Experienced phone thieves no longer look for expensive smartphones just to sell them, but "hunt" wealthy owners to empty their bank cards registered to the phone. Here's how the "scheme" works.
Out of convenience or habit, smartphone owners rarely set a hard-to-guess password to unlock the screen. But even those who do not neglect this stage make another mistake at least as serious, for convenience disabling the PIN code usually required to connect the SIM card to the mobile network.
So, if a phone thief can't directly access your bank card-enrolled mobile apps, then the "peeped" pictures stored on the unencrypted storage could be a good pretext for blackmail . The well-determined criminal only has to discover and finally access/hijack your facebook, email, whats-app, etc. accounts. And what better way to find online accounts and "recover" passwords than to insert an unprotected SIM card into another phone. For many online services, such as Facebook account or email address, the user's identity is linked to the SIM card, the phone number can even be used as a substitute for the username, the service provider automatically matching the mobile number with the identity your online. Furthermore, recovering the password using the two-step authentication option by receiving the related security code via SMS is a trivial matter, the attacker only having to decide whether to start directly with the Facebook, WhatsApp or Home Banking account, or access your address first email to intercept any password reset links or security codes received there.
Another secret of "modern" phone thieves is accessing notes saved in the Notes app. Although it should be an easy mistake to spot and avoid, many users choose to keep their bank passwords and credit card details in apps commonly used for shopping lists and notes, most of which keep the records stored in unencrypted form, even in phone storage. But if they also gain iCloud access using one of the usual password reset methods, criminals can easily obtain all passwords stored in iCloud Keychain.
When they download data from the cloud to a new device connected to the victim's iCloud account, criminals can initiate simple searches for the word "password," usually uncovering the data they need to access the victim's bank accounts in record time. Once they get this information, less 'educated' pickpockets send the SIM card along with the victim's phone to other members of the criminal group, with experienced hackers then busy emptying bank accounts.
In short, the best thing you can do to protect your accounts is to not store your passwords in the Notes app or other apps that use insecure storage. Set a hard-to-guess PIN code for both the phone and the SIM card. Both should be requested every time the device is turned on. Finally, for complete protection, opt for full storage encryption (on phones that support this feature). Another good option is to use an eSIM instead of a regular SIM, as the eSIM cannot be easily transferred to another device. To avoid accessing the already unlocked phone, as soon as it has been stolen from your ear or hand, set a timeout as short as possible for closing/locking the screen (eg 15 seconds). The chances of a thief making off with your phone and keeping it unlocked long enough to access your data will be greatly reduced.