Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Thieves targeting surfers steal over a million dollars, apparently able to break into iPhones and bypass FaceID

SnowCrocodile

SnowCrocodile

macrumors 6502a
Original poster
Nov 21, 2022
563
588
SouthEast of Northern MidWest
www.cnn.com

A pissed-off surfer crowdsourced friends — and cracked an alleged crime gang | CNN

Logan Dulien was robbed days after his mom died. In seeking revenge, this surfer got a lucky break and helped take down an alleged crime gang working the Southern Californian coast.
www.cnn.com www.cnn.com

The most frightening and concerning thing is that the “mastermind” was apparently able to break into locked iPhones and bypass FaceID to access bank and credit card accounts.

Apparently this happened before

www.securitynewspaper.com

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested - Incidents - Information Security Newspaper | Hacking News
www.securitynewspaper.com www.securitynewspaper.com
 
Last edited:
  • Like
  • Wow
Reactions: foliovision and russell_314
SnowCrocodile said:
www.cnn.com

A pissed-off surfer crowdsourced friends — and cracked an alleged crime gang | CNN

Logan Dulien was robbed days after his mom died. In seeking revenge, this surfer got a lucky break and helped take down an alleged crime gang working the Southern Californian coast.
www.cnn.com www.cnn.com

The most frightening and concerning thing is that the “mastermind” was apparently able to break into locked iPhones and bypass FaceID to access bank and credit card accounts.

Apparently this happened before

www.securitynewspaper.com

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested - Incidents - Information Security Newspaper | Hacking News
www.securitynewspaper.com www.securitynewspaper.com
Click to expand...
The article requires a subscription. The thought of bypassing Facebook ID is pretty scary!

To my knowledge, there is no way to bypass Face ID. I’m not sure I would trust CNN claiming this. Is this being reported by any major news agency besides CNN?
 
  • Like
Reactions: reinem85
russell_314 said:
The article requires a subscription. The thought of bypassing Facebook ID is pretty scary!

To my knowledge, there is no way to bypass Face ID. I’m not sure I would trust CNN claiming this. Is this being reported by any major news agency besides CNN?
Click to expand...

“But Dulien still didn’t understand how exactly those thieves were accessing phones and then bank accounts. “I’m about to find out that there’s these other lower-end guys but it’s really one guy — it’s a professional Jedi Master hacker.”

According to court documents, a low-level accomplice would steal a surfer’s phone and wallet then immediately hand them off to that hacker. Bypassing phone security and FaceID is very complex. Even the FBI brings in outside contractors to do it. But these days, once you get into a phone, once you crack FaceID, you have access to pretty much every cent the owner of that phone has in the world.”

I added a second article about the similar crime spree in Brazil, they go into more detail.

www.securitynewspaper.com

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested

This gang was able to unlock stolen iPhone/iPad with the latest iOS and bypass Face ID, Touch ID, passwords and steal money from banking apps. They were finally arrested - Incidents - Information Security Newspaper | Hacking News
www.securitynewspaper.com www.securitynewspaper.com


Authorities in the Brazilian state of Sao Paulo announced the arrest of multiple individuals identified as members of a gang dedicated to stealing and hacking iPhone devices in order to access victims’ online banking accounts and steal all their money. Authorities consider this to be a highly sophisticated criminal group, capable of bypassing the complex security mechanisms implemented by Apple, including multi-factor authentication, access passwords and biometric recognition.”
 
  • Like
Reactions: bousozoku
Can read it in reader mode.

Pretty meh to these stories. Usually written by someone that does not have any or strong tech background, not really fact checked re tech involved. And nothing new: there have been by-pass hacks, boxes, etc forever.

My guess, and a missing data point, assuming a simple passcode (ie. four digit) in use. And maybe even really dumb version of it (eg. "1111" is the equivalent of "password1"). Pretty easy to find articles or dumps of most used PINs to speed things up.

(12 character complex passcode on iOS for me)
 
  • Like
Reactions: dominiongamma, barracuda156, Timpetus and 9 others
NoBoMac said:
Can read it in reader mode.

Pretty meh to these stories. Usually written by someone that does not have any or strong tech background, not really fact checked re tech involved. And nothing new: there have been by-pass hacks, boxes, etc forever.

