As featured in a recent Wall Street Journal report, iPhone thieves are exploiting a security setting called the ‘recovery key’ to permanently lock owners out of their own iPhones and gain access to their financial apps.

The method, however, hinges first on ‘shoulder surfing’, i.e. looking over the iPhone user’s shoulder to get the passcode, or on finding a way to make the device’s owner share their passcode. Once the passcode has been obtained, the thief uses it to change the device’s Apple ID, turns off “Find My iPhone” and resets the 28-digit recovery code (which was intended to be a security measure), thereby locking the owner out of their own device.

The advice to iPhone owners is to use Face ID or Touch ID when unlocking the phone in public, set up an alphanumeric passcode that would be very difficult for thieves to figure out, consider using the iPhone’s Screen Time setting to set up a secondary password, and regularly back up the iPhone via iCloud or iTunes.