Text Conversations with an iPhone Thief

Originally published at: Text Conversations with an iPhone Thief - TidBITS

Veronica de Souza shares the texts she received from the thieves who stole her iPhone and then tried to convince her to unlock it.

1 Like

Journalist Veronica de Souza published an article this week in Gothamist (part of WNYC) describing her refusal to remove a stolen phone from her Apple iCloud account, which permanently bricks the phone to anyone ever trying to wipe and re-use it. The attempts by thieves, hackers, and re-sellers to get her to clear the account resulted in a hilarious series of escalating threats.
The only downside appears to be that the new “owners” could see all her messages and photos (but I thought that’s what “wiping” the phone was supposed to take care of).
Comments? Here’s a link to the article.

I saw that article as well. I also saw a different post on Reddit that shows a Catch-22 to keeping the stolen device in the list: a person who lost an iPhone so long ago that the iOS version that the iPhone is on is preventing him from switching his iCloud account to Advanced Data Protection because all iPhones must be at iOS 16.2 or later.

I think the only three solutions to this are to not use ADP, to remove the old device from your list of devices, allowing it to be reset by whoever now has it, or to switch to a new Apple ID. The latter is probably what I would do, which I think would also allow removing all photos from the old Apple ID (after copying to the new one), and messages, and iCloud Keychain, etc. That’s a lot harder if the Apple ID is an active iCloud, MobileMe, or dotMac email address, though.

2 Likes

Great article. Thanks.

I hope de Souza has archived all these texts and sent them to law enforcement (New York, FBI and possibly others). They may not help her recover her iPhone, but when combined with reports from others, they may help arrest some of the people responsible.

2 Likes

I struck the second part of my reply because apparently you can remove a device from iCloud device list while keeping it in Find My.

2 Likes

I don’t think they had her passcode and it seems like she remotely erased it, so I don’t think the above is a problem.

2 Likes

Oh, you’re right! They were of course lying about seeing her messages and photos! :blush:

4 Likes

How did they get in touch with her through iMessage? I do not recall the lock screen of a remotely erased device showing the email associated with the AppleID the device is locked to.

According to the author in the comments after her article:

when trying to reset my phone they are prompted to enter my iCloud password. My iCloud email is also one of the ways to reach me via iMessage. So they used that to contact me

(the article specifically notes that she erased the phone remotely and that they didn’t have her passcode, FYI)

2 Likes

FWIW, also, when you mark a device as lost you can also display a phone number on the lock screen. Also I believe the email address of the Apple ID is obfuscated when you try to activate the device - see the example here.

3 Likes

See, that’s what I find confusing here. On one hand we have Apple saying email is obfuscated when prompting to unlock. And they show a screenshot which backs that up. But then it appears it’s being reported here that the thieves “are prompted to enter my iCloud password. My iCloud email is also one of the ways to reach me via iMessage.”

So is that email not obfuscated after all? Or is it that they initially, before locking the device, displayed their personal information (perhaps hoping they just lost it and an honest finder would return it) and that’s how the thieves got ahold of contact details? If they after that then locked the device the email would be obfuscated, but the thieves would then already have the contact details they needed to harass the victim.

An off-topic digression.

How can I tell what method the sender used to get a message to me? Is there some indication of what phone number or email address that is associated with my account the sender used?

You can find the sender’s address by tapping the icon at the top of the message’s screen. Then tap the “Info” button to get a contact card from the sender (which will be dynamically created on the fly if you don’t already have one). On that card, you’ll see phone numbers and e-mail addresses - there will only be one if you don’t already have a contact. If you do already have a contact, the one used to send the message will have a “RECENT” tag next to it.

As for how it came to you, that’s harder to tell because Apple doesn’t show you if a message arrives via your mobile carrier (SMS/EMS) or iMessage.

One easy way is if you have a non-phone device (e.g. a Mac, iPad or iPod) logged in to your iMessage account. If that device also received the message (and you don’t have Continuity enabled between your devices), then you know it came via iMessage. And that’s great, because it means the sender has an Apple ID. Law enforcement should be able to get a warrant for information about the owner of that ID.

If it didn’t arrive on a non-cellular device, then it’s probably SMS/EMS, and therefore arrived via the cell phone network. Law enforcement can get a warrant to contact the wireless carriers to try and identify the source, but numbers are easily forged, so it might not get them very far.

