This article was published on February 14, 2019

How I became pen pals with the kid who stole my iPhone

Was it phishing? Or was it friendship?


How I became pen pals with the kid who stole my iPhone

I’d always wanted to go to India. So I was pretty outraged when, in 2011, my iPhone went without me.

I think it’s only fair to place around 5 percent of the blame on my friend Blair. A group of us were in a London wine bar pretending to be grown-ups, searching for more sophisticated ways to say “second-least-expensive bottle” while tossing around wine terms we’d heard in a semi-ironic attempt to impress our waiter. “Oaky.” “Fruity.” “Hmm… chewy.”

What actually did impress him, however, was Blair, a man so charming he wins people over basically just by being present. The waiter rewarded his charm by bringing us the leftover wine from other people’s tables after they’d left; a quarter bottle here, a half bottle here. Now this one is really nice…

I was drunk, is what I’m saying.

Was there a professional phone thief pilfering smartphones in that bar? Or did an opportunist spot one teetering on the edge of the table while its hapless owner twirled in circles trying to put her coat on by shoving her arm into the hood? Whatever it was, by the time I turned around, my phone was gone.

I called my carrier from a friend’s phone, and they locked my phone, assuring me it would now be “useless” to whoever had stolen it, and then explaining in the politest possible way that no, I couldn’t cancel my contract — I just had to buy a new phone. I bought a new iPhone and seethed at myself for weeks.

It wasn’t until a few months later that I got my first email from Sachi. It read:

Hey Erica this is Sachi from India. I have purchased ur iPhone which u had used previously. I want to know what password u had kept for ur iTunes coz I had recently reset all settings in the phone. So I’m having problems in downloading apps…. Please mail me if u can….. Thank u

I was shocked. Is he kidding? This guy had my phone, clearly had my contact details, and now wanted my password? I took a deep breath and replied in what I imagined to be a steady, Liam-Neeson-in-Taken voice:

“I’ll give it to you,” I replied, “if you tell me who sold you my stolen phone.”

How “useless” is a locked phone, really? Whatever my carrier did, it’s hardly a kill switch: All Sachi had to do was turn it on before he had a direct line back to me; my name, my email address, my personal information.

“It’s not necessarily ‘useless’ from a third-party point,” says Ian Heritage, cybersecurity architect at Trend Micro. “A locked phone is like a phone in airplane mode: You can connect to a Wi-Fi network and use it as a device like a computer, but you can’t necessarily do the phone actions. Apple would not allow you to register or put another iTunes account onto it, and this is probably the reason that guy was asking for your iTunes password, because he couldn’t put any other apps on it.”

Sachi replied quickly. I opened the email, cracking my knuckles, eager to get into a fight with this presumptuous, criminal little…

“Heyy I’m sorry didn’t noe it was stolen……,” began the email. “I dont noe who sold it cuz my dad bought it and I’m only 16….”

Oh. He’s a kid. I put down my nunchucks.

“U live at London rite???” the email continued. “All ur personal info was there in the fone… I deleted it so don’t worry…. But wer did ur fone get stolen??”

“It was stolen from my bag in London,” I typed back. No need to mention that it was really on the table while I was struggling with basic motor functions trying to get my coat on, and I don’t want to be a bad influence on the kid, I told myself. I explained, in a much friendlier tone than I’d planned, that I couldn’t give him my password because it couldn’t be used by both of us and that an iTunes password is tied to a bank account.

“Still,” I told him, “I hope you enjoy the phone. Someone should.”

“Heyy,” he replied, “thanks a lot for the info…. Ur sweet. But the connection from London to Mumbai seems strange….I feel guilty using your phone now… Really. Can I help u in anyway?? And by the way my dad surely wudnt have purchased it if he knew.. The seller is not a thief cuz there is always a long chain. Nevertheless can we stay in touch thru mail???”

We did.

When I tell Ian Heritage about this, he immediately moves to rob me of the notion that I had a pen pal. But, I reply, “this surely couldn’t count as phishing though, could it?”

“You’ve said to me straight off that someone’s asked for your password, and as a security guy, I see that as a criminal activity,” he says. It’s true that smartphone theft is usually followed by a lunge for your password, but it’s usually a lot more sophisticated than a polite request.

“It could have been a phishing attack,” admits Joseph Cox, a senior writer at Motherboard, “Maybe they thought if they did it really obviously, you’d just hand it over — but I see much better phishing attacks.” The go-to is software with templates that look like real Apple emails with a Google maps interface. The email claims your phone has been tracked, there’s a red pin pointing to the supposed location on a map, and you’re asked to click a link, which takes you to a personal-information donation box disguised as your iCloud login page.

“I’d say the kid is probably genuine,” Joseph says, “because there are much better phishing attacks than ‘please give me your password.’”

The path for stolen smartphones is complex and varied; if a professional Apple-picker stole my phone, I would assume them to either be a hacker or know one, to unlock it and sell it on. Instead, it seems they made a quick-and-dirty sale; perhaps it was sold as part of a batch of locked iPhones on eBay, presumably for much less than a usable phone, and then again and again, until it ended up in Mumbai, on sale to Sachi’s dad. I think my phone was passed across the world in the cheapest way at every stage. No one bothered to make it something more profitable or explain to Sachi’s dad that a discounted phone sometimes isn’t a phone at all.

I think Sachi was just who he said he was. I don’t think he was phishing; I think his dad got poor customer service. I wonder how much money my phone made, and for how many different people, between leaving my hand and arriving in Sachi’s? I’m guessing considerably less than I spent on a new one.

Over the next year or so, Sachi and I updated each other on our lives; he emailed me to let me know how well his exams went and asked my advice on what he should do after leaving high school. I emailed to say I’d started a masters degree and was planning to be a writer. He said I definitely should come to Mumbai someday and offered to be my tour guide.

The last email I got from him brought us full circle:

“Guess what?… the iPhone got stolen again, in a cab.”

Whoever got it never wrote to him.

This article was originally published by Erica Buist on Medium. Erica is a writer and freelance journalist, currently traveling to death festivals and writing a book about it called This Party’s Dead.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top