The WSJ reported last week that iPhone customers whose devices were taken later had their Apple accounts hijacked, passwords altered, and additional accounts – including bank accounts – accessed. These were not instances of sophisticated hacking, but rather a basic security flaw. Using the iPhone’s passcode (PIN), the thief was able to alter account passwords and gain access to additional accounts without knowing the owner’s credentials.
How? On iOS, users can use their phone’s PIN to reset their Apple ID password, and obtaining a PIN is as simple as observing the phone’s owner enter the number or fooling them into providing their PIN.
As an example, Joanna Stern of the WSJ cited “the fog of a late-night pub environment filled with young people, where predators befriend their victims and manipulate them into surrendering their passcodes.” In addition, some of these crooks activated Apple’s Recovery Key function, which prevents the rightful owner from accessing their account without the stolen iPhone.
The same is possible on Android devices, where a PIN is all that is required to change your Google account password.
Mishaal Rahman explained on Twitter how this works, pointing to an option in Google account settings that resets the account password using the Android phone’s screen lock. Google allows this as long as the password change request originates from one of “your” devices, but there is no additional verification beyond your PIN. Notably, Google’s flow first asks you to enter your current password, but the “lost password” option lets you use the PIN instead.
So, even though this is unlikely to occur on Android, what can you do to safeguard your phone and account?
First, use biometrics, such as your fingerprint, to unlock your phone, so that prying eyes never see you enter your PIN in the first place.
Avoid storing sensitive information on your smartphone, for example in note-taking apps or your photo gallery. This includes social security numbers, passport photos, and other forms of identification, as thieves can cause considerably more harm if they have easy access to this information.
Secondly, strengthen your phone’s lock screen. By default, Android only requires a 4-digit PIN, but you can extend this significantly: Pixel smartphones accept PINs of up to 17 digits. Android’s pattern unlock is also harder to steal by shoulder-surfing, and a full password can be used for an extremely complex unlock code.
Additional app-level protection may include disabling biometric/PIN login for specific apps, or at the very least making those PINs distinct from the one used to unlock the phone. A dedicated password manager is also superior to the one that comes with your device.
Alternatively, use Google’s “Advanced Protection” program. It prevents your password from being changed with a PIN, but it requires you to use two physical security keys.