Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Iphone Crime Security Apple

Thieves Spy on iPhone Owners' Passcodes, Then Steal Their Phones and Money (9to5mac.com) 84

After an iPhone was stolen, $10,000 vanished from the owner's bank account — and they were locked out of their Apple account's photos, contacts and notes. The thieves "stole thousands of dollars through Apple Pay" and "opened an Apple Card to make fraudulent charges," writes 9 to 5 Mac, citing a report from the Wall Street Journal. These thieves often work in groups with one distracting a victim while another records over a shoulder as they enter their passcode. Others have been known to even befriend victims, asking them to open social media or other apps on their iPhones so they can watch and memorize the passcode before stealing it. A 12-person crime ring in Minnesota was recently taken down after targeting iPhones like this in bars. Almost $300,000 was stolen from 40 victims by this group before they were caught.
The Journal adds that "similar stories are piling up in police stations around the country," while one of their article's authors has tweeted Apple's official response. "We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare.... We will continue to advance the protections to help keep user accounts secure."

The reporter suggests alphanumeric passwords are harder to steal, while MacRumors offers some other simple fixes. "Use Face ID or Touch ID as much as possible when in public to prevent thieves from spying... In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry."
This discussion has been archived. No new comments can be posted.

Thieves Spy on iPhone Owners' Passcodes, Then Steal Their Phones and Money

Comments Filter:
  • Fingerprint? (Score:4, Insightful)

    by test321 ( 8891681 ) on Saturday February 25, 2023 @04:05PM (#63323044)

    What is the argument against fingerprint sensors, don't they solve this problem?

    • What is the argument against fingerprint sensors, don't they solve this problem?

      The usual argument is: "I can't be bothered to use them."

      • by teg ( 97890 )

        What is the argument against fingerprint sensors, don't they solve this problem?

        The usual argument is: "I can't be bothered to use them."

        TouchID is so much easier to use than entering a password all the time? My main problem with TouchID was when I had sweaty or really dirty hands, e.g. if I was working in my garden and wanted to open the phone to switch podcasts.

        • by AmiMoJo ( 196126 )

          Fingerprints are much better than face ID. My wife's iPhone only has face ID and it doesn't work with a mask, so she rarely ever uses Apple Pay. I use Google Pay all the time, because it works with the fingerprint sensor.

          • by teg ( 97890 )

            Fingerprints are much better than face ID. My wife's iPhone only has face ID and it doesn't work with a mask, so she rarely ever uses Apple Pay. I use Google Pay all the time, because it works with the fingerprint sensor.

            Apple added support for face masks in two waves - first wave was to make it work if you were wearing an Apple Watch [appletoolbox.com], second wave was to make faceID support mask [apple.com].

            In any case, YMMV. My mother has very poor fingerprints now - both for iPhone and when renewing her passport. Getting FaceID was a major step forward for her. For me, FaceID is more convenient in a few circumstances - involving sweat and/or dirt (or otherwise wet hands). Most of the time, it makes no difference.

          • Agreed that Touch ID is superior to Face ID. My main problem is that if I have my phone sitting on the desk next to me, the camera isn't pointed at my face. I have to pick up the phone to unlock it. With Touch ID I can just press the button. Face ID also works very poorly in low light, making it harder to use in the dark.

          • Whoever is still wearing a mask has a personal anxiety problem.

            It has been several years now and the apocalypse hasn't happened. Anyone who wants and believes in the vaccines can have as many covid vaccines as they want, for free, at the nearest CVS or Walgreens. Anyone who doesn't has no fear of covid anyway and probably had it already, twice.

            Also, there is ample scientific evidence available now about the ineffectiveness of the masks in real-world scenarios, even compared in clinical settings with medical

            • by tlhIngan ( 30335 )

              Whoever is still wearing a mask has a personal anxiety problem.

              It has been several years now and the apocalypse hasn't happened. Anyone who wants and believes in the vaccines can have as many covid vaccines as they want, for free, at the nearest CVS or Walgreens. Anyone who doesn't has no fear of covid anyway and probably had it already, twice.

