WSJ article re iPhone thefts

Hi :wave: All,

After reading the article and watching the video where one of the victims described how her phone got stolen in a whole new level, I would like to know more ideas to diversify the security of the iPhone because quite frankly it is scary how easy the thieves got access to everything :scream:

1 Like

Use Face or Touch ID instead of a passcode.

If you have to use a passcode, make sure no one is watching you enter it.

Don’t leave your phone on the table in public places.

If it’s in a bag, make sure the bag is zipped closed and within your eyesight.

5 Likes

Use FaceID

And carry a miniature laser that instantly burns the retinas of anyone looking over your shoulders.

3 Likes

I’m not sure exactly about the options on iOS but make sure your notifications are not viewable on the lockscreen especially SMS and email, set a pin on your SIM or use an eSIM to stop them putting the SIM in another phone.

On newer androids depending on the manufacturer you can get very granular with notification settings and allow SMS only from specific people to show on the lockscreen for example.

4 Likes

I think the key is to not leave everything to your unlock screen. People can unlock the phone easily by pointing at you or just stealing it when it’s unlocked.

On my phone, my two factor auth app, password manager, email, WhatsApp and a few other apps need FaceID - this severely limits the amount of damage that can be done by just accessing the phone when it’s unlocked. Obviously, you want a secure passcode too otherwise this is all useless.

As others mentioned you also want to disable access to everything while the device is locked and hide all notifications (I’m always astounded when people just leave their personal messages on their Lock Screen anyway!).

Finally make sure the phone screen locks as quickly as possible.

Some extra secure methods for the very paranoid:

  • set a SIM pin so your sim can’t be transferred
  • set a childlock on your phone with a separate PIN that prevents changing any security settings
  • In an emergency you can hold the power and volume up buttons and then swipe the medical ID tab. This quickly disables FaceID and locks everything behind the pin, things like 1Password will need the master password to log in (no, I don’t understand why this feature does this either :smile:)

I will say, it’s still a problem. There are people who will follow you until you use your passcode, note it down and then use that, or instances where people have been drugged and their face used to open the phone. It’s sort of inevitable when so much is stored there. But these things are very rare and most more common things are preventable with some basic security.

3 Likes

Nowadays the content of notifications, particularly private ones, is hidden by default, and appears once Face ID registers you. Until then it’s just a generic black notification from the app. That’s the default anyhow. You can go more granular if you’d like but I’d suggest just leaving it be.

There’s very little need to sacrifice usability for security on iOS. And most of the suggestions I see thrown around are usually overkill for your average user’s threat model and take too much of the convenience away.

My suggestion here would be, if this threat concerns you, opt for a longer passcode, or an alphanumeric one. It’s rare you need to enter it with biometrics, so very little convenience is lost for a lot of security gain.

A memo was sent out to employees over the weekend RE this. It’s something they look at improving all the time, but as of today, solving this problem creatively without impacting the user is a priority focus at Apple.

5 Likes

No need to swipe to the tab by the way. Just hold both for 3 seconds.

There’s several ways of doing this, and it’s worth knowing a few as some are better depending on the situation.

If emergency SOS is enabled, triggering that disables it as well.

“Hey Siri, whose device is this?” also disables it. So long as the phone isn’t looking at you or unlocked.

2 Likes

I’m not overly sure I agree with this part. Although I don’t know what suggestions you’ve seen. But if your phone has your bank, your password manager, your email to reset passwords, your nudes, or whatever else you may have, I think any user should think about how that’s protected. And in terms of threats - any common thief can steal a phone out of someone’s hand while they are looking at it and it’s unlocked - it’s not exactly a high level attack. Sure, there are also plenty of measures suggested that are really only to guard against sophisticated attacks that are only likely against high value targets, but there’s still a bit more I think an average user should do.

Enabling FaceID on apps in particular creates very little issues because FaceID is so slick anyway. Same with setting your phone to lock after 30 seconds instead of two minutes.

