Here’s the heist: the perpetrator watches you (with eyes or camera) as you enter a code to unlock your iPhone. He/she/they then steals your phone, uses your code to unlock it, and further deploys your code to lock you out of your Apple account (so you can’t wipe the phone remotely), capping off the caper by using the passwords you’ve stored on your phone to empty your bank accounts.
I read about this emerging crime pattern in the Wall Street Journal, and was duly disconcerted: it’s the New York Times to which I generally turn when I’m in the mood for a good panic. Because I use my phone for everything, and because I have plans for my bank deposits that do not include bequeathing them to persons with criminal intent, I carefully read the second half of the article, in which readers were advised of steps to take in order to avoid this particular hazard.
And then I did those things. Or at least – I tried.
The first recommendation involved changing your numeric passcode to an alphanumeric code – something like 2H$?O,;8@hRE!7&q, which nobody could ever possibly guess (or perhaps remember), and which would, according to this article, be harder for a participant in the extra-legal economy to observe and record correctly.
Which is almost certainly true! When you are entering a numeric code, you have only ten potential characters, and you get this screen:
While when you entering an alphanumeric code, you get this one:
With smaller targets it is easier to make a mistake, especially in a long complex string, as I learn one day soon after my anti-fraud password upgrade. I am on the T, hoping to check walking directions that will guide me once I disembark. There is an infelicitous match between the size of my finger pads and the itty-bitty keyboard, especially with the shaking of a moving subway car. Additionally, typing a complex alphanumeric code with a few punctuation marks involves shifting between several keyboards, which slows me down considerably. In the end, over the course of three or four minutes, I re-enter my code five times. By the final time I am going very, very slowly, and mouthing each letter as I type; thinking, as I do, that this is perhaps not the most effective fraud-prevention strategy. After failed attempt #5, my phone takes the obvious anti-fraud step of locking me out for ten minutes, which should be enough time for the Real Laurie to alert the authorities. (What Real Laurie actually does with that ten minutes is to get good and lost, since she can’t open GoogleMaps.)
But fear not! There are other self-protective measures, such as two-factor authentication. If someone tries to use your identity to log into one of your accounts, that account will send a verification code through another channel, either a text message or an authentication app. So if an individual who has opted out of prevailing beliefs about property rights should happen to swipe your phone and use it to try to log into your bank account, the bank will take the precautionary measure of sending a unique, one-time code: to your phone.
Finally, the WSJ advises using face recognition instead of code to open your phone in public spaces, whenever possible. Makes total sense. It doesn’t work if you’re wearing a mask, though. You surely have your own preferences about such things; but these days, for the most part, I only wear masks on crowded buses and subway cars. These are places I’m also likely to turn to my phone for directions, or to check messages or the news. Of course, crowded public transit also seems a particularly promising location for someone looking to advance a career in the growing field of code-copying/phone snatching. So what do you consider the bigger threat: identity theft? Viral infection? Or boredom? (For me, fear of boredom trumps all, every time.)
Look: identity theft, like COVID, is just part of the background these days. In 2020 and 2021, people in two different states, distant from my own, applied for pandemic-related unemployment relief in my name. In addition to phishing, there is now vishing and smishing. Malefaction entrepreneurs can attach readers to credit card machines and even to USB ports in airports or hotels to steal your data while you’re charging up. And don’t think you can escape the threat just by shutting off electronics and returning to paper – oh, no! Apparently someone can rig up a good round of identity theft just by rifling through your mail. (Although anyone rifling through my mail will mostly learn that, despite the fact that my mother has been dead for three years, the Sarasota Opera Company still expects her to renew her annual subscription.)
Here is my proposal: if you want to steal my identity, I think you should take on the WHOLE THING. I’m talking myopia, bad knees, poor proprioception, occasional social anxiety. Remembering that the car needs a new inspection sticker: that’ll be on YOU. While you’re at it, you can also pick up the dry cleaning, file quarterly tax payments, write those overdue thank you notes, water the plants, and re-order a six-month supply of contact lenses. The whole to-do list! It is not short.
You’ll find it on my phone.