Inside an iPhone Heist


00:05
Speaker 1
One night in November of last year, Rehan Ayes was out at a bar in New York City when she saw a stranger talking to her friends.


00:13
Speaker 2
My friend was talking to a few people. I joined. My phone was in my hands, and then the person said hi to me and then grabbed my phone and disappeared her.


00:26
Speaker 1
The person had taken off with her phone, and in a matter of minutes, Rejan's life was turned upside down. Earlier this year, she sat down with her colleague Joanna Stern to tell her story.


00:38
Speaker 3
So you realize your phone has been stolen. What do you do next?


00:43
Speaker 2
At the bar, I log in to find my iPhone on my friend's phone right away.


00:49
Speaker 3
And what happened?


00:50
Speaker 2
I couldn't log in.


00:52
Speaker 1
It turned out the thief hadn't just taken her phone, he'd also gotten a hold of her passcode. The series of typically four to six numbers you use to unlock your phone. And over the next couple of days, Rejan noticed thousands of dollars had disappeared from her bank account.


01:09
Speaker 2
And that's when it hit me that this is way beyond just a petty phone theft. And that's when I also started getting worried. What else is going to hit me?


01:22
Speaker 1
Over the last year, Joanna has heard from over a hundred people like Rahan, who fell victim to the same kind of crime, a crime that revolves around the iPhone's passcode. It's a scheme that's exposing security vulnerabilities in Apple's ecosystem. And now the company is making a change. Welcome to the Journal, our show about money, business, and power. I'm Jessica Mendoza. It's Thursday, December 21. Coming up on the show, how one passcode can let a thief unlock your entire digital life. The kind of iPhone theft that Rehan is fell victim to has taken place all over the country, in cities like Chicago, Boston, and Denver. Joanna and our colleague Nicole Nguyen first reported on these thefts last February, and they've been following this issue since. They've published several stories and spoken to dozens of victims. Here's Joanna again.


02:36
Speaker 3
When we published our first story, were blown away by the reaction, not only from people saying they were really nervous that this could happen to them, but people who had this happen to them.


02:47
Speaker 1
This kind of crime has affected Android users, too, but Joanna says thieves go after iPhones more often because of their resale value. The many stories that Joanna and Nicole heard all have one thing in common. Thieves use the iPhone's passcode to then change the password of a victim's Apple account. That's what happened to Rahan when her phone was stolen at that New York City bar.


03:12
Speaker 3
The really interesting thing about Rayon's story is that she reacts really quickly. The phone gets taken out of her hand, and she says that within minutes, she asks her friend at the bar if she can borrow her phone and log into her Apple account to turn on find my iPhone so she can find where it is.


03:28
Speaker 2
Ideally, I should have been able to log in and lock the phone, but I wasn't able to do that because in the three minutes that had passed, my Apple ID password, which I'm absolutely sure of, by the way, was changed.


03:43
Speaker 3
Your Apple account has pretty much all the things that you think are important on your iPhone. It's got your photos, it's got your notes, it's got lots of passwords saved. And those passwords are often to your most important financial accounts. So with this string of keys, which is all tied back to that original passcode that you put in at the bar, everything can be unlocked.


04:15
Speaker 1
Later that weekend, Rejan noticed her bank accounts were getting drained.


04:19
Speaker 2
I checked all my accounts diligently, and I saw that they transferred some money from my savings account to my checking account and then took a whole bunch in the form of Apple cash.


04:30
Speaker 3
When you say a whole bunch, how much?


04:32
Speaker 2
About $10,000.


04:34
Speaker 1
The thieves even took out a credit card in Rehan's name. And soon she started getting notified about charges of thousands of dollars. Rahan said she was able to work with her bank and Apple customer support to get some things back on track, like canceling that credit card. But there are other issues she wasn't able to resolve. That's because when Rahan was locked out of her Apple id, she lost access to more than just her phone. She also got locked out of things like photos, videos, and notes that were all in Apple's cloud storage system, iCloud.


05:11
Speaker 2
One thing that is gone and gone for good is my iCloud. And I've been an icloud user since I was 18. They've stolen every picture of me ever taken. They've stolen my 20s. They've stolen a decade of my life. I've been using icloud for 15 years for them to store my memories and keep them safe. And they're all gone. When I scroll in my pictures, my brain automatically looks for my pictures with my dad, with pictures of my nieces, my nephew. And they're all gone.


