iPhone, Android feature opens security hole that could let someone steal your account

You can change your Apple ID or Google account password using your smartphone's passcode -- now thieves are taking advantage of that

For all the talk of security, iPhones and Android smartphones are both vulnerable to a surprisingly low-tech hack that could leave you locked out of your Apple or Google account, with no access to your device-finding tools or your data.

The low-tech hack in question? Thieves just need your smartphone passcode and your smartphone. Both iOS and Android have built-in features that let users change the password for their Apple ID or Google account with just the PIN or passcode used to unlock their phone.

The Wall Street Journal detailed the low-tech hack in a recent report, noting that the feature is intended to make it easier for people to change their account passwords. It works because your smartphone is considered a trusted device.

Moreover, the WSJ shared several accounts of this happening to people, revealing just how easy it can be. Someone snooping over your shoulder could see you tap in your PIN. Then if they steal your smartphone, they could use the PIN to change your Apple ID or Google account password. Once changed, the thief would have access to a trove of personal data and the account owners would effectively be locked out. Even worse, the thief could take advantage of the option to force sign out all devices tied to that account, locking victims out of their accounts on other devices they have.

Coupled with the apps many people have on their phones, thieves could potentially do a lot of damage. The WSJ cited several cases of victims having their bank accounts drained by thieves who took their phones, not to mention the thieves would have access to Apple Pay or Google Pay to make purchases. Some victims reported that Apple Cards were opened in their name and used by thieves.

Finally, with access to the Apple or Google account, the thieves can disable security tools for locating missing devices, ultimately enabling them to wipe and resell the stolen phones.

How to protect yourself

Obviously, all of the above is quite concerning for smartphone owners. Thankfully, there are a few ways people can protect themselves. Most of the advice boils down to avoiding using your passcode in public and relying on biometrics like Face ID or fingerprint unlock instead, though it’s worth noting that there are issues with these unlock methods as well. You can also avoid sharing your passcode and be careful about when you enter it into your phone.

Beyond that, you can strengthen your passcode by making it longer or by switching it to a password instead. Either of these could make it harder for someone to steal by watching you unlock your phone.

Moreover, it’s worth being careful about how you use apps on your phone. For example, don’t enable PIN unlocks for things like your bank app or your password vault. It’s less convenient, but it could hamper a thief’s ability to gain access to sensitive data if they have your passcode.

Source: The Wall Street Journal. Via: 9to5Google.