              Also, there is ample scientific evidence available now about the ineffectiveness of the masks in real-world scenarios, even compared in clinical settings with medical

      • What is the argument against fingerprint sensors, don't they solve this problem?

        The usual argument is: "I can't be bothered to use them."

        Uhhh, for the dangerously lazy, how the hell is punching in a 4-6 digit code actually easier to do, especially when texting while driving?

        • What is the argument against fingerprint sensors, don't they solve this problem?

          The usual argument is: "I can't be bothered to use them."

          Uhhh, for the dangerously lazy, how the hell is punching in a 4-6 digit code actually easier to do, especially when texting while driving?

          Personally I get the stuff fixed, so don't even try asking me as I literally have no clue, It's just the answer I got when asking a few people who do it. That and: 'it's too complicated' which also mystifies me since IMHO since I've seen a seven year old set up Face ID. On top of that there have also been recalls due to defective sensors, particularly fingerprint sensors so that might account for some of these incidents. You'd think people would have them fixed but they either 'can't be bothered' or it's 't

        • What is the argument against fingerprint sensors, don't they solve this problem?

          The usual argument is: "I can't be bothered to use them."

          Uhhh, for the dangerously lazy, how the hell is punching in a 4-6 digit code actually easier to do, especially when texting while driving?

          This is a shit on Apple story. The same argument could be used for looking at a Windows passcode, and accessing the computer that way.

          I use facial recognition, and there is a simple way to keep people from looking at your passcode during the times you have to use it.

          You just don't let people see you type in your passcode - and you definitely do not use it for your ApplePay.

      • by gweihir ( 88907 )

        Seriously? People are _that_ dumb? Well, thinking about it, yes, people are that dumb.

    • Re: (Score:2, Insightful)

      by sinij ( 911942 )
      Due to strange case law providing fingerprint is not protected by 5th, but pin is.
      • by Entrope ( 68843 )

        I don't know about Apple phones, but Android 13 has "Lockdown" and "Restart" options in the menu you get from holding the power button for two seconds. After either of those, the phone requires entering a passcode or equivalent; Bluetooth -based "smart wake" and biometric IDs are disabled. That means one only needs about three seconds to protect against the threat you mention.

        • iOS has this as well. Clicking the power button 5 times will dial 112 (911 for US'ians), you can cancel that within 5 seconds but it will disable TouchID and FaceID, requiring the passcode to be entered. Has the advantage that you can easily do this with the phone in your pocket, no need to pick an item from an on screen menu. Something to remember the next time you're being arrested.
          • by dissy ( 172727 )

            You can also hold power/sleep and volume up (aligned with power on the other side) for 3 seconds.
            This opens the emergency screen where calling 911 needs an extra swipe to do, along with a shutdown and cancel button.

            However at this point face/touch ID is disabled requiring the passcode again.

            I wasn't aware of the 5-press power button thing, so thank you for that.
            Good to have options regarding auto-dialing 911 or not depending on the situation.

            • Likewise thanks for the tip.
            • by AmiMoJo ( 196126 )

              On my Pixel that is activated by pressing the power button 5 times rapidly. It might be device dependent.

              You can configure it to record video automatically, as well as locking down. Very handy if the cop's bodycam malfunctions for some reason.

          • You can also just say "Hey Siri, whose phone is this". Useful when you don't want to be reaching for an object with your hands in a tense situation.

          • Thanks! I didn't know about this feature.

        • That means one only needs about three seconds to protect against the threat you mention.

          This does nothing to protect you if your phone is taken while unattended. And even when it is attended, most people could probably snatch a phone out of someone's hand without warning in less than a quarter of a second.

      • Not all that strange. The police/courts can take possession of your body to throw it in jail, but can't compel you to speak or think a certain way. So, your body can be forced to unlock the device, but not your mind.

