Protecting your iPhone against shoulder surfing password theft

Edit: There is currently no known way to defend against this attack.

The Wall Street Journal recently covered a low-tech theft scheme for stealing money from iPhone users that’s quickly gaining popularity.

The basic premise of the theft works like this:

  1. The victim’s iPhone passcode is observed, either by shoulder surfing or social engineering.
  2. The iPhone is stolen.
  3. The iPhone passcode is used to reset the Apple ID password.
  4. The victim is then remotely logged out of their other devices so that the stolen iPhone cannot be remotely wiped.
  5. The credentials are then used to steal money via banking accounts logged in on the device, Apple Pay, etc. Since the passcode can be used as a fallback for Face ID and Touch ID, every app that doesn’t use a separate passcode or similar is susceptible.

Update: There is currently no way to defend against this attack. Previously, using Screen Time restrictions was recommended as a possible remedy; however, it turns out that Screen Time suffers from a similar vulnerability.

Even though it can be hard to protect against steps 1 and 2, there is a simple way to block step 3 and so limit the further damage that follows from it:

  1. Go to Settings → Screen Time.
  2. Turn on Screen Time if not yet enabled.
  3. Turn on Use Screen Time Passcode and use a different code than your iPhone passcode.
  4. Go to Content & Privacy Restrictions.
  5. Set Passcode Changes and Account Changes to Don’t Allow.

This ensures that even if someone has access to your device and knows your iPhone passcode, they cannot access or change Apple ID settings and inflict further damage.