It seems Apple's specialists meant well, but it turned out the way it always does...
The recent surge in iPhone thefts in the US and other countries has shown how vulnerable Apple devices are to criminals when they are used in public. At the end of February we already wrote that the simple passcode used to unlock an Apple device is the most powerful tool a thief can have: once the phone and its passcode are in the wrong hands, every other security measure on it can be bypassed.
The scammers, however, have gone further and learned to turn yet another Apple security feature to their advantage. A recent Wall Street Journal report cites the case of Greg Fraska, an American iPhone user who has been locked out of his own Apple account since October of last year. Thieves stole his iPhone 14 Pro in a Chicago bar after watching him enter his lock screen passcode. That passcode alone let them change the password of his Apple ID and enable a little-known security feature called the Recovery Key, after which the account, with all the sensitive data in it (contacts, messages, photos and so on), was entirely in the criminals' hands.
The Recovery Key is a security feature that the Cupertino giant introduced in 2020 as an extra layer of protection against intruders. It is a randomly generated 28-character code; once it is enabled, Apple's normal account recovery is switched off and the key (or a trusted device) is required to reset the Apple ID password or regain access to the account. Few people use it, because a user who loses the key and later needs to reset their password risks being locked out of their profile on all their devices, with no way for Apple to help. That is exactly what the thieves exploit: they set a key that only they know, and the rightful owner is cut off. But as recent cases show, even without a configured recovery key the lock screen passcode alone is enough to take over an account.
Admittedly, these are rare cases: Face ID or Touch ID did not work, and the victim typed the passcode right in front of the attacker. But it is perfectly possible. To avoid the same fate, do not enter your passcode in front of other people at all, or at least use a long, unique code (iOS allows a custom alphanumeric passcode instead of digits) that is harder to shoulder-surf and memorize.
Another option is to set up the Recovery Key yourself in advance, write it down on physical media, even a sheet of paper, and keep it somewhere nobody else can reach. The main thing is not to forget later where you put it. Bear in mind, though, that the recovery key settings sit behind the same device passcode that let the thieves in the case above turn the feature on, so a pre-set key is mainly insurance against being locked out of your own account rather than a barrier to a thief who already knows the passcode.
Another, more robust method is to use Screen Time, the feature normally used for parental controls. Go to "Settings" -> "Screen Time" -> "Use Screen Time Passcode" and set a passcode that is different from the lock screen passcode. Then open "Content & Privacy Restrictions" on the same settings page and turn it on with the toggle at the top. Finally, scroll down to the "Allow Changes" section, tap "Account Changes" and select "Don't Allow". After this the Apple ID settings on the device are greyed out, and anyone who wants to change the Apple ID password from the phone must first enter the Screen Time passcode.
The last option, which can help wrest the account back from the scammers, is to set up a recovery contact in advance: a trusted person through whom the password can be reset. This is done in "Settings" -> your name -> "Password & Security" -> "Account Recovery" -> "Recovery Contact". If the worst happens, the trusted contact can generate a recovery code that lets the rightful owner reset the password and regain the account.
Judging by all this, the tech industry has yet to find the right balance between convenience and security, one that protects user accounts without compromising privacy. Until it does, we will have to make do with the protective measures we have.