1 Like

As far as I know, there is no easy way to tell. If it is iMessage, Settings / Messages / Send & Receive - whichever phone number(s) and email address(es) that you have listed there are any way that you can be contacted. You can’t tell which one was used, but it doesn’t really matter - the other person is using iMessage as well and could use any of those methods the same way. Since all of those addresses/phone numbers are associated with your iMessage account, it will just be sent to the iMessage account.

If it is an SMS or MMS message, they are using your phone number*.

I almost always send to people using either a phone number or directly from their contact card and the Messages app just tells me that it will be iMessage if the user’s name is blue or SMS (to their phone number from my phone number) if the name is green.

The Messages app does not tell you directly how an individual message was sent to you. But for the most part a message thread is either all iMessage or all SMS/MMS, and if you start typing a reply and see a blue arrow to send, then they probably sent you the message using iMessage. If you see a green arrow, they probably sent you the message using SMS (or MMS for groups.)

* the one exception is that many carriers have an email gateway so they can send to your phone number using however the carrier supports that (for Verizon it was send an email to phonenumber at vzwtext dot com). For a long time it was the most common form of SMS spam that I got, but IIRC Verizon finally allowed people to disable the email gateway for their account and I believe that I turned it off.

1 Like

If the recipient is an iMessage user but is not connected at the time, your phone will try iMessage, and will fail to send it, falling back to SMS.

I used to encounter this a lot when communicating with my daughter, because we had a metered data plan at the time and she’d keep her cellular data disabled most of the time. So content to/from her would be iMessage when she was on Wi-Fi, and SMS when away from a Wi-Fi connection.

1 Like

Right, but then any reply back from you would be iMessage if possible. It’s always going to try iMessage unless it can’t.

Plus you need to turn on the setting in Settings / Messages / Send as SMS for that to happen at all, and I believe that is a non-default setting - in my list of things to do when I set up a phone from scratch, I have a step to turn that setting on. (Though it’s been a while since I set up a phone from scratch - about a year now.)

I am slightly shifting the topic of this talk.

In his article Adam wrote

“Should you suffer an iPhone theft, immediately mark the iPhone as lost and wipe it remotely, but do not remove it from Find My.”

I followed the links to the respective Apple Support Documents which advise you to sign in to Find Devices - Apple iCloud to be able to mark your phone as lost and to wipe it remotely, or alternatively to get help from a family member to do so.

I see some practical problems in Apple’s advice:

– you need a device to access Find Devices - Apple iCloud which can be difficult or even impossible in some situations
– even if you can access Find Devices - Apple iCloud via some device you need to recall the details of your Apple ID; mine are in 1Password to which I do not have access when I am without my iPhone and far from my MacBook
– to make use of Family Sharing you need to be able to contact your family which could be difficult without your phone

How would you solve these problems?

Everyone in the world these days has a device with them with a web browser that can access the internet - you need to find someone who will allow you to borrow theirs as soon as possible.

I know that it’s often preached that every password should be random and impossible to memorize, but I think your Apple ID password should be one that you memorize. 1Password has the ability to generate a memorable password. (I know both mine and my wife’s). If you just can’t do so, then have it written down somewhere safe at home and perhaps inside each of your bags when you travel so you can find it in your hotel room, etc. [edit: not labeled or anything: just the password on a piece of paper that you can use to login if you ever need to. You’ll know what it is; you wouldn’t have to write “my Apple ID password is…”.]

Because of the need for this for marking a lost device, logging in to your Apple ID for find my is the one exception to requiring a two factor trusted device approval process when logging in to your Apple ID on a device for the first time.

2 Likes

I think there are a handful of passwords you need to physically remember: the password for your Mac and the password for 1Password are two that come to mind. In my opinion, your iCloud password should be one of those passwords because, like the other two I mentioned, it’s a key to so much more that you need to function.

4 Likes

Many years ago, I had a rather fun experience with a client’s stolen laptop on which we had LogMeIn installed. I could log into the computer and watch the thief use it to shop for car parts, look up an immigration attorney, and view Mexican porn (thankfully without sound). I’ve always wondered what the thief thought was going on when we occasionally wrestled over control of the mouse. Hard to remember now, but I think we recovered the computer by using its various IP address locations in Arizona and Mexico to link the theft to relatives of a Phoenix family whose house it briefly appeared in. IIRC a detective had to use a subpoena to get the physical address from the ISP.

At any rate, I felt like a genuine detective for a while.

4 Likes