iPhone passcode thief reveals his secrets; this guy is your worst nightmare
If you own an iPhone, someone like Aaron Johnson is your worst nightmare. Interviewed in prison by the Wall Street Journal's Joanna Stern, Johnson explained how in a matter of seconds he could take control of your iPhone, lock you out, and gain access to your banking and financial apps, and more. He stole hundreds of iPhone units and hundreds of thousands of dollars. The arrest warrant says he stole $300,000, but Johnson says that the real total is somewhere between one and two million dollars.
Johnson's game was originally to steal iPhones, wipe them, and then resell them. He explains that without any job, being homeless, and responsible for children, he had to come up with something to make money, and stealing iPhones was it. But he soon realized that there was more money in stealing an iPhone and taking control of the device, all without the phone's owner knowing at first what was going on.
Protect your iPhone's passcode and don't give it out
Johnson would hang out in Minneapolis bars watching iPhone users enter their six-digit passcodes. Besides watching intently to catch an iPhone user tapping in his passcode, he also had a system to get young college-age guys to cough up their passcode because many of them were drunk. He would approach them and say he had drugs even though he didn't. He would offer to put his information in their phone and, once it was in his hand, he would lock the device and either ask for the passcode or hand it back to the owner to watch him unlock it.
Getting the passcode was one thing, but getting possession of the phone required him to resort to "trickery and violence," according to his arrest warrant. And once he had your phone and passcode, you were in big trouble. He would go to Settings and then iCloud, and click reset password. After entering the stolen passcode, he would change it to his own number. He then turned off Find My iPhone, which completely locked out the legitimate owner of the device.
All iPhone users need to be protective of their passcode. With the passcode, someone can change your Apple ID and gain access to your account. Johnson got to the point where he could lock someone out of his/her iPhone and change the passcode and Apple ID in just five to 10 seconds. With the passcode, Johnson could change Face ID so that his own face would unlock the device and give him access to passwords used on banking, securities, and other financial apps.
As Johnson noted when talking with Stern, once you have your face on Face ID, "you got the key to everything." He admitted to opening apps to access victims' savings accounts, checking accounts, cryptocurrency apps, Venmo, and PayPal. And if he couldn't unlock the phone with his face, he would open the Notes app, which he found to be a treasure trove of information. That's where he would find passwords and social security numbers.
Before 5 am the day after breaking into an iPhone, Johnson would have drained the owner's bank accounts. He would also go on a shopping spree with the victim's unused credit lines. And then, after wiping out the owner of the iPhone, he would perform a factory reset and sell the phone.
Apple will release the Stolen Device Protection feature with iOS 17.3
Stealing iPhones at a rate of five to 10 a night, he'd go through 30 iPhones over a weekend. Selling the stolen handsets alone would bring in $20,000 a week. Some of those funds were used to buy iPad Pro tablets which Johnson sold to generate more cash. Ironically, Johnson says that Apple should be doing more to protect its customers. And indeed, it is.
With iOS 17.3, Apple will be adding the Stolen Device Protection feature, which will be off by default. Enable it by going to Settings > Face ID & Passcode > Stolen Device Protection. To protect yourself from criminals like Johnson, you need to enable this feature. When an iPhone is away from the user's home or work, certain tasks such as changing an Apple ID password, changing Face ID, or disabling Find My iPhone would require Face ID or Touch ID verification.
The change would then not be made for an hour, after which Face ID or Touch ID verification would be required again. The hour delay is important because it gives victims an hour to discover that they've been locked out of their phones and report it to Apple, hopefully in time.
Besides leaving passwords and important personal data out of the Notes app, use a passcode made of both numerals and letters. Be careful about how you expose your passcode, and don't give it out.