A convicted individual in the United States has disclosed the method he employed to steal hundreds of iPhones, generating substantial profits by exploiting a security vulnerability. Aaron Johnson, currently serving an approximately eight-year sentence in a high-security prison, revealed that the pivotal element in all his phone thefts was obtaining the “passcodes.” This allowed him to engage in looting the phones by taking advantage of security loopholes within banking applications. Johnson, during an interview with the Wall Street Journal, asserted that he did not consider himself a “sophisticated cybercriminal” but rather recognized the potentially higher value of stolen phones.
He underscored the significance of the “password,” with police data indicating that Johnson and his associates managed to steal over $300,000. Johnson’s modus operandi involved targeting dimly lit bars with a crowd, focusing on young university students, particularly those in an inebriated state. Notably, he observed that women tended to be more “cautious and alert to suspicious behaviors.”
Approaching his targeted individuals, he would pose as a rap singer, expressing a desire to add them on Snapchat, ultimately convincing them to hand over their phones under the pretense of entering information. Johnson paid careful attention to how the victim entered the “password.” Once in possession of the phone, he would promptly change the “passcode” and even modify the Apple account password, thwarting any attempts at remote tracking or deletion. Subsequently, he would transfer funds swiftly or make purchases via Apple Pay for resale in the market.
Johnson specified that his preference for stealing iPhones was attributed to their higher resale value, even when used. Last week, Apple introduced a new feature, “Stolen Device Protection,” designed to safeguard stolen devices from exploitation of passcode knowledge.
However, the efficacy of this feature necessitates activation for comprehensive protection, introducing heightened security levels when away from familiar locations such as home or work. Altering passwords involves additional confirmation steps through facial or fingerprint recognition, ensuring that passcodes alone do not exclusively control device protection levels. The feature also includes an initial hour delay followed by an additional biometric check if attempts are made to disable “Find My iPhone” or deactivate facial recognition.
The Wall Street Journal recommends implementing specific protection measures for banking and money transfer applications, deleting any information pertaining to passwords or social security numbers, and ensuring that these are safeguarded by distinct passwords separate from the device.
Leave a Reply