A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For
non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-0008 or visit www.djreprints.com.
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a
A Basic iPhone Feature Helps Criminals Steal
Your Entire Digital Life
The passcode that unlocks your phone can give thieves access to your money and data;
‘it’s like a treasure box’
By Joanna Stern Follow and Nicole Nguyen Follow
Feb. 24, 2023 10:51 am ET
NEW YORK—In the early hours of Thanksgiving weekend, Reyhan Ayas was leaving a bar in
Midtown Manhattan when a man she had just met snatched her iPhone 13 Pro Max.
Within a few minutes, the 31-year-old, a senior economist at a workforce intelligence startup,
could no longer get into her Apple account and all the stuff attached to it, including photos,
contacts and notes. Over the next 24 hours, she said, about $10,000 vanished from her bank
account.
Similar stories are piling up in police stations around the country. Using a remarkably low-
tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones
—and their digital lives.
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…ure-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 1 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
Reyhan Ayas lost about $10,000 and access to her Apple account after her iPhone 13 Pro Max was stolen
outside a bar in Manhattan.
Photo: Nuvany David for The Wall Street Journal
The thieves are exploiting a simple vulnerability in the software design of over one billion
iPhones active globally. It centers on the passcode, the short string of numbers that grants
access to a device; and passwords, generally longer alphanumeric combinations that serve as
the logins for different accounts.
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 2 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
With only the iPhone and its passcode, an interloper can within seconds change the password
associated with the iPhone owner’s Apple ID. This would lock the victim out of their account,
which includes anything stored in iCloud. The thief can also often loot the phone’s financial
apps since the passcode can unlock access to all the device’s stored passwords.
“Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a
high-profile theft ring as a New York Police Department detective before retiring last fall.
He said there have been hundreds of these sorts of crimes in the city in the past two years.
“This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.”
Apple Inc. has marketed itself as the leader in digital privacy and security, selling its tightly
integrated hardware, software and iCloud web services as the best protection for its
customers’ data. “Security researchers agree that iPhone is the most secure consumer
mobile device, and we work tirelessly every day to protect all our users from new and
emerging threats,” an Apple spokeswoman said.
“We sympathize with users who have had this experience and we take all attacks on our users
very seriously, no matter how rare,” she said, adding that the company believes these crimes
are uncommon because they require the theft of the device and the passcode. “We will
continue to advance the protections to help keep user accounts secure.”
An examination of the recent spate of thefts reveals a possible gap in Apple’s armor. The
company’s defenses are designed around common attack scenarios—the hacker on the
internet attempting to use a person’s login credentials, or the thief on the street looking to
snatch an iPhone for a quick sale.
They don’t necessarily account for the fog of a late-night bar scene full of young people,
where predators befriend their victims and maneuver them into revealing their passcodes.
Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally
designed as a convenience: allowing forgetful customers to use their passcode to reset the
Apple account password.
“It was only a matter of time before an attacker would use shoulder surfing or social
engineering,” said Adam Aviv, an associate professor of computer science at George
Washington University. Relying on a phone as a trusted device fails in such cases, he added.
The The!
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 3 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
All of the victims interviewed by The Wall Street Journal said their iPhones were stolen while
they were out at night socializing. Some said the phones were grabbed out of their hands by
someone they had just met. Others said they were physically assaulted and intimidated into
handing over their phones and passcodes. A few said they believe they were drugged. They
woke up the next morning missing their phones, with no memory of the previous night.
In all cases, the iPhone owners were locked out of their Apple accounts. They then discovered
thousands of dollars in financial thefts, including some combination of Apple Pay charges,
drained bank accounts linked to phone apps and money taken from PayPal Holdings Inc.’s
Venmo and other money-sending apps.
A similar vulnerability exists in Google’s Android mobile operating system. However, the
higher resale value of iPhones makes them a far more common target, according to law-
enforcement officials. “Our sign-in and account-recovery policies try to strike a balance
between allowing legitimate users to retain access to their accounts in real-world scenarios
and keeping the bad actors out,” a Google spokesman said.
On the evening of Jan. 22, 2022, Reece Thompson, an art director at a creative agency in
Hiawatha, Iowa, was having a drink with his girlfriend while visiting downtown Minneapolis
when his iPhone 12 Pro went missing from the bar. The next morning, when he tried to log
into his Apple account from a different device, the account password had been changed.
Thousands of dollars had been charged to his credit cards via Apple Pay and $1,500 was
stolen from his Venmo account, he said.
