Stolen iPhone & phishing attempt - an interesting story

Or just turn it on in a public parking garage 2-3 floors below street level. In some cities, you can just go to an underground subway platform. There are lots of places (at least in a city) where you can avoid any and all cellular signals. Especially if you have another phone to use as a meter in order to look for a place with zero bars.

I suspect you could also just remove the SIM card to block it from any and all cell towers.

A SIM card isn't required to connect to a cell tower, it's common to be able to make emergency calls from a phone without a SIM. But my guess is the Find My Phone feature and remote erase command depend on the phone having an active connection to either a cell data plan or a WiFi network so it can "phone home" to Apple servers.

1 Like

It's also true that recent iPhones can use eSIMs, so there wouldn't be a physical SIM to remove.

Removing the device from iCloud removes the Activation Lock. Best not to do that with a stolen iPhone. If they manage to bypass the Activation Lock and resell it, the next time the iPhone is reset to factory, etc., Activation Lock will re-engage. So leave it in your iCloud. It could pop up at a much later time.

It may end up on the black market for parts. In Chinese electronics markets one can buy iPhone system boards that are activation locked and people do things like desolder the flash storage and other parts. They sell very cheaply. The screen, case, glass, etc. are worth something as well.

Also, carriers have found workers being bribed to unlock stolen iPhones in bulk via organized crime.

1 Like

@stottm - Thanks. Sure I could leave it on my account, but then when does one draw a line and move on?

Here I am exactly three weeks later, and yes, it could pop up again some time in the future, but that's both very unlikely now and not really my problem any more (my insurance paid out, I'm using a temporary loaner iPhone, and will buy a 12 Pro Max in a couple of weeks).
So when my 12 arrives, I'll likely just remove it then, as it'll have been several weeks, and long enough for me to now spend my time and energy elsewhere.

Also, given I was spear-phished via SMS, these crims likely know what they're doing enough for me not to see it again; breaking it down for parts or selling unscrupulously to unsuspecting buyer as 'working' device.


On a related note, the police investigation was an omni-shambles!

Despite my best efforts, the Met police failed to collect the CCTV until day 23 after the event, and the restaurant manager failed to keep the data, as their system wiped over the recording (he didn't seem very interested either). Doh!

In the UK, the venue doesn't have to give me (the victim) a copy of their CCTV, and may say 'data protection' law prevents them doing so (questionable, as they may/may not still do so?). Also seemingly they have no legal responsibility to keep the footage either, so if they don't want the 'hassle' factor, they can just make excuses and not hand it over even to the police.

The police are, as ever everywhere, under-resourced and in high demand. So unless your crime is near the top of their agenda, they can only get around to it when they can – hence the 23-day delay in police attempting to collect the CCTV evidence.

Finally, I got a delightful email from the PC (police constable) in charge of my case, saying she was sorry but the CCTV was 'not forthcoming', thus due to lack of further evidence, she has had to close the case. So that's the end of that then. :confused:

1 Like

I missed the Siri comments earlier - doesn't Siri go by specific voice? Two of us can use Siri in the same room and only our specific phones respond. We have each tried the other's Siri and she won't bite. Granted we are male/female.

Diane

Within minutes of removing the device from your iCloud account, as soon as the device is online the activation lock will be removed. This happens all the time when someone sells a device or gives one away to another person. If you do not unlock the device and use the reset all settings and content option then authenticate with your iCloud account; the device will go into Activation Lock mode when wiped. Displaying a partial iCloud email address and prompting for the iCloud password. Once the device is removed from your iCloud inventory the activation lock is removed and seconds later the activation lock screen on the device disappears and it can be set up as new out of the box. I've done this several times with employees who returned iPads upon termination but we weren't MDM managing them at the time. I would hard wipe them and wait at the activation lock screen then ask the former employee to please remove it from their iCloud account. Moments after they did so, the activation lock would just disappear and it was like it was out of the box new.

Leaving the device in your inventory doesn't inconvenience you in the slightest. But will give the thieves a hard time. It may be many months before someone attempts to do anything with the stolen phone. It may eventually end up in a shipping container with other stolen phones and land overseas somewhere. A year later someone could try activating it again. Just leave it alone. You will only be helping the criminals and thereby encouraging more theft.

There are ways to bypass the activation lock but less likely with newer devices. Even if it was bypassed the next time the device is reset it will still lock again providing it is still listed in your iCloud inventory. I would just leave it there for years. Again, it's no bother to you and it's not doing anything except maintaining the activation lock and pending a wipe.

4 Likes

I know that for "Hey Siri" that's the case, but I think activating Siri by button-press processes any voice.

1 Like

I'll give that a try! What is the button press for newer phones without the button? (I still have a button)

Diane

Siri is a long-press of the side button in Face ID phones.

Thanks again. Yes, I see what you're saying. It's just a pain to have some old device on my account for what presumably would be an indefinite period of time.

The question then is, just when does one remove a stolen device from one's Apple account?
Apple support doc, leaves this one to the user:

Point 8, just casually gives users the instructions on how to remove it. They don't really advise on what to do further than that.

And this page is both out of date, and talks about a temporary removal from devices list, that makes no sense to me, as those options are not available if the erase request is on...
"If you are not using a device, you can temporarily remove it from your account so it does not show up in your Devices list. When the device goes online again, it reappears in the list."


Ultimately as there is no global authority to maintain stolen devices (clearly such a thing could never be maintained), the victim whose device was stolen has to make their own moral choices.