05:50
Speaker 1
The thieves went beyond just changing Rehan's passcode and Apple ID. They also made a more permanent move and activated something called a recovery key.


06:01
Speaker 3
The recovery key was a security feature that Apple introduced in 2020, and it was really meant to protect people from online hackers. What this does is generate a unique 28 digit code. That code is then necessary when you need to reset your Apple ID password. It was meant so if somebody got your password and tried to get into your account, then they would also need this other set of numbers to get in. It was a second protection on your Apple account. Okay.


06:34
Speaker 1
And so if that existed, why wasn't Rahan able to stop this from happening?


06:42
Speaker 3
Well, the problem is that whoever stole Rahan's phone not only changed the password to her Apple account and then turned off find my iPhone, but they turned on this recovery key. So then when Rahan tries to go to Apple and say, I don't have my password, I can't get back into my account, they say, okay, that's okay. Just tell us your recovery key. And Rahan's like, what's a recovery key?


07:10
Speaker 1
And then they're like, well, you have it on, so you should have access to that.


07:14
Speaker 3
They are adamant that she needs that recovery key to get back into her account. And to this day, Rahan cannot get back into her account because she does not have that recovery. Think, you know, you lose a phone, you just lose a phone. Do you think that you could lose as much as this just from one single phone theft?


07:37
Speaker 2
Absolutely not. And it shouldn't be this way. The entire Apple security environment cannot hinge on a single iPhone being pickpocketed, because iPhones get pickpocketed all the time. If stealing one iPhone means you can literally lock someone out of their Apple id forever and use everything they want without even being able to put a hold on it, I never imagined that could be possible. And I think a lot of people are not aware of the fact that it's possible. That is really sad. Like, when I explain what happened to me, a lot of people don't even understand. They're like, hey, come on, you should be. Why didn't you lock your phone? I'm like, no, it's not my iPhone. It's my Apple id being stolen. That messed me up.


08:33
Speaker 1
Back when Joanna first started reporting on this issue, Apple told her that this kind of crime was a rare occurrence. The company said it requires multiple physical steps and that stealing a user's device is not enough. The problem has really taken off in some cities. One of them is Minneapolis. In September of last year, police there charged twelve people who were allegedly involved with stealing over 40 phones and taking a total of nearly $300,000. And recently, Joanna went to Minneapolis to talk to one of these thieves who's now in prison and to learn how exactly this crime happens. That's after the break. Courage. I learned it from my adoptive mom.


09:19
Speaker 2
Hold my hand.


09:20
Speaker 4
You hold my hand. Learn about adopting a teen from foster care@adoptuskids.org. You can't imagine the reward brought to you by adopt us kids, the US Department of Health and Human Services and the ad council.


09:39
Speaker 1
Earlier this month, Joanna went to a correctional facility in Minnesota and spoke with Aaron Johnson. Aaron is 26 years old. He's pleaded guilty to racketeering and he's been sentenced to over seven years in prison because he said he stole hundreds of iPhones and hundreds of thousands of dollars.


09:57
Speaker 3
I didn't really know what to expect when I got there. I was a little bit nervous mostly that he wasn't going to talk much about what he had done. But I was really wrong. He really opened up about what had happened. How did you get involved with stealing phones?


10:16
Speaker 5
So at first I just started just pickpocketing the phones. I didn't get the passcode or nothing. I just got the phone.


10:25
Speaker 3
Aaron said this was really a result of him not having much. He said he was homeless, living on the streets, had a hard time finding a job, and he saw people pickpocketing on the streets of Minneapolis. And as he started doing that, he realized that the phones he was getting would be more valuable if he could get inside them, if he could unlock them.


10:46
Speaker 1
Aaron said he usually carried out these thefts at crowded bars and typically went after young people who were drunk and easily distracted.


10:54
Speaker 5
I mean, college, they have a lot of money through college. Money is not kind of the easiest route is them, because they're more partying and they are already drunk and don't know what's going on for real. So I go to the bar because it's more people, a lot of things going on, and it's hard to catch me in the dark.


11:31
Speaker 1
Aaron would approach a victim, strike up a conversation, and come up with a reason to get them to pull out their phone. Sometimes he'd pretend to be a rapper and ask people to add him on Snapchat. Other times, he'd present himself as a drug dealer.


11:47
Speaker 5
I say, I have the drugs. They say they want the drugs. And I tell them, take my information down so I won't think you're the police. And then the whole time I don't have any drugs. So as soon as the phone's in my hand, I tell them, I just ask them, what's the code or I watch them put it in before they give it to me.