      • Re: Fingerprint? (Score:5, Interesting)

        by ArmoredDragon ( 3450605 ) on Saturday February 25, 2023 @05:47PM (#63323198)

        That's not strange at all, that actually makes perfect sense. The four authentication factors are:

        1) What you know
        2) What you have
        3) Who you are
        4) Where you are

        Of all of those, the first factor is the only one that the government can't compel you to offer as evidence against yourself. Everything else they can obtain with a warrant.

        • The problem with "what you know" rapidly turns into just another password. I may remember the first time I had a crush on a girl, but her name would just be a weak password, the location where I met her would require AI to decipher because I might word it differently. So "city you grew up in" really is a password with maybe a few hundred likely choices.

          What I have can be stolen. Where I am is useful in private but not in public if I'm moving.

          Who you are has potential, but its difficult to both
        • by tlhIngan ( 30335 )

          That's not strange at all, that actually makes perfect sense. The four authentication factors are:

          1) What you know
          2) What you have
          3) Who you are
          4) Where you are

          Of all of those, the first factor is the only one that the government can't compel you to offer as evidence against yourself. Everything else they can obtain with a warrant.

          Wrong. Biometric IDs (who you are) may be obtained without a warrant. What you know (passwords) can be compelled via a warrant. But the Supreme Court has ruled that cops can use y

      • Due to strange case law providing fingerprint is not protected by 5th, but pin is.

        I'm betting around 98 - 99.9% of American citizens aren't even aware of that. And the rest of the planet doesn't even bother with a half-ass attempt to recognizes that protection.

      • There is nothing 'strange' about it. You HAVE a fingerprint. You KNOW a pin. The only thing they have in common is that they can unlock your phone.
        • by sinij ( 911942 )

          There is nothing 'strange' about it. You HAVE a fingerprint. You KNOW a pin. The only thing they have in common is that they can unlock your phone.

          You (and courts) are arguing linguistics instead of looking at the intent of the law. You HAVE a memory the same way you HAVE a fingerprint. Your phone is a memory device and there is no difference in intent between you memorizing something and you encrypting a digital note.
          The intent of the law is to avoid forcing self-incrimination. This is a response to medieval methods of extracting confessions with torture. Only now you can again be tortured (indefinite detention) to provide a confession.

          • You HAVE a memory the same way you HAVE a fingerprint.

            Can you see or make a copy of my memory the same way you can see and make a copy of my fingerprint? No, of course not, so they aren't the same. I'm surprised I still have to point this out.

            Give me the combination to this safe. Oh, you claim you don't know it? Well, I don't believe you, so I'm going to put you in jail until you tell me the combination.

            Do I still have to give you more examples of why a fingerprint and memory aren't the same thing?

            • by sinij ( 911942 )

              You HAVE a memory the same way you HAVE a fingerprint.

              Can you see or make a copy of my memory the same way you can see and make a copy of my fingerprint?

              There is nothing conceptually impossible even if we don't have technology to do that right now. Technology to do this is not that far off, we know already that high resolution brain scans can differentiate in how your brain responds to various stimuli, so it is only a question of perfecting existing technology.

              • Technology to do this is not that far off,...

                How high, exactly, are you right now?

                • by sinij ( 911942 )
                  Here is an old article from nature: How to see a memory [nature.com].

                  Chen is among a growing number of researchers using brain imaging to identify the activity patterns involved in creating and recalling a specific memory.

    • by jhecht ( 143058 )
      Fingerprints don't work for everybody. They can be worn down or otherwise unreadable.
      • Fingerprints don't work for everybody. They can be worn down or otherwise unreadable.

        And some people don't have a face, you insensitive clod!

      • Fingerprints don't work for everybody. They can be worn down or otherwise unreadable.

        My mother basically has no fingerprints. I tried many ways to get it to work for her, but despite that her failure rate is >90%. Or was. Now of course she doesn't even try and just enters the passcode.

    • What is the argument against fingerprint sensors, don't they solve this problem?

