How to prevent stolen iMessages

Editor’s note: We’ve discovered a solution far simpler than setting a SIM PIN, so we’ve updated this story accordingly.

A week ago, Ars Technica reported on a flaw within Apple’s iMessaging system. iMessage, you’ll recall, is Apple’s iOS 5 alternative to sending traditional SMS and MMS messages. The problem Ars reported in short: A lost or stolen iPhone could continue to receive iMessages directed towards your cell phone number—even if you remotely wiped the iPhone’s data, moved your number to a new phone, or changed your Apple ID’s password.

This misdirected iMessage issue seems like a bug on Apple’s end. But until Cupertino releases a fix, iLounge’s Jesse Hollington posted about a way to protect yourself: Set a PIN on your iPhone’s SIM card. His fix works, and we’ll get to it in a moment. But there’s a much easier way.

Macworld can confirm that perhaps the easiest way to ensure that a stolen phone stops receiving iMessages is to remotely wipe the phone, and then call your carrier and instruct them to deactivate your old SIM. The third and final step? Activate a new SIM in your new phone.

Completing those three steps—wiping, deactivating your old SIM, and then activating a new one—ensures that your iMessages will get sent only to you and your iOS devices, and not anywhere else.

If talking to your carrier is anathema to you, Hollington’s SIM PIN solution works, too. Read on.

Why a SIM PIN works, and why it’s risky

A SIM PIN is separate from an iPhone passcode that you may have set. It specifically locks your SIM, and you’ll be prompted to reenter the PIN whenever you restart your iPhone. If you lock your SIM with a PIN and your phone ends up in the wrong hands, you’re more protected: After a remote wipe, the phone will restart and prompt the new owner to enter the SIM PIN before the phone will accept new iMessages (or FaceTime calls) at your old number.

Besides the potential added annoyance of needing to enter your PIN code whenever you restart your iPhone, there’s one other potential downside to locking your SIM: It’s the tiniest bit risky. There are a couple reasons for that: The iPhone’s interface for setting a new SIM PIN is rather awful, as we’ll explain in a minute. And you usually need to know your carrier’s default PIN before you can set a new one. Worst of all, if you make a mistake one too many times while changing the PIN or unlocking your SIM, you can end up locking yourself out—and at that point, only intervention from your carrier can help you.

How to set your SIM PIN

Be careful when you first see this screen: It’s asking for your carrier’s default PIN, not your new one.

Here’s how to change your SIM’s PIN to avoid the potential iMessage problem, without incurring the SIM PIN pain we just alluded to.

First, on your iPhone, launch the Settings app, scroll down, and tap on Phone. On the Phone screen, scroll down and tap on SIM PIN. Slide the SIM PIN slider to On.

At this point, the iPhone will prompt you for a PIN. But here’s the rub: It’s not asking for your new PIN; rather, you’re being prompted to provide your current PIN. If you haven’t set one yet, you need to know your carrier’s default PIN. If you’re on AT&T or Bell Canada, it’s 1111. If you use Sprint, it’s 0000. For Rogers Wireless, it’s 1234.

The Verizon iPhone 4 doesn’t have a SIM card at all, so this workaround can’t help with that phone. The Verizon iPhone 4S does contain a SIM card, but reports from around the Web suggest that changing its PIN wouldn’t help at best (because in normal use, the SIM card doesn’t send data to the network the same way that it does on the other carriers), and can cause problems in some cases. For now, if you use a Verizon iPhone—either the iPhone 4 or 4S—we don’t recommend setting a PIN; you’ll need to wait for another solution to prevent your phone from potentially falling victim to the iMessage issue.

If you mis-enter your SIM card’s default PIN, or mis-enter your own PIN too many times when unlocking the device after a reboot, your SIM card may get locked. If that happens, you need to obtain a PUK (PIN Unlock Key) to unlock it. AT&T provides a page explaining how to do just that; if you use another carrier, you’ll need to contact it for information should you get to this step. Most carriers give you at least three tries to enter your PIN code correctly before requiring that you enter a PUK.

Note, however, that if you mis-enter a PUK code too many times—ten’s the limit with AT&T—your SIM card can become permanently locked. The only solution at that point is to obtain a new SIM from your carrier.

Looking forward

So, unless you’re a Verizon iPhone customer, the SIM PIN is a reasonable way to ensure that your lost or stolen iPhone won’t fall victim to this iMessage issue; so long as you wipe the device remotely, it will reboot and require your PIN before allowing the phone’s new owner to receive your iMessages in error.

The far simpler solution—and the one that doesn’t leave Verizon customers in the lurch—is to go through that three-step process mentioned above: Wipe your old phone, tell your carrier to deactivate its SIM, and then activate your new SIM. Since SIM PINs are not without risk, and entering the code whenever your iPhone reboots is an added annoyance, remembering the three-step workaround seems like the way to go.

We’ve also heard reports of a similar iMessage problem: If your old iPhone is lost or destroyed and you activate a new, different phone—say, an Android model—messages from other iPhone owners may still be routed over iMessage, meaning you wouldn’t see them at all. That issue reportedly resolves itself after a couple weeks, but it’s obviously still problematic. Simply turning off iMessage on your iPhone doesn’t fix this problem; the three-step process and SIM PIN both do.

While both solutions will work to prevent the iMessage issue from ever affecting you, we would expect a forthcoming iOS update to address this issue.

Updated at 10:49 a.m. ET with the far simpler three-step process.
