More than a year after a major report revealed a critical weakness in iPhone security, a new report has revealed that criminal gangs are still using the exploit to swipe phones from unsuspecting victims, before using the victims' own passcodes to steal from them.
Last year, Apple said it was working “tirelessly every day to protect our users’ accounts and data” and was “always investigating additional protections against emerging threats,” after it emerged that thieves were stealing iPhones and using their owners' passcodes to access the devices.
The practice, dubbed “shoulder-surfing”, now seems to have found its way to the UK, where criminal gangs are using the method to steal and access upwards of 80 phones a day.
Shoulder-surfing is still a huge iPhone issue
As reported by The Guardian, criminal gangs “shoulder-surf” unsuspecting smartphone users, observing their victims in the hope they’ll catch a glimpse of them entering their iPhone’s passcode. Once they’ve seen you dial in the magic numbers, they can snatch the phone and use that information to unlock your iPhone with ease. With a passcode in hand, even the best iPhone on the market is easy pickings, and thieves “then access the phone and try to break into any financial apps, or search the phone’s notes section for any numbers or passwords.”
The UK proliferation of this practice is a little different from the WSJ method reported last year. In the U.S., criminals would use the observed passcode to access a stolen phone before changing a person’s Apple ID password, locking the victim out of their iCloud account, and crucially, disabling features like Find My iPhone. The UK thefts described in this week's report sound a bit more smash-and-grab, with criminals simply accessing devices, looking for numbers and passwords saved in Notes, and breaking into financial apps to drain money. Not to mention, anyone who knows an iPhone’s passcode can at least use Apple Pay.
The insight includes an interview with a gang leader who “runs small teams who shoulder-surf people to steal phones for financial gain.” The ringleader boasted a team of four or five people who can steal 18 to 20 phones per person, netting the group some 80 phones a day. Phones are reportedly often stolen in pubs and clubs, or snatched by someone on a moped. “The boys know now what they’ve got to do – they’ve got to look at certain apps and see if they can change the passwords,” he confessed.
The operation is lucrative too, with the leader claiming the gang could steal up to $25,000 a day on average, and that he had seen $50-$63,000 drained from an account in just 30 minutes.
This harrowing news highlights the importance of Apple’s biometric security features, Touch ID and Face ID. While there’s only so much anyone can do to prevent someone from taking their iPhone in a crowded bar, nightclub, or even a busy high street, being discreet about entering your passcode in public, or avoiding it altogether, is certainly advice worth heeding. It also highlights the importance of Apple’s new “Hidden apps” feature in iOS 18, which lets users hide important or private apps on their iPhones behind an extra layer of security.