Brazilian iPhone thieves demonstrate importance of responsible password practices
A recent rash of iPhone thefts in Brazil serves as yet another cautionary tale for users who store passwords in an unsecured location on their device.
In June, reports surfaced about a string of Brazilian iPhone thefts that dates back to 2020. Instead of flipping the hardware for cash, thieves sought a more lucrative payout by using the devices to gain unauthorized access to victims' bank accounts.
Exactly how the locked iPhones were breached and bank accounts accessed remained unknown until Sao Paulo authorities arrested members of a gang that specialized in the technique. Unlike government data gathering operations or sophisticated hacks that require expensive equipment and obscure software exploits, all that was needed was a SIM card removal tool, reports Folha de Sao Paulo.
According to Police Chief Fabiano Barbeiro, criminals take the SIM out of a victim's iPhone, place it in an unlocked device and search for linked accounts on social media networks like Facebook or Instagram. Once an account connected to the phone line is found, the intruder searches for an associated email address which, according to one suspect, is usually also paired to a user's Apple ID.
Using the email account and phone number, the thieves reset the Apple ID password on the unlocked iPhone, download system backup information from iCloud and conduct a search for "password," presumably through Spotlight. In many cases, victims store passwords, account numbers and other important information in plain text, according to the suspect.
With the information in hand, the SIM card is swapped back to the original iPhone. Another gang member responsible for accessing bank accounts takes charge of the device and uses it to siphon off money.
9to5Mac spotted news of the Brazilian iPhone crime ring earlier today.
Apple does include certain security features that can mitigate portions of the attack, including two-factor authentication and remote data wipe in Lost Mode. Indeed, the company in a statement last month promised to make data erasure features "easier to access." Still, the security safeguards are only effective if they are enabled prior to theft.
In this case, and as a general rule, it's never safe to store passwords locally in an unsecured location. For those who deal with multiple passwords or "strong" randomized passcodes that are difficult to memorize, investing in a password manager or using Apple's own Keychain are viable options.
Comments
If the user wasn’t tagging the word “password”, then a spotlight search for that word would yield nothing.
I try to inform them how unsafe that is, but few listen. I even show them password books (like an address book) that cost about $5.00 on Amazon. While even that might not be the safest thing if a home is burgled, it is still better than having an iPhone whose passcode is 0000 and having all your user names and passwords to every website under the sun in Notes, which is just courting disaster. (Often these are the same phones that aren't backed up anywhere, so when it gets lost, the information is gone as well.)
Seems like these phone thieves could find even easier targets!
Have seen it too; it was even a bad photo of the sheet.
Oh, gets worse.
https://www.amazon.co.uk/password-notebook/s?k=password+notebook
Someone asked me if I could get them one of these for Christmas. It's like they'd not listened to a word I'd said.
"What about one with a locking clasp?"
"You mean the one with the strap I could cut with a craft knife?"
And yet, financial institutions, and "security" companies like Ring still insist on using them as valid forms of verification. The latter actually made an effort to drive all their users to SMS codes, in lieu of other methods available before.
How about Mo Brooks, the congressman from Alabama? Last month, he tweeted a photo of his computer monitor to show some information on it. At the bottom of the screen, he had taped a note with his Gmail address and password.