Reduce the damage caused by iPhone passcode theft with iOS 17.3’s Stolen Device Protection

Last year, Wall Street Journal reporters Joanna Stern and Nicole Nguyen published a series of articles highlighting a disturbing form of crime targeting iPhone users. A thief would discover the victim’s iPhone passcode, swipe the iPhone, and run away. With just the passcode, thieves can quickly change a victim’s Apple ID password, lock them out of their iCloud account, and use apps and data on the iPhone to steal money, buy stuff, and cause digital havoc.

Essentially, Apple made the passcode too powerful: a passcode learned through shoulder surfing, covert photography, or social engineering was enough on its own, and criminals exploited that weakness. It’s better to use Face ID or Touch ID, especially in public, but some people still rely solely on the passcode.

Apple has now fixed this issue for iPhone users with the new Stolen Device Protection feature in iOS 17.3. It requires biometric authentication (Face ID or Touch ID) to protect critical security and financial actions when you’re away from a familiar place like home or work. The most critical operations also trigger a security delay of up to an hour before the second biometric authentication. We recommend that anyone using Face ID or Touch ID turn on Stolen Device Protection. The feature isn’t available on iPads or Macs, but those devices are also much less likely to be stolen in places like crowded bars, where many iPhones are taken.

How Stolen Device Protection Works

The location aspect of Stolen Device Protection is key. When you’re in a “significant location” (a place your iPhone determines you frequent), you can do everything involving your security and financial details just as you have in the past, including using the passcode as an alternative or fallback.

But when you’re in an unfamiliar location, such as a public place where your iPhone might be stolen, Stolen Device Protection requires biometric authentication to:

  • Use a password or passkey saved in Keychain
  • Use a saved payment method in Safari (autofill)
  • Turn off Lost Mode
  • Erase all content and settings
  • Apply for a new Apple Card
  • View Apple Card virtual card number
  • Perform certain Apple Cash and Savings operations in Wallet (such as Apple Cash or Savings transfers)
  • Use your iPhone to set up a new device (e.g., Quick Start)

Some actions have more serious consequences, so for them Stolen Device Protection requires biometric authentication, a one-hour security delay (shown with a countdown timer), and then a second biometric authentication. This delay reduces the chance of an attacker forcing you to authenticate under threat of physical force. You need to authenticate biometrically twice, with the delay in between, when you want to:

  • Change your Apple ID password (Apple notes that this may cause your device location to be temporarily unavailable on iCloud.com)
  • Sign out of your Apple ID
  • Update Apple ID account security settings (such as adding or removing trusted devices, recovery keys, or recovery contacts)
  • Add or remove Face ID or Touch ID
  • Change your iPhone passcode
  • Reset all settings
  • Turn off Find My
  • Turn off Stolen Device Protection

There are some things to remember:

  • The iPhone passcode still works for purchases made with Apple Pay, so a thief who has your passcode and iPhone could still buy something.
  • Although Apple says it is required, you can turn off Significant Locations so that the additional biometric authentication and security delays are required everywhere. This eliminates the worry that a thief could use Significant Locations to travel to your most recent familiar location in an attempt to circumvent the additional authentication.
  • If you plan to sell, give away, or trade in your iPhone, be sure to turn off Stolen Device Protection first. Once it is out of your physical control, no one else can reset it.

Turn On Stolen Device Protection

Before you begin, note that Apple says you must use two-factor authentication with your Apple ID (everyone should do it anyway), set a passcode for your iPhone (ditto), turn on Face ID or Touch ID, enable Find My, and turn on Significant Locations (Settings > Privacy & Security > Location Services > System Services > Significant Locations), although that last item doesn’t actually seem to be needed.

Then, go to Settings > Face ID/Touch ID & Passcode, enter your passcode, and tap Turn On Protection. (If it is already enabled, tap Turn Off Protection to remove its additional protection.)

Once Stolen Device Protection is enabled and you are in an unfamiliar location, the actions listed above will require biometric authentication or two biometric authentications (separated by a one-hour security delay).

There’s one group of people who shouldn’t turn on Stolen Device Protection: people for whom Face ID or Touch ID doesn’t work. Most people don’t have a problem with Apple’s biometric technology, but some people have worn fingerprints or other physical features that confuse Touch ID or, less commonly, Face ID.

If this is you, stick with our general advice to prevent your iPhone from being stolen: Never enter your iPhone passcode in public where you may be observed.

(Featured image courtesy of iStock.com/AntonioGuillem)


