How Shoulder Surfing Can Compromise Your Apple ID and Private Data

Apple typically has robust security, so even if you lose your iPhone, iPad, or Mac, your account wouldn’t necessarily be compromised immediately. However, a new type of attack could side-step Apple’s protections—shoulder surfing.

So, what is shoulder surfing? And can you protect yourself against this threat?


What Is Shoulder Surfing?

There’s always a chance that someone can look at the information you’re typing whenever you’re in public. Whether you’re typing your password or PIN, replying to someone else, or simply reading confidential information, someone can look over your shoulder and memorize whatever they see on your smartphone, tablet, or computer screen.

These attacks are often targeted because attackers need more than just your PIN to profit from your information. They would need your physical device—like your phone or credit card—or more information, like your username, to successfully steal from you.


However, it can also happen randomly to a target of opportunity, usually when someone is careless with their information and devices. That’s because stealing from someone who isn’t careful about their surroundings is easier.

How Shoulder Surfing Attacks Compromise Your Apple ID

While Apple has taken several steps to discourage stealing iPhones and other Apple devices, criminals will still find ways to earn money illicitly. Here’s how they use shoulder surfing to compromise your Apple ID and more.

The first thing bad actors do is find a target—usually someone using their iPhone with the screen within their easy view. They would either hang about or even befriend the victim. As the target uses their phone, the attacker would wait until they input their PIN in sight. They would then memorize that for use later on.


Once they know your PIN, they’d usually have an accomplice to do the actual stealing. This could be by pickpocketing the target, snatching the phone directly from their hands when they leave the establishment they were in, or even by mugging them in the parking lot.

With your iPhone and PIN in the hacker’s hands, it’s game over. Because they have your PIN, they can access your phone and do a lot of damage. That’s because they can access your Apple ID and change its password simply by knowing your PIN and accessing your iPhone.


Even if you use Apple Passkey, the way Passkeys work means they would have access to all your accounts if they manage to gain control of your iPhone. Even your accounts protected by two-factor authentication, either through app or SMS, are compromised.

That’s because your authenticator app is probably installed on your iPhone, and the one-time password your other accounts will text you will also land in your Messages inbox. What’s worse is that if you have a password manager, which is already one of the smartest and safest ways to store your passwords, and the same iPhone PIN protects it, they might have access to all your accounts too.


How to Protect Your iPhone and iPad Against Shoulder Surfing

So, how do you protect yourself from these nefarious actors? How do you ensure that your accounts remain safe even if someone mugs you and forces you to hand over your PIN?

1. Be Careful When Using Your iPhone in Public Places

Whether you’re in a hotel lobby, a bar, or on a bus, avoid using your phone if you don’t need to. This reduces the chance that you become a target. After all, criminals won’t target someone they aren’t sure will net them a good payout.

If they don’t see that you’re a viable target, they won’t waste their time on you. Furthermore, the less you use your phone, the fewer chances they’ll see your PIN.

2. Use FaceID or TouchID

To reduce the need for entering your PIN, set up FaceID or TouchID. And if your phone requires you to enter your PIN, always do it out of sight of everyone.

3. Protect Your iPhone With Screen Time

Another way to secure your phone is to use Screen Time to add a second layer of defense to your iPhone or iPad. Here’s how to set up Screen Time for additional security:

Enter your nominated Screen Time passcode twice. Then, in the Screen Time Passcode Recovery, you may input your Apple ID and password to have the ability to reset your Screen Time Passcode if you forget it. You can press Cancel to skip linking your Apple ID, but you won’t be able to restore your Screen Time Passcode if you forget it.

Optionally, you can also set Cellular Data Changes to Don’t Allow and Location Services and Share My Location to Don’t Allow Changes to ensure you can always locate your phone.

With that, no one can change your Passcode and Account details without entering your secondary PIN and turning off Content & Privacy Restrictions.

To make changes to your account, go back to Settings > Screen Time > Content & Privacy Restrictions. Turn off the Content & Privacy Restrictions toggle, then make the necessary changes. Don’t forget to reactivate it to ensure your account remains secure.

Also, if you have a password manager app that uses your phone’s FaceID or TouchID, ensure it can’t be unlocked with your primary PIN. If it can, we highly recommend you use a secondary PIN to access it for better security.

What Should You Do if You Lose Your Phone or Tablet?

While following the precautions above will help protect you from loss, there are times when losing a phone is unavoidable. As Apple Insider reported, even an Apple engineer working on the iPhone 4 prototype in 2010 misplaced the device. That shows that losing a phone can happen to anyone—maybe unless you’re the president or the Apple CEO.

So, this is my advice for you as a former bank employee:

Keep these things in mind so you can limit the damage any potential hacker can do to you if you lose your phone.

Secure Your iPhone and Your Data, Even if Someone Discovers Your PIN

Most mobile devices are so powerful, you’re able to run your life from them. However, it also means you’re vulnerable if you lose any of them and someone with the technical know-how accesses your accounts.

Protect yourself by being aware of your surroundings, using layered security, and being proactive if you lose any of your devices.
