iPhone passcode theft: how to protect yourself
As already covered by the Standard, criminals have discovered something unnerving: with access to an iPhone owner’s passcode and the device itself, they can lock out the original owner. So what can you do to stop this happening to you?
We hope that in the long run Apple will require extra steps to reset the Apple ID on an iPhone. However, in the meantime, here are some tips to reduce the risk of theft and limit the damage if you are unlucky enough to be targeted.
Making yourself a less appealing target
Without the passcode, the amount of damage a thief can do is far lower. So …
Be careful with your passcode in public
“Passcodes and passwords are often the bane of everyone’s life but it is essential that they remain private,” said ESET’s global cybersecurity spokesperson, Jake Moore. “People should always be aware of their surroundings every time they enter their phone’s access code and opt for facial recognition or fingerprint entry where possible, which does not give away any clues.”
In other words, if your iPhone tells you to type in your passcode, look to see who’s watching and cover your screen. Maybe even nip to the toilet on a night out for maximum privacy.
Make your passcode stronger
“Criminals are getting more aggressive in their tactics but there are still measures in place to protect these devices,” Moore says.
It’s possible, for example, to make your passcode a long, alphanumeric code that makes it far harder for criminals to catch. Go to Settings > Face ID & Passcode > Change Passcode, then tap Passcode Options > Custom Alphanumeric Code when choosing a new one.
Limiting the damage
If criminals can’t observe the passcode, you’re already a less attractive target. But what if you’re forced to hand it over along with your phone at knifepoint?
There are ways that you can limit the potential damage criminals can do, even if they have both your phone and your passcode.
Consider extra security measures
Apple has one big security nuclear option: setting up a recovery key. This is a 28-character key that the phone can’t be reset without, preventing criminals from locking you out. Indeed, it’s so effective that criminals tend to set it up themselves once a phone is stolen, using Apple’s own security against you.
The problem here is that if you lose the 28-character key, Apple won’t be able to help you to restore your account as it disables Account Recovery. As such, it’s vital you store it in a safe place (and obviously not on the device itself — that’s like sticking a copy of your house key to the front door).
If that sounds like too big a sacrifice, there is a softer option found in ScreenTime — Apple’s built-in app for managing how you or your children use their Apple device.
Here, a setting designed to stop kids changing your account details can be used to your advantage. This blocks the ability to change your password, unless you can provide a separate four-digit PIN. Crucially, this is one that a thief won’t have access to.
To do this, go to Settings and then tap Screen Time. Select Use Screen Time Passcode and set up a pin that’s different from your iPhone’s passcode.
Once done, select Content and Privacy Restrictions and turn it on via the slider, before setting Account Changes to Don’t allow.
You’ll still be able to change account settings yourself if necessary – you just have to turn off the feature again in Screen Time via the pin you set up before. Crucially, though, most people won’t need to do this very often, making it a good way of limiting the damage – at least until Apple comes up with a more elegant answer to the problem.
Secondly, switch to a third-party password manager. Apple’s own iCloud Keychain password manager is handy but open to anyone with the passcode, which is how criminals have been able to empty bank accounts.
A third-party option such as LastPass or BitWarden will have a separate password, making you that more secure.
Other iPhone settings you should consider disabling
You can take things a step further by disabling additional settings on your iPhone, including the Control Centre and Reply with Message. Although they are useful, these features can be used by thieves to prevent you from tracking down your phone and to authorise online payments (when used with another function) respectively.
Criminals can effectively evade your security measures by using your iPhone’s Control Centre (a panel that contains buttons to toggle a bunch of features). The drop-down panel can be used to turn your Wi-Fi, data and Bluetooth on and off, and even turn on Airplane mode. All of this can be done without requiring your passcode or biometric info. This can prevent you from using Find My to track down your stolen iPhone.
To switch off control centre, head into settings, tap Face ID and Passcode, enter your passcode, scroll down to Allow access when locked and toggle Control Center to off.
While here, you can also toggle off Wallet access and Accessories access to stop thieves from gaining entry to your travel passes and other info.
In addition, you can toggle off Reply with Message in the Face ID and Passcode section of your settings. Thieves can use this to respond to messages from your bank to authorise payments if you also have notification previews set to always. However, the latter is set to never by default, meaning you should be fine if you haven’t manually changed the setting yourself.
If that’s the case, you can always switch it back to never by heading to settings, selecting notifications, and tapping show previews, and then choosing never.
Get rid of sensitive documents
Finally, you should delete any photos of sensitive documents you have on your phone. Apple’s image search functionality is so sophisticated that merely typing the word “passport” into the Photos app search bar will reveal any scans you’ve taken of your passport, even if they are buried beneath thousands of selfies.
If you must keep a digital copy of this, your driving licence or other sensitive documents on your phone, stick it in the secure file storage of one of the aforementioned password managers. It will then be protected by another layer of password protection.