When you carry around a smartphone that is worth up to $1,000 or more in your pocket, you’ll want to protect it. But the device isn’t necessarily the most valuable asset to thieves – it is the personal information you have saved on it.
A recent report from the Wall Street Journal highlighted a new way thieves get into your iPhone to steal your information: your passcode. The report says that thieves are now starting to watch iPhone users enter their numeric or alphanumeric passcodes and memorize the combination. They then steal the users’ phones, sign in with the passcode, change the Apple ID password, and lock the users out of iCloud.
This gives thieves time to stop you from accessing important information and from tracking your phone using tools like Find My iPhone. After gaining access to your accounts, they can reset recovery codes to block all attempts to reset the changed passwords. There is also a risk that they will use your password to access your financial apps and accounts, enabling them to commit fraud.
An Apple spokesperson told the newspaper that security researchers would agree that the iPhone is the “most secure consumer mobile device,” adding that the company is always working on updates to help counter any “new and emerging threats” to protect customers. Apple said it doesn’t believe the specific tactics referenced in the Wall Street Journal report are common, but it still takes these incidents seriously.
“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” the spokesperson said. “We will continue to advance protections to keep user accounts safe.”
Apple did not immediately respond to CBS News’ request for further comment on the potential risk.
3 ways to protect yourself from hackers
Even so, iPhone users should be cautious when using their smartphones in public settings. Apple has released a number of security and data protection updates over the past few years, but there are still other steps you can take to protect your phone and data. Here are some rules of thumb.
1. Protect your password
One of the most obvious ways to prevent a would-be thief from gaining access to your smartphone is to cover the phone’s screen when you enter your passcode – or avoid typing it in altogether.
Vitaly Shmatikov, a professor of computer science at Cornell University and Cornell Tech, says smartphone users should rely on Touch ID or Face ID as much as possible when out in public.
If you must use a password, make sure it is complex.
“Treat your phone password like a bank card PIN: Make sure it’s long and hard to guess,” Shmatikov told CBS News.
2. Don’t save passwords on your devices
While you may be tempted to store a complicated passcode or password on your phone, desktop or tablet, try to avoid it. This can leave you vulnerable to potential hacks.
“Don’t save passwords to sensitive websites and apps on your phone,” Shmatikov reiterates.
Consider using a password manager – a secure software application that can generate and store sensitive passwords. According to a 2022 Consumer Reports survey, approximately 39% of consumers, up 3% from 2019, use a password manager for their online accounts.
“Since 2019, a large number of individuals have adapted to the use of multi-factor authentication versus a stagnant change in individuals using a password manager or virtual private network,” the survey said, noting that 77% of consumers reported using two-factor authentication in 2022.
3. Set up two-factor authentication
Two-factor authentication, which requires users to enter a backup code sent to a trusted device or email before entering their password to access a website, is also a valuable tool.
“Two-factor authentication for Apple ID is a must; the second factor should be a separate trusted device (such as an iPad, a Mac or an Apple Watch),” says Shmatikov.
Many experts warn users against using SMS text messages for two-factor authentication, especially if you’re worried about your phone being stolen.
SIM swapping, where a criminal hacks into your SIM card and gains access to your phone, is a growing threat. The FBI Phoenix Field Office recently explained how the scam works.
“Criminals first identify a victim who likely owns large amounts of digital currency and obtain their phone number and mobile operator,” the agency explained in a press release. “They then socially engineer a customer service representative to port the victim’s phone number to a SIM card and phone in their control.”
If someone has access to your phone, a backup text won’t help protect your accounts, and a criminal can easily change passwords and backup keys.
“For sites and apps that require two-factor authentication – such as banking sites – do not use SMS/text as the second factor. Instead, use an authenticator app (such as Google Authenticator, Microsoft Authenticator, Duo, Okta Verify, etc.) and turn on biometric protection – requires Face ID or Touch ID – in the authenticator app,” Shmatikov said. “Then a thief who steals your phone won’t be able to get authentication codes and log into financial websites like you.”