12:13
Speaker 3
People just give you their passcode?


12:14
Speaker 5
Yeah. I say, hey, your phone. What's the passcode? I say, 23456 or something. Then I just remember it. Then we get to talking this and that. Then they say they got to go or something and forget about it. Then we just go our separate ways.


12:37
Speaker 3
But you'd have the phone?


12:38
Speaker 5
Yeah, I still have the phone. It doesn't hit them until we're, like, 510 minutes away already. Then you have to think, like, where do I leave my phone? By that time, I'm gone already.


12:55
Speaker 3
Then as soon as he would have the phone in the passcode, he would immediately start changing things in the settings. And it's very technical, and it's a lot of different steps, but he started doing this so fast. And tell me, how quickly were you doing this? I mean, you get a phone doing.


13:14
Speaker 5
It quicker than you could say, super Califragilex alidos.


13:22
Speaker 3
You were changing passcodes 510 seconds. You were changing passwords that fast?


13:29
Speaker 5
Yeah, it got to that fast. Where I can do it just right there. Lock on, put it up. Go get another.


13:40
Speaker 1
Aaron said he was making off with several phones a night. Steal a phone, lock the victim out, drop off the phone in his car, and then go back to do it all over again.


13:50
Speaker 5
It's like a race. It's kind of like a bank robbery. You got to be quick. If I don't do it quicker than him, you got to beat the mice to the cheese. Yeah.


14:05
Speaker 3
Then once people were sort of not at the bar anymore, he'd go home and he'd start to go for the money, because he'd already gotten people out of their accounts. Right. There was no fear. As he says, he beat the mice to the cheese. They were already locked out.


14:20
Speaker 5
So then I go add my face on there. On the face. Id verification. Now, when you got your face on there, you got the key to everything.


14:34
Speaker 3
And what are the keys? Where are you taking the keys? What are you opening?


14:40
Speaker 5
Things that people thought were safe, like savings, checkings, cryptocurrency apps, venmo. That's easy. You don't need face for Venmo. But I don't want to. That's kind of little money. I'm trying to.


15:03
Speaker 3
I see.


15:04
Speaker 5
Take as much as I can.


15:10
Speaker 1
I mean, I'm just, like, marveling at how it both sounds super sophisticated, but also, at the end of the day, really simple. You just have to know where to go and what to do.


15:21
Speaker 3
And that's what I think is really interesting about this crime is it wasn't some advanced cybersecurity hacker. This was a pickpocket from the street figuring out some tricks and stealing hundreds of phones and ultimately hundreds of thousands of dollars.


15:41
Speaker 1
Last week, after about a year of Joanna and Nicole's reporting on this issue, Apple announced that it's rolling out a new feature to protect users from exactly the kind of crime Aaron was carrying out.


15:53
Speaker 3
They have come up with something called stolen device protection, and it's a feature that's going to be in iOS 17 three. And what it does is add a layer of protection to your phone when you are away from a familiar place like work or home. Then when you're not at those locations, it's adding a layer of security to various parts of the phone. Many of the things that Aaron was able to do, he wouldn't have been able to do if this feature was turned on. For instance, if you try to change your Apple id password, it first asks for a biometric, so, face or fingerprint, you cannot use the passcode. Then it takes an hour. It's going to ask you wait an hour before this can actually take effect, this change. And then again, it asks for face or touch.


16:47
Speaker 1
Right, so they wouldn't just be able to lock you out immediately the way they've been able to.


16:52
Speaker 3
Exactly.


16:53
Speaker 1
Joanna says the new feature could make a big difference in keeping bad actors out of people's iPhones. But it's not a catch all. A thief with your iPhone and its passcode can still unlock your phone, and any app that you haven't protected with an additional password or pin is vulnerable. That includes money transfer apps like Venmo. Also, when the new feature is released, it will be off by default. Users will have to activate it. So what can people do to be extra safe and make sure that this doesn't happen to them?


17:29
Speaker 3
I have to say, I think when I asked Aaron this question, his answer was the most telling because it was really about humans just being smarter.


17:43
Speaker 5
Don't give your password. Don't give your passcode out. Watch your surroundings. Stay on top of it.


