This article originally appeared on Business Insider.
Wall Street Journal columnist Joanna Stern interviewed an iPhone thief who’s in prison for using iPhone passcodes to make his way into people’s phones.
Once he got into the phones, he and his crew drained victims’ bank accounts to the tune of up to $2 million in total, her reporting says.
The convicted thief, Aaron Johnson, explained to Stern how he’d hoodwink people into handing over their passcodes. And it’s worth reading so you can protect yourself:
Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behavior.
Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.
“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.
Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.
After they had the phone and the passcode, the thieves would immediately change the victim’s Face ID and Apple ID passwords — and then get to work draining money from banking apps, crypto wallets, and Venmo. They’d even use Apple Pay to go shopping in stores.
Stern and colleague Nicole Nguyen had been reporting about this particular vulnerability in iPhones for a while. Although things like Face ID, the iCloud keychain’s password manager, and all the other security features on an iPhone are pretty good, everything hinges on one entry point: that flimsy 6 digit passcode.
This is, in a way, a pretty simple theft: gain enough trust to get someone to hand you their phone (something we’ve all done) and unlock it in front of the person. No SIM-swapping or super technical hacking required.
But things could be getting a little more locked-down soon: Apple is set to roll out a new feature: stolen device protection. This will make it much harder to change an Apple ID or Face ID password. It will require a biometric scan — like your fingerprint or eye — and if you’re not in a known location, like your home or work, there will be a one-hour delay before the changes are made.
That could thwart some attempted thefts, like the ones Johnson described to Stern.
The new feature will roll out in an upcoming update to iOS 17: Turn it on — and make yourself a little safer.