“Shoulder surfers” – people who watch you enter your passcode over your shoulder or, worse, criminals who simply talk bar patrons who’ve had too much to drink into handing the passcode over – are a real problem that leads to account takeover, stolen information, and even identity theft. Privacy champion Apple is addressing this low-tech security vulnerability. A new iOS setting called Stolen Device Protection, coming early next year in iOS 17.3, is designed to blunt the attack: on a protected phone, the passcode alone no longer unlocks sensitive actions such as changing the Apple ID password.
Aaron Johnson, currently serving several years in the Minnesota Correctional Facility, explained the intricacies of the crime to The Wall Street Journal.
Joanna Stern for The Wall Street Journal:
Johnson, along with a crew of others, operated in Minneapolis for at least a year during 2021 and 2022. In and around bars at night, he would befriend young people, slyly learn their passcodes and take their phones. Using that code, he’d lock victims out of their Apple accounts and loot thousands of dollars from their bank apps. Finally, he’d sell the phones themselves.
Pinpoint the victim. Bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behavior.
Get the passcode. Friendly and energetic, that’s how victims described Johnson… After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back. “I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.
Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.
Take the money. Johnson said he would then enroll his face in Face ID because “when you got your face on there, you got the key to everything.”
Sell the phones. Finally, he’d erase the phone and sell it to Zhongshuang “Brandon” Su who, according to his arrest warrant, sold them overseas.
MacDailyNews Take: “Don’t give your passcode to anyone you’ve just met in a bar” seems like apt – and blatantly obvious – advice to anyone who’s interested in retaining their bank accounts, identity, etc. For those who can’t manage that, Apple’s new “Stolen Device Protection” feature is coming soon (it’s already here in the iOS 17.3 beta).
It would also be helpful and safer if Apple could enable the Wallet app to require a separate ‘passcode’ in order to open it, as they do with selected Notes. It’s hard to believe that this is NOT already in place.
Neanderthals that didn’t pay attention to their surroundings were weeded out by natural selection, but we don’t have that anymore.
Ignorant statement. Get informed. Your AppleID is not as secure as you think. THAT is the problem that needs to be resolved…. VERY EASY solution too, that would minimize the dependency on this new “solution”.
This is all marketing to give you a false sense of protection. This is an After-the-fact solution. PREVENTION is far better!
Adulting is hard, I get it, but that’s the job description, people. Don’t make Apple bend over again and again by adding more touch-points to compensate for your lack of responsibility. Be an adult.
This has NOTHING to do with Adulting. Get informed. Your AppleID is NOT as secure as you think. THAT is the key problem that needs to be addressed.
Pahlease…
Although a useful option, this is a BAND-AID solution to a problem that neither Apple (nor Google) will acknowledge. AND it is an AFTER THE FACT solution.
The fact is, THEY created the problem in the first place. How? Simple… they do not require you to authenticate yourself to change the password to your AppleID.
The AppleID is the key to it all. Yet both make it so easy to alter if all you have is the PIN to the phone, or even get the user to use FaceID or TouchID before taking possession of the phone.
SO MUCH is tied to the AppleID. The REAL solution is to force re-authentication before any AppleID information can be changed. EVERY OTHER service I use does likewise, websites, banks, etc, EXCEPT APPLE and GOOGLE.
I know from personal experience: my young daughter, who has access to a phone I supplied to her and who needs her phone PIN to access and use it, has been able to alter the AppleID info, so I lost complete control over the device (since regained, but only once she relented; none of Apple’s Recovery methods worked unless pre-planned WELL IN ADVANCE. I have since learned of ways to prevent this, BUT it takes extreme measures to do so, is not obvious, AND requires foreknowledge that it is even necessary. Apple obscures that.)
The closest second best way to protect your AppleID is to use a Screen Time PW. This creates a second layer of authentication before being able to change AppleID info. The problem is that this software is buggy and sometimes fails… by not requiring the Screen Time PW even when it is set up (that is what happened on SEVERAL occasions with my daughter).
I have submitted a report to Apple and they simply brush off the complaint. 🙁
More people should complain about this VERY OBVIOUS security hole!
Don’t be fooled. Marking your phone as Lost/Stolen AFTER the fact WILL NOT PROTECT your AppleID. It will be too late!
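The two controls at issue in this thread, re-authentication with the existing account password before an AppleID change (the commenter’s proposed fix) and a waiting period before a sensitive change takes effect (what Stolen Device Protection adds), can be modelled in a small policy object. The following is a constructed example added here; it is not Apple’s code and not anything posted in the thread. The class and function names, the 300-second step-up window and the one-hour delay are assumptions chosen for illustration, and the “weak” service is a model of the failure mode described above, where the device passcode is the only gate.

```python
"""Step-up authentication plus a security delay for sensitive account changes.

Constructed example (not Apple's code, not the commenter's). A device passcode
unlocks the session; a sensitive change additionally needs (1) the current
*account* password and (2) a waiting period before it takes effect.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Optional

SENSITIVE_ACTIONS = {"change_account_password", "disable_find_my", "add_biometric"}
REAUTH_WINDOW = 300     # seconds a successful step-up stays valid (assumed value)
SECURITY_DELAY = 3600   # seconds a sensitive change must wait (assumed value)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hash; the parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    find_my_enabled: bool = True

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt=salt, pw_hash=_hash(password, salt))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


@dataclass
class Session:
    device_unlocked: bool = False            # passcode typed on the phone
    reauth_at: Optional[float] = None        # time of last account-password step-up
    pending: dict = field(default_factory=dict)  # action -> time first requested


class WeakAccountService:
    """The failure mode the thread describes: device unlock is the only gate."""

    def __init__(self, account: Account) -> None:
        self.account = account

    def change_password(self, session: Session, new_password: str) -> str:
        if not session.device_unlocked:
            raise PermissionError("device locked")
        self.account.set_password(new_password)   # old password never checked
        return "changed"


class HardenedAccountService:
    def __init__(self, account: Account, clock: Callable[[], float]) -> None:
        self.account = account
        self.clock = clock   # injected so the delay can be tested deterministically

    def step_up(self, session: Session, current_password: str) -> None:
        """Prove the existing account secret; a learned device passcode is not enough."""
        if not self.account.verify(current_password):
            raise PermissionError("account password incorrect")
        session.reauth_at = self.clock()

    def _gate(self, session: Session, action: str) -> str:
        now = self.clock()
        if not session.device_unlocked:
            raise PermissionError("device locked")
        if action not in SENSITIVE_ACTIONS:
            return "allowed"
        if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW:
            raise PermissionError("step-up required")
        requested = session.pending.get(action)
        if requested is None:
            session.pending[action] = now   # start the delay; owner can notice and cancel
            return "pending"
        if now - requested < SECURITY_DELAY:
            return "pending"
        del session.pending[action]          # delay elapsed and step-up is fresh
        return "allowed"

    def change_password(self, session: Session, new_password: str) -> str:
        state = self._gate(session, "change_account_password")
        if state != "allowed":
            return state
        self.account.set_password(new_password)
        return "changed"

    def disable_find_my(self, session: Session) -> str:
        state = self._gate(session, "disable_find_my")
        if state != "allowed":
            return state
        self.account.find_my_enabled = False
        return "disabled"
```

In the hardened service a thief who knows only the six-digit passcode gets `PermissionError("step-up required")`, and even the legitimate owner must re-enter the account password twice: once to start the delay and once, after it elapses, to complete the change. A real deployment would track the pending request per account rather than per session, so that a thief cannot bypass the delay by starting a new session.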