It’s a sunny day, and you’re seated outside a popular cafe, thrilled to have a break to meet a friend. You pull out your phone, type in your passcode, and start writing them a message. Suddenly, a hand shoots out of nowhere, grabbing your phone before you can even react. The thief darts away as you watch in disbelief. Your heart sinks. And most likely, you have no clue about the nightmare you’re about to face if the thief knows a little about technology or is part of an organized crime ring. That’s why taking some key protective measures now is crucial before your phone gets snatched from your hands by a thief who watched you type your passcode. There’s no rewind button to what a savvy thief can do quickly.

The race is on. They’ll step around a corner, unlock your phone with your passcode, click on settings, Apple ID, and reset your Apple ID password. All they need to know is your passcode to the phone. Your phone asks them, “Sign out other devices using your Apple ID?” Of course, they know to say yes.

Update on January 27, 2024: Apple has a new feature called Lost Device Protection released with iOS version 17.3 that helps solve this problem. Learn more here: https://fosterinstitute.com/safeguard-your-apple-iphones-and-ipads-activate-the-latest-theft-protection-setting-now/

They know that if you put the phone in Lost Mode, they have the passcode and can unlock the phone immediately. You might have your Apple ID protected with two-factor authentication; good work! But the second step of the verification process displays a verification code on your trusted devices. Unless you set your phone otherwise, the thief has a trusted device. Unless you posses a trusted device tied to your Apple ID, you won’t see the verification code, and your attempt to log in will fail.

At this point, only they can perform any functions that require you to enter your Apple ID and password.

Strive to Intervene:

The process only took seconds. It is unlikely you can stop their next moves quickly enough.

Perhaps your friend walked up as the thief was running away. Thinking you might win the race, you grab in a friendly way, of course, any device they have with Internet access and open https://appleid.apple.com. Enter your Apple ID and your password quickly! Remember, the bad guy is around the corner racing you. Then, guess what? Unless your friend’s device is a trusted device on your Apple ID account, you won’t see the secret code you need to log in. The thief will see the code on your stolen phone’s screen, and they’re laughing but admire your trying. You never had a chance in that race. Read more below about setting up Recovery Contacts and Recovery Keys.

But a way to win and be faster than the thief is if you have your second iPhone in your pocket booted up and connected to the Internet. If so, scramble to be the first to open settings, Apple ID, scroll down through the devices, and log out the stolen device. Reset your Apple ID password. Great job! You did it! They can use the phone and most apps, but at least they cannot take over your Apple ID. Keeping two iPhones connected to your Apple account with you will help if one gets stolen.

Or, a more likely scenario than having two phones, maybe you happen to have your Mac open on the table in front of you the moment the phone is stolen. Assuming you weren’t using the phone as your hotspot, quickly click on the apple symbol in the top left corner, choose system settings, Apple ID, password & security, change password, find the stolen device in the list at the bottom of the menu, log it out, and reset your Apple ID password. Whew! They’re not going to gain control over your Apple ID. But they can still use your apps, log in to bank accounts, and access your company email, so you’ll need to reset all those passwords too.

Will you win the race, or will they? Maybe you want to practice the process a few times.

More Things the Thief Can Do to Affect You:

As you read this, do not be terrified. You can relax and remember this scenario assumes a thief has stolen your phone after watching you enter your passcode and memorized it. Hopefully, that will never happen to you, and it is good to be aware of some consequences, your response, and some preventative measures so you can educate your friends.

Since the thief knows the phone’s passcode, they can reset the Apple ID password. Then they can log in to your Apple account and affect your other Apple devices, including Mac laptops and computers connected to your account.

Then the bad actor can access your device’s Keychain, Apple Pay, Apple Cash, and other sensitive information. They can reset the Apple account’s recovery key. The thief can turn off location services so the phone cannot be tracked. They can change the Apple ID account’s trusted phone number and email address to make it even more difficult for you to regain access to your Apple account. They can change Face ID and Touch ID to their face and finger. They devastated your digital world and will start to steal your money and wreak havoc in your life. And don’t blame Apple; blame the bad guys.

Chances are that most of the apps on your phone will still work even if you log the device out of your Apple account. If the apps remember your passwords for you, then the attacker can use the apps. If you have a password manager that automatically fills in passwords without asking you to prove you are you, the password manager will also fill in passwords for the thief.

And if any of your apps, bank, email, or other services send a text message to your phone to verify your identity, and the thief has your phone, they will get the text message to authenticate and can impersonate you.

And any tools you have that rely on Apple’s Face ID or Touch ID to confirm your identity, if the thief resets Face ID or Touch ID on your phone to their face or finger, they’ll have access to those tools too.

Continue Immediate Steps:

You’d better rush to reset passwords to financial and other sensitive services. See the section on multi-factor authentication below.

Contact your phone service provider and convince them to disable your stolen phone’s ability to call or receive text messages until you buy your new phone.

Reset Passwords on all your other accounts for email, online payment tools, social media, cloud storage, and more. Apple devices, including the stolen phone, are very powerful for running apps, accessing email, using web applications, and more, even if the thief does not know the password for your Apple ID. If a thief has your phone, you have many passwords to reset quickly.

Keep trying to regain control over your Apple ID account. You can download the Apple Support App on your friend’s Apple device and initiate a process that will allow you to set a different phone number for the Apple ID verification process. Still, you must have access to the email address associated with your Apple ID to receive an emailed verification code. If you pass that verification, then endure a waiting period of at least 24 hours. The recovery process is similar to recovering your account at https://iforgot.apple.com/. The thief can cause much trouble during the day or longer wait. Read more below about the preventative step of setting up Recovery Contacts and Recovery Keys. More information about the recovery process: support.apple.com/en-us/HT204921. Apple’s guidance if someone gains control of your Apple ID: support.apple.com/en-us/HT204145.