      I didn't see anything in TFS arguing against the use of fingerprint sensors. In fact, it was one of the suggested solutions. The main reason Apple shifted away from fingerprint sensors is that for some people, they're still a bit of a hassle to use. My mother was one of those people who could never get it to work right. She'd always either press too hard or too light and just found it frustrating, so she ultimately disabled it. She also hated constantly having to unlock her phone with a PIN as well, so

    • by znrt ( 2424692 )

      since you obviously didn't even skim read the abstract which specifically mentions "touchid" i'm assuming you aren't really interested in the answer, but the "argument against fingerprint sensors" in general is that they aren't a holy grail either, they have a non trivial and fundamental inherent weak spot by design and in light of the experiences with common implementations are not trivial to get to work reliably (ofc ymmv).

      • since you obviously didn't even skim read the abstract which specifically mentions "touchid" i'm assuming you aren't really interested in the answer, but the "argument against fingerprint sensors" in general is that they aren't a holy grail either, they have a non trivial and fundamental inherent weak spot by design and in light of the experiences with common implementations are not trivial to get to work reliably (ofc ymmv).

        When we add up all the reasons that security on people's phones are too hard to use, maybe they should just leave them open, and consider getting ripped off cost of doing life?

    • by c-A-d ( 77980 )

      The argument against using fingerprint sensors is that the cops don't need a warrant to force you to unlock your phone; They can just hold your finger to the sensor.

      • by AmiMoJo ( 196126 )

        On Android check out PanicKit, combined with Duress and Wasted. Designed for exactly that kind of situation.

        This also seems relevant: https://www.forbes.com/sites/t... [forbes.com]

        Make sure you have plausible deniability, e.g. you set it up so that if the device hasn't been unlocked for a certain amount of time it auto wipes and there is nothing you can do to stop it.

    • Not in my case
      Due to a rare skin condition, I don't have them.

      My fingerprints are mostly scar tissue and blankness, and it's good enough for the police, but phone and laptop fingerprint sensors don't read them.
      I don't know why face recognition doesn't work, but the beard might have something to do with it.
    • You can be compelled by law enforcement to use biometrics but cannot be compelled to enter a pin / password because, oops, you forgot.

  • by 93 Escort Wagon ( 326346 ) on Saturday February 25, 2023 @04:29PM (#63323072)

    In that situation, alphanumeric versus numeric isn't really going to matter.

    And, even if you're using FaceID, your iPhone can still be accessed by Nicholas Cage or John Travolta.

    • For me, I don't have any bank or credit card tied to the phone, or any other financial information, or any files containing passwords, etc. None of the pictures on it are even embarrassing.

    • And, even if you're using FaceID, your iPhone can still be accessed by Nicholas Cage or John Travolta.

      Thankfully, they both have successful acting careers, so a face off with either of them in an attempt to steal your phone is highly unlikely.

    • In that situation, alphanumeric versus numeric isn't really going to matter.

      And, even if you're using FaceID, your iPhone can still be accessed by Nicholas Cage or John Travolta.

      Or in my case, Mothher Theresa

    • by tlhIngan ( 30335 )

      In that situation, alphanumeric versus numeric isn't really going to matter.

      Only if they get a clear recording. A passcode entry is 10 digits on the whole screen, making it large and easy to type, so even if the phone is moving you can still make out with relative certainty what number was pressed. You only have to make an educated guess on 6 numbers 0-9 and you can roughly tell from what part of the screen what the digit is.

      Alphanumeric entry uses the full keyboard, and the full symbols, so the hit area is

  • Simple solution (Score:5, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Saturday February 25, 2023 @04:36PM (#63323090) Homepage

    Do not use your 'phone for e-banking & similar. I know that the 'phone makes it easy but it also exposes you to all sorts of risks, not just today's story but losing it, .... I know that many people do not have easy access to a PC (preferably non MS Windows) but if you want to be safe how much is a little inconvenience ?

    • Re:Simple solution (Score:5, Interesting)

      by Powercntrl ( 458442 ) on Saturday February 25, 2023 @05:32PM (#63323184) Homepage

      Do not use your 'phone for e-banking & similar.

