The story below happened to our iOS developer on his trip to Barcelona in May. Sergey works for our development unit at Redwerk and is really tech-savvy. Luckily, he knew how to act and didn’t give attackers a chance to get a hold of his information and cash when his iPhone X was stolen.
How it Went Down
Coming back from La Paradeta near the Liceu Opera in Barcelona, a random guy asked Sergey for cigarettes. When they started talking, the guy said that he was from Brazil and suddenly began to dance the samba. While making strange movements, he pulled the iPhone out of his pocket.
When Sergey noticed the missing, he tried to find his phone with the help of his girlfriend’s iPhone through Apple family subscription service and discovered that it was still on and around 15 meters from him. He tried to find the thief, but he got lost in the crowd and evening darkness.
It turned out to be a problem of epic proportions, as many reports on the internet tell about people talking to tourists, showing how to dance the samba and what not. Yet, Barcelona police does very little about this issue.
What Police Does
Realizing that the chance to find his phone was low, Sergey went to the police. They accepted the statement, and that’s about it. There was nothing more they could do. Needless to say, the visit to the police station was not helpful at all.
What Thieves Do
Things got heated when the following evening Sergey received two same messages on his email and his girlfriend’s iPhone.
Wonder how the thieves got his girlfriend’s number? Pretty easy, actually. As soon as Sergey realized his phone was missing, he activated Lost Mode. You can do that from any other Apple device. When you activate Lost Mode, your phone will do nothing but display a message on the screen, preventing the phone from being used. The thing is that you write this message yourself and include a contact number to call in case somebody finds your phone. It looks something like this:
And that is how the thieves got the number of Sergey’s girlfriend. He basically just gave it to them.
Now, back to the message Sergey received on his girlfriend’s phone. Here is its context:
Following the link, he saw the iCloud website and started to enter his data, but when entering the password, he thought that he could check the location of the phone via the official Find My iPhone app. The app showed the phone was near the place he was yesterday. But when Sergey came to the location point, the thief turned off the phone.
At home, following the link again, he entered the wrong data to see what happens next.
As a true developer, firing up the DOM inspector in Safari, Sergey noticed two oddities:
-
- First, the email address seemed weird. Not something that Apple would use.
- Second, the connection to the server was not SSL-encrypted. When sending the data, all it did was said the login or password were incorrect. According to the HTML page source, the collected login and password data were sent to the script server-side called save.php.
It’s a typical phishing scheme to get the account data in order to untie the phone from iCloud and unlock it.
Important note here. Apple took this possibility into account: even if someone gets their hands on your Apple ID, you still need to confirm it from your another Apple device. Watch out for these messages and be careful.
Realizing how technologically advanced the bad guys were, Sergey never entered his real password, while continuing to receive messages with a false iCloud link keeping his stolen device a useless brick of glass and metal.
Tips Not To Find Yourself In This Situation
For those who wouldn’t wanna be in Sergey’s shoes, here are some main tips on how to prevent your iPhone from being stolen::
1. Keep it in disguise
The easiest thing you can do is not show off your iPhone. Put it in an old case, not in a fancy one. Make it look less tempting to thieves.
2. Keep it on you
Don’t leave your phone somewhere a thief can easily take it. Even if it is in your sight. Keep it in your inside pocket or a bag you are carrying.
3. Try not to use it in public
Watch out in a crowded place, especially when people approach you to offer something or ask directions.
Tips Not To Let The Thieves Unlock Your iPhone
In case your iPhone got stolen, here are some tips to consider not to become the scammers’ victim:
1. Careful with the number in Lost Mode
There can be all kinds of messages coming from the people who stole your device with one goal: to trick you into revealing your login and password. They can text or call you, pretending to be from Apple, your mobile operator, even your mum. Don’t fall for it.
2. Text messages are suspicious
Apple never sends short text messages — only emails. If you receive an SMS from something that seems like Apple with a link to iCloud asking for your password, it is a typical scam.
3. Check login pages for phishing
Even a perfectly looking login page can be a honeypot for collecting your login data. Double-check before you enter your password.
4. Check URL
Make sure you check URL (the top bar) of a login page. It has to match the domain of the service it pretends to be. In this case, the only real URL of Apple’s iCloud service is
https://www.icloud.com.
Any other URL there means you’re on a phishing page. Some URL examples would be: apple.track-location.com, show-iphone-location.com, and even (watch out!) apple.inc. Here is an example:
Tips Not To Let The Thieves Unlock Your iPhone
These are the common ways to keep your iPhone hack-proof. Make sure you have all that set up.
1. Touch ID and Face ID
Don’t use Touch ID and Face ID when traveling or going to the area you don’t trust. Your fingerprints and facial geometry can be used against you if you fall asleep, for example. You can re-register your biometrics later.
To set up, go to Settings > Touch ID or Face ID & Passcode > and turn off Touch ID or Face ID
2. Use alphanumeric password
You can set an alphanumeric password to your iPhone instead of 6 digits or even 4 digits.
To set up, go to Settings > Touch ID & Passcode (enter your passcode) > Change Passcode (enter your old passcode) > Passcode options > Custom Alphanumeric Code.
3. Enable Find my iPhone
Find my iPhone option uses GPS to track your phone when it is lost or stolen.
To set up, go to Settings > User Name > iCloud > Find My iPhone > turn on Find My iPhone and Send Last Location
4. Set up 2FA
Use two-factor authentication that requires a second form of authentication in addition to your account password. It can be a password or PIN, credit card or security token, or biometrics. So if your first-factor authentication is hacked, it will be much harder to break the second-factor authentication.
Go to Settings > Tap your name > Password & Security > Tap “Turn on Two-Factor Authentication” > Follow the prompts
5. Turn on USB Restricted Mode
USB Restricted Mode is a new feature that prevents USB accessories to make data connections with the iPhone so that the information can’t be stolen via the USB charging port.
To set up, go to Settings > Touch ID & Passcode (enter your passcode) > USB Accessories > OFF
Wrapping Up
Phone theft is widespread all over the world, but it’s only recently it became so technologically advanced. By sharing our experience and security tips with you, we hope you don’t have your smartphone stolen in the first place. But if it happens, we want the thieves to be unable to unlock and resell a stolen device. The more iPhone users are careful and aware, the sooner the whole phone theft goes out of business!