Stop using 6-digit iPhone passcodes! Do you think I am overly paranoid? Keep reading. 👇
Last week, a friend of mine had his iPhone stolen. What follows is the sequence of events that started as an unfortunate event and ended up with $30,000 in unauthorized wire transfers, $2,500 spent on the App Store, and accounts on multiple services compromised.
7:35pm: my friend was waiting for an Uber when a criminal riding a bike snatched his iPhone from his hand and rode away.
8:03pm: my friend is tech-savvy. As soon as he got an internet connection and his computer, he activated the Lost Mode on his stolen iPhone. He then headed to a store to buy a new iPhone and transfer his eSIM. Meanwhile...
9:16pm: the thieves unlocked his Apple ID and granted themselves access to his iCloud account.
9:18pm: they logged into my friend's iCloud account via a browser...
9:19pm: ...and turned off Find My on the stolen iPhone.
My friend was still trying to transfer his eSIM to a new iPhone while that happened. He only saw those emails a few hours later. He also didn't notice what was about to happen.
9:47pm: his bank account was compromised. The criminals started wire transferring money to unrecognized accounts, totaling $30,000. 😱
10:22pm: not happy with that, they created a virtual credit card using the bank app and updated the billing information on my friend's iTunes account.
And spent over $2,500 on in-app purchases.
If that wasn't enough, they also changed the password of some email accounts.
So, how could the wrongdoers do all of that in less than 5 hours? After considering many options, the only reasonable explanation is they cracked the 6-digit passcode on the stolen iPhone using some kind of device like the GrayKey.
The passcode gave them access to the keychain. They searched for the iCloud credentials, disabled Lost Mode, and turned off Find My.
But how did they access my friend's bank account? It turns out the password was saved to the keychain in 2017. It's shocking that a bank of @santander_br’s size still hasn't implemented a virtual keyboard to enter passwords.
The extent of the damage and the speed of the process are stunning. This could only be done by skilled people, with sophisticated methods and reasonable preparation. It's not an amateur's job.
A few questions remain unanswered.

1. Why did @Apple allow a device in Lost Mode to be used to unlock itself?

2. Why didn't @Apple raise a fraud alert for the in-app purchases?

3. Most importantly, why is a weak passcode an acceptable alternative to biometric verification for decrypting your keychain and paying with Apple Pay? 🤔
As can be seen, our phones are the entry point to critical aspects of our lives. We're sold that Face ID, Secure Enclave, Two-Factor Auth keep our data safe. Don't be fooled. Your passcode is the master key to grant access to sensitive data. Use a strong one to secure it.
You can follow @hprange.
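The thread's closing advice rests on keyspace: a 6-digit numeric passcode has only a million values, and a large share of those are "memorable" dates an attacker will try first. The script below is an added worked example, not code from the thread or from Apple, that puts numbers on that claim. Its assumptions are labelled in the code: Apple's platform security documentation describes the on-device passcode key derivation as calibrated to roughly 80 ms per attempt, and the example takes that as the guess rate of an attacker who has defeated the retry delays but not the derivation cost (the real throughput of a GrayKey-class tool is not known from this page); two-digit years in date-shaped PINs are read as 2000-2099; the alphabet names (`digits`, `alnum`, `alnum_symbols`) are this example's own labels for the numeric and custom alphanumeric passcode options.

```python
"""Keyspace and exhaustive-search estimates for iPhone passcode styles.

Added illustration for the thread above; not the author's or Apple's code.
"""
from datetime import date
from math import log2
import string

# ASSUMPTION: Apple's Platform Security documentation describes the passcode
# key derivation as calibrated to about 80 ms per attempt on-device. We take
# that as the guess rate of an attacker who bypasses the software retry delays
# but still pays the derivation cost. Real tool throughput is unknown here.
SECONDS_PER_GUESS = 0.080

# Alphabets behind the passcode options iOS offers (the names are ours).
ALPHABETS = {
    "digits": string.digits,                                # numeric code
    "alnum": string.ascii_letters + string.digits,          # alphanumeric code
    "alnum_symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passcodes of the given style and length."""
    return len(ALPHABETS[alphabet]) ** length


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy of a uniformly random passcode of this style, in bits."""
    return length * log2(len(ALPHABETS[alphabet]))


def search_time(candidates: int,
                seconds_per_guess: float = SECONDS_PER_GUESS) -> tuple[float, float]:
    """(average, worst-case) seconds to try `candidates` guesses one after another."""
    return candidates / 2 * seconds_per_guess, candidates * seconds_per_guess


def date_pins() -> set[str]:
    """All 6-digit PINs that read as a date in DDMMYY or MMDDYY form.

    ASSUMPTION: two-digit years are taken as 2000-2099 for leap-year purposes.
    An attacker tries such memorable PINs before the rest of the keyspace.
    """
    pins: set[str] = set()
    for yy in range(100):
        for mm in range(1, 13):
            for dd in range(1, 32):
                try:
                    date(2000 + yy, mm, dd)
                except ValueError:
                    continue  # e.g. 31 February is not a date
                pins.add(f"{dd:02d}{mm:02d}{yy:02d}")
                pins.add(f"{mm:02d}{dd:02d}{yy:02d}")
    return pins


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies, for side-by-side comparison."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(alphabet: str, length: int) -> dict:
    """Summarise keyspace, entropy and exhaustive-search time for one passcode style."""
    n = keyspace(alphabet, length)
    avg, worst = search_time(n)
    return {"style": f"{alphabet}/{length}", "keyspace": n,
            "bits": round(entropy_bits(alphabet, length), 1),
            "average": humanize(avg), "worst": humanize(worst)}


if __name__ == "__main__":
    for style, length in (("digits", 4), ("digits", 6), ("alnum", 6),
                          ("alnum", 8), ("alnum_symbols", 10)):
        print(report(style, length))
    dates = date_pins()
    print(f"date-shaped 6-digit PINs: {len(dates):,} "
          f"({len(dates) / 10**6:.1%} of the keyspace), "
          f"all tried in {humanize(search_time(len(dates))[1])}")
```

Under these assumptions the full 6-digit numeric keyspace falls in under a day and the 58,650 date-shaped PINs in about an hour and a quarter, which is the order of the gap between the theft and the Apple ID unlock in the timeline; a 6-character letters-and-digits passcode at the same rate takes on the order of a century, and the only thing that changed is the keyspace.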