By John Gruber
Joanna Stern, writing for The Wall Street Journal (Apple News+ link for the story; YouTube link for the excellent video):
Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief.
I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it.
“I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.
According to the Minneapolis Police Department’s arrest warrant, Johnson and the other 11 members of the enterprise allegedly accumulated nearly $300,000. According to him, it was likely more.
Fascinating and remarkable interview. Humanizing, but Stern in no way absolves Johnson for his thievery. (Points to Johnson for honesty too: he mostly regrets getting too greedy.)
One aspect that struck me from Johnson’s description of his modus operandi is that it relied little on observing people surreptitiously to glean their device passcodes. Instead it was mostly pure social engineering. He’d make fast friends with a target in a bar and just talk his way into the target telling him their passcode, so he could show them his Snapchat account or whatever. He’d talk people into giving him what he needed. Never underestimate how much digital crime revolves around person-to-person social engineering.
I’m glad Apple is adding the new Stolen Device Protection feature in iOS 17.3 (currently in beta), but my main takeaway from this entire saga is that everyone, including Apple, needs to spread awareness that device passcodes need to be treated as holiest-of-holy secrets. You should protect your device passcode with as much care and secrecy, if not more, as you do your ATM card PIN. Use Face ID (or Touch ID), and if you ever find yourself needing to enter your device passcode in public — anywhere in public — find a private location to enter it, far from any prying eyes or cameras. If you keep your device passcodes secret, you’re safe. I’m sure enough about this that I don’t think I’m going to enable Stolen Device Protection, personally.
★ Wednesday, 20 December 2023