HIGHLIGHTS
* Thieves are using a new iPhone security feature to permanently lock people out of their phones.
* The feature, called recovery key, is a randomly generated code required to regain access to an Apple ID once enabled.
* The act starts with thieves gaining access to a victim’s passcode and then subsequently changing all settings.
Criminals and thieves can lock people out of their stolen iPhones by using a security setting called recovery key, a new report has claimed. That’s what happened to 46-year-old Greg Frasca, who had his iPhone 14 Pro stolen from a bar in Chicago. The thieves changed Frasca’s Apple ID password with his passcode and also turned on the recovery key to lock him out and stop him from tracking them using the Find My feature.
Here are all the specifics on how criminals use this feature and what it is.
Thieves lock you out of your iPhone: Here’s How
As per the WSJ report, the victim, Greg Frasca, had his iPhone 14 Pro stolen at a bar in Chicago after someone saw him enter his passcode. The individual stole the iPhone with the intention of gaining access to the victim’s banking and Apple Pay accounts. The thieves were able to gain access to his iPhone through the passcode and also altered his Apple ID password. The thief took additional measures by enabling the recovery key feature, which basically locked the victim out of his Apple ID.
What is the recovery key feature on an iPhone or iPad?
A recovery key is a 28-character code that is made up at random and can help you change your password or get back into your Apple ID. The unique feature is that it allows people to immediately change their Apple ID password without knowing the previous one.
To generate a new recovery key, access the Settings or System Preferences on a trusted device that is signed in with your Apple ID.
* To access the Password & Security section, navigate to Settings, select your name, and then choose Password & Security. It may be necessary for you to input your Apple ID password.
* Click on the option labelled “Recovery Key.”
* To activate the Recovery Key, slide the corresponding button.
* To use the recovery key, you need to enter the passcode.
* It is recommended that you record your recovery key and store it in a secure location.
* Please enter your recovery key on the following screen to confirm it.
What does Apple say?
So essentially, if a person knows your passcode and has access to your iPhone, they have the power to lock you out of your Apple ID and disable tracking. Apple recently released a statement on the issue.
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare. We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.” – Apple, to Wall Street Journal
How to Stay Safe?
Well, if a malintent person has access to your passcode, there’s not much you can do. What you can however do is use Face ID and Touch ID to secure your phone, and keep your passcode hidden at public places, as most incidents have been reported from crowded spots.
FAQ’s
1) How Apple Responds to the latest report of the iPhone security feature ?
Ans) In a statement shared in response to the report, Apple said it is “always investigating additional protections against emerging threats like this one.”
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson told The Wall Street Journal. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
2) How to Stay Protected from thieves ?
Ans) iPhone users should use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.
The report also recommends that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode. To protect a bank account, consider storing the password in a password manager that does not involve the device’s passcode, such as 1Password.
3) Apple Responds to Report About Thieves Permanently Locking Out iPhone Users.Details?
Ans) The Wall Street Journal’s Nicole Nguyen and Joanna Stern today published a report highlighting how thieves can use Apple’s optional recovery key security option to permanently lock out iPhone users from their Apple ID account.
As the journalists first revealed in February, there have been increasing instances of thieves spying on an iPhone user’s passcode in public and then stealing the device in order to gain widespread access to the device and its contents, including financial apps. All of the victims interviewed in the initial report said their iPhones were stolen while they were out socializing at bars and other public places at night.
With knowledge of the iPhone’s passcode, a thief can easily reset the victim’s Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud.
Today’s report places more focus on an additional step that thieves can take: using the stolen device to set or reset a recovery key, a randomly generated 28-character code that is required to regain access to an Apple ID once enabled.
“Apple’s policy gives users virtually no way back into their accounts without that recovery key,” the report states. With unmitigated access to a stolen iPhone, the device’s passcode, and the Apple ID password, thieves can steal money via Apple Pay and potentially other banking apps, view sensitive information like photos and emails, and more.
Apple’s website does warn that losing access to both your trusted devices and recovery key means that “you could be locked out of your account permanently.” In this scenario, however, thieves spying on iPhone passcodes before stealing the devices means that victims only need to lose their device in order to potentially be permanently locked out. The report serves as a valuable reminder to protect your iPhone’s passcode in public.
4) Losing your iPhone’s recovery key could leave you locked out of your iPhone forever. Is it true ?
Ans) The recovery key was launched by Apple in 2020. When the feature is enabled, the randomly-generated 28-digit “recovery key” needs to be provided when a user changes his Apple ID password. But if an iPhone is stolen and in the possession of the bad guys, enabling the recovery key will lock out the legitimate owner of the purloined phone. And without that recovery key and the phone, there is nothing that Frasca can do.
An Apple spokesman says, “We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare. We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
The security key is generated on an iPhone and iPad by following these directions:
* Go to Settings > [your name] > Password & Security. You might need to enter your Apple ID password.
* Tap Recovery Key.
* Slide to turn on Recovery Key.
* Tap Use Recovery Key and enter your device passcode.
* Write down your recovery key and keep it in a safe place.
* Confirm your recovery key by entering it on the next screen.
Keep in mind that when you generate a recovery key, you cannot use account recovery to get back into your Apple account. With account recovery, a user can reset his Apple ID password even if he/she doesn’t have enough information to do so. With the recovery key, an iPhone owner whose device has been stolen or lost can remotely change his/her Apple ID password by using the recovery key, a trusted phone number, and an Apple device.
But even Apple admits that losing the recovery key means “you could be locked out of your account permanently.” And crowded bars are the perfect spot for these crimes to be committed. Frasca, like many victims of phone theft, had his iPhone stolen at a bar where there are so many eyes looking around trying to sport a user’s passcode. Once the passcode is stolen, the thief figures out a way to steal the phone itself.
With the passcode and the phone, the thieves can turn on the recovery key and lock out the legitimate owner. And if the security key has already been generated, a new one can be created. Either way, the iPhone owner cannot get back into his account. Or should we say the owner is not supposed to get back into the account, but one did.
5) One iPhone owner “got lucky” and found support from an Apple rep. Details?
Ans) Terry Allen had his iPhone 13 Pro stolen last summer in New York and like Mr. Frasca, his phone contained important pictures of relatives. After calling Apple for months, he finally came across a sympathetic Apple rep who asked other questions to verify Allen’s identity. Apple disabled the security key and Mr. Allen was able to change his password. “I just got lucky,” he said, but he now backs up his photos.
There are some suggestions such as using a complex passcode in case you can’t use Face ID. This can be done by going to Settings > Face ID & Passcode > Change Passcode. The best suggestion is to hold on to your security key and your phone.
Also Read: iOS 17 features for iPhones, as per the latest leak