How Thieves are Stealing iPhone Passcodes and Locking Owners Out

Summary:

  • Thieves enable “recovery key” on stolen iPhones, locking victims out of their Apple accounts.
  • Victims in at least nine US cities report similar incidents, struggling to regain access to data.
  • Apple is investigating additional protections but faces criticism for lack of alternative recovery methods.

Thieves are using a lesser-known iPhone security setting to lock people out of their Apple accounts, causing significant personal losses, reports the Wall Street Journal, following up on a story from two months ago.

After stealing iPhones, criminals are enabling the “recovery key” option introduced by Apple in 2020, which was initially designed to protect users from online hackers.

Thieves get access in the first place by watching iPhone users punch in their passcodes at bars at night. Once they see your passcode, all they need to do is steal your phone.

When thieves use a victim’s passcode to enable or generate a new recovery key, the account owner can be locked out permanently if they do not possess the 28-digit code.

Victims in at least nine US cities, including New York, New Orleans, Chicago, and Boston, have reported similar incidents, reaching out to the WSJ after reading its original story from February.

While some have managed to retrieve their money, those locked out of their Apple accounts due to the recovery key face difficulties navigating Apple’s policies and bureaucracy to recover their data. Some have even offered to fly to Cupertino to verify their identity or send a DNA test to recover their Apple ID.

An Apple spokesman told the WSJ, “We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare. We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”

However, victims are frustrated with the lack of alternative methods to prove their account ownership, and many are demanding that Apple consider less privacy-compromising alternatives to the recovery key.

How to set up a recovery key on your iPhone? Go to Settings > Apple ID > Password & Security > Account Recovery > Recovery Key > ON.

Apple will then ask you if you’re sure you want to create a recovery key, because “if you lose your recovery key and cannot access your devices, Apple will not be able to help you regain access to your account or your data.” Yeah, that line makes some people wary of turning that setting on.

At the end of the day, when punching in your iPhone passcode, make sure nobody is looking over your shoulder. You can also set up an alphanumeric passcode that contains letters and numbers, making it a bit more difficult for someone to remember what you’re typing in.

Have you set up a Recovery Key for your Apple ID?

7 Comments
Rick Jeans
3 years ago

This article does not mention it’s mainly older phones that have problems, as mine uses facial recognition to log in. Hope I am right.

Gary
Reply to  Rick Jeans
3 years ago

Face ID logins are safe. But some people don’t like Face ID and turn it off, sticking with their regular passcode. Or if Face ID doesn’t work you still need to punch in your passcode. This is what bad people are looking for.

Rick Jeans
Reply to  Gary
3 years ago

Thank you for confirming.
Many people are not so smart. I have seen many times people punching in their password. They don’t hide it. I hope they tap their debit card if they do not hide the PIN of that.

LoveTruth
Reply to  Rick Jeans
3 years ago

Every once in a while Apple forces you to enter your passcode BY DESIGN. So you can’t count on ALWAYS using Face ID since Apple doesn’t allow that. So if Apple’s algorithm decides it’s time for you to enter your passcode before Face ID is allowed again, and you’re out at a bar – well, you’ve become vulnerable to this type of attack.

shinyplastic
3 years ago

An easy safeguard is to set up Screen Time > Content & Privacy Restrictions > Account Changes > Don’t Allow with a different PIN code than your lock screen … that way there is no way for anyone to i) disable FindMy ii) change Account passcodes or iii) generate new recovery codes. It’s an easy, simple fix.

clee666
3 years ago

No Touch ID?
