Following a recent report highlighting how scammers can use Apple’s recovery key security feature to lock out iPhone users from their Apple account, Apple released a statement in response.
An article published this week by the Wall Street Journal cited multiple instances of thieves locking iPhone owners out of their accounts. In one case, scammers stole a man’s iPhone at a Chicago bar, intending to drain cash from his bank account and prevent him from tracking the device down.
Having already watched him enter his iPhone’s passcode, they used it to change his Apple ID password and enable an Apple security setting known as the “recovery key.” Several other people who had their accounts compromised described similar incidents to the paper.
According to Apple’s website, the company started offering its optional recovery key in 2020 as a way to strengthen account security. People who turn on the recovery key, which is a randomly generated 28-character code, have to provide it when they reset their Apple ID password.
“Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password. Learn more about using account recovery instead of a recovery key,” the Cupertino, California-firm said.
However, if a scammer steals a person’s iPhone and knows their passcode, the scammer can turn on the recovery key (or generate a new one if it is already on) and lock the real owner out of their Apple account. Apple provides no way to let users back into their accounts if they don’t have the recovery key.
“Account recovery is a huge challenge for the industry,” Andrew Shikiar, executive director of the FIDO Alliance, told the paper. He said that Big Tech firms have issues when verifying users’ identities if they forget a password, lose their devices or phones, and cannot access two-factor authentication means.
Jake Moore, global cybersecurity advisor at ESET, told Forbes that Apple needs to figure out how to fix this problem and it’s “taken far too long.”
“Unfortunately, people still use simple or easy-to-find passcodes to unlock their iPhones—plus some may innocently never think about their surroundings when entering the code,” he warned.
Apple told news outlets after the WSJ report that it is “always investigating additional protections against emerging threats like this one” and that “we sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare.”
The company did not address specific claims made in the WSJ report. Nor did Apple address how it might work to improve the recovery key security option to make it less vulnerable to thieves.
“We work tirelessly every day to protect our users’ accounts and data,” Apple added.
The Epoch Times has contacted Apple for additional comment.
But on its website, Apple has long said that if a user has a recovery key, “it means that you’re responsible for maintaining access to your trusted devices and your recovery key.”
“If you lose both of these items, you could be locked out of your account permanently,” the company has warned. “With that in mind, it’s important to keep your recovery key in a safe place. You might want to give a copy of your recovery key to a family member, or keep copies in more than one place. That way you always have your recovery key when you need it.”
How to Protect Yourself
To avoid having their passcodes stolen in public, iPhone users should unlock with Touch ID or Face ID as much as possible so that the passcode is rarely typed where others can see it. When the passcode must be entered, users should shield the screen with their hand so that bystanders cannot watch them type it.
Security experts also recommend that people stop using a four-digit passcode and instead switch to an alphanumeric passcode, which is harder for thieves to observe and memorize. The code can be changed on the phone under Settings, then Face ID & Passcode (or Touch ID & Passcode), then Change Passcode; after entering the current code, tapping Passcode Options allows a Custom Alphanumeric Code to be chosen.
To protect a bank account or similar, users are advised to store its password in a third-party password manager whose vault is protected by its own master password rather than by the device’s passcode, since the device passcode alone unlocks the passwords saved in iCloud Keychain. Security experts recommend the manager 1Password.
“As this code can access saved passwords on Apple devices, it is a good idea to save passwords in a third party password manager instead—which cannot be accessed via the phone’s passcode safety device,” Moore said. “Or use email that also has recovery access.”