  1. Remove device from your account after X period of time, have clean device list and move on with life.
    If device still exists (could already be broken down for parts), then thief (or person thief sold it to) can then activate device using their own A-ID+pw and use it.

  2. Keep device on your account for X period of time, but have this ghost device on your ac indefinitely.
    If device still exists (could already be broken down for parts), then thief (or person thief sold it to) can NOT then activate device using their own A-ID+pw and use it.

TBH, while the second one sounds like a great thing to do for society and all that, from a personal perspective, who wants a stolen device associated with their A-ID for an indefinite period of time... no one.

Sure you could remove it after say 2 years(?) or something, but really it's not the victim's responsibility to police stolen device reuse. And it's pretty unreasonable to expect them to, IMO. :neutral_face:

1 Like

I should add here, that there is also a thing called the "GSMA blacklist" that most worldwide carriers use.

After checking several online free checkers using the stolen device's IMEI #, it shows as "Blacklisted" on them all.

EDIT: The only thing that stops this list being effective, is thief has an insider at a carrier, who can presumably take the device off the blacklist again. :neutral_face:

3 Likes

More strangeness...

Today (Monday morning at 9am; just over 3 weeks after device stolen) I get two 30-second silent calls.

So they've clearly managed to get my mobile number (how, is anyone's guess? As it's not shown on Emergency contacts, nor printed on the SIM card), and are doing some testing to see if the line is reactivated.

Called my carrier (O2, here in the UK), they rechecked IMEI of original device was blacklisted (it was), and also checked the SIM card number (not the mobile phone#) was barred on their system when they sent a new SIM card to me (it was).

So now what are the thieves trying to do...?

(I guess I am going to have to leave it on my Apple ID device list then. Screw 'em!) :laughing:

It looks like your phone number is being spoofed; spoofing is supposed to be very easy:

Text messages can also be spoofed, so beware of anything that looks remotely suspicious as well. It might be a good idea to warn friends and family that your number has been spoofed and they might be receiving calls looking like they are coming from you.

It's common for phone thieves to contact rightful owners to ask for a reward, or even to meet you to return the phone, and to extract more information. When you are gone, they often attempt to break in to your home or car.

1 Like

I would check any dark web services that will tell you if your passwords have been compromised online. As well as any personal identifiable information about you leaked online. It's pretty easy to get that information, name, address, phone number, etc.

Then I would get myself a password manager and multi-factor authentication tool and change all the critical passwords for financial, social media, etc., etc., etc. This is recommended for anyone not just someone who had a smartphone stolen. Consider changing your phone number as well and updating it everywhere. Consider a credit monitoring service as well.

They are digging deeper to mess with you down the line. Also the thieves might have just sold the device in a batch to another set of thieves who are poking around to see what they can accomplish. You are on their radar now and are on a target list.

Although it's unlikely they will compromise your data from the stolen iPhone they may have identified you and are digging deeper and deeper to exploit any other vulnerabilities so they can phish you and trick you so they can remove the Activation Lock. Or perhaps unlock your device. Or rob you blind. Unfortunately, there are a vast number of easy marks so be on the lookout for all sorts of weird stuff happening.

1 Like

@MMTalker - Yes, two of the three family members on my Emergency contacts received the SMS mentioned at the top of this thread. They were warned by me about SMS/calls/email attempts, and know to ignore them.

As for meeting to get back, they can go stuff it up their backsides, lol! I'd never meet anyone under any circumstances. And as for burglary, I own in a flat (apartment) with plenty of people around front and back areas, and normally (even more so at the moment) there is someone home, so good luck with that one tea leaf.

2 Likes

This may be a coincidence. What evidence do you have that this was the thieves calling?

Also, fwiw, my old iPhone 6s with an old, inactivated SIM card still shows the phone number for that SIM in Settings / General / About. I'm not sure if that's because the phone once had that number, but, if the SIM shows the number even if inactivated, thieves could have put your old SIM into another phone to get the phone number, if it was indeed them calling.

1 Like

@stottm - I use 1Password religiously daily, with its 'have I been pwned' service: nothing so far. Also use 2FA when available.

Not changing my phone number, as that's too difficult for many reasons.
Credit monitoring. Maybe do one if needed to, just before any new credit application.

As for the rest, phishing isn't going to get them anywhere with me. So that's off for them.
And anything else, I'll live with it. :roll_eyes: Thanks!

@ddmiller - Could be coincidence. Just seems unlikely given the recent theft circumstances. Also it was twice –one 30sec call straight after the other– which I answered on the first ring. The occasional missed robo-call I get normally sound different (I generally never get them, normally happen after a few rings, and certainly never remember ever receiving two together).

I always lock my SIM cards, so whenever my phone is turned on from being completely off (i.e. not just in standby), I enter my device passcode AND it asks for my SIM passcode immediately afterwards. So AFAIU, they couldn't use it for anything (making calls or getting my info from it).
TBH, I don't know why more people don't lock their SIM cards? Apple doesn't really mention it much in their device screens or kb articles AFAIR, and it's rather hidden a couple of menus deep on devices (mobile data > data plans[your number] > SIM PIN).

1 Like

I'm not sure that's how it works. I might be misremembering here, but the iPhone gets the phone number either from user input or from the carrier, but not from the SIM itself. IIRC the iPhone in fact cannot get the phone number from the SIM alone. I assume in your case it is simply cached and has nothing to do with the state of the deactivated SIM itself.

To the OP's point, if they cannot get into his phone, they cannot get his number. They shouldn't be able to get it off the deactivated SIM either. They might be able to get it from the OP's carrier, but that would involve duping the carrier (eg. ID theft).

1 Like