17:52
Speaker 3
That's all he said. Don't give your passcode out, and beware of your surroundings. Those are two pretty, not very technical things. I could list a whole bunch of technical things that I think people should do. You should make your passcode stronger, make it alphanumeric, so it isn't easy for somebody to sort of look over your shoulder and remember that passcode. Add extra protection to those Venmo apps. There's the ability to add passcodes to those as well. So yeah, I can tell you a host of things to do to protect yourself, but the best advice might be errands, which is just beware of your surroundings and treat this phone like it has the keys to your life, because it does it.


18:48
Speaker 1
That's all for today. Thursday, December 21 the Journal is a coproduction of Spotify and the Wall Street Journal. Additional reporting in this episode by Nicole Nguyen. The show is made by Annie Baxter, Kylan Burtz, Katherine Brewer, Maria Byrne, Victoria Dominguez, Pia Gakari, Rachel Humphreys, Ryan Knutson, Matt Kwong, Kate Linebach, Annie Minoff, Laura Morris, Enrique Perez de la Rosa, Sarah Platt, Alan Rodriguez Espinosa, Heather Rogers, Jonathan Sanders, Pierce Singhi, Jivaka Verma, Lisa Wang, Catherine Whalen, Tatiana Zamis and me, Jessica Mendoza. Our engineers are Griffin Tanner, Nathan Singapock, and Peter Leonard. With help this week from Sam Baer. Our theme music is by so Wiley. Additional music this week from Catherine Anderson, Peter Leonard, Billy Libby, Bobby Lord, Emma Mung, Nathan Singapock, Griffin Tanner and blue Dot sessions. Fact checking by Mary Mathis. Thanks for listening and happy holidays.

Comments

Post a Comment

Popular posts from this blog

U.S. Strikes Houthi Forces & Oregon Lawmaker’s Reelection Bid | Afternoon Update | 2.1.24

00:00 Speaker 1 This episode is brought to you by Netsuite. Download Netsuite's popular KPI checklist, designed to give you consistently excellent performance. Absolutely free@netsuite.com. Slash Morningwire that's Netsuite.com slash Morningwire. 00:15 Speaker 2 I'm Daily Wire editor in chief John Bickley with Georgia Howe. It's Thursday, February 1, and this is your morningwire afternoon update. 00:24 Speaker 3 Us military forces carried out a self defense strike against houthi unmanned aerial vehicles. 00:30 Speaker 4 And a ground control station early this morning. Daily Wire senior editor Cabot Phillips has more. 00:36 Speaker 5 According to CENTCOM, the military determined that a recently discovered uav ground control station, as well as a number of uavs in the houthi controlled areas of Yemen, presented an immediate threat to ships passing through the Bob Elmandeb Strait. As a result, CENTCOM says, the station was hit along with ten one way u...
Read more

Ukraine's $30 Billion Problem

00:05 Speaker 1 For the last two years, Ukraine has been fighting off a russian invasion. And this effort is exhausting and costly. To keep the country running, Ukraine has been relying on tens of billions of dollars from the US and the EU. But now that money me isn't flowing, what's at stake if Ukraine doesn't get. 00:31 Speaker 2 This money for Ukraine, the money that it's waiting on from the US and the EU determines its ability to fight the war? I think there's no way around that. Everybody agrees that it's extremely critical. 00:47 Speaker 1 That's our colleague Chelsea Delaney, and we're. 00:51 Speaker 2 Talking both about military aid, so ammunition, drones, all of those things, and as well, the money that the government needs to keep meeting its obligations to the people in Ukraine. So all of that is hung up right now. And without either the US or the EU, Ukraine's ability to fight, Russia is going to be severely constrained....
Read more

Border Bill Drama & Neuralink’s First Implant | 1.31.24

00:03 Speaker 1 While bipartisan negotiations over a border bill continue, many Republicans say it's dead on arrival. Instead of deterring immigration, they're literally incentivizing illegal immigration. They're handing people a parole and a work permit. Day one. That has to stop. 00:19 Speaker 2 When will the Senate share the full text of the bill? And can President Biden take unilateral executive action? 00:25 Speaker 1 I'm daily Wire editor in chief John Bickley with Georgia Howe. It's Wednesday, January 31, and this is Morning wire. 00:37 Speaker 3 Guys, this is not allowed, guys. Asking you to leave property. Or are we calling all the police? Have it your way. 00:50 Speaker 1 Six pro life protesters face eleven years in prison and hundreds of thousands of dollars in fines after being convicted of face act violations. Is this a case of political targeting? 01:02 Speaker 2 And Elon Musk announces his biotech company has implanted their ...
Read more