(NewsNation) — A man serving time for theft recently revealed to the Wall Street Journal how he accessed people’s iPhones, altered their security and stole their cash.
Aaron Johnson, 26, spoke to a reporter from the newspaper who has been investigating a “nationwide spate of thefts” where people exploit a vulnerability in the software design of iPhones. Using only the phone itself and its passcode, thieves can change the password associated with the owner’s Apple ID, thereby locking the victim out of their account. A Minneapolis Police Department arrest warrant the WSJ obtained shows Johnson and 11 other people he worked with were able to accumulate almost $300,000 this way — though according to Johnson, it was probably more.
Johnson would usually start the scam, he told the WSJ, by befriending his victim. Bars full of drunk, college-age men were his “ideal target.” After Johnson spoke to them, the person would hand their phone to him, thinking he’d give them his contact information. Then, Johnson would tell them their phone was locked, ask for the passcode and memorize it. Or, he’d record the victim typing the passcode themselves.
Johnson would leave with the phone or give it to someone else in his crew before locking the victim out of their account, changing their Apple ID password, and using it to turn off Find My iPhone. Johnson would then have all the information he needed to get into their savings accounts, checking accounts, Apple Pay — even their cryptocurrency apps.
Rick Jordan, CEO of ReachOut Technology, said on “NewsNation Live” Friday that he sees tricks like this happen all the time — even to sober people.
“Password sharing is one of the biggest no-nos in the world,” he said.
Apple recently announced a new iOS setting designed to address security vulnerabilities. Called Stolen Device Protection, it was released earlier this month to beta testers.
When Stolen Device Protection is on, users can restrict certain settings when they are away from a location the phone recognizes, like their work or home, according to Fox Business. When users want to change their Apple ID password while not in a familiar location, the phone will require Face ID or Touch ID. An hourlong delay will then be put into place. Once the hour has passed, users have to complete another Face ID or Touch ID scan.
Jordan recommends getting this setting once it’s available to the general public.
“Always update. Absolutely,” Jordan said. “Apple sometimes screws up its software, but they’ll roll out a fix pretty quick.”