Little-known iPhone setting allows thieves to take over your Apple account
Facepalm: While thieves grabbing your iPhone and your passcode may seem like a rare possibility, it’s slowly becoming a trend as of late. The cherry on top is that unless you take some precautions, you may end up locked out of your Apple ID account with virtually no way of getting back in.
If you’re an iPhone user, you probably haven’t given much thought to what you’ll do in the event it gets lost or stolen. Even less so if you religiously pay for AppleCare+, a service designed to give you peace of mind for as long as you let the company charge you for it.
However, the recent surge in iPhone thefts across the US and elsewhere has revealed that Apple devices – which made up eight of the top 10 best-selling smartphones last year – present a serious security risk when you use them in public spaces. Thieves have recently learned that the passcode you use to unlock your device is the most powerful tool they can use to override all other security measures in place and that there’s little you can do to stop them once they get their hands on it.
A Wall Street Journal report highlights the example of Greg Frasca, an iPhone user that has been locked out of his Apple account since October. The thieves stole the 46-year-old’s iPhone 14 Pro at a bar in Chicago after seeing him use his passcode. This allowed them to change his Apple ID password as well as enable a little-known security feature known as the “recovery key.”
The recovery key is an optional feature the Cupertino giant introduced in 2020 as an additional layer of security against hackers. It is essentially a randomly generated 28-character-long code you can use to prevent them from resetting your Apple ID password. The problem is the corresponding setting is buried under many others and losing said recovery key can lock you out of all devices linked to your Apple ID, which is why few people use it.
Admittedly, this is an edge case where thieves manage to memorize or record the victim entering their passcode when Face ID or Touch ID refuse to work for whatever reason. Still, the process of convincing Apple to let you back into your account after thieves lock you out of it involves, at best, going in person to Apple’s headquarters or writing a check for $10,000. That is if you’re lucky since in most cases the company will only help you if you provide the recovery key.
So what can you do to prevent this from ever happening to you? For one, you can try to use only Face ID/Touch ID and avoid entering your passcode in public, or use a custom alphanumeric code to decrease the chances that thieves will be able to remember it. You can do this under Settings -> Face ID & Passcode (Touch ID & Passcode on iPhone SE/8/older) -> Change Passcode.
Another way is to use the Screen Time feature which is normally used for parental control. Go to Settings -> Screen Time -> Use Screen Time Passcode and set up a different key to what you use as your phone passcode. Then go to Content & Privacy Restrictions on the same settings page and enable it using the toggle at the top. Finally, scroll down the list to the “Allow Changes” category and select “Don’t Allow” for Account Changes.
If you want to be thorough, you can also set up a recovery contact by going to Settings -> your name -> Password & Security -> Account Recovery and adding a person you want to be able to help in case you need recovery assistance. It’s also good to get into the habit of regularly making offline backups of your important files.
As for Apple, the company issued a typical response to the report, assuring users it takes every attack on their security “very seriously, no matter how rare” and that it is “always investigating additional protections against emerging threats like this one.”
Other companies like LinkedIn and Uber already employ additional ways to verify your identity that can help with account recovery among other things, but they’re far from perfect. However, the tech industry has yet to find a great way to balance convenience and security without invading your privacy with things like facial recognition or requiring a government-issued ID for protecting your account.