Greg Frasca has been locked out of his Apple account since October, and he’ll do just about anything to get back in.
He has offered to fly from Florida to Apple’s California headquarters to prove his identity in person, or write a check for $10,000 to reclaim the account. It holds the only copies of eight years of photos of his young daughters.
This is all because the thieves who stole Mr. Frasca’s iPhone 14 Pro at a bar in Chicago wanted to drain cash from his bank account and prevent him from remotely tracking down the stolen phone. They used his passcode to change the 46-year-old’s Apple ID password. They also enabled a hard-to-find Apple security setting known as the “recovery key.” In doing so, they placed an impenetrable lock on his account.
In February, we reported that thieves, often in and around bars at night, watch iPhone owners tap in their passcodes, then steal the targets’ phones. With this short four- or six-digit string, criminals can change the Apple account password and rack up thousands of dollars in charges using Apple Pay and financial apps.
Dozens of victims contacted The Wall Street Journal after the report was published, confirming similar crimes in at least nine U.S. cities, including New York, New Orleans, Chicago and Boston. Many are able to get their money back, but those locked out of their Apple accounts by thieves using the recovery key face a bigger challenge: finding a way through Apple’s complex policies and bureaucracy to retrieve their lost photos, contacts, notes, messages and other files.
Apple introduced the optional recovery key in 2020 to protect users from online hackers. Users who turn on the recovery key, a unique 28-digit code, must provide it when they want to reset their Apple ID password.
iPhone thieves with your passcode can flip on the recovery key and lock you out. And if you already have the recovery key enabled, they can easily generate a new one, which also locks you out.
Apple’s policy gives users virtually no way back into their accounts without that recovery key. For now, a stolen iPhone could mean devastating personal losses.
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesman said. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
The Switch That Locks You Out
Users activate the recovery key in security settings and store it in a secure place. If you ever lose or forget your Apple ID password, you contact Apple, which sends a verification code to your account’s trusted phone number and then asks for that recovery-key code.
If hackers get control of your phone number through a practice known as SIM swapping, the recovery key will protect you, because the hackers wouldn’t be able to produce it. Losing the key, as Apple warns on its website, means “you could be locked out of your account permanently.”
So long as you can access your iPhone, you can add or reset a recovery key without any extra credentials. Apple says this is a convenience measure. However, it also gives thieves easier access.
After Cameron Devine’s iPhone 13 Pro was stolen from a Boston bar in August, the 24-year-old said he spent hours on the phone with Apple customer support trying to regain access to over a decade of data. Each representative told him the same thing: No recovery key, no access. Mr. Devine said he had never heard of the key, let alone set one up.
The People vs. Account Recovery
“Account recovery is a huge challenge for the industry,” said Andrew Shikiar, executive director of the FIDO Alliance, a nonprofit that governs security standards implemented by Apple and others. The main issue for tech companies is being able to validate users’ identities when they forget a password, can’t access their two-factor authentication methods, or lose their devices, he said.
Companies such as Uber are using facial recognition to match selfies to government IDs for verification. “Not everyone is going to be OK with doing a face scan,” Mr. Shikiar said.
LinkedIn recently announced workplace and ID verification through a partnership with Clear, the company known for expedited biometrics-based screening for air travelers. Instagram asks some users to upload video selfies to confirm their identity. On Tinder, users upload a driver’s license or passport to verify their age. Banks use many signals to protect app logins and transactions.
Many victims have offered Apple their passports, driver’s licenses and other forms of identification to prove ownership of their accounts. In a letter to Apple, Mr. Frasca offered to undergo a DNA test or retina scan. Apple says it doesn’t have any such records on file, because of privacy concerns. He and many others are baffled that there isn’t another way to prove their account ownership.
There are other, less privacy-compromising methods Apple could still rely on in lieu of a recovery key.
If someone takes over your Google account, Google’s password-reset process lets you provide a recovery email, phone number or account password, and you can use them to regain access later, even if a hijacker changes them.
Going through the process on a familiar Wi-Fi network or location can also help demonstrate you’re who you say you are. A Google spokesman recommended setting up a recovery phone number and email address in account settings before disaster strikes.
Terry Allen’s iPhone 13 Pro was stolen in New York in August. His account contained precious photos, including some of his young nephew.
After months of calls to Apple customer support and letters to the company about how the thieves had his 28-digit recovery key, he said he finally reached a representative who was willing to do more. Once Mr. Allen answered additional verification questions, Apple disabled the recovery key, he said. He then reset his password, regaining access to the account.
Mr. Allen said he uses some Apple business services, which might explain why he was able to recover his account. Apple declined to comment on Mr. Allen’s situation and why others haven’t been able to get into their accounts.
“I just got lucky,” said the 35-year-old Mr. Allen, who now backs up his photos to an additional service.
What You Can Do
There are ways to prevent thieves with your passcode from turning on a recovery key. Read our complete guide to protecting your data in case of theft. Here are two moves in particular to try:
Set a complicated passcode. You should always try to use Face ID when in public, but when you can’t, rely on an alphanumeric passcode, which includes letters and numbers. To set it up, go to Settings > Face ID & Passcode > Change Passcode. When selecting a new passcode, tap Passcode Options.
Use parental controls on yourself. Apple’s Screen Time—which lets parents place limits on their children’s accounts—can also help you protect your Apple account. But you have to enable a Screen Time passcode. (Remember to make that passcode different from your iPhone’s.)
In Settings, go to Screen Time and scroll down to set a passcode, if you haven’t already. Then go to Content & Privacy Restrictions, and toggle on Content & Privacy Restrictions. Scroll down to Allow Changes, then tap on Account Changes and select Don’t Allow.
This article was originally published in The Wall Street Journal on April 19, 2023, and written by Nicole Nguyen and Joanna Stern. Image courtesy of WSJ.
Spectrum Wealth Management, LLC is an investment adviser registered with the U.S. Securities and Exchange Commission. Registration does not imply a certain level of skill or training. Additional information about Spectrum’s investment advisory services is found in Form ADV Part 2, which is available upon request. The information presented is for educational and illustrative purposes only and does not constitute tax, legal, or investment advice. Tax and legal counsel should be engaged before taking any action. The opinions expressed and material provided are for general information and should not be considered a solicitation for purchasing or selling any security.