2 Likes

iOS is pretty secure out of the box. I think the default settings strike a good balance. By all means tweak them to your liking, but what I often see as recommended is a blanket disable it all! particularly with respect to Lock Screen notifications. The advice is almost always disable them. It would do the job, but you sacrifice a lot of usability for it. Probably too much for a lot of people.

Apple’s default settings as they are strike a really good balance. Given the threat in your scenario, all I’d really suggest is to change messages so the notifications never display the actual contents of the message. iOS doesn’t push mail notifications to the Lock Screen by default, and you have to go pretty out of your way to enable them for that. It’s never prompted in app.

Not sure on the risk posed by bank notifications. There’s nothing actionable about them in the UK. Not even our fintechs have adopted those features. And it’s an app that should be protected by another layer of security.

No need to go out of your way to set it to lock after 30 seconds either. That’s the default. Face ID phones are attention aware anyway. They know when your eyeballs aren’t looking at it anymore and will lock much faster than the 30 second time out. That’s on by default.

Apple does a lot right by default. That’s why I advocate for most people to just leave them alone. It’s sufficient for the vast majority of users. With the exception of turning on the option to erase device after 10 incorrect passcode attempts, I live with the defaults. It’s a really good balance of convenience, usability, and security.

It’s why my only recommendation for this sort of threat, is to use an alphanumeric password rather than just a passcode. iOS gives you the choice of either during the set up these days, no longer forcing a 6 digit passcode as standard. Shoulder surfers will have a much more difficult time remembering something, or seeing you input an actual password in the event you do have to use it.

On second thought, no. That’s not quite right. Your phone is unlocked. Your lock screen notifications don’t matter at this point. That’s an indication I’m awake well past my bedtime! Let’s discuss in the morning! :blush:

1 Like

Am I missing something here? Even with biometrics enabled, if they fail it asks for the passcode anyway. The point of the article is that if you know the passcode then you can get into pretty much any app.

My mother sometimes asks me to do something for her on her iPhone. All I need to get into it and her banking apps is the passcode, because Face ID gives up after a couple of attempts.

I could be missing something because it’s 4am and I can’t sleep.

4 Likes

Many thanks for all the recommendations.

I feel (perhaps) the article was not read by some. I recognise it was very late when I posted the article.

As @mikez mentioned, the thieves spent a lot of time observing the victim inside the New York bar and managed to obtain her passcode (6 digit number) and subsequently stole the phone out of her hand. With that, Face ID obviously is redundant and they got access to everything in her phone. The consequences were shocking, especially how fast they changed the Apple ID.

Monzo has a Face ID option to access their app AND :see_no_evil: to confirm transactions (if Face ID fails, it asks for the phone PIN and ta dah! :woman_facepalming:t2:). But I will disable the latter and use the debit card PIN for confirming transfers to other banks (though I wonder if this is also a security risk :woman_facepalming:t2:)

Again, the part of how ridiculously quick they changed her Apple ID and logged her out of the trusted devices to avoid the two factor authentication plus associated their own two factor authentication device, is what I would like to tackle.

I think the child lock in the settings sounds a good way to start. I didn’t know about this.

Plus the eSIM too. I had used one in the past with another provider. I will request it in my existing one.

Change the PIN to alphanumerical, good idea and I will do that too.

If you have further suggestions please keep them coming :pray:t3::iphone:

This is the video: :arrow_right: Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes | WSJ - YouTube

1 Like

Use the alphanumeric passcode. I use faceID and when that fails it reverts to my alphanumeric passcode. Simples really.

3 Likes

Bad actors get access to the phone by surreptitiously observing the victim entering their passcode, then stealing the phone. If the victim uses Face or Touch ID, the bad actor has no way into the phone.

This. For now.

I think @lilica that the point some people were making (me included) is that it was clear that the user had her passcode captured, and I presume no FaceID because if they had, then they wouldn’t have seen her enter the passcode in the first place.