      It's far more likely your account(s) will be compromised via a card skimmer or data breach, so why inconvenience yourself over something that's incredibly unlikely to happen? My mother has had her credit card skimmed (likely at a gas station), and I had someone try to use my debit card (which leaked in data breach and the bank took their sweet time replacing it) at some web store in Japan. In both cases, after promptly reporting the fraud, the issue was resolved and no money was ultimately lost.

      IMHO, if you're really concerned about being mugged for your phone, get a concealed carry permit and use old fashioned "2A security".

      • Do not use your 'phone for e-banking & similar.

        It's far more likely your account(s) will be compromised via a card skimmer or data breach, so why inconvenience yourself over something that's incredibly unlikely to happen? My mother has had her credit card skimmed (likely at a gas station), and I had someone try to use my debit card (which leaked in data breach and the bank took their sweet time replacing it) at some web store in Japan. In both cases, after promptly reporting the fraud, the issue was resolved and no money was ultimately lost.

        IMHO, if you're really concerned about being mugged for your phone, get a concealed carry permit and use old fashioned "2A security".

        Pretty much this. If you use facial recognition and don't let people see you tap in your PIN, you are as safe as any other usage, probably safer. Note this was used by people in Bars, so they'll be doing the modern human business of constntly getting texts, entering the PIN, then rinse and repeat.

        Bloody hell! Some alcohol, repeating PIN entry with a lot of people looking on - what could go wrong?

    • Do not use your 'phone for e-banking & similar. I know that the 'phone makes it easy but it also exposes you to all sorts of risks, not just today's story but losing it, .... I know that many people do not have easy access to a PC (preferably non MS Windows) but if you want to be safe how much is a little inconvenience ?

      If we look at that way, it is a risk to do anything with a credit card, so deal in cash only. No checks either

      This is really a shit on Apple story. A Windows machine also has a pincode, if you want to use it - and Microsoft keeps nudging you toward it.

      Fact is, the impressively ignored fix for this is don't let anyone see the passcode you type in. Even if you use Facial ID - and I do, you occasionally have to use the PIN. You tilt the phone away from anyone in your presence, type it in, and no one is t

      • If we look at that way, it is a risk to do anything with a credit card, so deal in cash only. No checks either

        I am speaking as a European, here we have had Chip+PIN on credit cards for many years. Not uncrackable but much safer.

        • If we look at that way, it is a risk to do anything with a credit card, so deal in cash only. No checks either

          I am speaking as a European, here we have had Chip+PIN on credit cards for many years. Not uncrackable but much safer.

          Right. I use facial recognition whenever possible, and Chip as well. I'm not certain if adding a PIN to the chip is all that much safer than Chip alone. But OP was claiming that you should never do CC's on the phone at all.

      • Visa are delightfully aggressive about customer protection as I found out doing chargebacks where deceptive sellers promptly caved in.

        I understand the desperate desire to do everything with a phone but have the sense not to.

        It freaks out zoomers (of any age) when I mention I compartment my finances and even carry cash. They seem to think a grand in ones wallet in 2023 is scary (hint, no one can see inside). If the grid goes down I've plastic and cash. If my local bank goes down (hurricanes happen, Hugo was

        • Visa are delightfully aggressive about customer protection as I found out doing chargebacks where deceptive sellers promptly caved in.

          I understand the desperate desire to do everything with a phone but have the sense not to.

          I use ApplePay for convenience. If it was a fob it was on, I'd use that. My own outlook on Smartphones is that they are shitty little computers. Or occasionally something I tether to my laptop if need be. Otherwise, they are more a nuisance.

          It freaks out zoomers (of any age) when I mention I compartment my finances and even carry cash. They seem to think a grand in ones wallet in 2023 is scary (hint, no one can see inside).

          As long as it works for you. I have a hidden stash of cash, but never carry it on my person unless I have a very specific need to pay for something in cash, and that happens very seldom.

          Speaking of freaking out here goes.

          I have the largest money back credit card, an

    • by antdude ( 79039 )

      Some people don't even have and use computers. :O

    • Pretty soon you won't have a choice.

