How a Stranger Used One Text Message to Steal My Entire Digital Life
Consider, for a moment, the architecture of your own life. The photographs of your children. The passwords to your bank. The device in your pocket that pays for your coffee, unlocks your front door, and holds the second factor that guards everything else. Now ask a harder question: how many separate keys protect all of it, and how many of those keys are, in truth, the same key?
For most of us, the honest answer is one. One account sits beneath the others: an Apple ID, a Google login, a phone number that every "forgot password" link routes back to. We would never accept this design anywhere else.
I’m a pilot. No aircraft I have ever flown is permitted a single point of failure: every critical system carries a backup, and often a backup for the backup, so that no single fault can bring the plane down. Redundancy is the first principle of any system that cannot be allowed to fail. And yet millions of people carry their entire financial and personal identity on exactly one such lock, and think nothing of it.
On the afternoon of June 25, 2026, I learned what happens when the lock turns in a stranger's hand. It began, as these things now do, with a text message. It looked entirely official: a fraud alert about a possible unauthorized charge on my Goldman Sachs Apple Card, the credit card tied to my Apple ID. The message asked only that I reply "yes" or "no" to confirm the transaction. This is a routine, familiar request, the kind your bank sends all the time. I replied no.
A few minutes later, my phone rang. The number, the FBI would later confirm, belonged to the genuine Apple Card support line. It had been spoofed so precisely that the messages accompanying the call arrived in the same gray bubbles, with the same Apple logo, that only real Apple support uses in iMessage. Everything my eyes could check told me this was Apple. The man on the line said he was going to send a code to verify my identity, and that I should read it back to him. It is a request that feels routine in the moment, though I now know that no legitimate institution should ever make it.
When I asked the caller to prove he was who he claimed to be, he did something that turned my stomach: he read my entire Social Security number and my date of birth back to me. That was the moment I knew my identity had been stolen. No honest caller needed to recite my full Social Security number to me; the only reason he had it was that he already had everything.
He pressed on, offering to secure my account by mailing me a new card and asking which of my two addresses I wanted it sent to, naming them both. But I had begun to stall, and by then he was already inside.
I watched it happen on the screen in my hand. One by one, the cards in my Apple........
