From 9to5Mac’s “Brazilian criminals detail how they gain access to bank accounts from stolen iPhones” posted Wednesday:
The Brazilian newspaper Folha de S. Paulo reported last month how criminals had been stealing iPhones in Brazil to access people’s bank accounts instead of reselling the devices. Now, the police seem to have finally figured out how they gain access to bank accounts, and to our surprise, the process seems easier than you might think…
Basically, thieves take the SIM card out of the stolen iPhone and then put it into another iPhone. Using social networks like Facebook and Instagram, they can easily find out the email address used by the person who had the phone stolen. In most cases, this email address is the same as the one used for the Apple ID. All they need to do is reset the Apple ID password using the victim’s phone number.
Barbeiro says that the easiest way criminals have to find passwords is by looking in the Notes app since many users seem to store bank and credit card passwords there. However, with access to the iCloud account, they can easily get all the passwords from the iCloud Keychain as well.
When they download data from the cloud to the new device, they search for information linked to the word “password” and, according to them, they usually get what they need to access the victim’s bank accounts. Once they have this information, they return the SIM card to the victim’s phone and give the device to the gang member responsible for accessing the bank accounts.
My take: Don’t store your bank passwords in Notes.