The Journal. - Inside an iPhone Heist
Episode Date: December 21, 2023
Thieves across the U.S. are stealing people’s iPhones, using them to loot victims’ bank accounts and personal information. After investigating for over a year, WSJ’s Joanna Stern unpacks how the crime works and how Apple is trying to prevent it.
Further Reading and Watching:
- The Hidden iPhone Setting Thieves Use to Lock People Out of Apple Accounts
- An iPhone Thief Explains How He Steals Your Passcode and Bank Account
- Apple Makes Security Changes to Protect Users From iPhone Thefts
Further Listening:
- How Apple Lost to the EU
- Apple Bets Big on ‘Nerd Helmets’
Transcript
One night in November of last year,
Rehan Ayas was out at a bar in New York City
when she saw a stranger talking to her friends.
My friend was talking to a few people.
I joined. My phone was in my hands.
And then the person said hi to me
and then grabbed my phone and disappeared.
The person had taken off with her phone.
And in a matter of minutes, Rehan's life was turned upside down.
Earlier this year, she sat down with our colleague Joanna Stern to tell her story.
So you realize your phone has been stolen.
What do you do next at the bar?
I log in to find my iPhone on my friend's phone right away.
And what happened?
I couldn't log in.
It turned out the thief hadn't just taken her phone.
He'd also gotten a hold of her passcode,
the series of typically four to six numbers you use to unlock your phone.
And over the next couple of days,
Rehan noticed thousands of dollars
had disappeared from her bank account.
And that's when it hit me
that this is way beyond just a petty phone theft.
And that's when I also started getting worried,
what else is going to hit me?
Over the last year,
Joanna has heard from over 100 people like Rehan,
who fell victim to the same kind of crime.
A crime that revolves around the iPhone's passcode.
It's a scheme that's exposing security vulnerabilities in Apple's ecosystem.
And now, the company is making a change.
Welcome to The Journal, our show about money, business, and power. I'm Jessica
Mendoza. It's Thursday, December 21st. Coming up on the show, how one passcode can let a
thief unlock your entire digital life.
The kind of iPhone theft that Rehan Ayas fell victim to has taken place all over the country,
in cities like Chicago, Boston, and Denver.
Joanna and our colleague Nicole Nguyen first reported on these thefts last February,
and they've been following this issue since.
They've published several stories and spoken to dozens of victims. Here's Joanna again.
When we published our first story, we were blown away by the reaction, not only from
people saying they were really nervous that this could happen to them, but people who had had this
happen to them.
This kind of crime has affected Android users too. But Joanna says thieves go
after iPhones more often because of their resale value.
The many stories that Joanna and Nicole heard all have one thing in common.
Thieves use the iPhone's passcode to then change the password of a victim's Apple account.
That's what happened to Rehan when her phone was stolen at that New York City bar.
The really interesting thing about Rehan's story is that she reacts really quickly. The phone gets taken out of her hand, and she says that within
minutes, she asks her friend at the bar if she can borrow her phone and log into her Apple account
to turn on Find My iPhone so she can find where it is.
Ideally, I should have been able to log in
and lock the phone, but I wasn't able to do that because in the three minutes that had passed,
my Apple ID password, which I'm absolutely sure of,
by the way, was changed.
Your Apple account has pretty much all the things
that you think are important on your iPhone.
It's got your photos, It's got your notes.
It's got lots of passwords saved.
And those passwords are often to your most important financial accounts.
So with this string of keys,
which is all tied back to that original passcode
that you put in at the bar,
everything can be unlocked.
Later that weekend, Rehan noticed her bank accounts were getting drained.
I checked all my accounts diligently, and I saw that they
transferred some money from my savings account to my checking account, and then took a whole
bunch in the form of Apple Cash.
When you say a whole bunch, how much?
About $10,000.
The thieves even took out a credit card in Rehan's name.
And soon, she started getting notified about charges of thousands of dollars.
Rehan said she was able to work with her bank and Apple customer support to get some things back on track, like canceling that credit card.
But there are other
issues she wasn't able to resolve. That's because when Rehan was locked out of her Apple ID,
she lost access to more than just her phone. She also got locked out of things like photos,
videos, and notes that were all in Apple's cloud storage system, iCloud.
One thing that is gone and gone for good is my iCloud. And I've been an iCloud user since
I was 18. They've stolen every picture of me ever taken. They've stolen my 20s. They've stolen a
decade of my life. I've been using iCloud for 15 years for them to store my memories and keep them safe. And they're all gone. When I scroll
in my pictures, my brain automatically looks for my pictures with my dad, with, you know,
pictures of my nieces, my nephew, and they're all gone.