My guess, and a missing data point, assuming a simple passcode (ie. four digit) in use. And maybe even really dumb version of it (eg. "1111" is the equivalent of "password1"). Pretty easy to find articles or dumps of most used PINs to speed things up.

(12 character complex passcode on iOS for me)
Click to expand...
Good point. Do they point out how many times the hackers failed to crack the iPhones? Maybe they only could get in once in a while. If each success gains them thousands of dollars then it is worth a bunch of failures.
 
  • Like
Reactions: Timpetus
neutrino17 said:
Maybe they only could get in once in a while. If each success gains them thousands of dollars then it is worth a bunch of failures
Click to expand...

No doubt.

SnowCrocodile said:
There’s another story I posted a link to about a gang in Brazil specifically targeting iPhones.
Click to expand...

The Brazil story is from almost four years ago so whatever vulnerability was in place then might not be exploitable now.
Like I said earlier, nothing really new.

IMO, it all adds up to keep your software up to date, use strong passwords, and don't do something stupid like stash your keys and or devices under a proverbial door mat. Even if these surfers were up to date, they were lazy re protecting themselves. Not much different than the stories from last year re UK thieves on motorbikes grabbing phones from people (great example picture in the link: woman walking down the street waving around her $1k+ gadget; also in the article, use strong passcodes).
 
NoBoMac said:
No doubt.


The Brazil story is from almost four years ago so whatever vulnerability was in place then might not be exploitable now.
Like I said earlier, nothing really new.
Click to expand...
If there was a FaceID exploit 4 years ago, chances are there’s one now.

“Might” is putting a lot of trust in the only thing standing between people’s entire financial accounts or private data, and criminals.
NoBoMac said:
IMO, it all adds up to keep your software up to date, use strong passwords, and don't do something stupid like stash your keys and or devices under a proverbial door mat. Even if these surfers were up to date, they were lazy re protecting themselves. Not much different than the stories from last year re UK thieves on motorbikes grabbing phones from people (great example picture in the link: woman walking down the street waving around her $1k+ gadget; also in the article, use strong passcodes).
Click to expand...
The difference is, we have being told on many occasions that a locked iPhone is all but impenetrable, and the thieves are mostly after spare parts. It seems that the real security situation is quite a bit more worrisome. The thieves in Brazil, for example, used sophisticated computer forensics methods to break into the phones, not sure that a password of any strength would stop them.

I have separated my financial and other sensitive passwords from my “everyday” passwords a while ago.

The regular passwords go into Apple Passwords and use FaceID.

The sensitive passwords go into Bitwarden and use a long passphrase.

FaceID makes it just too easy to get to sensitive data.
 
NoBoMac said:
Can read it in reader mode.

Pretty meh to these stories. Usually written by someone that does not have any or strong tech background, not really fact checked re tech involved. And nothing new: there have been by-pass hacks, boxes, etc forever.

My guess, and a missing data point, assuming a simple passcode (ie. four digit) in use. And maybe even really dumb version of it (eg. "1111" is the equivalent of "password1"). Pretty easy to find articles or dumps of most used PINs to speed things up.

(12 character complex passcode on iOS for me)
Click to expand...
Did you skip the part where FBI brings in outside contractors to break Face ID? Remember all the government pressure on Apple to create a backdoor in IOS? Then poof nothing, think government said nevermind?
 
A 4/6 digit pin of your birth date is usually easy way to access the phone. I am assuming people stopped using 1111,2222 or 123456 as pin.
 
A friend had his phone stolen in Brazil recently. Then his mother (emergency contact) received some scare ware text instructing her how to approve access to his iCloud, or asking for his phones passcode from “apple”. I forget the specifics. But they didn’t fall for it and his phone/accounts were never further compromised.

If you’re running some old hardware with jailbreaks then you may be at risk to something more sophisticated than basically phishing.
 
  • Like
Reactions: kitKAC
In this one, if your banking app has a FaceID option turn it off and use a second pin which is different to the phone one.

I got rather drunk a year ago and a friend managed to get into my phone, work out where my AirBnB was and order me a taxi on Bolt. Someone else might not be so friendly.
 
cjsuk said:
In this one, if your banking app has a FaceID option turn it off and use a second pin which is different to the phone one.

I got rather drunk a year ago and a friend managed to get into my phone, work out where my AirBnB was and order me a taxi on Bolt. Someone else might not be so friendly.
Click to expand...
Well in that case all it takes is him holding the phone to your face.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back