What you should know
- Aaron Johnson, a convicted felon, used to steal iPhones, lock out the original owners, and gain control of their financial apps, resulting in theft of hundreds of thousands of dollars.
- Johnson would obtain the iPhone passcodes by watching users enter them or tricking them into revealing them, especially targeting drunk individuals in bars. He would then change the passcode and Apple ID, effectively locking out the legitimate owner.
- With the passcode, Johnson could change Face ID settings, gain access to banking and financial apps, and even find passwords and social security numbers in the Notes app.
- Apple is introducing a new feature in iOS 17.3 called Stolen Device Protection. This feature, when enabled, requires Face ID or Touch ID verification for changing Apple ID password, Face ID settings, or disabling Find My iPhone when the device is away from the user’s home or work. It also includes an hour delay, giving victims time to realize they’ve been locked out and report to Apple.
Full Story
Aaron Johnson is a name that would send chills down the spine of any iPhone owner. Why? Well, he’s an expert at hijacking iPhones. The Wall Street Journal’s Joanna Stern had a chat with him in prison. Johnson revealed how he could take control of your iPhone in mere seconds. He’d lock you out and gain access to your financial apps. He’s stolen hundreds of iPhones and swiped hundreds of thousands of dollars. The arrest warrant claims he stole $300,000, but Johnson insists the actual figure is between one and two million dollars.
Initially, Johnson’s game plan was simple. He’d steal iPhones, wipe them clean, and then resell them. His circumstances were dire – jobless, homeless, and with children to care for. He needed a way to make money, and stealing iPhones was his solution. But he soon realized there was more money to be made by taking over control of the iPhones without the owners even realizing what was happening.
Johnson was a regular in Minneapolis bars. He’d observe iPhone users as they entered their six-digit passcodes. He had a particular knack for getting young, college-age guys to reveal their passcodes. Many of them were drunk. Johnson would approach them, claiming to have drugs, even though he didn’t. He’d offer to put his information in their phone. Once the phone was in his hand, he’d lock the device. Then he’d either ask for the passcode or hand it back to the owner and watch him unlock it.
Securing the passcode was just the first step. Gaining possession of the phone required “trickery and violence,” as stated in his arrest warrant. Once he had your phone and passcode, you were in deep trouble. He’d go to Settings, then iCloud, and click reset password. After entering the stolen passcode, he’d change it to his own number. He’d then disable Find My iPhone, effectively locking out the legitimate owner.
All iPhone users need to guard their passcodes fiercely. With the passcode, someone can change your Apple ID and gain access to your account. Johnson became so proficient that he could lock someone out of their iPhone and change the passcode and Apple ID in just five to 10 seconds. He could even alter Face ID so that his own face would unlock the device. This gave him access to passwords used on banking, securities, and other financial apps.
Johnson admitted to accessing victims’ savings accounts, checking accounts, Cryptocurrency apps, Venmo, and PayPal. If he couldn’t unlock the phone with his face, he’d open the Notes app. He found it to be a goldmine of information – passwords, social security numbers, you name it. By 5 am the next day, he’d have drained the owner’s bank accounts. He’d also go on a shopping spree with the victim’s unused credit lines. After wiping out the owner, he’d perform a factory reset and sell the phone.
Johnson was stealing iPhones at a rate of five to 10 a night. Over a weekend, he’d go through 30 iPhones. Selling the stolen handsets alone brought in $20,000 a week. Some of this money was used to buy iPad Pro tablets, which he’d resell for more cash. Johnson believes Apple should do more to protect its customers. And it seems Apple agrees.
With iOS 17.3, Apple will introduce the Stolen Device Protection feature. It will be off by default, but you can enable it by going to Settings > Face ID & Passcode > Stolen Device Protection. This feature is crucial for protecting yourself from criminals like Johnson. If your iPhone is away from your home or work, tasks like changing your Apple ID password, changing Face ID, or disabling Find My iPhone would require Face ID or Touch ID verification.
For an hour, no changes would be possible without Face ID or Touch ID verification. This delay is crucial as it gives victims an hour to realize they’ve been locked out and report it to Apple. To protect yourself further, avoid storing passwords and important personal data in the Notes app. Use a passcode made of both numerals and letters. Be cautious about exposing your passcode and never give it out.
