When you’re carrying around a smartphone worth $1,000 or more, you’re going to want to protect it. But the device itself isn’t necessarily the most valuable thing to a thief: it’s the personal data stored on it.
A recent Wall Street Journal report shed light on a way thieves are breaking into iPhones to steal your information: by learning your passcode. The report says thieves watch iPhone users enter their numeric or alphanumeric passcodes in public and memorize them. They then steal the phone, unlock it with the passcode, and change the Apple ID password, locking the owner out of iCloud.
Once the owner is locked out, they can no longer locate, lock or erase the phone with tools like Find My iPhone, which buys the thief time. With control of the Apple ID, the thief can also change the account’s recovery settings, blocking the owner’s attempts to reset the new password.
An Apple spokesperson told the newspaper that security researchers would agree that iPhones are the “most secure consumer mobile device,” adding that the company is always working on updates to help thwart “new and emerging threats” to protect customers. Apple said it doesn’t believe the specific tactic referenced in the Wall Street Journal report is common, but that it still takes these incidents seriously.
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” the spokesperson said. “We will continue to advance the protections to help keep user accounts secure.”
Apple has not yet responded to CBS News’ request for additional comment on the potential risk.
3 ways to protect yourself from hackers
iPhone users should nevertheless remain vigilant when using their smartphones in a public setting. Apple has released a series of security updates and data protections in recent years, but there are still some other steps you can take to protect your phone and data. Here are a few rules of thumb.
1. Protect your passcode
One of the most obvious ways to prevent a potential thief from accessing your smartphone is to cover your phone screen when entering your passcode — or avoid tapping it in altogether.
Vitaly Shmatikov, a professor of computer science at Cornell University and Cornell Tech, says smartphone users should rely on Touch ID or Face ID as much as possible when out in public.
If you have to use a passcode, then make sure it’s complicated.
“Treat your phone’s passcode as you would a bank card PIN: Make sure it’s long and hard to guess,” Shmatikov told CBS News.
2. Don’t store passwords on your devices
While you may be tempted to save a complicated passcode or password in a note or file on your phone, desktop or tablet, avoid it: anyone holding the unlocked device can read it, and a thief who has already learned your passcode has exactly that.
“Don’t store passwords to sensitive websites and apps on the phone,” Shmatikov reiterates.
Consider using a password manager, an application that generates strong passwords and stores them behind a single master secret. According to a 2022 Consumer Reports survey, roughly 39% of consumers use a password manager for their online accounts, a 3% increase from 2019.
“Since 2019, a large number of individuals have adapted the use of multi-factor authentication versus a stagnant change in individuals who use a password manager or virtual private network,” the survey states, noting that 77% of consumers reported using two-factor authentication in 2022.
3. Set up two-factor authentication
Two-factor authentication, which requires a second proof of identity in addition to your password, such as a one-time code generated by an authenticator app or delivered to a trusted device or email address, is also a valuable tool.
“Two-factor authentication for Apple ID is a must, the second factor should be a separate trusted device (like an iPad, a Mac, or an Apple Watch),” Shmatikov says.
Many experts caution users against using SMS text messages for two-factor authentication, especially if you’re concerned about your phone getting stolen.
SIM swapping, where a criminal persuades your mobile carrier to move your phone number to a SIM card they control and thereby receives your calls and text messages, is a rising threat. The FBI Phoenix Field Office recently explained how the scam works.
“Criminals first identify a victim who is likely to own large amounts of digital currency and obtain their phone number and mobile carrier,” the agency explained in a news release. “They then socially engineer a customer service representative to port the victim’s phone number to a SIM card and phone in their control.”
If a thief holds your unlocked phone, a text-message code won’t protect your accounts: the code is delivered to the very device they are holding, so they can complete password resets and change your recovery options as if they were you.
“For sites and apps that require two-factor authentication — for example, banking sites — don’t use SMS/text as the second factor. Instead, use an authenticator app (like Google Authenticator, Microsoft Authenticator, Duo, Okta Verify, etc.) and turn on biometric protection — require Face ID or Touch ID — in the authenticator app,” Shmatikov advised. “Then a thief who steals your phone won’t be able to get authentication codes and log into financial sites as you.”