A THIEF has revealed how he stole more than £230,000 from oblivious iPhone owners by using a tool that was meant to protect them.
Aaron Johnson, who is currently serving eight years at the Minnesota Correctional Facility, explained how he was able to nick the money.
Photo caption (WSJ): Aaron Johnson revealed how he stole more than £230,000 from oblivious iPhone users.
Photo caption (WSJ): He would visit local bars and befriend young people before he temporarily took their phones.
The 26-year-old explained to The Wall Street Journal how, between 2021 and 2022, he would visit local bars and befriend young people.
He would peer over their shoulder and watch them insert their passcodes, before taking their phones.
After taking a mental snapshot of the code he would log into the devices and change the passwords, locking the phone owners out of their Apple IDs.
The cunning thief would also ensure he had his own face enrolled in Face ID and that he had removed the owner’s biometrics.
This was a crucial element to pulling off the crafty trick, as he now had access to the phone’s password keychain, where login credentials for banking apps were there for the taking.
Johnson and his accomplices swindled thousands of dollars from the accounts – often before the victim even realised their phone had been swiped.
The security flaw is what prompted the recent launch of Apple’s “Stolen Device Protection” – a setting that prevents cyber-criminals from locking iPhone users out of their Apple accounts or accessing any of their passwords stored in Apple’s Keychain.
Johnson explained that he would go to bars and target college-aged men with Pro iPhone models rather than women, because women were “more guarded and alert to suspicious behaviour”.
The thief would then either approach his victims by offering drugs or posing as a “rapper” and asking to connect with them on social media.
The victim would usually be drunk and would end up in a conversation with him and hand over their phone, thinking he would simply add in his information and hand it back.
But instead, Johnson would ask them for their passcode, which the unsuspecting victim would tell him.
He told the Wall Street Journal: “I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something.
“And then I just remember it.”
Describing how quickly he could change passwords, he said: “faster than you could say supercalifragilisticexpialidocious.
“You gotta beat the mice to the cheese.”
Once he had set up his Face ID, Johnson would swiftly transfer large sums of money out of the victim’s bank account using mobile payment services such as Venmo, Zelle, and Coinbase.
The next day, Johnson would go on a spending spree and would buy stuff using Apple Pay, including other Apple products.
After he had rinsed the account he would sell the phone to Zhongshuang “Brandon” Su, also known as the “iPhone Man”.
The 32-year-old would allegedly then sell many of the stolen phones overseas, including to Hong Kong.
A successful weekend would result in Johnson selling up to 30 iPhones and iPads to Su and making around £16,000 – not including money he’d taken from victims’ bank apps.
Last week, Apple added a new layer of protection in the latest iOS update, called Stolen Device Protection.
If the feature detects that the iPhone is in an unfamiliar location, it will require Face ID to unlock sensitive settings on the device.
Stolen Device Protection is set to roll out with Apple’s iOS 17.3 but is currently being tested in beta.
At the centre of Stolen Device Protection is a reliance on the user’s biometrics via Apple’s Face ID or Touch ID and geolocation data on the iPhone owner’s most familiar places.
When users enable Stolen Device Protection, three new protective features will be activated.
Stolen Device Protection is designed to block any thief’s attempt to lock out the owner by switching the Apple ID if the effort is made when their iPhone is not in a familiar location, like their home or office.
If the owner, a thief or anyone else tries to change the Apple ID password away from these familiar locations, the device will require the owner’s Face ID or Touch ID twice.
After the first biometric scan via Face ID or Touch ID, the setting requires a second scan an hour later before the changes can be made.
This prevents the kind of low-risk “smash and grab” an iPhone thief is most likely to attempt.
Stolen Device Protection will also require two Face ID or Touch ID scans one hour apart if anyone operating the iPhone from a strange location attempts to add or delete a “recovery key” or change a user’s trusted phone number.
Apple’s recovery key is a randomly generated 28-character code for regaining access to an Apple ID when the user is locked out, which users can then save somewhere safe (whether handwritten, emailed to themselves, memorised or something more creative).
Protecting these features ensures that a thief can’t lock you out of everything you have saved to iCloud, including personal photos or important files, which might otherwise be lost forever.
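To make the difference between the old behaviour and Stolen Device Protection concrete, here is an added Python model of the policy as the article describes it. It is not Apple’s code and does not reproduce how iOS actually implements the feature: the face labels, location labels, passcode and timestamps are constructed stand-ins, and the rule that a familiar location needs only one scan with no delay is taken from the description above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Changes the article says Stolen Device Protection guards with a second scan
# and a one-hour delay when the phone is away from familiar locations.
PROTECTED_ACTIONS = {
    "change_apple_id_password",
    "add_recovery_key",
    "remove_recovery_key",
    "change_trusted_phone_number",
}
SECURITY_DELAY = timedelta(hours=1)


@dataclass
class PhoneState:
    passcode: str
    enrolled_faces: set          # labels standing in for biometric templates (constructed)
    familiar_locations: set      # labels standing in for geolocation clusters (constructed)
    stolen_device_protection: bool = False
    pending_scans: dict = field(default_factory=dict)  # action -> time of first passing scan


def attempt_change(phone, action, passcode, face, location, now):
    """Decide whether a sensitive account change may proceed.

    Returns 'allowed', 'denied' or 'delayed'. With protection off, a correct
    passcode alone authorises everything, which is the weakness the thief used.
    With it on, a matching biometric is required, and outside familiar
    locations a second scan at least SECURITY_DELAY after the first is needed.
    """
    if passcode != phone.passcode:
        return "denied"
    if action not in PROTECTED_ACTIONS or not phone.stolen_device_protection:
        return "allowed"
    if face not in phone.enrolled_faces:
        return "denied"      # a shoulder-surfed passcode is no longer enough
    if location in phone.familiar_locations:
        return "allowed"     # home or office: one scan, no delay (assumption)
    first = phone.pending_scans.get(action)
    if first is None:
        phone.pending_scans[action] = now
        return "delayed"     # first scan recorded; come back after the delay
    if now - first < SECURITY_DELAY:
        return "delayed"
    del phone.pending_scans[action]
    return "allowed"


def simulate_bar_theft():
    """Replay the article's scenario under both settings and return the outcomes."""
    t0 = datetime(2022, 6, 4, 23, 30)  # constructed timestamp
    action = "change_apple_id_password"
    unprotected = PhoneState("23456", {"owner"}, {"home", "office"})
    protected = PhoneState("23456", {"owner"}, {"home", "office"},
                           stolen_device_protection=True)
    return {
        # Thief knows the passcode, presents his own face, sits in a bar.
        "thief_no_sdp": attempt_change(unprotected, action, "23456", "thief", "bar", t0),
        "thief_with_sdp": attempt_change(protected, action, "23456", "thief", "bar", t0),
        # Legitimate owner at the same bar has to scan twice, an hour apart.
        "owner_bar_first": attempt_change(protected, action, "23456", "owner", "bar", t0),
        "owner_bar_30min": attempt_change(protected, action, "23456", "owner", "bar",
                                          t0 + timedelta(minutes=30)),
        "owner_bar_1h": attempt_change(protected, action, "23456", "owner", "bar",
                                       t0 + timedelta(hours=1)),
        # At home, a single scan is enough.
        "owner_home": attempt_change(protected, "add_recovery_key", "23456", "owner", "home", t0),
    }


if __name__ == "__main__":
    for name, outcome in simulate_bar_theft().items():
        print(f"{name}: {outcome}")
```

The model only covers the rules the article lists. Note that the thief’s trick relied on enrolling his own face using the passcode; if that enrolment step were not itself gated, a check like the one above would be bypassed, which is why the biometric, the location check and the delay have to work together rather than any one of them alone.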
Photo caption (WSJ): The thief said he could change passwords ‘faster than you could say supercalifragilisticexpialidocious’.
Photo caption (WSJ): A successful weekend would result in Johnson making around £16,000.