Apple Responds to Reports About Thieves Using Recovery Key to Lock Users Out of Their iPhones

Wall Street Journal journalists Nicole Nguyen and Joanna Stern on Wednesday published a report detailing how iPhone users are finding themselves locked out of their Apple ID accounts by bad guys that are using Apple’s recovery key security option.

The pair first reported in February about numerous instances of thieves observing an iPhone user entering their passcode in public, then stealing the device and using the purloined passcode to unlock the iPhone to access it and its personal contents.

The victims that talked to the journalists for the original report said their iPhones were stolen after they used them out in public in bars and other places where people congregate. Dozens of victims have been hit in similar crimes in at least nine U.S. cities, including New York, Chicago, New Orleans, and Boston.

No Subscriptions - Get Microsoft Office Lifetime Access for Just $49.97

Even Microsoft tries to nudge you toward paying monthly for their Suite 365. The good news is that you don't have to. iDrop News readers can get lifetime access to MS Office at 85% off the normal price...Get It Here

Once a thief has unlocked the iPhone using the passcode, it takes only a few moments to reset the victim’s Apple ID password by going into the Settings app. Once that’s been accomplished, the bad actor can then disable “Find My iPhone” on the handset, preventing the device’s owner from tracking its location, while also preventing the victim from remotely erasing the device.

The journalists’ report from today takes a closer look at something else thieves can do, as they can then reset a recovery key for the iPhone. A recovery key is a randomly generated 28-character code that owners can be used to restore their access to their Apple ID once they enable the recovery key feature.

The recovery key feature “gives users virtually no way back into their accounts without that recovery key,” says the WSJ report. Once bad guys have total access to a victim’s iPhone, they can empty the victim’s Apple Pay account, as well as possibly gain access to other banking and financial apps that are installed on the device. Crooks will also gain access to other information on the iPhone, such as photos, emails, and more.

Protect your iPhone Passcode When in Public

iPhone users are urged to use Face ID or Touch ID to unlock their iPhones when they are out in public. Owners of older devices should hide their screen when entering their passcode, and they should also change the standard four-digit passcode used by many owners to an alphanumeric passcode. Switching to an alphanumeric code makes it tougher for the bad guys to determine what your passcode is. To change your iPhone’s passcode, go to the Settings app, then go to “Face ID & Passcode,” and tap the “Change Passcode” menu option.

Apple’s Response to the Report

An Apple spokesperson responded to the report, saying the Cupertino firm is “always investigating additional protections against emerging threats like this one.”

“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” said an Apple spokesperson. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”