Apple went a long way toward making iPhone theft unattractive to the criminal element. If your phone is set up with a passcode and Find My is enabled in iCloud, there is not a lot that can be done with a stolen phone. There is a small market for parts, but the crook is unlikely to be able to access your data, and Activation Lock (part of Find My) keeps them from erasing and reactivating the phone to sell it. Plus, with Find My you (or, better, the police) can track the phone, and you can remotely erase all your data and lock the device.
However, if the thief can get your passcode, they can erase the phone, and do a lot worse. A new (or at least increasingly popular) trick is to “shoulder surf” an iPhone user to get the passcode. If that happens to you, the thief can steal your phone and immediately use the passcode to change your Apple ID password, because the device passcode is accepted as proof of identity for that change. That gives them full access to your phone, including all the passwords stored in iCloud Keychain, and to all your data stored in iCloud. Meanwhile, you lose access to iCloud and all the iCloud services, on all of your Apple devices! You can’t erase your iPhone remotely at that point, and they potentially could erase your iPad or Mac. With your data, they can potentially get access to credit cards, bank accounts, and more.
So how would they get your passcode? Don’t you normally use Face ID or Touch ID to unlock your phone?
Here’s a potential scenario.
You’re out with friends at a bar or restaurant. A friendly stranger offers to take a picture of you all together. You open the camera app and hand her your iPhone. She takes a picture and then looks at it while holding down the side (power) button and either volume button for a couple of seconds. The screen that lets you power off, call Emergency SOS, or show your Medical ID pops up. She says, “Oops, I just hit the wrong button, but I got the picture. Here!” and hands back the iPhone. You tap Cancel and are at the iPhone lock screen. When you try to unlock, you’ll be prompted for your passcode: once that screen has been shown, iOS disables Face ID and Touch ID until the passcode is entered. You hold up your phone and tap in your passcode.
What you don’t notice is the friendly lady’s friend who is standing just behind you, watching you type, or perhaps recording your typing with their phone.
Once they have your passcode, they only need to get the phone. Either of the thieves, or maybe even a third, can grab the iPhone and run for it, or wait until you set it on the table or the bar, or put it in your purse or pocket, for a surreptitious grab.
By the time you notice the phone is gone and get somewhere that you can do something about it, they can already have your Apple ID in their control.
What can you do? Be aware of the trick, and make a habit of shielding your phone screen as you enter your passcode. Also, a longer passcode, perhaps even a password, makes it harder for a third party to see what you are typing. Use a minimum of a 6-digit passcode (four is way too easy to guess and to see), but iOS supports longer numeric or alphanumeric passcodes: in Settings, under Face ID & Passcode (or Touch ID & Passcode), choose Change Passcode and then Passcode Options. More is better if you can stand it. If your iPhone is on iOS 17.3 or later, also turn on Stolen Device Protection in the same settings screen; it requires Face ID or Touch ID (not the passcode) for sensitive actions such as viewing stored passwords, and adds a one-hour delay before the Apple ID password can be changed when the phone is away from your familiar locations, which blunts exactly the attack described here.
For additional information, Joanna Stern at the Wall Street Journal has an in-depth article on the exploit.
Bonus tip: In the scenario above, the creep held the side button and a volume button for two seconds to hard lock your iPhone. Though used against you in the scenario, it’s a good feature to know about. If you are using your phone and are approached by a policeman or TSA agent who asks for your phone, hard-locking it first means the passcode will be required to unlock it, and Face ID or Touch ID will not work until it is entered. In the US, courts have often treated a memorized passcode as something you cannot be compelled to reveal, while a face or fingerprint may be used to unlock a device; the law varies by jurisdiction, but forcing the passcode to be required puts you in the stronger position.