This is troubling. Joanna Stern and Nicole Nguyen of the Wall Street Journal have published an article (paywalled) and accompanying video that describes attacks on hundreds of iPhone users in major cities throughout the United States. Some attacks involve drugging people in bars or even violence, but the most avoidable involve the thief or a confederate surreptitiously observing the iPhone user entering their passcode before snatching the iPhone and running.
However it happens, once the thief has a user’s iPhone and passcode, they change the user’s Apple ID password—which is shockingly easy for them to do. With the new password, they disable Find My, making it impossible for the iPhone’s owner to erase it remotely. Then they use Apple Pay to buy things and access passwords stored in iCloud Keychain. They can even look in Photos for pictures of documents containing confidential information, such as credit cards and ID cards. After that, they may transfer money from bank accounts, apply for an Apple Card, and more, all while keeping the user locked out of their account. Of course, they’ll resell the iPhone too. (Apparently, Android users are susceptible to similar attacks, but Android phones have a lower resale value, so they aren’t being targeted as much.) Victims have reported thefts of tens of thousands of dollars, and many of them remain unable to access their Apple accounts.