No victim blaming here, it could happen to all of us. But short of FaceID, I’m not entirely sure what else Apple could do here. Perhaps an additional Layer of 2FA when it comes to signing in?

1 Like

Leave your phone at home in a safe and never use it again.

4 Likes

No, this isn’t true. After a couple of attempts it falls back to asking for the passcode. This is what we had to do when wearing masks, initially.

3 Likes

I’ll make my point clearer.

The bad actor has observed the victim entering their passcode by shoulder surfing. Therefore, when they steal the phone, they know what to enter.

If, whilst being observed, the victim had been using face/Touch ID, the bad actor would not know the passcode. Therefore, when they steal the phone, they can’t get past the passcode prompt.

5 Likes

This is why Monzo need to have their own app security features as standard, with Face ID implemented as a means to bypass them!

I can’t remember if it’s still the case, but because of Monzo’s implementation, they’re susceptible to an attack vector here that other banks aren’t, and it’s a pretty significant one.

It’s why a story that came out not too long ago, about someone stealing thousands from them just from observing their passcode is probably largely true, as unbelievable as folks on here said it was. But I’m not allowed to go into specifics as how to do this per the forum rules so that’s all I can say.

On the bright side, Monzo uses your card pin, as opposed to device pin for authenticating transfers. So just don’t turn Face ID on for that if this concerns you. Considering the tech part of fin, Monzo’s implementation is bafflingly amateur. Like it was an afterthought that never got fixed.

I suspect Apple will have tackled this for you come iOS 17. It’s the easiest part of the problem to solve.

For now, alphanumeric password is really the single most important change you can make to protect yourself from this attack. So if you only change one thing, change that. Some of the other suggestions just aren’t necessary, and might be overkill for you. Creating unnecessary friction for little to no additional gain above what an alphanumeric password will offer.

eSIM is good if it’s available to you. I wouldn’t bother with a SIM PIN personally. To use Techlore’s methodology, this would be a zone 3 thing for me. It’s a very rigid, hardcore security option. Once set you can’t change it. Once forgotten the SIM is done for, and that puts your number at risk, as carriers aren’t always the most reliable at safely moving it over to the replacement SIM they’d have to send you. And if the threat actor really wanted to, it’s easy to bypass with a little social engineering. Phone companies aren’t like banks. They’re easier to trick, and are willing to offer enough leeway to make the trickery easier.

Again, need to tread carefully here, so won’t say more than that. It’s helpful to know how certain things are done to protect yourself from them, but often those things aren’t exactly legal, so can’t be discussed here.

For general all round device security habits (going beyond just protecting against this threat) I am a fan of Techlore’s approach. Worth giving that a watch. iOS has so few decent hardening guides out there I’m afraid though. Zone 1 is easy to implement with little impact to the user experience. There’s actually very little to change here though, it’s more or less tips for using what’s there by default most optimally. For zone 2 do what you’re comfortable with, and you can probably ignore zone 3. Overkill and not necessary for the vast majority of people.

Small caveat here, is some of their suggestions fall into the trap of

Which I don’t agree with, especially with how lock screen notifications work these days.

1 Like

Thanks - I see what you were getting at now. They may well have had Face ID enabled but it was one of those times that it either wants the passcode anyway, or it just didn’t work for some reason (face too close, too far away, etc.).

Anyway, as someone mentioned, an alphanumeric passcode is a good idea.

So I heard about this a while ago on hackernews.

If you want to mitigate the account take over:

Go to Settings->Screen Time->Content & Privacy Restrictions->Turn Account Changes to Block and set a PIN that’s different from your main PIN (with no iCloud reset).

I believe this blocks them changing your iCloud password without that second PIN, although I have not done it yet.
Also something else worth changing is Settings->Face ID->Turn off Control Centre (in allow access when locked), as this means anyone has to use your PIN/face to turn on Airplane mode.

I hope 16.4 will change how this works.

Article (not paywalled): https://archive.is/Q4NOR

4 Likes