Joanna Stern Interviews iPhone Passcode Thief in Prison

Originally published at: Joanna Stern Interviews iPhone Passcode Thief in Prison - TidBITS

For additional background and color surrounding the Wall Street Journal’s reporting on iPhone passcode thefts, watch Joanna Stern’s interview with a convicted thief.


If you subscribe to Apple News+, you can find the article and interview here.

Tip: If you access a news article and find it locked behind a paywall via Safari, you can see if it is available in Apple News using the Share Sheet ‘Open in News’ item.

1 Like

(I’m “sharing” this article so you should be able to read it without a subscription to The Wall Street Journal. Please let me know if you’re blocked by a paywall.)


After reading the article (thanks @nello!) and learning how Johnson stole money from victims, it strikes me that a classic security tactic might have been able to limit the damage he caused at an individual level: compartmentalization. Somebody who uses both a Mac and an iPhone could limit all financial services activities, apps, and files to the Mac.

Yes, this is a great example of the tradeoff between convenience and security! No more paying bills between innings at a baseball game, right? But a thief cannot use your iPhone to steal your money, if that is something you’re worried about.

Passwords need to be long, complex, and unique to each account. Thus passwords to financial services must be stored in a password manager of some sort.

As a result, I don’t know how to implement “compartmentalization” because I’m not aware of a way to selectively synchronize (some but not all) passwords among devices.

If the password to a financial service is on an iPhone then it doesn’t matter whether the service’s app is also installed there.

1 Like

One way an iPhone and Mac owner can compartmentalize their banking, for example, is to do all banking on the Mac using a web browser. The password can be stored using any macOS password manager (for maximum security, store it locally, not in the cloud). For 2FA, use an iOS authenticator app, such as Google Authenticator, or if the bank doesn’t offer TOTP 2FA codes, whatever method the bank does support (even SMS-based 2FA is better than nothing).

Then, a criminal with possession of and access to your iPhone won’t be able to use the iPhone to transfer money out of your bank accounts quickly. The criminal has no direct way to attack your bank account because the full set of login credentials is only available with access to both your Mac and your iPhone.

Is this 100% secure? Of course not. But placing as many obstacles as possible in the path of an attacker buys time to take further steps, such as contacting bank and credit card issuers, before the attacker can.

Somebody who uses both a Mac and an iPhone could limit all financial services activities, apps, and files to the Mac.

That’s my approach. If they steal my phone they get nothing sensitive. Photos, texts.

It is indicative of just how vulnerable most civilians are, with passwords in Notes or screenshotted. Roll on 17.3; why Stolen Device Protection is not on by default beats me. I guess Apple turns it on with a set of caveats and preemptive warnings.

I pay almost exclusively with Apple Pay, either watch or phone. It might be good if there were additional checks once a daily limit was met.

Unless you (a) use a different password manager and (b) don’t use iCloud Keychain…that’s going to be difficult on an ongoing basis, isn’t it? I suppose with a 1PW subscription you could use a separate vault for financial stuff and, using the travel mode, not sync that to the iPhone…but realistically 1PW is going to be protected by the master password and either Face ID or Touch ID, and cracking the master password basically isn’t going to work as long as you’re not dumb and use a decently long password. For me…the Safari password list is less secure than just about any other password manager…so I wouldn’t use that (or Firefox’s or Chrome’s or whatever).

I haven’t looked at the relevant settings recently, but I’m pretty sure my card issuers and banks provide those types of alerts through their own websites, independent of Apple Pay/Apple Wallet.

I have something similar with my bank in regard to card usage. But I’ve not noticed it with Apple Pay and tapping.

Apple Pay is specifically excluded because you authenticate. With standard debit (or credit) card contactless transactions, there is no authentication, which is why banks make you do a chip & PIN transaction after a certain amount or number of contactless transactions. I’m pretty sure this is some sort of standardised EU regulation or financial industry requirement (which the UK also follows).