iPhone 12 iPhone stolen from hand while taking photo - They have my email address :(

[Nick232]

Hello,

I had my phone stolen by professionals, would very much appreciate some technical insights into how vulnerable my data is (I know they have my phone number and email address) and what they might do next - huge thanks in advance


Long story, but here are the facts -

- Was on holiday in Santiago Chili, was taking a photo of my husband in a crowd, and iphone 12 mini was swiped from my hand while unlocked :{

- We both ran after him, with hindsight I was hoping the chase was longer than the 5 minutes it would take for the screen to lock. Thought it was 50/50

- Interestingly although we were shouting and pointing and the guy was suprisingly not running that fast, no one was helping - was told later it was probably a good job we didn't catch up with him :{

- As soon as we had given in, stopped and caught our breath I logged onto icloud on my husbands phone and put the stolen phone in lost mode. After a short deliberation I then went for full erase. It must have been at least 30 mins after the theft though as I needed to call my son in the UK for the 2-factor authentication code. Straight after I called EE, told them the phone had just been stolen and to please block my number (a few days later I arranged a replacement sim).

- When we put the phone in lost mode, despite my protests my husband gave his genuine phone number on the lock screen message

- Approx one hour later my husband received a phishing text - pretending to be a message from icloud saying the device had been located and inviting me to log in to icloud to locate it. We were initially confused before realising the scam and didn't even click the link. Realised this must be a professional act to have got the ball rolling on the scam so quickly

- Felt sick. Picked up cheap replacement android phone for rest of trip

- When checking my email later, I noted the message that afternoon from 'Find My' saying '[iphone name] is being erased'. Basically breathed a massive sigh of relief, told myself not to be so massively stupid next time and decided to move on.


However 2 weeks later.........

- Was looking through my email 'junk mail' folder and found an email from the day of the theft that's made me really stressed... the email subject is literally "your device was found" - all lowercase, so obvious scam. The translated text says "[iphone name] was found near A.Indepencia 1833. Santiago at 19:28 The last known Location of your iPhone will be available for 24 hours" .. and then the obvious link for me to log into presumably a fake icloud page.

HOWEVER... Whats made my blood run cold is that the email has been sent to the *actual email address* of my icloud account (

I didn't think it was possible to access the full icloud email address from an iphone in Locked mode? We *definitely* did not include any emails in any lock messages.

So now I am reassessing the whole security situation which I thought I had got away with, and am now guessing they must have had access to my full unlocked phone for at least some period of time.


I'm wondering now who my adversary is and what I'm up against... is there anyone who could help me understand the following technical questions?


(1) - Am I right in my assumption that the only way they could have got my icloud email address from a passcode locked then icloud locked iphone, is... if it wasn't actually locked? (the email address was NOT included in the lock message)

(2) - If they did have full access to my unlocked phone on airplane mode, is it possible they could have used software to take a full image of everything on my phone (email/texts/photos) or does apple require the iphone pin to copy this? Do criminals have more sophisticated software than itunes that doesn't require a pin, or do I have any protection from apple from making it hard to copy data without a pin? I'm wondering what the chance is that they have an entire copy of my whole digital life for sophisticated scams months or years later

(3) - I recieved the email from 'FindMy' saying my phone had started to be erased, but never recieved one to say it was completed. Is one usually sent out on completion?

(4) - I don't use Apple Wallet or Keychain. Iphone has been lost mode & erased but not removed from icloud. Network provider has been notified of theft. Is there anything else I should be doing to protect myself?

(5) - What's the standard most popular next scam I should expect from the professionals if they did have full access to all my emails, contacts, photos etc?


I realise I was super stupid. Feel very sick. Will learn from this. Any tips to lessen the impact in advance if this ever happens again?


Huge thanks in advance

 

[floral]

I feel really bad for you... I can't imagine the pain that would be getting a phone just snatched like that, but it must be heartbreaking. Here's some info about Find My and how it works:

As far as I know, Find My cannot remotely erase, play a sound, locate, or place a device in lost mode unless the device establishes a connection to the internet, since it uses a connection to the device through an internet server to do that. There is a good chance that the thief/thieves disabled wifi and mobile data when they snatched the device (you said it took you 30 min. to enable lost mode and erase, so that would leave ample time for disabling), so unfortunately your device may be a goner. Now for answering the other questions:

1: Correct. Because of the aforementioned required internet for Find My management, they could just bypass the erasing/lost mode, take a look in the Apple ID section of settings and... there's your email.

