Brazilian iPhone thieves demonstrate importance of responsible password practices

Posted in General Discussion, edited July 2021
A recent rash of iPhone thefts in Brazil serves as yet another cautionary tale for users who store passwords in an unsecured location on their device.

In June, reports surfaced about a string of Brazilian iPhone thefts that dates back to 2020. Instead of flipping the hardware for cash, thieves sought a more lucrative payout by using the devices to gain unauthorized access to victims' bank accounts.

Exactly how the locked iPhones were breached and bank accounts accessed remained unknown until Sao Paulo authorities arrested members of a gang that specialized in the technique. Unlike government data gathering operations or sophisticated hacks that require expensive equipment and obscure software exploits, all that was needed was a SIM card removal tool, reports Folha de Sao Paulo.

According to Police Chief Fabiano Barbeiro, criminals take the SIM out of a victim's iPhone, place it in an unlocked device and search for linked accounts on social media networks like Facebook or Instagram. Once an account connected to the phone line is found, the intruder searches for an associated email address which, according to one suspect, is usually also paired to a user's Apple ID.

Using the email account and phone number, the thieves reset the Apple ID password on the unlocked iPhone, download system backup information from iCloud and conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.

With the information in hand, the SIM card is swapped back to the original iPhone. Another gang member responsible for accessing bank accounts takes charge of the device and uses it to siphon off money.

9to5Mac spotted news of the Brazilian iPhone crime ring earlier today.

Apple does include certain security features that can mitigate portions of the attack, including two-factor authentication and remote data wipe in Lost Mode. Indeed, the company in a statement last month promised to make data erasure features "easier to access." Still, the security safeguards are only effective if they are enabled prior to theft.

In this case, and as a general rule, it's never safe to store passwords locally in an unsecured location. For those who deal with multiple passwords or "strong" randomized passcodes that are difficult to memorize, investing in a password manager or using Apple's own Keychain are viable options.
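To make the article's point concrete, here is an added example in Python (not from AppleInsider, the police report, or Apple): it runs the same plain keyword search the article describes over a constructed notes export and adds a heuristic for credential-looking lines, so a user can audit their own notes and move any hits into Keychain or a password manager before a restored backup gives them away. The sample note texts, the label list and the regular expression are constructed assumptions, and the heuristic will produce some false positives that need manual review.

```python
"""Audit a notes export for plaintext credentials (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Constructed sample export: (title, body) pairs standing in for a notes backup.
SAMPLE_NOTES: List[Tuple[str, str]] = [
    ("Grocery list", "milk\neggs\nbread"),
    ("password", "bank acct: 1234-5678\nemail password: hunter2\ninstagram pw: p@ssw0rd!"),
    ("Trip notes", "Flight at 9am. Hotel confirmation 88421."),
    ("Misc", "wifi: CoffeeShop / welcome123\nPIN 0000"),
]

# Heuristic (assumed label list): a label that usually precedes a secret,
# an optional ':' or '=', then a non-blank value on the same line.
CRED_LINE = re.compile(
    r"\b(password|passwd|pwd|pw|pin|passcode)\b\s*[:=]?\s*(\S+)", re.IGNORECASE
)


def keyword_hits(notes: List[Tuple[str, str]], keyword: str = "password") -> List[str]:
    """Titles of notes that a plain keyword search (as Spotlight would do) surfaces."""
    kw = keyword.lower()
    return [title for title, body in notes if kw in title.lower() or kw in body.lower()]


def credential_lines(body: str) -> List[Tuple[str, str]]:
    """(label, value) pairs for lines that look like a stored credential."""
    found = []
    for line in body.splitlines():
        m = CRED_LINE.search(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def audit(notes: List[Tuple[str, str]], keyword: str = "password") -> Dict[str, dict]:
    """Map note title -> findings for every note that a thief's search or the
    credential heuristic would expose. Notes with nothing to report are omitted."""
    hits = set(keyword_hits(notes, keyword))
    report: Dict[str, dict] = {}
    for title, body in notes:
        creds = credential_lines(body)
        if title in hits or creds:
            report[title] = {"keyword_match": title in hits, "credentials": creds}
    return report


if __name__ == "__main__":
    # Expected on the constructed data: the "password" note and the "Misc" note
    # (the latter only via the PIN line, which a keyword search alone would miss).
    for title, finding in audit(SAMPLE_NOTES).items():
        print(f"[{title}] keyword={finding['keyword_match']} creds={finding['credentials']}")
```

The point of the second heuristic is that the "Misc" note never contains the word "password" yet still holds a PIN, so a user who only renames the note (as one comment below suggests) has not removed the exposure; the fix is to move the value out of plain text entirely.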


Comments

  • Reply 1 of 16
    maltz, Posts: 443, member
    Yet another reason why using SMS to send 2FA or recovery codes is a bad idea...
  • Reply 2 of 16
    Japhey, Posts: 1,766, member
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
  • Reply 3 of 16
    gatorguy, Posts: 24,084, member
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
    I don't think the user is tagging it "password" but could be wrong. 
  • Reply 4 of 16
    Japhey, Posts: 1,766, member
    gatorguy said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
    I don't think the user is tagging it "password" but could be wrong. 
    From the article:
    “conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.”

     If the user wasn’t tagging the word “password”, then a spotlight search for that word would yield nothing. 
    edited July 2021
  • Reply 5 of 16
    linkman, Posts: 1,035, member
    I'm a bit lost here. I understand that having the SIM card gives the thief's phone the phone number of the stolen one, but is there any info stored on the SIM that would contain the social media information? But I could see a link between the phone number and a Facebook account for example -- if the thief can search by the phone number and find the Facebook account somehow that connects the two.
  • Reply 6 of 16
    NYC362, Posts: 70, member
    I'm an Apple Specialist and it is just incredible how many people 1) use simple number sequences for their iPhone/iPad passcode (1111, 0000, 1234, etc). Even worse is how many times, when I've asked someone to enter their Apple ID password in their phone, they open up the Notes app and there is every password and PIN number for their entire life.

    I try to inform them how unsafe that is, but few listen.  I even show them password books (like an address book) that cost about $5.00 on Amazon.  While even that might not be the safest thing if a home is burgled, it is still better than having an iPhone whose passcode is 0000 with all your user names and passwords to every website under the sun in Notes; that is just courting disaster.  (Often these are the same phones that aren't backed up anywhere, so when it gets lost, the information is gone as well.)


  • Reply 7 of 16
    I helped an older man, a family friend, with some computer issue he was having years ago. Upon starting up and logging in I got to see that his desktop background was a photograph of a sheet of paper where he had written down all his user names and passwords.

    Seems like these phone thieves could find even easier targets!
  • Reply 8 of 16
    JanNL, Posts: 327, member
    I helped an older man, a family friend, with some computer issue he was having years ago. Upon starting up and logging in I got to see that his desktop background was a photograph of a sheet of paper where he had written down all his user names and passwords.

    Seems like these phone thieves could find even easier targets!
     :D 
    Have seen it too, it was even a bad photo of the sheet  ;)
  • Reply 9 of 16
    Rayz2016, Posts: 6,957, member
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?

    Oh, gets worse.

    https://www.amazon.co.uk/password-notebook/s?k=password+notebook

    Someone asked me if I could get them one of these for Christmas. It's like they'd not listened to a word I'd said.

    "What about one with a locking clasp?"

    "You mean the one with the strap I could cut with a craft knife?"


  • Reply 10 of 16
    citpeks, Posts: 238, member
    maltz said:
    Yet another reason why using SMS to send 2FA or recovery codes is a bad idea...

    And yet, financial institutions, and "security" companies like Ring still insist on using them as valid forms of verification.  The latter actually made an effort to drive all their users to SMS codes, in lieu of other methods available before.
  • Reply 11 of 16
    Japhey, Posts: 1,766, member
    Rayz2016 said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?

    Oh, gets worse.

    https://www.amazon.co.uk/password-notebook/s?k=password+notebook

    Someone asked me if I could get them one of these for Christmas. It's like they'd not listened to a word I'd said.

    "What about one with a locking clasp?"

    "You mean the one with the strap I could cut with a craft knife?"


    Haha…I looked them up after reading NYC362’s post. A notebook with “Passwords” written boldly across the front? Seriously? It’s like these people are begging for trouble. And the prices were hilarious too. If a notebook is someone’s idea of a brilliant solution, why not just get a cheap unlabeled one from the school supplies section of any store for like $2?
  • Reply 12 of 16
    gatorguy, Posts: 24,084, member
    Japhey said:
    gatorguy said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
    I don't think the user is tagging it "password" but could be wrong. 
    From the article:
    “conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.”

     If the user wasn’t tagging the word “password”, then a spotlight search for that word would yield nothing. 
    I still think it's the software tagging it "password" for various site log-ins and not the user. I've seen similar in other data before. 
  • Reply 13 of 16
    Japhey, Posts: 1,766, member
    gatorguy said:
    Japhey said:
    gatorguy said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
    I don't think the user is tagging it "password" but could be wrong. 
    From the article:
    “conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.”

     If the user wasn’t tagging the word “password”, then a spotlight search for that word would yield nothing. 
    I still think it's the software tagging it "password" for various site log-ins and not the user. I've seen similar in other data before. 
    I hear what you’re saying. I think it’s user error, you think it’s a software error. Perhaps a better written article would shed light on which one it was. 
  • Reply 14 of 16
    gatorguy, Posts: 24,084, member
    Japhey said:
    gatorguy said:
    Japhey said:
    gatorguy said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?
    I don't think the user is tagging it "password" but could be wrong. 
    From the article:
    “conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.”

     If the user wasn’t tagging the word “password”, then a spotlight search for that word would yield nothing. 
    I still think it's the software tagging it "password" for various site log-ins and not the user. I've seen similar in other data before. 
    I hear what you’re saying. I think it’s user error, you think it’s a software error. Perhaps a better written article would shed light on which one it was. 
    Not so much an "error", but yes.
  • Reply 15 of 16
    I helped an older man, a family friend, with some computer issue he was having years ago. Upon starting up and logging in I got to see that his desktop background was a photograph of a sheet of paper where he had written down all his user names and passwords.

    How about Mo Brooks, the congressman from Alabama? Last month, he tweeted a photo of his computer monitor to show some information on it. At the bottom of the screen, he had taped a note with his Gmail address and password.
  • Reply 16 of 16
    maltz, Posts: 443, member
    Rayz2016 said:
    Japhey said:
    I’m dumbfounded as to why anybody would list their passwords next to or under the actual word “password”. Even my non-tech savvy mother knows not to do this. If passwords must absolutely be stored on the phone, at least be clever enough to label them as something else. And I’ve never had to reset my Apple ID or do any of the other things these thieves did, but wouldn’t storing such information in a locked note eliminate this risk since Touch ID and Face ID info is encrypted in the Secure Enclave?

    Oh, gets worse.

    https://www.amazon.co.uk/password-notebook/s?k=password+notebook

    Someone asked me if I could get them one of these for Christmas. It's like they'd not listened to a word I'd said.

    "What about one with a locking clasp?"

    "You mean the one with the strap I could cut with a craft knife?"

    To be fair, a password notebook filled with strong, unique passwords is FAR better than what most people do - use the same, fair-to-poor password on every site they log into, including things that affect money, like Amazon or their bank.  Sure, you then have to worry about the physical security (and backup redundancy) of the notebook, but the largest account takeover threat isn't local anyway.