The Wall Street Journal has written an article that will challenge your beliefs about the security of your digital life. It reports on how a basic iPhone feature can allow criminals to steal your entire digital life.

This basic feature is your passcode, and the technique involves shoulder surfing the target while they enter their passcode, followed by old-fashioned snatching of the iPhone. This usually happens in a crowded place where it is easy to shoulder surf, such as a bar.

Once they have the victim’s iPhone, they use the passcode to do the following:

  1. Turn off Find My iPhone
  2. Change the Apple ID password to lock the victim out
  3. Sign out of trusted devices to prevent the victim from regaining access
  4. Change the trusted phone number
  5. Turn on a recovery key so that there is no way for the victim to regain their Apple account

They then open an Apple Card using the victim’s social security number, which is usually stored on the phone or in the photos. After that, they access the banking apps on the phone using the credentials stored in Apple’s built-in password manager and use Apple Pay to transfer the victim’s money to the Apple Card.

Most victims have recovered the stolen money through fraud claims. However, they have been unable to regain access to their Apple account and the files stored there, most importantly their photos.

It’s quite confronting that a passcode, which can be as simple as a 4-digit number, can provide the keys to your entire digital life.

Below are some steps to protect ourselves from such an attack:

  • Have a stronger passcode: make it at least 6 digits, or alphanumeric
  • Use Face ID or Touch ID so that criminals cannot shoulder surf your passcode
  • Use a third-party password manager instead of the one built into Apple devices
  • Delete photos that contain sensitive personal information

Lastly, the strength and robustness of our cyber security is not limited to the tooling or security controls we have in place; a large part of it relies on our awareness and behaviour. Make sure no one is watching or listening when you provide credentials, and this includes phone banking. And make sure we keep our devices physically secure, in our pockets or bags instead of on the table at a bar or restaurant.

Learn more and watch the video reporting segment on the Wall Street Journal at