2: Probably not. Accessing an iPhone, if it's already unlocked, doesn't require a passcode - all you have to do is press "Trust this Computer" and they get access to your iPhone, but I don't think any program other than iTunes can actually do something with it, unless they have some unknown program that can.

3: Because of the, again, aforementioned required internet to erase it remotely, it probably didn't go through. However, if they mistakenly turn on internet, it would erase due to establishing a connection to iCloud. So, there is a silver lining.

5: They can't really scam you out of anything now, since they took your single most important device, but since they have your contact list if the device is unlocked, they could target your friends/family next for whatever scam they do. Also, what makes you think they're "professionals"? They could just be random people that are short on cash and desperate for anything.

Be sure to boo me if I'm wrong on some/all the answers...

 

[russell_314]

If the thieves (these guys work in groups) have your passcode as in they saw you unlock your phone with it then they have full access to your iCloud account to include Apple pay cards and passwords. They will likely attempt identity theft on you.

Here's what I would do.


Change your iCloud password and make sure 2FA is on

Report the phone stolen with your carrier so it doesn't receive texts or calls

Change every password you have saved on iCloud. The thieves likely have your email password.

Report all your bank cards as stolen and get new ones.

Look at all your documents on iCloud and asses what kind of damage they can do. Maybe you need to freeze your credit, close bank accounts or whatever..

This is just off the top of my head. This is a growing type of crime and it is critical not to use your passcode in public till Apple puts out a fix for this. Use Face ID or Touch ID

 

[Blarnld]

Is there any way to put a hand strap on our iPhones or phone cases? Might stop this from happening in the first place.

 

[russell_314]

Is there any way to put a hand strap on our iPhones or phone cases? Might stop this from happening in the first place.

There are cases with straps, but most purses have straps and they get stolen all the time. In the USA robbers will pull out a gun and take your phone so it's not worth dying over. The only thing you can do is keep it locked and minimize the damage after by wiping it remotely.

I can't emphasize enough not to use your passcode in public. It's 2023... We all should be using biometrics. These criminals work in teams so one could be watching you enter the numbers and the other grabs your phone. While these crimes are rare now who's to say they won't happen more since all the publicity.

 

[Puonti]

Sorry to hear that this happened to you.

While I don't have much to add to the advice already given, I did notice that you were taking photos with the iPhone unlocked. A small but perhaps useful tip to know in the future is that you don't need to unlock a modern iPhone to take photos.

Depending on your iPhone model and what settings are in effect there's always some way to wake the phone up without unlocking it. From the bottom-right corner of the lock screen you can then open the Camera app. The iPhone will not try to unlock while you're taking photos. It will only do so if:

1. You tap on "All Photos" while reviewing photos you've just taken (easy to avoid)

2. You swipe up from the bottom of the screen to return to the lock screen on an iPhone with Face ID (instead, use the power button once you're done taking photos)

 

[antiprotest]

Is there any way to put a hand strap on our iPhones or phone cases? Might stop this from happening in the first place.

I think it could help in some cases, but it could backfire massively in others. There was this one woman who had a lanyard on her phone. As she was crossing the street, someone on a motorcycle grabbed her phone and kept going. The phone was ripped out from the lanyard. If it wasn't, she could have been dragged on the ground for some distance and gotten hurt.

It's not even my phone but I hate this situation. Feels bad for OP.

 

[joeblow7777]

I’m afraid I don’t have any useful advice, but I just want to say that you (OP) are not stupid. This isn’t your fault and you didn’t do anything wrong. It’s entirely the fault of the scum bag(s) who did this to you.

 

[Wando64]

Change every password you have saved on iCloud. The thieves likely have your email password.

Even if your device is unlocked, passwords and any other keychain information can only be accessed by authentication I.e. the actual device password, or Touch/Face ID.
If your device is stolen unlocked, they can access most of the info on it, but not the Passwords/Keychain.

 

[I7guy]

Sorry to hear about the incident. There are definitely ways to secure your phone as long as your device passcode hasn't been compromised, through for example social engineering.

1. Turn on 2fa
2. Set a screen time password and turn off password changes, account changes, sharing changes and location changes
3. Use a longer than 6 password with letters, upper, special and numeric
4. Disable control center and notifications on lock screen and other lock screen functionality
5. Remove your apple id email from your phone or use web access to access the account
6. Make sure financial apps use face id login

There may be others, but if your device passcode is secure..the damage is limited.

