Imagine Thieves Stealing Your Business iPhone
In the last few weeks, I read several newspaper reports about thieves spying on patrons in bars or clubs to steal their iPhones.
Here is the scenario: You are in a bar or at a party and have fun with your friends. Unbeknown to you, a stranger nearby with their back turned overhears your group's conversation picking up names of friends, your workplace, or your hobbies. That's valuable information. Then the stranger tries to enter your group by pretending to work at the same company or knowing one of your friends who is not at the party. As the evening progresses, the stranger might offer to take a picture of your group with your iPhone. You hand over your locked phone. The person takes the photo and asks you to check the images. When you try to unlock your iPhone, FaceID won't work, prompting you to enter your passcode instead. That's the moment the stranger turned thief is waiting for. When you enter your passcode, the thief memorizes the digits. Later in the evening, you notice that your phone is missing. When you log into your bank account at home, you realize that thousands of dollars have been withdrawn. Shocked, you try to log into your Apple ID only to find your password is rejected.
How can this all be?
Understanding the Significance of Your iPhone Passcode
Once the thief has gotten past your iPhone's Lock Screen by entering your four-to-six-digit passcode, they'll have access to all the apps on your phone, including email, iMessage, and banking apps.
Even if you have enabled 2-factor authentication on your banking app and the bank texts a security code to your iPhone, the thief goes to iMessage and retrieves it. Now they have access to your bank account. Should the credit card company send you a text message asking you to review a suspected fraudulent transaction, the thief will approve it.
Usually, thieves immediately change your Apple ID password, preventing you from remotely wiping your iPhone. Even if you enabled Recovery Key, the thief would have already generated a new one or disabled this feature.
Hard-Locking Your iPhone
The question that puzzled me was why Face ID did not work when you had to unlock the phone to see the images the thief had taken.
The answer is perplexing: the thief had temporarily disabled Face ID by hard-locking your iPhone, which prompted you to enter your device's passcode. It's easy. You follow the same steps as turning off your iPhone: press and hold the power button and either of the volume buttons for about 2 seconds. It will bring you to a screen with a slide to switch off your device. But you don't need to power down your iPhone to hard-lock it. It's already hard-locked. All you have to do now is to press cancel. That's what the thief did. The iPhone then returns to the Lock Screen, requiring you to enter your passcode to enable Face ID. The thief then watches you enter your passcode and memorizes your combination.
What Can You Do as Prevention?
The first is to recognize your passcode's power to unlock everything on your iPhone. Once a thief has your passcode, you are out of luck.
Here are a few housekeeping tips that can help with prevention, but none will solve the problem:
Choose a longer passcode. If you have a four-digit passcode, I recommend choosing a longer one. Go to Settings > Face ID & Passcode. Tap Turn Passcode On. Enter a six-digit passcode or tap to switch to a custom numeric code to enter longer codes.
Switch to an alphanumeric code. You can also make your code alphanumeric. Go to Settings > Face ID & Passcode. Tap Turn Passcode On. Switch to a custom alphanumeric code.
Enter your passcode only in safe places. You could go to a safe place away from spying eyes or surveillance cameras to enter your passcode, for example, outside or in a bathroom, or wait until you return home.
Set a separate screen time passcode. Go to Setting > Screen Time. Scroll down to Set a Passcode. Enter a passcode that is different from your lock-screen passcode. Then go to Content & Privacy Restrictions. Scroll down to Allow Changes. Tap on Account Changes and select Don't Allow. You will then need to enter your Apple ID and password. That will prevent a thief from changing your Apple ID or enabling your Recovery Key. However, savvy thieves know that they can reset this screen time passcode if they have access to your email associated with your Apple ID. At least, having a separate screen time passcode might buy you a little extra time.
Unless Apple changes how some of these features work, there is, unfortunately, not much more you can do without changing how you work.
Avoid Tying Everything to Your Apple ID
Having many critical services tied to your Apple ID adds a layer of risk.
Because if you lose access to your Apple ID, you lose access to all linked services, iCloud Drive, iCloud Photo, backup, contacts, calendar, notes, keychain, and email.
Your Apple ID then becomes a single point of failure.
From a resiliency point of view, it is better to use separate services for critical functions. For example, you could use DropBox or Box for cloud storage and Google Workspace for your business email.
Save a Copy of Your Business Contacts
If you have a lot of business contacts, I recommend exporting them every three months and storing a copy in the cloud — not iCloud Drive. You wouldn't need to rely on your Apple ID-linked backup to restore your contacts.
Sign Out From Critical Apps
Accessing any app from any device is highly convenient. But is it really necessary?
For example, how often do you access the banking app on your phone? If you still get a lot of checks from customers, you probably have a good reason for it, as you can use the banking app to deposit checks without visiting a branch. But if you only use your credit cards stored on your phone for purchases, accessing your bank account from your phone might not be critical.
If you cannot dispense with the apps on your phone, I recommend signing out from any critical app, such as banking and cloud storage (DropBox, Box), when you don't use them. That way, if your iPhone gets stolen and a thief has your passcode, it will limit the damage they can inflict.