Cyber Hack: iPhone Theft

You're listening to a Pentest People Techbite. Your headline today:

A basic iphone feature can help criminals steal your entire digital life.

So what is this feature?

You may be wondering remarkably criminals are using a low tech trick where they watch iphone users tap their passcodes then steal the targets phones and their digital lives.

The Wall Street Journal interviewed Ray Haneya's who was leaving a bar in Manhattan when a man she had just met snatched her iphone within minutes, she could no longer access her Apple accounts over the next 24 hours.

She said thousands of dollars had gone from her bank account.

Joining me today on this episode is Omi Welcome back onto the tech Bio Me.

Always a pleasure bank account emptied.

No more access to photos, contacts and anything stored in their icloud, their digital lives gone.

All this leads to the theft of iphone passcode.

Can you tell our listeners about Pasco theft and more detail about how this is happening?

Right?

So in reference to this passcode theft refers to the act of obtaining someone's iphone passcode without their consent or knowledge, which can allow an unauthorized individual to access the device and its data.

This type of thing that can happen in multiple ways.

One of which is the most common, which is shoulder surfing. It's I really like how it sounds.

An attacker observes the victim entering their passcode by looking over the shoulder.

Think about every time you sat next to someone in the bus and entered your passcode on your phone, that person probably knows your password or has glanced over it.

Another way is through phishing scams.

Attackers can trick victims into providing their passcodes by sending fake messages or emails that appears to be from legitimate sources such as apple or a bank or even your I T manager.

So for example, if someone impersonates someone from your office saying we're gonna do this security check and check all our employees iphone passwords to see if they're strong and secure.

And you reply saying, oh, this is my password, then you are a victim.

Phishing scams are very common.

Next would be social engineering Attackers can manipulate victims into revealing their passcodes by exploiting their trust or vulnerability such as pretending to be a friend or authority figure.

So this ties in with phishing scams and in and if an attacker obtains an iphone passcode, they can access the device and its data including photos, contacts and anything stored in the icloud.

They can also potentially make purchases on the victim's behalf.

Access sensitive financial information or steal any other personal data?

So with shoulder surfing, do you want to explain a bit more about that?

Right.

So let's go through the anatomy of this attack, right?

So, say you're sitting on a bench, the thief watches, watches, you type your password and then steals your iphone with both device and password.

The thief can do the following.

First.

First thing would be to change your apple ID password.

He knows the password, he's gotten into your phone number.

One thing you need to do is disable any kind of biometrics.

So if, if there is a fingerprint scanner or a face id, that would be disabled first, then the password would be changed.

At which point the thief can set up his own biometric, which would make his next few steps a lot easier.

Right?

Next.

the Taco could force sign out all your other trusted devices.

So if you have an ipad linked to the same icloud device, it could kick it out.

Basically, they could also turn off, find my iphone, which is essential since that is another thing that you would, that is the first thing that you would look at when you have lost any of your Apple devices with face I D fingerprint scanning.

Can hackers still get into phones because obviously the face of the face recognition, it won't be theirs, right?

So Apple allows you a couple of tries with the biometrics and then if it fails say, I think, I think it's three times, if it fails three times, then it gives you an option to enter the passcode at which point that's all the attacker needs.

And, and most people generally keep a six digit password which is not secure enough once they're inside.

and they've set up their own, they've set up their own passwords.

They target your data.

Now, for me, this is all down to like we said iphone, passcodes, it turns out that passcodes can obviously unlock your phone and they can help someone else unlock your entire digital life.

When you lose your phone, you don't really think about losing everything else like your money, for example, Reagan, who lost thousands of pounds.

Absolutely.

So what's happened here is when the attacker got hold of her phone and changed the passwords, he then he then went to her icloud and kicked all of her other devices out.

So she didn't have access to her laptop or any icloud connected devices, which meant that if she tried to find her iphone in any other way, she wouldn't have been able to once she's kicked out of icloud, which is, which is a simple step to do since all you need to change your icloud account is just your device password, which is a, which is a huge problem.

So, so what's happened here is when the attacker got hold of her phone, changed her device passwords.

He then went into her icloud account and changed her icloud password, which was easy enough to do since all you need is your iphone password for that.

Once that was done, she was no longer able to find her iphone through icloud and neither could she change her password because once you're in, once you're in icloud, you can change all the security questions, you can change two factor authentication.

There's just no way to recover your account, then all her details, all her personal details stored over the icloud was accessible that includes photos, emails, any phone backups, all her photos and her financial information.

Finally, most banking apps that you can find on app, stores are protected are well secured.

Since if you try to send money through the banking app, there's usually a second layer, a different possible that you need to enter before you can send money to to a to a different part to a third party.

For example, in the UK, if you're using the Starling Bank app, if you decide to make a new payment to someone, you need to enter your Starling Bank app account password.

But if you're sending money to someone you've already sent before you don't need to enter the password again.

But since this attacker wasn't in her contacts, he could have, he couldn't have done it through the bank app.

In which case the next target would be Apple Pay.