 

[CharlesShaw]

Is there any way to put a hand strap on our iPhones or phone cases? Might stop this from happening in the first place.

That’s actually a good idea except if everybody did it the thieves would carry knives or scissors to cut the straps.

Regarding the unlocked iPhone this is a good time to remind everybody to keep the phone locked during public photo sessions. Just swipe left or long press on the camera icon on the lock screen. [edit: remove the camera icon from the Home Screen to break the habit of unlocking the phone.]

 

[russell_314]

Even if your device is unlocked, passwords and any other keychain information can only be accessed by authentication I.e. the actual device password, or Touch/Face ID.
If your device is stolen unlocked, they can access most of the info on it, but not the Passwords/Keychain.

This is not correct. I just covered my iPhone camera with my hand then unlocked it with a passcode like the thief would do. When I got to passwords it tried FaceID but when that failed a few times it asked for a passcode. After entering the passcode I had access to everything.

With your passcode they have access to everything on your account. Apple really need to fix this and I'm sure they will.

 

[russell_314]

Sorry to hear about the incident. There are definitely ways to secure your phone as long as your device passcode hasn't been compromised, through for example social engineering.

1. Turn on 2fa
2. Set a screen time password and turn off password changes, account changes, sharing changes and location changes
3. Use a longer than 6 password with letters, upper, special and numeric
4. Disable control center and notifications on lock screen and other lock screen functionality
5. Remove your apple id email from your phone or use web access to access the account
6. Make sure financial apps use face id login

There may be others, but if your device passcode is secure..the damage is limited.

The problem here is this is a social engineering exploit where people are observing the passcode. Don't use your passcode in public! Use FaceID...

I wonder what the 2FA would be if someone just had an iPhone. If the 2FA is text or whatever app on the iPhone it's not really 2FA in this situation because they have the iPhone. I'd be willing to bet even most people who are security conscious (Myself included) have all 2FA methods on their phone. If you get my phone and passcode you have access to everything. 2FA doesn't apply in that case.

Many banks don't give the ability to disable text 2FA either because they don't want to deal with people's locked out accounts. Even if you have another type of 2FA (App on your phone so equally worthless) they will send a text to your phone to reset password.

What Apple should do? Disable the feature to reset your password with only a passcode... Why Apple???... I know why. The same reason banks don't want to disable text 2FA. They don't want to deal with the calls and those calls require someone knowledgeable that isn't easily tricked so that isn't cheap overseas call center support $.

Even with that you're still SOL because even though they can't reset the password they still have access to your data. What they don't have is an iPhone that's able to be reset and sold. That kind of takes some of their profit and motive out. Sure there is maybe something to be made with identity theft but not guaranteed like the iPhone.

The big fix for this till Apple does something is Don't use your passcode in public! Use FaceID... No the NSA isn't downloading your face and even if they are they can do it other ways.

 

[JPack]

Is there any way to put a hand strap on our iPhones or phone cases? Might stop this from happening in the first place.

Crossbody iPhone cases were very popular last year, from a fashion perspective. Hand straps have been available for decades.

 

[Wando64]

This is not correct. I just covered my iPhone camera with my hand then unlocked it with a passcode like the thief would do. When I got to passwords it tried FaceID but when that failed a few times it asked for a passcode. After entering the passcode I had access to everything.

With your passcode they have access to everything on your account. Apple really need to fix this and I'm sure they will.

Just as I said “Even if your device is unlocked, passwords and any other keychain information can only be accessed by authentication I.e. the actual device password, or Touch/Face ID.”

If somebody steals your iPhone while unlocked why would they know your password? (or passcode as you call it)

Accessing the keychain always requires authentication.

 

[russell_314]

Just as I said “Even if your device is unlocked, passwords and any other keychain information can only be accessed by authentication I.e. the actual device password, or Touch/Face ID.”

If somebody steals your iPhone while unlocked why would they know your password? (or passcode as you call it)

Accessing the keychain always requires authentication.

I think what is confusing you is my word passcode. This is what Apple calls the six digit number used to unlock the iPhone. It's called a PIN by some people. I'm not talking about the password that is used with your Apple ID to sign into your Apple account. What is going on here is thieves are watching people unlock their phone with the six digit numeric passcode then stealing the phone. With the passcode they can get into anything on the phone and even reset the Apple ID password.

