A 26-year-old thief has revealed the simple passcode trick he used to break into strangers' iPhones and steal hundreds of thousands of dollars from their bank accounts.
Aaron Johnson, who is currently serving eight years in the Minnesota Correctional Facility, explained this in an interview with The Wall Street Journal how he was able to steal more than $300,000 between 2021 and 2022.
Johnson visited local bars, befriending young people, peeking over and watching them punch in their passcodes and then take their phones.
After memorizing their passcodes, he logged into the devices, changed the passwords and locked the victims from their Apple IDs. He also registered his own face in the phone's Face ID and deleted the owner's biometric data.
That crucial hack gave him access to the phone's password keychain, where their banking app login details were readily available.
Johnson and his accomplices thousands of dollars taken from accounts – often before the victim even realized their phone had been stolen.
Aaron Johnson visited local bars, befriended young people, peeked over and watched them enter their passcodes and take their phones. He would later use the code to lock victims out of their Apple ID, disable the Find My iPhone feature and empty their bank accounts
This vulnerability prompted the recent launch of Apple's 'Stolen Device Protection' – a setting that prevents cybercriminals from locking out iPhone users from their Apple accounts or accessing their passwords stored in Apple's Keychain.
Johnson explained that he would go to bars and target college-age men with Pro iPhone models instead of women because they are “more guarded and alert to suspicious behavior.”
The thief then approached his victims by offering drugs or posing as a 'rapper' and asking them to contact them on social media.
The mostly intoxicated victim struck up a conversation with him and handed over their phone, thinking he would simply add his details and give them back.
But instead, Johnson asked them for their password, which the unsuspecting victim told him.
“I say, 'Hey, your phone is locked. What's the passcode?' They say, “2-3-4-5-6,” or something like that. And then I just remember,” he told the newspaper Wall Street Journal.
Describing how quickly he could change passwords, he said: “faster than you could say supercalifragilisticexpialidocious. You have to beat the mice with the cheese.'
Once he set up his Face ID, Johnson would quickly transfer large sums of money from their bank accounts using mobile payment services such as Venmo, Zelle and Coinbase.
The next day, Johnson went to several stores to buy things with Apple Pay, including other Apple products.
Johnson explained that he would go to bars and target middle-aged men with Pro iPhone models rather than women because they are “more guarded and alert to suspicious behavior.”
The thief then approached his victims by offering drugs or posing as a 'rapper' and asking them to contact them on social media. The mostly intoxicated victim struck up a conversation with him and handed over their phone, thinking he would just add his details and give them back.
But instead, Johnson asked them for their password, which the unsuspecting victim told him
After completely emptying the victim's bank, he would sell the phone to Zhongshuang 'Brandon' Su', also known as the 'iPhone Man'.
The 32-year-old would then sell many of the stolen phones abroad, including to Hong Kong.
On a good weekend, Johnson could sell up to 30 iPhones and iPads to Su and make about $20,000. This did not include the money he took from the victims' banking apps.
Last week, Apple added a new layer of protection to the latest iOS update, called Stolen Device Protection.
If the feature detects an unknown location of the iPhone, Apple's FaceID is required to unlock the device.
Stolen device protection will roll out soon with Apple's iOS 17.3, but is currently in beta testing.
At the heart of protection against stolen devices is a strict reliance on user biometrics via Apple's Face ID or Touch ID and geolocation data in the iPhone owner's most known places.
When users enable Stolen Device Protection, three new security features are activated.
Apple is introducing a new feature to protect its customers' passcodes, online banking access, private iCloud photos and videos, and everything else that makes a stolen, unlocked iPhone vulnerable. This setting, called Stolen Device Protection, is now available to beta testers
Stolen Device Protection is designed to block thieves' attempt to lock out the owner by switching the Apple ID if the attempt is made while the iPhone is not in a known location, such as your home or office
Stolen Device Protection is designed to block a thief's attempt to lock out the owner by switching the Apple ID if the attempt is made while the iPhone is away from a known location, such as home or office.
If the owner, a thief, or anyone else tries to change the Apple ID password outside of these known locations, the device will require the owner's Face ID or Touch ID twice.
After the initial biometric scan via Face ID or Touch ID, the setting requires a second scan one hour before any changes can be made, preventing the kind of low-risk 'smash and grab' that an iPhone thief is likely to attempt.
Stolen Device Protection also requires two Face ID or Touch ID scans an hour apart if someone controlling iPhone from a foreign location tries to add or remove a “recovery key” or a user's trusted phone number to change.
Apples recovery key provides a randomly generated 28-character code to deal with lost access to their Apple ID, which users can then save somewhere safe (handwritten, emailed to themselves, memorized, or something more creative).
Protecting these features ensures that a thief can't lock you out of everything you've stored in iCloud, including personal photos or important files, which could otherwise be lost forever.
While the new security update brings several failsafe measures to prevent a real disaster for Apple's iPhone customers, there are still outstanding vulnerabilities if your phone is stolen.
Any app, email, or website access that isn't secured with an additional password or PIN is still at risk.
That means that in many cases, any account or login that can be reset by text message or email is still at risk, even with Stolen Device Protection enabled.
What makes that risk even greater is that all credit cards and services linked to Apple Pay will still work with just a passcode if your Face ID or Touch ID biometrics fail.
The Wall Street Journal, which broke news about the nationwide thefts that led to this new update, suggests adding additional PINs or biometric hurdles to financial apps on your device.
They also recommend quickly accessing iCloud and remotely wiping your stolen device once you notice the theft.