3 ways to protect yourself from ‘shoulder surfers’ (phone thieves who also steal your PIN)
Last month The Wall Street Journal reported on a recent trend in phone theft: Thieves in major cities are no longer simply snatching pricy smartphones—they want the users’ PINs, too. The reason? A stolen phone may fetch a nice payment on the black market, but the financial data locked behind your phone’s PIN can net tens of thousands of dollars more.
The main method a thief uses to learn a phone’s PIN, or passcode, is called “shoulder surfing,” which means that the thief literally observes the owner entering their phone’s PIN and then decides to grab that person’s phone. Once they snatch it, the thief can unlock it with the observed PIN, then change the PIN and even account passwords for the owner’s online services, thus locking the owner out of remote tracking of the stolen phone and eliminating their ability to remotely delete data from the stolen device. That PIN also lets the thief gain access to many financial apps on the stolen phone, which the thief can then use to transfer money from the victim’s accounts.
Shoulder surfers can target anyone, regardless of whether they use an iPhone or Android device, and particularly if they use a simple 4-digit PIN to unlock their phone, as most people do. But it’s 2023, and with the amount of personal data (health records, photos, notes, and messages) and financial data (bank apps, money transfer apps, photos of tax records or other financial statements) residing on our phones, protecting all that sensitive information with only a 4-digit PIN is asking for trouble.
Thankfully, there are easy ways built into the iPhone’s iOS and Android operating systems to help you protect your device from shoulder surfing. Here are three that you need to know.
1. When in public, use biometrics to unlock your phone, not a PIN code
While every phone asks you to set up a PIN code that unlocks the device, most also give you the option of gaining access via biometric authentication. Most iPhones, for instance, offer a facial recognition feature, called Face ID, or fingerprint recognition, called Touch ID, while nearly all Android phones offer fingerprint authentication and some offer facial recognition (though facial recognition on Android phones can be much easier to trick than on iPhones).
Regardless of which phone you have, you should always enable facial or fingerprint authentication and use such authentication to unlock your phone whenever you are out in public—whether that’s at a bar or in line for groceries. A thief can still snatch your phone, but they can’t steal your face or fingerprint to unlock the device, too.
To enable Face ID or Touch ID on an iPhone, go to Settings > Face ID/Touch ID & Passcode. To enable biometric authentication on Android devices, go to the Settings app and look under the Security section. The exact location of the fingerprint setup depends on which Android device you have (Samsung phones and Google Pixel phones, for example, each document their own steps).
2. Never, ever, use a numeric 4-digit PIN
Of course, even when you set up facial or fingerprint authentication, your phone will still have a PIN that can unlock the device. Since a PIN can be viewed and entered by a thief, and thus is much less secure than biometric authentication, you’ll want to make your PIN as secure as possible.
This means that you should never, ever use just a numeric 4-digit PIN. A numeric 4-digit PIN is inherently weak for a few reasons. One is that there are only 9,999 possible permutations, meaning someone with a lot of time on their hands could simply try every number between 0000 and 9999. Another is that a numeric 4-digit PIN is incredibly easy for a thief to observe and remember before they snatch your phone. Also, chances are you use the same PIN for your phone as you do for your debit card. If the thief snatches that, too, they could withdraw your cash from any ATM of their choosing.
If you do want your PIN to be solely numeric, at least choose a 6-digit one. This means that there are now 100 times the number of possible permutations—999,999—making it much harder for a thief to carry out a brute force unlock or to observe and remember your PIN in the first place.
To change your 4-digit PIN on an iPhone, go to Settings > Face ID/Touch ID & Passcode and tap Change Passcode, then tap Passcode Options and choose a 6-digit PIN. The steps to change your PIN on an Android device may vary slightly based on your phone, but the option will usually be found in the Settings app under the Lock Screen or Security settings.
3. For the most security, use an alphanumeric passcode
While a 6-digit PIN is vastly more secure than a 4-digit PIN, it’s not the most secure PIN option. That would be using no numeric PIN at all, and instead setting an alphanumeric passcode—a string of letters and numbers.
Alphanumeric passcodes are incredibly secure for a few reasons. First, because they can contain all the letters of the alphabet and the numbers 0 through 9 in any order or combination you want, they are incredibly hard to guess: there are billions of possible combinations. Second, because they use numbers and letters, the user needs to use the phone’s small keyboard (and not just a large numeric keypad) to enter the alphanumeric passcode. It’s much harder for a thief to track multiple tiny keystrokes that are hidden by your fingertips than it is to observe which big number buttons you tap on a traditional numeric PIN entry keypad.
Using an alphanumeric passcode is the most secure PIN option available on most smartphones. And remember, you won’t need to enter it every time you unlock your phone if you have biometric authentication enabled. But if you do need to enter the alphanumeric passcode in public, it will be much harder for the thief to observe and remember your code.
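As an added illustration that is not part of the original article, the Python script below puts numbers behind the comparison in sections 2 and 3: it computes the size of the guess space for each passcode type discussed (4-digit, 6-digit, and alphanumeric), the equivalent entropy in bits, and a rough average brute-force time. The guess rate of one attempt per second and the example alphanumeric lengths are constructed assumptions, not figures from the article; real phones throttle repeated attempts far more aggressively, so the times are an upper bound on how fast such guessing could go, not a prediction. The script generalizes the article's comparison to any alphabet size and length.

```python
import math

# Constructed assumption for a rough brute-force estimate (not a figure from
# the article): one guess per second, roughly what a throttled lock screen
# might permit. Real devices add escalating delays and optional data wipe,
# so real attempts are far slower than this toy model.
ASSUMED_GUESSES_PER_SECOND = 1.0

# Alphabet sizes for the passcode types discussed in the article.
ALPHABETS = {
    "digits": 10,                   # 0-9
    "lower+digits": 26 + 10,        # a-z plus 0-9
    "mixed+digits": 26 + 26 + 10,   # a-z, A-Z, 0-9
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of a given length over an alphabet.

    For 4 decimal digits this counts every code from 0000 through 9999.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent entropy in bits, assuming each symbol is chosen uniformly
    at random (a chosen birthday or repeated digit gives far less)."""
    return length * math.log2(alphabet_size)


def expected_brute_force_seconds(space: int,
                                 rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to find a uniformly random code by exhaustive guessing.

    On average the attacker succeeds after trying half of the keyspace.
    """
    return (space / 2) / rate


def compare_policies() -> dict:
    """Summarise the passcode policies the article discusses.

    The alphanumeric lengths (6 and 8) are example choices, not article figures.
    """
    policies = {
        "4-digit PIN": ("digits", 4),
        "6-digit PIN": ("digits", 6),
        "6-char alphanumeric": ("lower+digits", 6),
        "8-char alphanumeric, mixed case": ("mixed+digits", 8),
    }
    rows = {}
    for name, (alphabet, length) in policies.items():
        size = ALPHABETS[alphabet]
        space = keyspace(size, length)
        rows[name] = {
            "keyspace": space,
            "bits": round(entropy_bits(size, length), 1),
            "avg_days_at_assumed_rate": expected_brute_force_seconds(space) / 86400,
        }
    return rows


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:32} keyspace={row['keyspace']:>18,} "
              f"bits={row['bits']:>5} avg_days={row['avg_days_at_assumed_rate']:.3g}")
```

Running it shows why the article's advice scales the way it does: going from 4 to 6 digits multiplies the guess space by exactly 100 (about 6.6 extra bits), while a 6-character lowercase-plus-digits passcode already exceeds two billion possibilities, and each additional alphanumeric character multiplies the space again by the alphabet size rather than adding a fixed amount.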
To change your numeric PIN to an alphanumeric passcode on an iPhone, go to Settings > Face ID/Touch ID & Passcode and tap Change Passcode, then tap Passcode Options and tap Custom Alphanumeric Code, then choose the one you want. The steps to change your PIN to an alphanumeric passcode on an Android device may vary slightly based on your phone, but the option will usually be found in the Settings app under the Lock Screen or Security settings.