Here's a MacRumors article on the subject

Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a...

www.macrumors.com

 

[Puonti]

As an outside observer part of the confusion between you two also seems to be that @Wando64 is talking strictly about the OP's specific situation, in which the phone was already unlocked and no mention was made of the possibility of their passcode having been spied beforehand (which could have also happened, we just don't know), while @russell_314 expanded on that original topic early on by talking about a possible scenario in which the thieves might have the device passcode in addition to the device itself.

 

[Tsepz]

As long as you put it in Lost Mode and reset your iCloud password you should be fine.
My Xs Max was taken out of my hand while unlocked and my 11 Pro Max was taken from my table at a restaurant while locked.

With the Xs Max I got the same as you, the scam text etc… ignored them and ensured the phone was in Lost Mode and did a remote erase. My 11 Pro Max they never even managed to try get any details from it, I can still see it in my Find My (it’s in Lost Mode) and the remote erase is pending since late last year because it seems the criminal simply has not bothered to turn it back on and has probably sold its parts by now as when he was travelling and up and down with it my carrier told me that he wasprobably having a hard time selling it due to password lock, I could see where he lived etc…but due to it being a block of flats the cops said they cannot simply guess the unit number and all that.

You should be fine.

 

[Wando64]

I think what is confusing you is my word passcode. This is what Apple calls the six digit number used to unlock the iPhone. It's called a PIN by some people. I'm not talking about the password that is used with your Apple ID to sign into your Apple account. What is going on here is thieves are watching people unlock their phone with the six digit numeric passcode then stealing the phone. With the passcode they can get into anything on the phone and even reset the Apple ID password.

Here's a MacRumors article on the subject

Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a...

www.macrumors.com

Yes, that is correct. I am not saying anything different.
If someone steals a telephone that is momentarily unlocked (like it happened to the OP) the thief would not be able to access the keychain *unless* they have also managed to obtain the phone’s password/passcode/PIN or whatever we want to call it. There is nothing in the OP’s post to suggest that this might have happened.

 

[I7guy]

The OP disappeared so there is no update. Assuming the thief got the phone with the device passcode or pin, depending on what is on the phone and if it is secured can mean the difference between an annoying time of getting a phone replaced or dealing with major financial headaches.

 

[Wando64]

The OP disappeared so there is no update. Assuming the thief got the phone with the device passcode or pin, depending on what is on the phone and if it is secured can mean the difference between an annoying time of getting a phone replaced or dealing with major financial headaches.

I am posting this and then I am out of this thread.
Why would anyone believe that the thief would have the pin? When was the last time you have used it in public? Am I the only one using Face ID? (or touch if you have an older model)

 

[mpavilion]

Wando64 is right. There was no mention in the OP of having used the PIN in public (which I also imagine must be rare). People are conflating the recent article about PIN observation with this specific case.

 

[riverfreak]

Yes, that is correct. I am not saying anything different.
If someone steals a telephone that is momentarily unlocked (like it happened to the OP) the thief would not be able to access the keychain *unless* they have also managed to obtain the phone’s password/passcode/PIN or whatever we want to call it. There is nothing in the OP’s post to suggest that this might have happened.

The thing is, they wouldn’t NEED access to the keychain, they already have the keys to the kingdom for most people: access to their email account.

Using that they can request password resets for any account. (There are caveats here of course, I’m speaking generally).

That’s why it’s so, so critical to control not just your device but accounts or services that act as gateways to everything else in your digital life.

 

[ctjack]

I think what happened is as follows: OP takes camera, runner guys takes it and secretly gives to another person in the crowd, meanwhile OP is chasing another guy maybe with another phone in his hand to distract.
Meanwhile the person in the crowd holding unlocked iphone with turned on camera - they then exit camera and start digging the phone while keeping it in fly mode.
They are good to tinker it as long as nobody pressed power button or let it idle for couple minutes to activate autolock.
This is not what Apple claims to protect people from, they can easily get access to their apps including emails. That is why one would want to activate camera from the lock screen - that way your phone keeps being locked.

 

[riverfreak]

The OP doesn’t use wallet or keychain.

To me, the biggest threat here is someone pilfering through personal details on the phone to use for social engineering in order to gain access to sensitive accounts.

That and, like I said above, access to their email account (assuming they only have one and use it for account recovery).

This is, of course, assuming that the phone is/was unlocked. The purported phishing email may have just been happenstance.

Oh: and it’s Chile, by the way. Chili is in fact on a different planet.