Some people would advise you to not remove the stolen phone from your Apple ID account. If you do, you will lock yourself out of many ways to recover the phone, although the thief can block many of the protections because they know the passcode.

Multi-Factor Authentication:

An essential protection strategy is configuring multi-factor authentication, such as facial recognition, on apps and websites that support MFA. However, many two-factor authentication techniques rely on you having access to your phone.

It can be complicated to reset passwords on your sites and apps using multi-factor authentication if the second factor goes to the stolen phone’s phone number or relies on you having your phone for some other step. If you set up the MFA to send a text message to the phone, and the thief has your phone, they will see the text message, and you will not.

That might spur you to get a new phone and transfer the phone number to your new phone ASAP before the attacker logs into your apps and sites and changes the verification phone number to a number only they can access, and locks you out.

For websites or services that only support text messages for the second step, consider having text messages go to a device other than your phone.  Consider investing in an inexpensive flip phone with a different phone number to receive text messages. If the website or app supports other options for the second factor besides only text messages, consider how a phone thief could bypass them.

For example, if MFA involves an email message, if the thief can easily access your email on your stolen phone, it defeats the purpose of MFA. If you set up email as the second step, use an email address that requires some other form of authentication or is unavailable on the phone. Ensure email messages do not pop up on the preview screen when received.

Or, do everything possible to prevent an attacker from stealing your phone and knowing its passcode.

If you use passkeys, be sure to see this blog posting: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Prevention:

To Apple’s credit, and they deserve a lot of credit, they are taking many steps to fight this problem. They must balance the phone’s usability with security, and their multiple advanced security controls are extraordinary, and their responses are highly effective. In the constant game of cat and mouse between those who want to protect you and those who wish to harm you, there might be better defenses when you read this. As of now, here are some essential steps to protect yourself:

One of the most helpful defenses is to be cautious about where and when you enter your passcode. Hence, attackers never find out your passcode. An attacker must know the passcode to the phone as part of resetting the Apple ID password. Using an alphanumeric passcode would be more difficult for a bad actor to read from a distance than a four or six-digit passcode.

Another strategy is to use facial or fingerprint recognition to unlock the phone. That would be Face ID, or Touch ID when available, on Apple devices. If the user doesn’t type their passcode into the phone, nobody can “watch the victim type their code” into the phone. If Face ID won’t work due to lighting conditions or some other factor, rather than entering the passcode, you could move somewhere safe where Face ID works.

Even if the attacker holds the phone in front of the victim’s face and the phone unlocks, the attacker still won’t know the passcode to reset the Apple ID account password. Furthermore, Apple’s Face ID settings have an option called “Attention Detection,” so if the user is unconscious or drugged, the facial recognition will refuse to unlock the phone. Unless the thief coerces the victim to tell them the passcode, the thief cannot reset the Apple ID password.

Consider using a password manager rather than the Keychain that is tied to the Apple ID. If the user doesn’t use the Keychain to store passwords and uses a password manager such as 1Password, LastPass, NordPass, or others, then the thief knowing the phone’s passcode does not give them access to passwords stored outside of the Keychain. Ensure your password manager’s settings force you to enter a passcode and do not use the same passcode as the phone.

Before everything seems hopeless, remember this disaster starts when a thief sees you enter your passcode and steals your phone.

Be Proactive:

Erase your SSN, NI, DL, Passport, or other sensitive information anywhere you’ve stored it, whether in text, contact records, photos, and everywhere else. The thief will search for that information and use it to open accounts, take out loans, and perform other identity theft compromises.

And obviously, don’t share your passcode with anyone other than, if you are going to share it, a family member or close friend you can trust with the key to your digital world.

If you’ve not done so recently, visit appleid.apple.com to update all of your personal or security info. Look for an email address that is not yours. Be sure you recognize the devices in your account.

While you are there, consider setting up someone you trust who has an Apple device as a Recovery Contact who can vouch for you and generate a code to help you recover your Apple ID. They cannot access your data, only verify your identity if you lose access to your Apple ID. Details: support.apple.com/en-us/HT212513

You could set up a 28-character Recovery Key to print out and store in multiple secure locations to help you recover your Apple ID. But be careful. If you choose to have a Recovery Key, and lose the 28-character key, even Apple cannot help you recover your Apple ID. Details: support.apple.com/en-us/HT208072

You’ll see an option to set up a Legacy Contact who, with access to your death certificate, can access your photos and text messages but not passwords. Details: support.apple.com/en-us/HT212360.

Stay current on updates. Rarely do updates create security issues; more often they provide protection against ways attackers find to bypass security.

If you lose access to your Apple ID, you could permanently lose access to your photos of you, your friends, and your family. This underscores how important it is to keep backups of your Apple photos and videos in case someone takes over your Apple account: https://support.apple.com/en-us/HT209454.

Reality Check:

Rather than go through life fearing what could happen, reduce the damage you can suffer and the likelihood of something terrible happening. Continue to recognize and avoid dangerous situations and locations. Keep your phone secure, never enter your passcode when someone can see you, and take the preventative and proactive steps above. Now that you know the risks, your subconscious will alert you to dangers more than before.

Examine your risk tolerance. Balance the likelihood of someone stealing your phone against the damage a phone thief can cause you. If you need to be super-secure, you can reevaluate your practices based on the information contained within. Some people might take some steps to reduce the danger and accept what risk is left. Others might leave their phone locked safely at home more often when they go out.

With the advent of AI, attackers will find new ways to steal, but AI will also help develop new ways to prevent attacks. Everything is changing so quickly on both sides. When you read this, perhaps additional protections are available to help keep you, your organization, and your loved ones safe.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.