As originally reported by the Wall Street Journal, criminals have discovered that learning a user's passcode, the four- or six-digit number that acts as a backup to facial or fingerprint authentication, allows them to lock out the original owner and block Apple's Find My iPhone within a minute.
From there, they can access any built-in apps, potentially allowing them to drain bank accounts before selling the handset. The report says incidents have been reported in New York, Austin, Denver, Boston, Minneapolis and, worryingly, on this side of the Atlantic in London.
One such victim stateside was Reyhan Aras, a senior economist at Revelio Labs. She had her phone snatched outside a bar in New York and was locked out of her Apple account before she could log into Find My iPhone on a friend's handset.
“I estimate it to be like, a maximum of three minutes,” she tells The Standard via video call.
The thief had locked her out of her iPhone and she noticed that money was being drained from her bank account. iCloud Keychain, the password manager built into the iPhone, is unlocked by the same passcode, so the saved logins for her banking apps were available to whoever held the phone.
She had two-factor authentication enabled, as security experts advise. “But guess what happens to your two-step authenticating? The texts are sent to the same phone,” Aras said.
Apple proved comically unhelpful. Before she realised the extent of the damage, she replaced her iPhone at the Apple Store on New York's Fifth Avenue. "They put this on the old stolen Apple ID," she says, pointing at a new, green iPhone 14. "I'm not joking. They asked me if I wanted theft protection, I said 'yeah sure' and they put it on that Apple ID account.
“They were clueless. They sent the receipts of this to the old Apple ID. They weren’t even aware that things could go wrong.”
Indeed, the theft protection was added to Aras’ Apple Card. Only she didn’t have an Apple Card — the thief created one for her.
She was in one of the company’s stores when she received an email confirming her application was in process. She was on hold to the company’s support line to warn them when a follow-up email told her she’d been accepted.
The call was dropped after two hours and it took another call to Goldman Sachs — the company that issues the Apple Card — to resolve the issue.
Aras, who spent a year at the London School of Economics, says that London generally feels safer than her new home of New York. She was due to visit again before all of her bank accounts were closed after the theft, forcing her to cancel her trip.
“I had tickets to Winter Wonderland. Add that to the tab,” she laughs.
How criminals get your passcode
As iPhone users will know, even with Face ID and Touch ID enabled, you are sometimes required to type in the passcode as additional security if you haven't unlocked the phone for a while. If a criminal watches you type the number, they can memorise it, grab your phone and unlock it as you, which is exactly what happened to Aras.
Alternatively, there are reports of some criminals befriending people on nights out and engineering a way to get the victim to type in their passcode (restarting the phone, for example, requires you to type it in). As criminals often work in groups, you may even be covertly filmed as you type in the code.
“Once a criminal has the passcode to a phone, it is a race against time before they empty the victim’s digital life,” Jake Moore, ESET’s Global Cybersecurity Advisor, tells The Standard. “Unfortunately, if this happens on a night out or when the victim is unaware of the theft, the criminals get a huge head start.”
City of London Police told us it had no examples of crimes specifically linked to passcodes. However, it acknowledged that criminals sometimes befriend people on nights out to win their confidence, highlighting an investigation into thieves who had lifted £157,000 worth of items. At the time of writing, we are waiting on similar confirmation from the Met.
But even without specific London case studies to pore over, there’s no reason that the same technique wouldn’t work here — albeit with more hoops for criminals to jump through. That’s because UK banking apps tend to require more than just a password.
Still, once someone has both the passcode and the phone, it is easy to change the Apple ID password, lock out the original owner, and even force other connected devices such as Macs and iPads to sign out. By default, there is no additional check and no need to know the original account password: the reset flow is intended to be easy for people who have forgotten theirs, and if you hold both the phone and its passcode, Apple assumes you are the rightful owner.
If banking apps also let you in via the same passcode, or if your password is stored in iCloud Keychain, then criminals will be free to make transfers. You may even be at risk of identity theft if you store scans of your passport or driving licence on your phone: Apple Photos allows you to search for text in photos saved on the device, so a thief does not need to scroll through your library to find them.
What should consumers do if they fall victim to this? A UK Finance spokesperson told The Standard that while firms assess claims from customers on a case-by-case basis, "the vast majority of unauthorised fraud losses are refunded back to customers".
The banking and finance sector “constantly monitors fraud threats”, the spokesperson added. “Someone having their mobile phone stolen and that resulting in a criminal accessing a banking app and stealing money is not a common occurrence, but the sector is not complacent about new and emerging threats.”
The important thing for consumers is that they report fraud to their bank immediately, the spokesperson said.
But the consequences go beyond financial losses. With access to your iPhone and passcode, criminals can set up a recovery key, a 28-character code which, once enabled, means that even Apple cannot help retrieve the account without it. All the notes, messages, photos and documents saved to iCloud will no longer be accessible, even if you are able to get your money back via the bank and/or insurance.
This actually happened to Aras herself. She is still locked out of her Apple account, three months after the crime, despite tenacious efforts to urge the company to listen to her plight.
“What’s crazy is that I have access to the email and phone number on that Apple ID,” she says. “And since I can’t log in, I can’t mark the phone as lost, I can’t flag the account, and I can’t put a stop to this madness.”
With a friend at Apple, she was able to get the problem noticed by the company’s top brass (“my name was trending on their Slack three months ago,” she says), who eventually called back. But the company refused to budge without this elusive 28-character key, despite clearly believing she was who she claimed to be.
The 300 gigabytes of photos she’d accumulated? Gone. Until, bizarrely, after she’s dead — a process outlined here.
“They essentially said, yes, when you die, your descendants can apply to get it back. That’s the last thing they told me.”
We reached out to Apple for comment on this story, but had yet to hear back at the time of writing.
It feels likely that in the long term, the company will introduce new account protections. But in the meantime, concerned users should stick to Face ID or Touch ID when around strangers.
When your iPhone does insist on a passcode, be extremely careful when entering it in public, and excuse yourself to do so in private if possible.
We’ve covered some extra precautions you can take — including some on-device settings you can enable — here.