Losing your iPhone is bad. Losing your entire digital life, from photos to finances, is traumatic. Unfortunately, the latter is all too common. Journalist Joanna Stern recently published a report with The Wall Street Journal detailing how thieves in places like New York aren’t just stealing iPhones, but every valuable piece of data inside them as well. The culprit? The humble iPhone passcode.
Your iPhone’s passcode can be used against you
Your passcode is designed to keep your iPhone and its data safe, but it’s far too vulnerable to be considered truly secure. Once a thief identifies those six-digits on your Lock Screen, it’s game over. That makes it a prime target for bad actors in cities around the world. It’s easy enough to spot over someone’s shoulder, but some thieves are orchestrating routines to capture passwords with precision, tasking one person with recording others using the passcode on their phones for easy reference after a theft.
Your passcode unlocks deeply personal parts of your iPhone. Within minutes of stealing the device, thieves can reset your iCloud password by punching in the digits they watched you type. (You can see this for yourself: On your iPhone, head to Settings > [Your Name] > Password & Security > Change Password. Your phone will only ask for your passcode again to begin resetting your iCloud password. Yikes.)
From there, it’s smooth sailing for the thieves. They can remove other devices from the Find My network and turn off Find My tracking altogether, locking you out of all of your connected Apple devices. You lost your iPhone, but now you can’t use your Mac or iPad, either. And, because they changed your password, you can’t fix the problem on your end anymore.
Face ID won’t protect your sensitive apps, either, since they can all be unlocked with the passcode as well. That includes personal notes, banking apps, and money transfer apps like Venmo, Apple Pay, Coinbase, and more. People aren’t only losing devices and data in these robberies, they’re losing real money. Scary stuff, and as it stands, Apple has no real answer to offer. But there are a couple steps you can take to protect yourself right now.
Use an alphanumeric password on your iPhone
The first thing to do is improve your passcode. Switch to a longer, alphanumeric password — meaning one with letters, numbers, and special characters. You can do this from Settings > Face ID & Passcode > Change Passcode > Passcode Options. Sure, it’s less convenient than a six-digit numeric passcode, but it’s far more secure, especially since it’s much harder for someone to see you enter over your shoulder. Plus, you’ll only need to go through the pain of entering it every so often, since Face ID and Touch ID will still be your go-to authentication methods most of the time.
Don’t let anyone see your iPhone’s password
Treat this new passcode like your ATM PIN. If you have to type it out in public, cover your iPhone when entering the passcode, particularly when in a crowded place like a bar or train. Remember: This password is the key to your entire iPhone.
Mind your password managers
Password managers can be a great way to keep your strong and unique passwords in one secure location. If possible, however, try not to use a password manager for financial apps. The Wall Street Journal reports thieves were able to access bank accounts because the information was saved to iCloud Keychain. They could simply autofill the password to break in, or access the enter keychain using your passcode.
Of course, password managers are far easier than remembering your passwords for individual accounts. If you want to use one for your financial apps, use a third-party password manager like 1Password or Bitwarden, as they require a separate master password to access. That way, even if a thief knows your phone’s passcode, they won’t be able to see your financial passwords.
Use an authentication app rather than SMS-based 2FA
Always use a two-factor authentication (2FA) method if your bank app allows for it, and make sure it’s a dedicated authenticator app, not one that works via text message. If the thief has access to your iPhone, they’ll be able to read any 2FA code that arrives through SMS. Instead, choose an app like Aegis or Raivo that lets you set a unique password for the app, rather than relying on your iCloud password for entry. Like the third-party password manager, hackers won’t be able to break into your authenticator app without the master password. Even if they have your bank password, they’ll be stuck.
Don’t keep pictures of your financial information on your iPhone
Lastly, go through your photo gallery and notes and delete all the entries that feature your credit cards, bank details, social security number, or identification documents. A scanned copy of your credit card is sometimes all a bad actor needs to wreak havoc on your bank account.