No, a stolen iPhone isn’t a brick: How thieves access your data


Maybe you’ve heard that a stolen iPhone is nothing more than a brick. Stop and read this. It may save you a whole lot of grief and panic.

Perhaps you feel as if your data is safe.

  • You have a password and it’s not 123456.
  • You have find my iPhone.

 

Allow me to burst your bubble by telling you what happened to me and why it could have been WAY worse. Also, turn off Siri right ###ing now. If you cannot bear to part with it, turn it off when locked. Go to Settings, then Siri and Search. Turn off answering when locked.

HOW THIEVES ALMOST GOT AWAY WITH EVERYTHING

On Thursday, when I got off the subway I noticed the side of my bag was unzipped. I didn’t see my phone but my credit card and money were still in the pocket so I didn’t think I was robbed. I just figured I’d thrown it in with my computer. When I got home, I emptied my bag and still couldn’t find it. I used find my iPhone and saw it was 7 miles away. So, I put it in lost mode.

Keep this in mind: the thieves had my phone for an hour at most before I noticed and locked it.

After I contacted people from my office and made sure I hadn’t left it there, I erased it.

HOW SIRI IS YOUR ENEMY

In the meantime, the thieves had gotten into my Yahoo email and my Facebook page. How did they do that?

Because when you get your phone and you don’t disable this, Siri will answer when your phone is locked. Say,

“Siri, what’s my phone number? Siri, what’s my email?”

…. and Siri will tell you.

So, now the thief has your phone, your phone number and your email. TURN OFF SIRI NOW!

I never would have thought the default setup would have such a huge security flaw.

It gets worse.

Now the thief goes to Yahoo, enters your email and clicks “Forgot my password.” They have the reset sent to your phone and then they reset the password. Guess what? The default is that messages show up on locked iPhones, so they get the message and enter a new password. Now, they have your email and your password and your phone.

Next, they go to Facebook and log in using that email. They say that they have lost the password and have the password reset code sent to your iPhone or email they have stolen.

Now the thief has your email, Facebook, phone and phone number.

By this time, it had maybe been a few hours. I had figured out what they were doing, ERASED my iPhone using the Find my iPhone app, deleted the Yahoo email from my Facebook and changed the phone number on my Yahoo account.

WATCH OUT FOR PHISHING EMAILS CLAIMING TO HAVE YOUR PHONE

This is where disaster really could have happened. So, I’m back in the office on Friday trying to do a million things plus reset my password on everything, handle things that come up every day with two companies in two countries, and in one of my company accounts I get a message from “Find my iPhone”. It looks legit. It says we’ve found your iPhone. It gives the model of iPhone, storage. How would a thief know that? If you think about it, duh, they have my iPhone. But I’m thinking someone jacking iPhones on the subway certainly doesn’t have the skills to create something this professional. So, I click on it. Nothing happens. Thank God for my internet provider that strips out malicious code.

What this was supposed to have done was take me to a page that asked for my Apple ID and password to prove I was me. I might have done it, too. I’m staying with my ISP for life now.

After I switched phones, I got the same message in a text to my new phone number. I can only guess that either a) they were still logged in when I changed it or b) they searched for me on Google.

!!!!! These were not some gifted thieves. There are actually SERVICES that do this for them! Want to get the Apple ID and password of a person whose phone you’ve stolen? Send them all of the info you have and they will create the fake email and text messages!

EVEN IF YOUR PHONE IS DISABLED, THEY STILL HAVE YOUR SIM CARD

They can (and did) swap that into another phone so not only can they use that phone to make calls and send text messages, charged to you, of course, they also will receive any calls, messages or FaceTime intended for you. If you have not disabled charging to your phone, they can charge any premium services to it and this will show up on your phone bill. When I thought of it two days later, Dennis disabled the account with ATT and he got a message that it was now disabled on a Huawei phone, which is not sold in the US but very popular in Chile.

HERE IS WHAT I DID WRONG BEFORE MY PHONE WAS STOLEN

Obviously the Apple default is a huge security flaw. I should have disabled Siri as I never use it and also disabled messages showing on lock mode. (NOTE: Some people contacted me and said it was not set up by default to answer when locked on their phones. It was set that way on both of my phones and I cannot imagine any reason I would have done it since I never use Siri. Check your phone!)

Ironically, I had the Yahoo account on my Facebook account thinking it gave me EXTRA security. I hadn’t really used that account in years.

It was possible to reset my Yahoo account from a phone, so if someone had my phone they could get access to my email.

HERE IS WHAT I DID RIGHT

I had a second email account that could NOT be reset from a phone. I used that to lock the thief out before they thought of removing it.

When I changed the password and phone associated with my email and Facebook I picked “Log me out of other devices” so if they were logged in somewhere else they couldn’t just change it back.

My phone does not allow purchases so even when someone had my SIM card they could not use it to buy anything. We turned this off with ATT years ago.

None of my bank information is written down anywhere, not passwords, accounts, SSN, nothing. I memorized them. Logins for things like that software I bought five years ago and the license are written down, or for that stupid forum on blogs. These are not used for anything important.

Any information that might be important is recorded like this:

Password- same as for that computer we used to have in the living room

Had an Internet service provider that stripped out the script on the phishing email and saved me from a huge mistake.

Called ATT to block the number so no one else could use the SIM card.

My social media accounts are not connected. Getting into my Facebook doesn’t allow you access to my Instagram, Twitter or anything else. Whenever Facebook asks to connect to anything I say No.

There is very little information in my social media profiles and some of what has been put there automatically by Facebook is wrong. So, if anyone was hoping to use the information they got for identity theft they are out of luck.

WHAT SHOULD YOU DO NOW?

At the very least, this second, disable Siri when locked and turn off notifications when locked.

Turn off purchases from your phone.

Turn off resetting your password from a phone.

Disconnect social media accounts from each other so if someone has one account they don’t have all of them.

And for the love of God quit believing that bullshit that a stolen iPhone is no more than a brick!
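The steps above all cut account-recovery paths that start at the phone. As an added example (not part of the original post), this Python model works out which accounts a thief holding the locked phone could reset, including resets that chain through a mailbox that has already fallen. The account names, their recovery settings and the rule that the thief learns your number and email only from Siri are assumptions made for illustration.

```python
def exposed_accounts(accounts, phone):
    """List the accounts a thief holding the locked phone can reset, in order."""
    # Simplifying assumption taken from the post: the thief learns the owner's
    # phone number and email address only by asking Siri on the lock screen.
    if not phone["siri_when_locked"]:
        return []
    # SMS reset codes can be read as lock-screen previews, or on another
    # handset for as long as the carrier has not blocked the SIM.
    channels = set()
    if phone["notifications_when_locked"] or not phone["sim_blocked"]:
        channels.add("sms")
    fallen = []
    changed = True
    while changed:  # fixed point: every mailbox that falls opens further resets
        changed = False
        for name, recovery in accounts.items():
            if name not in fallen and channels & set(recovery):
                fallen.append(name)
                channels.add("email:" + name)
                changed = True
    return fallen


# Constructed sample data modelled on the accounts described in the post.
DEFAULT_PHONE = {"siri_when_locked": True, "notifications_when_locked": True,
                 "sim_blocked": False}
AS_STOLEN = {
    "facebook": ["sms", "email:yahoo", "email:second_email"],
    "yahoo": ["sms"],
    "second_email": [],                    # cannot be reset from a phone
    "instagram": ["email:second_email"],   # not connected to Facebook
}
# Phone number removed from Facebook only: Yahoo still chains into it.
HALF_FIXED = dict(AS_STOLEN, facebook=["email:yahoo", "email:second_email"])
# Phone-based resets off everywhere and the old Yahoo address removed.
HARDENED = dict(AS_STOLEN, facebook=["email:second_email"], yahoo=[])

if __name__ == "__main__":
    for label, accounts in [("as stolen", AS_STOLEN), ("half fixed", HALF_FIXED),
                            ("hardened", HARDENED)]:
        print(label, "->", exposed_accounts(accounts, DEFAULT_PHONE))
    # Hiding previews alone does not help while the SIM still works elsewhere.
    previews_off = dict(DEFAULT_PHONE, notifications_when_locked=False)
    print("previews off ->", exposed_accounts(AS_STOLEN, previews_off))
```

To audit your own setup, replace the sample dictionaries with your real accounts and the recovery options each one actually offers.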


2 thoughts on “No, a stolen iPhone isn’t a brick: How thieves access your data”

  • Susan Slaughter

    AnnMaria,

    “Allow Siri When Locked” was turned on for my phone–by default! So you are not the only one. It is now turned off on my phone!

    I also deleted myself from my contacts. Now when I ask Siri “What’s my phone number?” (after unlocking my phone), Siri says “I don’t know who you are.” I don’t know if this will have any unintended consequences, but I’m trying it for now because I realized that I don’t want it to be obvious that I own this phone. I know my phone number so there is no reason for me ever to ask Siri that.

    Thank you for a very important blog!

    Susan