And now since the attacker has access to biometrics and the phone password.

He wouldn't need to worry about any other form of authentication.

All he would need to do is send money through Apple Pay or just make any purchase they want through the device.

The consequences for owners of iphones can be devastating.

But what can we actually do and how can we better protect ourselves until better protection exists?

The first thing that comes to my mind is to be careful with your passport and public, right?

Many people invest in screen protectors and, and phone cases when looking for a screen protector, maybe you could, you could find the one that has a privacy screen.

So anyone but you will not be able to see what you're looking at next would be to make your password, make your password stronger instead of just having a four digit or a six digit numeric password, try to include an alpha numeric password, say you want to limit the damage, right?

So what do you do?

Obviously, all of these are preventative measures that means you need to do them before it's happened because if it's happened, then it's already too late.

But if it's not happened yet and you want to better protect yourself, you need to limit the damage and this can be done by setting up an apple ID, the recovery key, this recovery key isn't, doesn't exist by default.

So you do need to create it if you don't create it.

And and a threat actor gets hold of your device, he can do it for you.

At which point there would be no, there would be no way for you to recover your apple I D.

So do this first and you can do this by, by going into the settings and tapping recovery key under the password and security section and then enabling account recovery.

Next one is a bit of an interesting one that I found recently there is a setting designed to stop kids changing your account details.

And this can be used to your advantage.

This blocks the ability to change your password unless you can provide a separate four digit pin.

Crucially, this is one that a thief won't have access to.

So to do this, you go into settings and then tap screen time, select, use screen time, password and set up a pin that's different from your iphone password.

Once done, select content and privacy restrictions and turn it on wire the slider before setting account changes to don't allow.

So this adds an additional layer which could help preventing Attackers to change the password.

So even though they know the password that you use on the device, they won't be able to change it.

And finally switching to a third party password manager, Apple's own icloud keychain, password manager is handy and it is convenient but, but it's open to anyone with the password, which is how criminals have been able to empty the bank accounts of people of victims.

And a third party password manager like last pass or one pass is comes, comes in handy when you have an additional layer of password.

So you need to protect the password manager with its own password.

So essentially you're just creating these layers around your data, which is always a good thing.

One last thing I forgot to mention, people should also set up attention detection for face I D in the settings.

This will prevent theoretical attacks against being drugged and unlocked, unlocking the phone with face ID.

Great points.

You've mentioned there are many similar crimes have been reported in London and in New York, Reagan is amongst thousands of victims according to people familiar with these investigations.

So what would you say is the first point of action when this happens?

As someone who's lost their mobile phone in, in the last month, I could say that the first thing that you experience when this happens is panic, right?

And when you panic, you don't think straight.

So what had happened is I got off this strolling home in a bus and I get off this bus and I realized the music stops playing in my airports at which point I think, oh, the songs probably paused, something happened.

It could be like how we pocket dial sometimes and the music just stops.

But after a few minute when the bus left, I tried to play the music again and it didn't work.

At which point I realized that my phone's on the bus.

Next thing I tried to do is try to pick my iphone using my Apple watch and it showed that it was disconnected.

At which point I knew that it was definitely on the bus.

started to panic.

I didn't know what to do.

I was standing outside my house and I wouldn't go upstairs.

I took a minute realized, okay, I could use this find my iphone feature.

I went upstairs, got my ipad saw that the phone was on the bus and I just hoped and prayed that someone would collect it.

And I looked at the policies online that if you lose something in a bus, it usually goes to a loss and found when the bus goes back to the main bus station.

And at this point, I was really calm because I thought okay, I have face I D I have find my iphone turned on.

Even if my iphone goes out of charge, I could still find it because that's a feature on iphones and I didn't know that right.

So you can still find your iphone even if you not got charge.

Yes.

And this is this is an option that you need to manually set in the settings up.It's really helpful because if your iphone does get stolen and the attacker doesn't immediately try to steal your data.

And instead decides to turn it off, you can still track it.

nd hopefully if you've informed the authorities as soon as possible, maybe you could get it back.

I think I'm going to get on that straightaway and amidst this, amidst this panic and this whole adventure, I didn't, I didn't think for one second that had anyone seen me enter my password on my iphone.

I would not only have lost my phone, I would lose everything else that everything as part of your digital life as he has mentioned today, make your passcode stronger.

Go onto setting space I D and pass code and make it at least six digits even better.

Make it an alpha code with banking apps.

You can go on to the app settings to enable additional passcode protection.Just don't pick the same passcode as your iphone.

Of course, using face ID and touch ID will also help you avoid using your passcode in public.

Next rethink your password manager.

Make sure you have removed any passwords and log in information to banks and other financial apps on your eye cloud key chain.

Thanks for joining me today.

Oh, me and thanks for telling our listeners the importance of iphone theft.

Of course, it was lovely being here.

Thank you.

It's really stories like these are eye opening and it really makes you think.

Where do you stand?

Definitely, it could happen to anyone and thank you to our listeners for tuning in, follow our Spotify page for more.