I told you a few days ago that I can’t wait to set up a new iPhone anti-theft security feature in iOS 17.3 that will make it almost impossible for thieves to get into my Apple ID account. Even if they somehow manage to steal my iPhone’s passcode, they won’t be able to change the contents of my Apple ID account.
If you’re somehow still unconvinced about the incredible damage such a thief can make, you need to see this astonishing report from The Wall Street Journal. Joanna Stern sat down with a thief convicted for stealing iPhones.
Aaron Johnson, currently serving nearly eight years at Minnesota Correctional Facility, developed a way to steal iPhones for more than just reselling them for cash. He discovered he could change the iPhone’s passcode, reset the Apple ID password, and add his Face ID to the phone to do more damage. He gained access to banking and crypto accounts and spent money via Apple Pay, all before the victims could do anything to stop it.
Johnson isn’t a hacker who found a security flaw in Apple’s iPhone’s password protection. He just learned the screen passcode, recorded it, or stole it from an unsuspecting victim. He was part of a group that pulled in anywhere from $300,000 and $2 million from this endeavor.
From iPhone passcode to Apple ID password
The thief operated in Minneapolis for at least a year between 2021 and 2022. He figured out that the information inside the iPhone was more valuable than the value of the iPhone.
Initially, he only wanted to steal the phones as he was homeless. “Started having kids and needed money,” he said. “I couldn’t really find a job. So that’s just what I did.” Then he figured out that knowing the iPhone’s passcode would let you change the Apple ID password. From there, you could add your face to Face ID safely and then snoop around.
“That passcode is the devil,” he told the Journal. “It could be God sometimes—or it could be the devil.” How fast would he change the Apple ID password once he had the iPhone’s passcode? “Faster than you could say supercalifragilisticexpialidocious,” he said. “You gotta beat the mice to the cheese.”
How the thief stole money from the iPhone
The mice were the iPhone owners who could use Find My iPhone to track the handset before the thief could perform the password change. But once the Apple ID password was changed, Johnson could turn the anti-theft protection off.
More importantly, he could add Face ID to the iPhone and treat it as his own property. Face ID would give him access to a treasure trove of app-protected information, like banking apps or the iPhone’s passwords app (in Settings).
Furthermore, the contents of the Notes app and screenshots from the Photos app would open the doors to other apps. Often, iPhone users would store critical information in those files.
Also, the thief and his gang would use Apple Pay on those devices to buy expensive Apple hardware in bulk. Like $1,200 iPad Pros, which would then be sold to make a profit.
After the iPhone became useless, he’d sell it, getting as much as $900 for a 1TB iPhone Pro Max model.
How thieves will get your passcode
Johnson would usually target the more expensive iPhone Pro models. It’s easy to spot those in the wild. They have a triple-lens camera on the back, which is a signature design feature for the iPhone Pro.
All it took was social engineering. Johnson would target young men in dimly lit bars who’d be already drunk and wouldn’t pay attention to their surroundings. Women would be more aware of what was happening around them.
He’d claim he was a drug dealer or a rapper, asking them to let him add his contact information. He’d then trick them into revealing the passcode. “I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson said.
Johnson’s arrest warrant says he and 11 other members accumulated nearly $300,000 from this iPhone stealing scheme. Johnson says it was up to $2 million.
Protect your iPhone right now
While he’s serving time for what he did, Johnson is not alone. Other thief rings might be acting similarly around the world. You should enable the iOS 17.3 anti-theft protection once the operating system is out. Until then, you should ensure you never share your passcode with anybody. It’s a good idea to have an alphanumeric passcode, which would be a lot harder to remember.
Finally, I’ll remind you to block access to your Apple ID account on your iPhone. It’s the one thing that can save the data on your iPhone even if the thieves get access to your iPhone’s passcode.
Also, you should read The Wall Street Journal’s interview with Johnson at this link. The report also comes with a video version.