The Apple software never requires the user to enter an older password before setting a new one
New York, February 26
The passcode that unlocks an iPhone is now giving thieves in public places easy access to the owner's money and data.
According to The Wall Street Journal, using a remarkably low-tech trick, thieves watch iPhone owners tap in their passcodes, then steal the phones and, with them, their targets' digital lives.
A 31-year-old senior economist at a workforce intelligence startup lost all the photos, contacts and notes on her iPhone 13 Pro Max, which was snatched at a bar in Midtown Manhattan, and about $10,000 vanished from her bank account within 24 hours.
“With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID,” said the report.
This would lock the victim out of their account, which includes anything stored in iCloud.
“The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords,” it added.
When the password change is complete, the software offers an option to force other Apple devices, such as Macs or iPads, to sign out of the Apple account, so a victim couldn’t turn to those devices to regain access.
With the new password, the thief can disable Find My iPhone, which also allows the thief to resell the device.
An Apple spokesperson said that the iPhone is the most secure consumer mobile device, and that “we work tirelessly every day to protect all our users from new and emerging threats”.
“We sympathise with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” the spokesperson was quoted as saying.
“We will continue to advance the protections to help keep user accounts secure.”
Nearly all of the victims had their iPhones stolen while they were out at night socialising in public places such as pubs and bars.
In all cases, the iPhone owners were locked out of their Apple accounts.
“They then discovered thousands of dollars in financial thefts, including some combination of Apple Pay charges, drained bank accounts linked to phone apps and money taken from PayPal’s Venmo and other money-sending apps,” the report elaborated.
The same vulnerability exists in Google’s Android mobile operating system, but the “higher resale value of iPhones makes them a far more common target”, according to law enforcement officials.
“Our sign-in and account-recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping the bad actors out,” a Google spokesperson was quoted as saying.
Apple recently introduced the ability to use hardware security keys, small USB dongles, to protect the Apple ID.