Nicole Nguyen and Joanna Stern of The Wall Street Journal released a report today highlighting how thieves can use the extra security option of Apple’s Recovery Key to permanently lock iPhone users from their Apple ID accounts.

As reporters first announced in February, there has been an increase in thieves who publicly snoop on an iPhone user’s password and then steal the device to gain broad access to the device and its content, including financial apps. All the victims interviewed in the initial report said their iPhones were stolen while they were chatting at night in bars and other public places.

A thief who knows the iPhone’s password can easily reset the victim’s Apple ID password from the Settings app, even if Face ID or Touch ID is enabled. A thief can then disable Find My iPhone on a device, preventing the owner from tracking its location or remotely wiping the device via iCloud.

Today’s report focuses more on an additional step thieves can take: using a stolen device to install or reset a recovery key, a randomly generated 28-character code required to regain access to an Apple ID after activation.

“Apple’s policy makes it nearly impossible for users to get back into their accounts without a recovery key,” the report said. With full access to a stolen iPhone, device password and Apple ID password, thieves can steal money, view sensitive information like photos and emails, and more via Apple Pay and possibly other banking apps.

Apple’s website warns that losing access to both your trusted devices and your recovery key means “permanently denied access to your account.” But in this scenario, thieves spying on iPhone passcodes before stealing the devices means victims would have to potentially lose their device to be locked out forever. The report serves as a valuable reminder to password-protect your iPhone in public.

Apple responds

In a statement released in response to the report, Apple said it is “always investigating additional protections against new threats like this.”

“We sympathize with people who have had this experience and take all attacks on our users very seriously, no matter how rare,” he said. The Wall Street Gazette Representative of Apple. “We work tirelessly every day to protect our users’ accounts and data, and we’re constantly looking for additional protections against new threats like this one.”

How are you protected?

iPhone users should use Face ID or Touch ID in public places as often as possible to prevent thieves from snooping on their passwords. In situations where password entry is required, users can hold their hands on the screen to hide the password entry.

The report also recommends that users change from a four-digit password to an alphanumeric one, which will be more difficult for thieves to eavesdrop. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

To protect your bank account, try saving your password to a password manager that does not contain your device’s password, such as 1Password. According to the report, users can enable Screen Time parental controls to further lock their devices.