A 26-year-old thief has revealed the simple passcode trick he used to break into strangers' iPhones and steal hundreds of thousands of dollars from their bank accounts.
Aaron Johnson, who is currently serving eight years at the Minnesota Correctional Facility, explained in an interview with The Wall Street Journal how he was able to steal over $300,000 between 2021 and 2022.
Johnson would visit local bars, befriend young people, look over their shoulders as they entered their passcodes, then take their phones.
Having memorized their passcodes, he would then log into the devices, change the passwords and lock the victims out of their Apple IDs. He would also enroll his own face into the phone's Face ID and remove the owner's biometric.
That vital hack granted him access to the phone's password keychain - where their login credentials for banking apps were readily available.
Johnson and his accomplices drained thousands of dollars from the accounts - often before the victim even realized their phone had been swiped.
The security flaw is what prompted the recent launch of Apple's 'Stolen Device Protection' - a setting that prevents cyber-criminals from locking iPhone users out of their Apple accounts or accessing any of their passwords stored in Apple's Keychain.
Johnson explained that he would go to bars and target college-aged men with Pro iPhone models rather than women, whom he described as 'more guarded and alert to suspicious behavior'.
The thief would then either approach his victims by offering drugs or posing as a 'rapper' and asking to connect with them on social media.
The mostly drunk victim would end up in a conversation with him and hand over their phone, thinking he would simply add in his information and hand it back.
But instead, Johnson would ask them for their password, which the unsuspecting victim would tell him.
'I say, "Hey, your phone is locked. What’s the passcode?" They say, "2-3-4-5-6," or something. And then I just remember it,' he told the Wall Street Journal.
Describing how fast he could change passwords, he said: 'faster than you could say supercalifragilisticexpialidocious. You gotta beat the mice to the cheese.'
Once he had set up his Face ID, Johnson would swiftly transfer large sums of money out of their bank accounts using mobile payment services such as Venmo, Zelle, and Coinbase.
The next day, Johnson would hit different stores to buy stuff using Apple Pay, including other Apple products.
After completely emptying the victim's bank account, he would sell the phone to Zhongshuang 'Brandon' Su, also known as the 'iPhone Man'.
The 32-year-old would allegedly then sell many of the stolen phones overseas, including to Hong Kong.
Over a good weekend, Johnson could sell up to 30 iPhones and iPads to Su and make around $20,000. This did not include money he’d taken from victims’ bank apps.
Last week, Apple added a new layer of protection in the latest iOS update called Stolen Device Protection.
If the feature detects that the iPhone is in an unknown location, it will require Apple's Face ID to unlock the device.
Stolen Device Protection is set to roll out with Apple's iOS 17.3 but is currently being tested in beta.
At the heart of Stolen Device Protection is a strict reliance on the user's biometrics via Apple's Face ID or Touch ID and geolocation data on the iPhone owner's most familiar places.
When users enable Stolen Device Protection, three new protective features will be activated.
Stolen Device Protection is designed to block any thief's attempt to lock out the owner by switching the Apple ID if the effort is made when their iPhone is not in a familiar location, like their home or office.
If the owner, a thief or anyone else tries to change the Apple ID password away from these familiar locations, the device will require the owner's Face ID or Touch ID twice.
After the first biometric scan via Face ID or Touch ID, the setting requires a second scan one hour later before changes can be made, preventing the kind of low-risk 'smash and grab' an iPhone thief is most likely to attempt.
Stolen Device Protection will also require two Face ID or Touch ID scans one hour apart if anyone operating the iPhone from a strange location attempts to add or delete a 'recovery key' or change a user's trusted phone number.
Apple's recovery key is a randomly generated 28-character code for users who have lost access to their Apple ID, which they can save somewhere safe (whether handwritten, emailed to themselves, memorized or something more creative).
Protecting these features ensures that a thief can't lock you out of everything you have saved to iCloud, including personal photos or important files, which might otherwise be lost forever.
Although the new security update adds several failsafe measures to prevent a true disaster for Apple's iPhone customers, there are still open vulnerabilities if your phone is stolen.
Any app, email or website access that isn't protected by an additional password or PIN would still be at risk.
That means that, in many cases, any account or login that can be reset by text or email will still be at risk even if Stolen Device Protection is turned on.
Adding to that risk, all the credit cards or services linked to Apple Pay will still work with just a passcode if your Face ID or Touch ID biometrics fail.
The Wall Street Journal, which broke news of the nationwide thefts that led to this new update, suggests adding extra PINs or biometric hurdles to any financial apps on your device.
They also suggest moving quickly to access iCloud and wipe your stolen device remotely once you have noticed the theft.