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 4 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
Reece Thompson was visiting Minneapolis when thieves stole his iPhone 12 Pro at a bar and then racked
up thousands of dollars in charges via Apple Pay.
Photo: KC McGinnis for The Wall Street Journal
Minnesota prosecutors say Mr. Thompson, age 42, was a victim of a theft ring that
accumulated nearly $300,000 by stealing iPhones and their passcodes from at least 40
victims. The group targeted bar-goers with Apple smartphones, quickly looted accounts
accessible via those devices and then resold the phones, according to the arrest warrant for
one member of the alleged ring, Alfonze Stuckey. Mr. Stuckey has since pleaded guilty to one
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 5 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
count of racketeering and received a 57-month prison sentence. Eleven other suspects have
been charged with racketeering in the case.
Mr. Stuckey, 23, who has a previous record of misdemeanors, said he wouldn’t comment
unless he is compensated. His lawyer declined to comment.
Groups of two or three thieves would go to a bar and befriend victims, often asking them to
open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead
investigator on the case. During that interaction they would try to observe the victim
unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first,
they might have tried to get the victim to hand them the phone for a photo and then subtly
turn it off before handing it back, he added. After an iPhone is restarted, a passcode is
required to unlock it.
“It’s just as simple as watching this person repeatedly punch their passcode into the phone,”
said Sgt. Illetschko, adding that sometimes thieves would covertly film victims so they could
be sure they caught the correct sequence. “There’s a lot of tricks to get the person to enter
the code.”
Similar cases have been reported in Austin, Denver, Boston and London.
In New York City, one of the first inklings police received about the extent of this new crime
wave came in the form of an unexplained death.
On Friday, May 27, while visiting from Washington, D.C., John Umberger went out for the
night in Manhattan, ending the evening at a bar in the Hell’s Kitchen neighborhood. Five days
later the 33-year-old director of diplomacy and political programs at the American Center for
Law and Justice was found dead in the apartment he was staying in, with an emptied wallet
and no iPhone.
At first, police suspected it was a routine drug overdose. Then his family discovered
thousands of dollars had been taken from his bank, PayPal and Venmo accounts, along with
suspicious credit card charges, according to Mr. Umberger’s mother, Linda Clary. She
believes her son’s Apple account password was changed.
Mr. Argiro, the New York City detective who participated in the investigation of Mr.
Umberger’s death before retiring in September, said authorities came to believe he was the
victim of a group of thieves that target New York bar-goers, launder money via apps and then
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 6 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
resell the phones. This particular group is believed to be responsible for more than 30
incidents, he added.
The Manhattan district attorney’s office is assembling a case to present before a grand jury,
according to people familiar with the investigation.
The Method
In theory, recent security innovations from Apple should eliminate the vulnerability of an
intercepted passcode. The Apple spokeswoman pointed to Face ID and Touch ID as ways that
would limit the need to type a passcode at all.
Yet in New York, some authorities have suggested Face ID as a possible point of entry into the
phones. The city’s Office of Nightlife, a liaison between City Hall and the hospitality industry,
hosted a speaker who recommended bar-goers disable facial recognition, on the theory that
an incapacitated person’s face could be used by the thieves.
Anatomy of the attack
The thief watches you type your passcode, then steals your iPhone. With both device and passcode,
the thief can...
Your Device Your Data Your Money
Change Turn on Send Apple Cash
Apple ID recovery key Change trusted Access payment
password phone # apps like Venmo Use Apple Pay
Force sign out of Remove
trusted devices Find bank app Open credit card
recovery Change email
passwords using personal
contact address
Turn o" stored in iCloud info found
Find My iPhone Keychain in photos
You can’t remotely wipe your You are locked out of your Your financial accounts
device to protect your data Apple iCloud account get looted
Elizaveta Galkina/THE WALL STREET JOURNAL
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 7 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
A passcode breach is the more likely scenario, according to the Journal’s reporting and on-
device testing. To change someone’s Apple ID password on an iPhone, a face scan won’t
suffice: A passcode is needed. When the password change is complete, the software offers an
option to force other Apple devices, such as Macs or iPads, to sign out of the Apple account,
so a victim couldn’t turn to those devices to regain access. The software never requires the
user to enter an older password before setting a new one. Journal reporters were able to do
all that in less than a minute.
An Apple spokeswoman said the system is designed to help users who have forgotten their
account password. She added that it requires two factors, the physical device as well as the
device’s passcode.
With the new password, the thief can disable Find My iPhone, which would otherwise allow
victims to locate their phones and even remotely erase them to protect their data. Disabling
Find My iPhone also allows the thief to resell the iPhone.
