thanks - I see what you were getting at now. They may well have had Face ID enabled but it was one of those times that it either wants the passcode anyway, or it just didn’t work for some reason (face too close, too far away, etc.).
Anyway, as someone mentioned, an alphanumeric passcode is a good idea.
Go to Settings -> Screen Time -> Content & Privacy Restrictions -> set Account Changes to Block, and set a PIN that's different from your main PIN (with no iCloud reset).
I believe this blocks them changing your iCloud password without that second PIN, although I have not done it yet.
Also something else worth changing is Settings -> Face ID -> turn off Control Centre (in "Allow access when locked"), as this means anyone has to use your PIN/face to turn on airplane mode.
I think the key weakness is allowing the AppleID password to be reset just using the device PIN, which is fairly easily discoverable via shoulder surfing. When you can lock someone out of their Apple ID in less than a minute, pretty much all other security measures become useless. You’ll be locked out of find my iPhone etc.
Nope, you can still reset the AppleID and the AppleID password is the fallback to reset the screen time password.
There’s nothing you can really do about this as far as I know, apart from making it harder to learn your passcode (although there’s no way to make it impossible, or even overly difficult).
You can at least set double-blind passwords on things like your email accounts so they can't lock you out of those. And I don't keep my main savings account on my phone at all. You can create a double-blind password for Starling or other banks too, but sadly not Monzo.
I just tested it and I can't access my Apple ID at the top of the Settings page to change the password.
Is there another way to do it?
I mean, you can also lock out passcode changes in there to stop them changing the PIN and Face ID.
I know the Apple ID password can reset the forgotten restriction PIN, but I thought you didn't have to enable that; you can skip it. Although I think you may be able to reset the password if you turn on that option, as I see it has a "reset Apple ID password" option, but I am not sure if it works.
There will be a vector through the website if you're dense enough to save your iCloud password in Passwords, which to be honest should be blocked if it's not already.
I don’t believe Apple has publicly commented on making any changes, only that iOS is a secure platform and it is important to protect your passcode from snooping.
John Gruber suggested on his podcast this week that this is a known vulnerability within Apple, and has been for some time, but that it is somewhat intentional. People forgetting their iCloud passwords and needing a way to reset them with a second factor is more common than this type of crime. That is, until it was published everywhere, and now your amateur iPhone thief is going to attempt to snoop the passcode.
That said, iOS could surely be strengthened so it doesn't default back to the passcode when biometrics fail.
You need a fallback... masks, or just weird lighting... can cause failures. Loads of people locked out of their phone to prevent a comparatively rare surfing attack is a support nightmare.
It should try touch before dropping to pin though (although wet fingers, etc. can fail that… it’d catch more cases).