      I'm 45 and I don't have and don't want a smartphone. I'm increasingly aware of how hard it is to survive in today's society without one.

    • by Entrope ( 68843 )

      The vulnerability here was not using the phone for "e-banking" but using it for payments, and unfortunately US credit cards have even worse security than our phones, so the alternative might be worse. If somebody takes your credit cards instead of your phone, they can drain your accounts just as fast as they can with a payment-enabled phone. It's also easier to notice that a phone is missing than a credit card.

  • These thieves often work in groups with one distracting a victim while another records over a shoulder as they enter their passcode.

    You can't tell someone's standing six inches behind you or that they're holding their own phone over you while you type in your passcode? Do the words 'situational awareness' mean nothing to these people?

    Others have been known to even befriend victims, asking them to open social media or other apps on their iPhones so they can watch and memorize the passcode before stealing it

    • Do the words 'situational awareness' mean nothing to these people?

      TFS explained that this scam/theft typically takes place in a bar. People go to bars to drink alcohol, a drug which has a deleterious effect on person's ability to maintain situational awareness. Regardless of how you may personally feel about it, it's legal for adults of drinking age to partake in such activities, and the fact that the victims are intoxicated does not justify the actions of the criminals.

    • These thieves often work in groups with one distracting a victim while another records over a shoulder as they enter their passcode.

      You can't tell someone's standing six inches behind you or that they're holding their own phone over you while you type in your passcode? Do the words 'situational awareness' mean nothing to these people?

      Note it was in a bar. It's possible that people here aren't aware of it, but yes - people go to bars and chat others up. Add a degree of alcohol, and some folks interact with each other.

      In fact, if a person acts all paranoid in the bar, they should probably stay home.

    • by gweihir ( 88907 )

      You can't tell someone's standing six inches behind you or that they're holding their own phone over you while you type in your passcode? Do the words 'situational awareness' mean nothing to these people?

      This apparently worked 40 times over a while. Think of the most stupid people you know that have some money...

      Some random person makes your acquaintance and you willingly go to whatever site they ask you to?

      See above. Using narcissism in stupid people (who hence do not know they are stupid, also nicely described by Dunning and Kruger) is a time-honored approach of scammers. Initially it works on everybody, but the non-stupid usually catch on before the scam has worked. The stupid do not. See, for example, countless variations of the pyramid-scheme or applications of the "Greater Fool Theory" (crapcoins

  • by aaarrrgggh ( 9205 ) on Saturday February 25, 2023 @11:52PM (#63323618)

    While Apple has the dumbest possible solution by some measures, the simple solution is to use out-of-band passwords for financial information, including notes for passwords. It is stupid that there aren't better options for managing the information within your phone, but if you want to be paranoid you are going to have to deal with the pain.

  • I used to jokingly take my brother's phone and attempt to guess his pin, always getting it right in a moment or two before quickly looking up silly search queries to ruin his search suggestions and targeted ads (e.g 'pullups' and 'homeopathic resurrection'), creating some fun shenanigans.

    Recently, he handed me his Iphone, with a newly setup touch ID. He offered me $50 if I could crack it. While holding the phone up, I walked away while pretending to look at it, thus capturing his face with the phone over my

    • by gweihir ( 88907 )

      Indeed. Well, there really is no replacement for 2FA in the end for anything that is critical. For example, my banking app takes the same fingerprint that opens the phone, _but_ whenever there is a transfer they cannot easily cancel or where the receiver has low/no reputation with them, they require a confirmation on a different device, i.e. computer or 2nd phone. That makes the type of attack from the story very hard or impossible. My other banking app comes with an authenticator device that scans a code.

  • Seems like a really pressing problem. Or rather seems like 40 stupid people with money that they did not secure reasonably because they are stupid. It is not like you get told that you need to protect your passcode or anything. No, does not happen.

  • So, you hold your phone in one hand, type in the code with the other hand, while shielding your screen from prying eyes with your other other hand. Got it.

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...