There may be critical security vulnerabilities and loopholes within Apple, Inc.’s (AAPL) iOS software that leave iPhone users susceptible to theft and identity fraud.
How Thieves Gain Access
In a recent interview with the Wall Street Journal, former iPhone thief Aaron Johnson detailed some of the methods thieves use to obtain passcodes and ultimately gain access to financial accounts on unsuspecting users’ phones.
Johnson chose to target victims in public spaces, like bars, and would approach a potential victim with friendly conversation. He would then encourage the victim to unlock the phone to share his contact information or his social media profile. He would watch the iPhone’s owner enter a passcode into the device or simply ask the victim for the passcode in order to access it himself.
Once Johnson had obtained the iPhone’s passcode from its owner, he would steal the device and change the user’s Apple ID password and Face ID settings. After the Apple ID password and Face ID settings were changed, Johnson had full access to the device, including any sensitive information that had been saved by its original owner.
Interestingly, he also noted that thieves will check the Notes and Photos apps because many people keep their passwords and other personal information saved in those locations.
Stolen iPhones Used For More Crime
The unlocked, stolen iPhones are not the main target. Instead, they are used to commit larger thefts using bank and payment apps, including Apple Pay. Johnson detailed how he would use payment applications and credit cards on the stolen phones to purchase more Apple products from major retailers, including Target Corporation (TGT).
Once all accounts were emptied via transfers and purchases, Johnson would then delete all data from the phone using the passwords he created and finally sell the device itself on the street.
Johnson would steal thousands of dollars from his victims. The stolen device used to access the money was often worth much less than the amount stolen using their personal information, he said.
How Apple Is Reacting
Critics have noted that one of the most critical security flaws in Apple’s iOS system is the ability to change Apple ID and Face ID settings using only the device’s passcode. Following the report from the Wall Street Journal, Apple introduced a new security setting called “Stolen Device Protection” to allow users to add an additional layer of protection. The new setting requires a user’s biometric information (Face ID or Touch ID) before an Apple ID password can be changed or Find My iPhone can be disabled.
The Stolen Device Protection setting must be enabled by the user after installing Apple’s iOS 17.3 update, which is expected to be available sometime in January, according to Forbes.