Columns

The critical importance of protecting your iPhone passcode

April 2023

by Jeff Richardson | Michigan Bar Journal

We all know that an iPhone passcode is supposed to remain private. However, Joanna Stern and Nicole Nguyen of the Wall Street Journal recently published an alarming story that highlights just how critical this is.¹ I want to describe the problem, then discuss some steps you can take to protect yourself.

THE SCAM

The Wall Street Journal investigation revealed that unauthorized access to a short string of numbers — your iPhone passcode — can unravel your entire digital life. Criminals working in teams around the country have come up with ways to entice victims to unlock their iPhones by typing in their passcodes. Perhaps someone talks to a potential victim in a bar and volunteers to take a picture with the victim’s iPhone, pressing the buttons on the side of the iPhone to put it in the mode where it must be unlocked with a passcode instead of FaceID or TouchID. Next, a different criminal watching over a shoulder or taking a video from across the room watches the victim unlock the iPhone with a passcode, thereby learning the code. Finally, the criminals grab the victim’s iPhone to steal it.²

The consequence of having both your iPhone and your passcode stolen are more dire than you probably realize. First, a criminal with your passcode can not only change your code (blocking you from using it even if you recover the phone) but, even worse, that person can change your Apple ID password even without knowing your current password. With a new Apple ID password, the criminal can turn off Find My iPhone.

Think about that. The first thing you would probably think to do if your iPhone was lost — track it with Find My iPhone — becomes impossible almost immediately after your phone is stolen.

The criminals might then use your iPhone and passcode to pay for items using the credit cards in your iPhone wallet or send money to themselves via Apple Cash. Even worse, if you use Apple’s built-in tool to store passwords for things like banking, the criminals might access your bank accounts online and transfer money from you to them. Stern and Nguyen learned of many people who had $10,000 stolen from their accounts.³

A criminal with your Apple ID password can also easily delete a lot of your information — perhaps most notably, all of your pictures. And if your Apple ID password is changed, the result can be losing access to all of your photos on all of your devices — computers, iPads, etc. — as one of the victims interviewed by Stern and Nguyen described.⁴

Again, I encourage you to read the entire story for more details. If you are not a Wall Steet Journal subscriber, you can read the article in the Apple News app if you subscribe to Apple News+. And whether or not you read the story, I recommend that you watch the excellent video the Wall Street Journal created in conjunction with the article.⁵

STEPS YOU CAN TAKE TO PROTECT YOURSELF

First, keep your passcode private. We all already know this, but perhaps the details of this specific scam will encourage all of us to be more serious about it. Anytime you enter your passcode in public, shield the screen in a way that someone looking over your shoulder cannot see what you are typing. The scam described in the Wall Street Journal article may not work on all iPhones and you may have other protections if your iPhone is subject to mobile device management but play it safe and keep your passcode private at all times. Second, consider using a more complex passcode. The default iPhone passcode is six digits. It is possible to change that to only four digits, but you should not do so. In fact, consider doing the opposite: change to more than six digits or a combination of numbers and letters. Apple explains how to use a more complex passcode.⁶ That’s what I do, and I got used to it very quickly.

Third, be very careful about giving your iPhone to someone else — especially someone you don’t know. If you do so and if they hand your iPhone back to you and suddenly you need to enter your passcode, that should be a red flag. It doesn’t necessarily mean that person is a criminal; it could just be that your iPhone tried to unlock with their fingerprint or their face and put itself in the mode where a passcode is required. Nevertheless, be safe and treat this as a sign to proceed with caution.

Fourth, you should strongly consider using a third-party password manager instead of Apple’s built-in manager — and not only for passwords, but for other information and photos. In light of the recent troubles at LastPass,⁷ the only one that I recommend right now is 1Password. The Wall Street Journal story notes that criminals were able to access passwords using Apple’s built-in password manager and could also access pictures in the Photos app of items like Social Security cards, passports, driver’s licenses, and other confidential documents.⁸ A password manager can store not just passwords but also confidential information, confidential photos, confidential documents, and more. Even if a criminal has physical access to your iPhone and the passcode, that person cannot access items in your password manager because they are locked behind a different password.

Fifth, use two-factor authentication (2FA or MFA for multi-factor authentication) when you can, and avoid using a text message as the second form of authentication if you have a choice. When there is a choice, it is much better to use another app like 1Password to store the one-time passcode (one that changes every 30 seconds). I’ll be honest: this is a little complicated to set up, especially the first time you do so, but it gets easier every time. And if you have read this far, I suspect that you appreciate the value of security, so the trouble is likely worth it for you. Unfortunately, some banks and institutions don’t give you a 2FA option other than text messaging which, of course, offers you no extra protection when the criminal has access to your iPhone.

CONCLUSION

It would not surprise me if the Wall Street Journal article and similar stories of scams like these prompt Apple to make changes to the iPhone that result in some of the methods being used by criminals becoming more difficult or entirely impossible to pull off. Then again, Apple may not do anything because this scam has only impacted a very small percentage of iPhone owners and Apple knows that almost every step taken to increase security can also make life more difficult for iPhone owners in other ways. Plus, even if Apple makes changes, clever criminals may find new workarounds. Fortunately, the steps recommended above can help to protect you regardless of whether Apple or the criminals change approaches.

Law Practice Solutions is a regular column from the State Bar of Michigan Practice Management Resource Center (PMRC) featuring articles on practice, technology, and risk management for lawyers and staff. For more resources, visit the PMRC website at www.michbar.org/pmrc/content or call our Helpline at (800) 341-9715 to speak with a practice management advisor.

ENDNOTES

1. Stern & Nguyen, A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life, Wall Street Journal (February 24, 2023) https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a. All websites cited in this article were accessed March 9, 2023.

2. Id.

3. Id.

4. Id.

5. Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes, Wall Street Journal [https://perma.cc/7CFM-G4MX].

6. Use a passcode with your iPhone, iPad, or iPod touch, Apple Support [https://perma.cc/GNV4-BEQX].

7. Newman, Security News This Week: The LastPass Hack Somehow Gets Worse, Wired (March 4, 2023) [https://perma.cc/75BC-HYGZ].

8. A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life.

New Orleans attorney Jeff Richardson founded iPhone J.D., a website dedicated to lawyers who use iPhones, iPads, and related Apple devices, in 2008. Contact him at jeff@iphonejd.com.