Apple believes that needing both the iPhone and its passcode makes it harder for thieves to steal users' information, but having both stolen is common enough that you need to know how to protect yourself.
It has always been the case that the weakest part of security on iPhones is the passcode, but the Wall Street Journal is again highlighting the problem. The publication has accounts from users who had their iPhone snatched after thieves watched them enter a code, and ones who were forced or even drugged into sharing the code.
In some of these reports, the situation was greatly exacerbated because of a feature Apple intended to give extra protection. Apple's Recovery Key is a randomly-generated 28-character code that you can set up in order to later regain access to your Apple ID.
"While it's not required, using a recovery key improves the security of your account by putting you in control of resetting your password," says Apple in a support document. "Creating a recovery key turns off account recovery... a process that would otherwise help you get back into your Apple ID account when you don't have enough information to reset your password."
The problem is that if users have not set up a Recovery Key like this, the thieves can. They can set up the Recovery Key for themselves and effectively lock the user out forever.
How to protect yourself
Nearly everything you need to do to protect yourself from this needs to happen in advance of the theft.
The easiest and most obvious first step for any user is to always be careful about entering a passcode when it might be seen. Biometrics like Touch ID or Face ID are nearly always better to use when in public.
A thief could snatch the iPhone and hold it in front of the owner's face to unlock it with Face ID. But, of course, this takes time and the user would be aware of the theft immediately.
That can be made harder for a thief to pull off, though. Users can go to Settings > Face ID & Passcode on their iPhone and turn on Attention Detection for Face ID. This means the user has to be very specifically looking at the iPhone for it to unlock.
It's possible that a user could still be coerced into unlocking with Face ID, either by threat or manipulation. It's also possible that a user could be drugged first.
Then there is the Apple ID Recovery Key, though this must be set up and protected beforehand.
Screen Time can be configured to prevent account changes as well. Amongst other options, changes to the account can be prevented with another passcode, similar to how you'd stop a child from changing settings on an iPhone.
How to set up the Apple ID Recovery Key
- On an iPhone or Mac, go to Settings > Your Name > Password & Security.
- Tap Recovery Key, then slide to enable it. On a Mac, click Manage next to Account Recovery.
- Tap Use Recovery Key and enter the device passcode.
- Write it down and store it in a safe place, then confirm it on the next screen.
"Using a recovery key is more secure, but it means that you're responsible for maintaining access to your trusted devices and your recovery key," says Apple. "If you lose both of these items, you could be locked out of your account permanently."
This isn't a theoretical problem, but it is rare with the inclusion of biometrics. Of course, that doesn't help the users it happens to.
We all keep so much information on our iPhone that losing it is a boon for thieves but potentially a tragedy for us, so everyone should take extra care to protect themselves and their phone.
9 Comments
What a fucked up country the U.S. is. Its citizens now have to be afraid to go out in public for fear they will be attacked, murdered, their identity stolen. Now we have to be paranoid about our personal devices. And it doesn’t help when dipshits expound on how easy it is to hack an iPhone. Again, a common thread in the Apple Discussion Forums are posts from users who think they have been hacked because their device is acting funny.
And we think we are free? What a joke. We are prisoners in this clown show and carnival mirror maze. And our right to defend ourselves is being eroded by every left wing politician. Oh, you can’t use deadly force unless the perp is actually in your house and is actually attacking your wife or daughter. Otherwise you’ll be charged with assault or murder. The same politicians want ‘stand your ground’ and ‘castle’ laws diluted or even banned because, hey, that teenager breaking into your house with a gun or knife might have a family too.
I don’t know about everyone else on this forum, but all the options, cross-device authentication, different passwords etc make managing our Apple devices really complex, and dare I say, even more unsafe (complexity leads to simplicity, ie same password 123456 for everything).
I don't get people that think the world is WORSE off today than some mythical time in the past. Who wants to go back to feudal times, or the Wild West, and don't get me started on women's equality. We have frickin' cars that let us go anywhere in perfect comfort and we can pay for fuel by waving our phone, the same device that lets us be in immediate contact with our entire world. Oh, boo hoo, I can't remember my password, so be like Ed Rooney's secretary and write it on a post-it.
If you are worried you cannot secure your phone, don't put things on it that others could abuse. You can just go down to the bank and cash a check still. Scammers are a real thing and elder abuse has been happening since the dawn of time. It is likely you are going to lose some money when you can't afford to, but don't blame the phone, blame the horrible human beings that live on the planet with us.
Oh, and I didn't see mentioned, if you wanna secure your phone for fear that someone will force you to open it just hold down the buttons on the side for 5 seconds. It'll call emergency services but then your phone will require your pin to unlock, and even the courts can't force you to unlock it.