Ask HN: What's your strategy to handle your phone being stolen?
I use an Android phone.
I keep location and mobile data ON when I go outside.(So that I can locate it / remotely wipe it). I use phone's default encryption. Both my sim cards are locked using PIN. What else can I do to prevent misuses/data leak if my phone gets stolen? Whats your approach?
34 comments
[ 3.0 ms ] story [ 88.6 ms ] threadDo people just not have encrypted devices with reasonably strong pass codes?
I'm wondering what the threat model is here. Is an agency with the capability to break into the device going to be fooled by these?
Why would I want to waste that time, to what end? To catch a thief who is probably just hard out for money? That seems like an awful lot of time and effort just to be vindictive
Make backups.
If you have sensitive data, prefer an iPhone. They're slightly harder to crack and extract the data for the average script kiddie. If you require real security, you're on your own. Very few things stay secure once they're in someone else's hands.
Don't use SMS 2FA.
Store 2FA tokens in your password manager (I use Bitwarden).
Protect your password manager 2FA with a Yubikey. Keep it on your person. Have a spare Yubikey in another location.
SMS 2FA is still a mess due to a variety of other issues, of course.
Any old mobile phone sitting around would be fine at that point, until I decide to get a new one.
Here's an answer for normal users.
Buy a pop socket with a ring, keep your finger in it - it gets difficult to take the phone from your hands. Keep your phone in a closed bag when not in use, on the front of your body, like one of those "fanny pack" things, for example. Keep all your important things synced, and know where to find and how to use the "find my phone" and similar features.
For android, for example, you can remotely find and hard-lock your phone and SIM. Know where to find and how to use that.
Buy a non-apple phone, or any other phone that isnt highly desirable by thiefs. iPhones have a very high resell value.
To add to that, cutting the bottom or side of bags on crowded trains is a known theft method, so if it is in a bag, beware anyone in your personal space, and don't assume the bag is full protection.
or get an Iphone SE. People will think you're crazy for having such an old iPhone, and you get 80% of all the latest iphone tech inside.
Is that still true? Seems to me there's been a major reduction in iPhone theft since iCloud locking became a thing. Maybe less in countries where phones are stripped for parts...
While my original comment was a bit flippant and terse, it points to the main thing you can do - minimize the activities on a device that you routinely take out of the house and generally want to remain unlocked for easy use. The "normal user" answer is still to obtain multiple devices, rather than bundling everything onto that phone. For one, it's easy and cheap to buy an old tablet (~$100) for "mobile apps" where having the functionality in your pocket is an outright liability (eg banking, do you really want a mugger to be able to view your account balances?). Second, a "normal user" should still have a laptop with a keyboard they can use at home, to sidestep the extractive "mobile" ecosystem all together. A used one can easily be had for $400 and won't turn into ewaste in three short years, placing it well within the budget of most "normal users".
I had logged it out of google and had the chance to stop the SIM - but getting it working again sounded long winded so I didn't.
They said they looked for emergency contact numbers, but I didn't have any set up. I didn't know you could do that, but I have added them.
I later found a call to it I didn't recognise, but realised I had a business card with the phone which they had tried to contact me with, but just called the phone they already had.
All in all I think I was so lucky and they were magnificently kind. So far as I know there is nothing on it I couldn't get back, but I realised that having personal information with it was probably not actually a good idea. I think I am ok with the emergency contacts because I am getting old and may need to be helped one day. I probably should have put a stop on the SIM. Not sure what else I should have learned.
Solutions: First obvious one is to keep a physical copy of your recovery keys in your wallet. Of course, that doesn't help if your wallet is stolen, so the next option that I use:
Keep a KeePass (or equivalent) database in a hosted cloud like Dropbox (that DOESN'T require 2fa), holding your recovery keys. This way your database is protected by two passwords, so that if either are compromised you are still protected. You'll have to memorize both passwords but that's a good tradeoff imo. Then use KeeWeb (preferably a self-hosted one) to access your database and codes. So the model here is: borrow a phone, log into Dropbox, download KP database, open KeeWeb, open database, and get your 2fa codes. Log into Google (actually, third password you should memorize), and lock/ring/clear your phone.
It is no problem to register the same authenticator code on multiple phones.
6 digit PIN, device encryption, cloud backup of my photos and Apple’s FindMy device feature.
Has worked before fantastically.
It can be very difficult, sometimes impossible, to fix access to an account blocked by lack of access to your 2FA app.
The SD card was gone, and they had tried to reset the phone. I was able to get into it with USB debugging and recovered about 3 Bitcoin that was only stored in a wallet on that device.