Apple typically has robust security, so even if you lose your iPhone, iPad, or Mac, your account wouldn't necessarily be compromised immediately. However, a new type of attack could side-step Apple's protections—shoulder surfing.

So, what is shoulder surfing? And can you protect yourself against this threat?

What Is Shoulder Surfing?


There's always a chance that someone can look at the information you're typing whenever you're in public. Whether you're typing your password or PIN, replying to someone else, or simply reading confidential information, someone can look over your shoulder and memorize whatever they see on your smartphone, tablet, or computer screen.

These attacks are often targeted because they need more than just your PIN to gain from your information. They would need your physical device—like your phone or credit card—or more information, like your username, to successfully steal from you.

However, it can also happen randomly to a target of opportunity, usually when someone is careless with their information and devices. That's because stealing from someone who isn't careful about their surroundings is easier.

How Shoulder Surfing Attacks Compromise Your Apple ID

While Apple has taken several steps to discourage stealing iPhones and other Apple devices, criminals will still find ways to earn money illicitly. Here's how they use shoulder surfing to compromise your Apple ID and more.

The first thing bad actors do is find a target—usually someone using their iPhone with the screen within their easy view. They would either hang about or even befriend the victim. As the target uses their phone, the attacker would wait until they input their PIN in sight. They would then memorize that for use later on.

Once they know your PIN, they'd usually have an accomplice to do the actual stealing. This could be by pickpocketing the target, snatching the phone directly from their hands when they leave the establishment they were in, or even by mugging them in the parking lot.


With your iPhone and PIN in the hacker's hands, it's game over. Because they have your PIN, they can access your phone and do a lot of damage. That's because they can access your Apple ID and change its password simply by knowing your PIN and accessing your iPhone.

Even if you use Apple Passkey, the way Passkeys work means they would have access to all your accounts if they manage to gain control of your iPhone. Even your accounts protected by two-factor authentication, either through app or SMS, are compromised.

That's because your authenticator app is probably installed on your iPhone, and the one-time password your other accounts will text you will also land in your Messages inbox. What's worse is that if you have a password manager, which is already one of the smartest and safest ways to store your passwords, and the same iPhone PIN protects it, they might have access to all your accounts too.

How to Protect Your iPhone and iPad Against Shoulder Surfing

So, how do you protect yourself from these nefarious actors? How do you ensure that your accounts remain safe even if someone mugs you and forces you to hand over your PIN?

1. Be Careful When Using Your iPhone in Public Places


Whether you're in a hotel lobby, a bar, or on a bus, avoid using your phone if you don't need to. This reduces the chance that you become a target. After all, criminals won't target someone they aren't sure will net them a good payout.

If they don't see that you're a viable target, they won't waste their time on you. Furthermore, the less you use your phone, the fewer chances they'll see your PIN.

2. Use Face ID or Touch ID

To reduce how often you have to enter your PIN, set up Face ID or Touch ID. And when your phone does require your PIN, always enter it out of everyone's sight.

3. Protect Your iPhone With Screen Time

Another way to secure your phone is to use Screen Time to add a second layer of defense to your iPhone or iPad. Here's how to set up Screen Time for additional security:

  1. Go to Settings > Screen Time.
  2. Tap Use Screen Time Passcode to add a PIN. Ensure that you use a different PIN from what you use on your device.

Enter your chosen Screen Time passcode twice. Then, under Screen Time Passcode Recovery, you can enter your Apple ID and password so you can reset your Screen Time passcode if you forget it. You can tap Cancel to skip linking your Apple ID, but then you won't be able to recover your Screen Time passcode if you forget it.

Then:

  1. After setting your Screen Time Passcode, tap on Content & Privacy Restrictions.
  2. In the Content & Privacy Restrictions page, turn on Content & Privacy Restrictions.
  3. After that, swipe down to Allow Changes. Ensure that Passcode Changes and Account Changes are set to Don't Allow.

Optionally, you can also set Cellular Data Changes to Don't Allow and Location Services and Share My Location to Don't Allow Changes to ensure you can always locate your phone.

With that, no one can change your passcode or account details without first entering your secondary PIN and turning off Content & Privacy Restrictions.

To make changes to your account, go back to Settings > Screen Time > Content & Privacy Restrictions. Turn off the Content & Privacy Restrictions toggle, then make the necessary changes. Don't forget to reactivate it to ensure your account remains secure.

Also, if you have a password manager app that unlocks with your phone's Face ID or Touch ID, check that it cannot also be opened with your primary device PIN. If it can, we highly recommend setting a separate PIN for the password manager for better security.

What Should You Do if You Lose Your Phone or Tablet?


While following the precautions above will help protect you from loss, there are times when losing a phone is unavoidable. As Apple Insider reported, even an Apple engineer working on the iPhone 4 prototype in 2010 misplaced the device. That shows that losing a phone can happen to anyone—maybe unless you're the president or the Apple CEO.

So, this is my advice for you as a former bank employee:

  1. Block all online access to your banking accounts if you lose your phone. That way, even if someone cracks your phone security, your funds are inaccessible online. If you don't know how to do this, contact your bank's hotline—and only your bank's hotline.
  2. Log out of all your social media accounts remotely to ensure that the people who stole your phone can't use it to scam your contacts.
  3. Change the passwords for the following accounts as soon as you can access your computer. All these accounts are typically accessed through your phone, so changing their passwords is simply prudent. If bad actors gain control of any of these accounts, they could do real damage to you and your finances:
     - All online banking and finance access.
     - All your email addresses logged into your missing or stolen phone.
     - All your social media accounts.
  4. Wipe your iPhone remotely using Find Devices on iCloud, but don't remove your lost iPhone (or iPad) from your iCloud account.

Keep these things in mind so you can limit the damage any potential hacker can do to you if you lose your phone.

Secure Your iPhone and Your Data, Even if Someone Discovers Your PIN

Most mobile devices are so powerful that you can run your life from them. However, that also means you're vulnerable if you lose one and someone with the technical know-how accesses your accounts.

Protect yourself by being aware of your surroundings, using layered security, and being proactive if you lose any of your devices.