The thieves went beyond just changing Rehan's passcode and Apple ID.
They also made a more permanent move and activated something called a recovery key.
The recovery key was a security feature that Apple introduced in 2020.
And it was really meant to protect people from online hackers.
What this does is generate a unique 28-digit code.
That code is then necessary when you need to reset your Apple ID password.
It was meant so if somebody got your password and tried to get into your account, then they would also need this other set of numbers to get in.
It was a second protection on your Apple account.
Okay. And so, if that existed, why wasn't Rehan able to stop this from happening?
Well, the problem is, is that whoever stole Rehan's phone not only changed the password
to her Apple account and then turned off Find My iPhone, but they turned on this recovery
key. So then when Rehan tries to go to Apple and say, I don't have my password. I can't get back into my account.
They say, okay, that's okay. Just tell us your recovery key. And Rehan's like, what's a recovery
key? And then they're like, well, you have it on, so you should have access to that.
They are adamant that she needs that recovery key to get back into her account.
And to this day, Rehan cannot get back into her account because she does not have that recovery key.
Do you think, you know, you lose a phone, you just lose a phone.
Do you think that you could lose as much as this just from one single phone theft?
Absolutely not.
And it shouldn't be this way.
The entire Apple security environment cannot hinge on a single iPhone being pickpocketed.
Because iPhones get pickpocketed all the time. If stealing one iPhone means you can
literally lock someone out of their Apple ID forever and use everything they want without
even being able to put a hold on it. I never imagined that could be possible. And I think a
lot of people are not aware of the fact that it's possible.
That is really sad.
Like, when I explain what happened to me,
a lot of people don't even understand.
They're like, hey, come on, you should be,
why didn't you lock your phone?
I'm like, no, it's not my iPhone.
It's my Apple ID being stolen.
That messed me up.
Back when Joanna first started reporting on this issue,
Apple told her that this kind of crime was a rare occurrence.
The company said it requires multiple physical steps
and that stealing a user's device is not enough.
The problem has really taken off in some cities.
One of them is Minneapolis.
In September of last year, police there charged 12 people
who were allegedly
involved with stealing over 40 phones and taking a total of nearly $300,000. And recently,
Joanna went to Minneapolis to talk to one of these thieves who's now in prison
and to learn how exactly this crime happens. That's after the break.
Earlier this month,
Joanna went to a correctional facility in Minnesota
and spoke with Aaron Johnson.
Aaron is 26 years old.
He's pleaded guilty to racketeering
and he's been sentenced to over seven years in prison
because he said he stole hundreds of iPhones and hundreds of thousands of dollars.
I didn't really know what to expect when I got there.
I was a little bit nervous, mostly that he wasn't going to talk much about what he had done.
But I was really wrong.
He really, really opened up about what had happened.
How did you get involved with stealing phones?
So at first, I just started just pickpocketing phones. I didn't get the passcode or nothing.
I just got the phone.
Aaron said this was really a result of him not having much. He said he was homeless, living on the streets, had a hard time finding a job.
And he saw people pickpocketing on the streets of Minneapolis.
And as he started doing that, he realized that the phones he was getting would be more valuable if he could get inside them, if he could unlock them.
Aaron said he usually carried out these thefts at crowded bars
and typically went after young people who were drunk and easily distracted.
I mean, college, you know, they have a lot of money through, you know,
college money.
It's not kind of the easiest route.
It's them because they're more partying and they're already drunk
and don't know what's going on for real.
So I go to the bar because it's more people.
There's a lot of things going on
and it's hard to catch me in the dark.
Aaron would approach a victim, strike up a conversation,
and come up with a reason to get them to pull out their phone.
Sometimes he'd pretend to be a rapper and ask people to add him on Snapchat.
Other times, he'd present himself as a drug dealer.
I say I have the drugs. They say I have the drugs.
They say they want the drugs.
And I tell them
to take my information down
so I won't think you're the police.
And then, you know,
the whole time I don't have any drugs.
So as soon as the phone's in my hand,
I tell them.
I just ask them what's the code or I watch them put it in before they give it to me.
People just give you their passcode?
Yeah.
I say, hey, your phone, what's the passcode?
I say, 23456 or something.
Then I just remember it.
Then we get to talking, this and that,
and they say they gotta go or something
and then forget about it.
Then I just, we just go ourself away.
But you'd have the phone?
Yeah, I still have the phone.
It doesn't hit them until,
we're like five, 10 minutes away already.
Then you have to think like,
oh, where did I leave my phone?
By that time, I'm gone already, so.
