Despite the extensive security that Apple builds into its devices to keep outsiders from accessing them, criminals have devised a really simple method to gain full access to your entire digital life.
Thieves are exploiting a very simple vulnerability in the software design of more than 1 billion active iPhones worldwide, and you won’t see it coming: they watch iPhone owners enter their passcodes and then steal the device.
And yes, with just the iPhone and the passcode, anyone can change the password associated with the Apple ID in a matter of seconds. In addition, the thief can also access all the information stored in iCloud or access financial apps, as the code can unlock access to all passwords stored on the device.
“Once you get on the phone, it’s like a treasure chest,” Alex Argiro, who investigated a high-profile gang of thieves as a detective with the New York Police Department before retiring last fall, told the WSJ.
The problem? It is a growing trend. Argiro says there have been hundreds of crimes of this type in the city in the last 2 years. “This is growing,” Argiro says. “It’s such an opportunistic crime. Everyone has financial apps.”
Apple has always promoted itself as a leader in privacy and digital security.
“Security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all of our users from new and emerging threats,” an Apple spokeswoman said.
“We stand in solidarity with users who have had this experience and we take all attacks on our users, no matter how rare, very seriously,” she continues. “We will continue to advance protections to help keep user accounts safe,” she adds.
Apple’s strategy has focused on strengthening privacy for more extreme cases, but not for more bizarre robberies like this one.
“It was only a matter of time before an attacker used social engineering or shoulder surfing,” says Adam Aviv, an associate professor of computer science at George Washington University. “Trusting a phone as a trusted device fails in such cases,” he adds.
All the victims interviewed by the WSJ said their iPhones were stolen while they were socializing at night. Some say that someone they had just met took the device from them, others that they were assaulted, and some even that they were drugged.
In all cases, these owners were locked out of their Apple accounts. Soon after, they discovered theft or charges on their Apple Pay accounts.
A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a much more common target, according to law enforcement officials.
“Our sign-in and account recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping bad actors out,” a Google spokesperson explains.
The process for the theft is also very simple. Groups of 2 or 3 robbers go to a bar and befriend the victims. They ask them to open an app, and that is when they try to watch the passcode being entered, explains Sergeant Robert Illetschko, lead investigator on the case.
“It’s as simple as watching this person repeatedly type their passcode into the device,” Illetschko says. Sometimes the robbers even covertly record victims to ensure they have captured the correct sequence. “There are many tricks to get the person to enter the code.”
In theory, Apple has integrated new security features to prevent this vulnerability. This is where Face ID or Touch ID come into play as ways to limit the need to type a passcode, says an Apple spokesperson.
However, some authorities believe that Face ID may itself be a potential access point. The city’s Office of Nightlife, a liaison between City Hall and the hotel industry, introduced a representative who recommended that bar-goers turn off facial recognition, on the theory that thieves could use the face of an incapacitated person.
Of course, a violation of this type is not the most probable, according to the Journal’s reporting. Changing your Apple ID password requires a passcode. When the password change is complete, the software offers the option to force other Apple devices to sign out. In this way, the victim cannot access their account, since they do not have the new password. And beware: this can be done in just minutes.
Also, with the new password the thief can disable Find My iPhone so that the user can’t even locate their device.