Apple recently introduced the ability to use hardware security keys, little USB dongles, to
protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes
using only the passcode, and the passcode could even be used to remove security keys from
the account.
The Damage
Taylor Ashy, a sales executive at a New York-based tech company, said he was drugged the
night of Dec. 10, 2021, at a New York bar. He has no recollection of how his phone was taken.
All he knows is that whoever took it gained access to his bank app, enrolled his bank’s debit
card in Apple Pay, and opened a Venmo credit card and Apple credit card in his name.
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 8 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
Taylor Ashy said he was drugged at a New York City bar before thieves stole his iPhone 11. He awoke to
find thousands of dollars taken via his bank and money-sending apps.
Photo: Michael Bucher/The Wall Street Journal
The New York Police Department declined to provide details of how they believe thieves are
gaining access to their targets’ phones.
Mr. Ashy, who had more than $10,000 transferred out of his bank account, said he stored
passwords to those accounts in Apple’s iCloud Keychain password manager. The feature
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 9 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
auto-fills login information following successful Face ID or Touch ID scans, or the input of the
iPhone’s passcode, according to the Journal’s testing. In Mr. Ashy’s case and others, the bank
fraud happened after the victims’ biometrics were no longer available to the thieves.
If apps require text-message codes as part of their logins, a security practice known as two-
factor authentication, the messages are sent to the iPhone—the same one a thief would be
holding.
After logging into bank apps with the passcode, the Journal was able to add digital debit
cards to Apple Pay without needing the physical cards or their PINs. Money can be sent from
the debit cards to Apple Cash, which can be used to send money or to make contactless
payments at stores.
Several victims said an Apple credit card was opened in their name. The cards quickly
accrued thousands of dollars in charges. Accessed through Apple’s Wallet app, an Apple Card
application will autofill with information that might be stored on the iPhone, such as the
owner’s name, address and birthday.
The Apple Card form does require applicants to enter the last four digits of their Social
Security numbers. One victim, David Vigilante, believes the thieves found that information
right in the Photos app on his iPhone XS Max.
After having the phone stolen at a pizza shop on Manhattan’s Lower East Side in the early
hours of Oct. 23, the 30-year-old product manager at a real-estate data company realized
someone had attempted to charge $15,000 to his credit card via Apple Pay and that a new
Apple credit card had been opened in his name. When he got back into his Apple account a
few days later, he found photos he had previously taken of sensitive documents—his
passport, driver’s license, paycheck direct-deposit form and health-insurance paperwork—
collected in a new photo album.
Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text
within images and documents. In the Journal’s tests, a search in the Apple Photos app for
‘SSN’ (Social Security number) and ‘TIN’ (taxpayer identification number) immediately
produced a photo of a 1099 tax form with Social Security information that had been stored on
the phone.
Most victims the Journal spoke to filed police reports. One filed an identity theft claim with
the Federal Trade Commission. Most of their banks and financial apps have refunded money
https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 10 of 11
�A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ 2/24/23, 1:35 PM
considered lost through fraudulent activity.
Some people whose iPhones were stolen are unable to regain access to their Apple accounts.
With the passcode, an Apple ID’s backup email and phone number can be changed, and a
security feature called a recovery key can be enabled. In recent cases, thieves changed the
Apple account’s contact information and turned on the recovery key, blocking victims from
being able to use an account-recovery service for those who forget their Apple ID password.
The Apple spokeswoman said that account-recovery policies are in place to protect users
from bad actors accessing their accounts.
Those who remain locked out of their Apple accounts have often lost something
irreplaceable.
Right after her iPhone was stolen outside the New York bar, Ms. Ayas, who holds a graduate
degree in economics from Princeton University, tried to log into her Apple ID and access Find
My iPhone. By that point the thief had already changed her password. Months and numerous
calls to Apple support later, she still is unable to get back into her account because the thief
also enabled the recovery key.
According to Apple’s policies, the company doesn’t allow users to regain access to their
account if a recovery key is enabled and they can’t produce it.
“I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my
family—they’re all gone,” Ms. Ayas said. “Being told permanently that I’ve lost all of those
memories has been very hard.”
—Cordilia James, Lisa Schwartz and Nellie Given contributed to this article.
Write to Joanna Stern at [email protected] and Nicole Nguyen at
[email protected]https://www.wsj.com/articles/apple-iphone-security-theft-passcode-dat…re-helps-criminals-steal-your-digital-life-cbf14b1a?mod=hp_lead_pos1 Page 11 of 11