Then, as soon as he would have the phone and the passcode,
he would immediately start changing things in the settings. And it's very technical,
and it's a lot of different steps, but he started doing this so fast.
And tell me, how quickly were you doing this? I mean, you get a phone.
I was doing it quicker than you could say supercalifragilisticexpialidocious.
You were changing passcodes?
Five, ten seconds.
You were changing passwords that fast?
Ten seconds.
You were changing passwords that fast?
Yeah.
I got to that fast where I can do it just right there.
Then lock it on, put it up, go get another one.
Aaron said he was making off with several phones at night.
Steal a phone, lock the victim out, drop off the phone in his car,
and then go back to do it all over again.
It's like a race.
It's kind of like a bank robbery.
You got to be quick.
If I don't do it quicker than them,
you got to beat the mice to the cheese.
I mean, yeah.
Then, once people were sort of not at the bar anymore,
he'd go home and he'd start to go for the money
because he'd already gotten people out of their accounts, right?
There was no fear.
As he says, you know, he beat the mice to the cheese.
They were already locked out.
So then I go add my face on there, on the face ID verification.
Now when you got your face on there,
you can, you got the key to everything, so.
And what are the keys? Where are you taking the keys? Where are you opening?
Things that people thought were safe.
Like?
Savings, checking, cryptocurrency, apps.
Venmo?
That's easy. You don't need Facebook Venmo, but I don't want to.
That's kind of little money. I'm trying to take as much as I can.
I mean, I'm just like marveling at how it is both an,
it both sounds super sophisticated,
but also at the end of the day,
really simple.
You just have to know where to go
and what to do.
And that's what I think
is really interesting about this crime
is it wasn't some advanced
cybersecurity hacker.
This was a pickpocket from the street
figuring out some tricks
and stealing hundreds of phones
and ultimately hundreds of thousands of dollars.
Last week, after about a year of Joanna and Nicole's
reporting on this issue,
Apple announced that it's rolling out a new feature
to protect users from exactly
the kind of crime Aaron was carrying out.
They have come up with something called stolen device
protection, and it's a feature that's going to be in iOS 17.3. And what it does is add a layer
of protection to your phone when you are away from a familiar place like work or home.
Then, when you're not at those locations, it's adding a layer of security to various parts of the phone. Many of the things that Aaron was able to do, he wouldn't have been able to do
if this feature was turned on. For instance,
if you try to change your Apple ID password, it first asks for a biometric, so face or fingerprint.
You cannot use the passcode.
Then it takes an hour.
It's going to ask you to wait an hour before this can actually take effect, this change.
And then again, it asks for face or touch.
Right.
So they wouldn't just be able to lock you out immediately the way they've been able to.
Exactly.
Joanna says the new feature could make a big difference in keeping bad actors out of people's iPhones.
But it's not a catch-all.
A thief with your iPhone and its passcode can still unlock your phone.
And any app that you haven't protected with an additional password or PIN is vulnerable. That includes money transfer apps like Venmo. Also, when the new feature is released,
it will be off by default. Users will have to activate it.
So what can people do to be extra safe and make sure that this doesn't happen to them?
I have to say, I think, when I asked Aaron this question, his answer was the most telling.
Because it was really about humans just being smarter.
Don't give your password. Don't give your passcode out.
Watch your surroundings.
Yep.
Stay on top of it.
That's all.
He said, don't give your passcode out and beware of your surroundings.
Those are two pretty not very technical things.
I could list a whole bunch of technical things that I think people should do.
You should make your passcode stronger. Make it alphanumeric so it isn't easy for somebody to sort of look over your shoulder and remember that passcode.
Add extra protection to those Venmo apps. There's the ability to add passcodes to those as well.
So, yeah, I can tell you a host of things to do to protect yourself.
But the best advice might be Aaron's, which is just beware of your surroundings and treat this phone like it has the keys to your life, because it does.
That's all for today, Thursday, December 21st.
The Journal is a co-production of Spotify and The Wall Street Journal.
Additional reporting in this episode by Nicole Nguyen.
The show is made by Annie Baxter, Kylan Burtz,
Catherine Brewer, Maria Byrne, Victoria Dominguez,
Pia Gagcari, Rachel Humphries, Ryan Knutson,
Matt Kwong, Kate Leinbaugh, Annie Minoff,
Laura Morris, Enrique Perez de la Rosa, Our engineers are
Our theme music is by So Wiley.
Additional music this week from Catherine Anderson,
Peter Leonard, Billy Libby, Bobby Lord,
Emma Munger, Nathan Singapak, Griffin Tanner,
and Blue Dot Sessions.
Fact-checking by Mary Mathis.
Thanks for listening, and happy holidays.