How iPhone Recovery Keys Help Thieves Lock Users Out of Apple Accounts | WSJ Tech News Briefing

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

this is your Tech news briefing for Friday April 21st I'm Zoe Thomas for The Wall Street Journal a basic feature of iPhones can help criminals who steal phones to also take over the digital lives of victims it's the phone's passcode the four to six digit sequence users type to unlock their devices this is something the Wall Street journal's personal Tech columnist Joanna Stern and Nicole Nguyen reported on back in February and since then people have been reaching out to them about another iPhone security feature that thieves are using to take over accounts this time it's the recovery key Joanna Stern has a video looking at this and speaking with one of the victims you can check that out here on YouTube but to understand more about how this crime works and how users can protect themselves I'm joined Now by Nicole Nguyen so Nicole we spoke about this kind of theft where someone's iPhone and their passcode can be stolen can you just remind us how this crime works and what some of the repercussions are a thief will cozy up to a Target or will Snoop their passcode from afar and using that passcode and then stealing the victim's phone they will then access the iPhone's passwords and log into banking apps and use other financial apps such as PayPal and venmo in order to rack up fraudulent charges many of these victims were out socializing at night and these thieves very cleverly would coerce them into handing over their phones they could take a picture and then disabling the phone so that when it was returned to the victim or the target they would have to enter in their passcode again or they would film them from afar and then zoom in to the video to see what that passcode was that that person had entered before stealing their phone so now you're reporting that for some victims of this crime there can be a bigger issue because of something called a recovery key can you just first explain what the recovery key is so a recovery key is an apple design security setting that was initially intended to protect people so if you forget your password or you lose your password Apple has this password reset flow at iforgot.apple.com where you can enter in your phone number and then you get a verification code sent to that phone number and then you can reset your password without knowing your previous password so in this case if your phone number was hijacked by a criminal through an attack known as Sim swapping which is pretty complicated but essentially thieves coerce the cellular companies to move your phone number to their own Sim to a phone that they have in their hand then the recovery key which is an additional 28 digit code is protective because it would ask for both the Verification codes into the phone and this recovery key that ideally Only You possess so there's this recovery key which was supposed to protect Apple accounts is being exploited by thieves in order to lock people out of their apple accounts permanently so that the thieves can continue racking up fraudulent charges without the victim remotely wiping their device or tracking it down through find my and the photos contacts messages lost are just collateral damage from this crime user is already using the recovery key though won't they have that 28 digit passcode themselves you would think that but all it takes to generate a new recovery key or turn one on is that device passcode the iPhone's passcode is the most powerful way to access your online identity if you store a lot of your data in Apple's iCloud so that device passcode can change your Apple ID password without needing the previous password and it can also turn on the recovery key or generate a new recovery key without any sort of additional credentials you spoke with some of the victims of these kinds of crimes can you tell us about their experience one victim I spoke to Cameron Devine he's 24 years old and he went to a bar in Boston with his friends after a Red Sox game and his phone was taken and he thought no problem you know my phone is locked with a passcode and actually someone had sent a friend of his a text saying I am the bar manager and I have your phone and you can come by the bar to pick it up tomorrow well in truth that the text was sent by the thief and it bought the thief a little bit more time to rack up fraudulent charges on Cameron's account and also turn on the recovery key so after Camden realized that the bar did not have his phone he spent weeks with Apple customer service trying to get back into his account and the representatives told him again and again we cannot let you back into this account unless you furnish a recovery key and he didn't know what that was he definitely had never set it up because he had never heard of the recovery key and so he's had an Apple account since he was a kid and has lost 15 years worth of photos contacts messages everything he was even locked out of his own Apple watch because the thief had booted all of the trusted devices from his Apple account and so the Apple watch that was currently on his wrist that he didn't know the Apple account password to was essentially a paperweight what is Apple saying about this situation an apple spokesman told us we sympathize with people who have had this experience and we take all attacks on our users very seriously no matter how rare we work tirelessly every day to protect our users accounts and data and are always investigating additional Productions against emerging threats like this one why does Apple have the recovery key system Apple has this recovery key system because online hacking is very prevalent the situation that the recovery key does not protect against is if your iPhone is stolen and the passcode is stolen along with it so how do others in the industry deal with account recovery account recovery is a big issue across the industry any tech company that provides a service has this problem Google handles account recovery a little bit differently if you're a thief and you've stolen an iPhone and the passcode you can change The Trusted phone number you can turn on the recovery key all sorts of things to block the actual owner out from the password reset process Google however accepts a previously listed recovery email address or phone number in it you can use data like a familiar Wi-Fi network or a familiar location in order to prove that you are you just for some context I mean how big a deal is this potential theft because more than half of U.S cell phone users have iPhones it's hard to know exactly how many people are affected by this type of crime but we do know that since publishing our original story dozens more victims have reached out to us and new cities have emerged as hot spots and that includes Chicago New Orleans and Boston are there any steps that users can take to protect themselves from running into this situation with potentially having their phone stolen at their passcode stolen and then not having access to the recovery key until Apple makes a change to their policy or some sort of fix to this setting there's not much you can do to prevent a thief from turning on the recovery key but you can make it harder for them so setting a complicated passcode and using both letters and numbers what's called an alphanumeric passcode is really important and you can also use parental controls on yourself you can use screen time which is Apple's parental controls system to block account changes on your iPhone all right that's our personal Tech columnist Nicole Nguyen Nicole thanks for joining us for this conversation thanks Zoe and that's it for this week's Tech news briefing tnb's producer is Julie Chang we had production assistants from Zoe Culkin our supervising producer is Melanie Roy and our executive producer is Chris sinsley I'm your host Zoe Thomas thanks for listening and have a great weekend [Music]

Info

Channel: WSJ News

Views: 159,010

Rating: undefined out of 5

Keywords: apple, iphone, iphone theft, hidden iphone setting, recovery key, recovery key iphone, apple account, iphone passcode, iphone passcode problem, find my iphone, apple account password, apple security loophole, wsj, account recovery, forgot my password, create a recovery key, recovery key apple id, recovery key problem, recovery key id, apple support, recovery key apple, recovery key backup failed, tech news briefing, apple accounts, iphone recovery keys, help thieves, techy

Id: NVm8Io7nQ2U

Channel Id: undefined

Length: 9min 13sec (553 seconds)

Published: Fri Apr 21 2023