My mom and I vacationed in Mexico last week. Our ~girl’s trip~ started pretty great. We laid on the beach, sipped on mineral water with lime (detox!), and vegged. On our third day, though, the trip took a very not cool turn. Someone broke into our hotel room while we were at dinner and stole my Galaxy S6. I panicked when I realized it was missing. Like, big-time panicked, and I’ll spare you the exact details of what went down, but following the initial theft reporting I immediately called T-Mobile from my mom’s phone.
Now, here’s where I’m going to make a confession: I have terrible operational security. When I realized my phone was gone forever I knew this would be my reckoning. Learn from me, readers.
Though I work as a cybersecurity/tech reporter, I’m also a pretty average human in the world outside this office. I’m slightly paranoid about the surveillance state, refuse to use my debit card at sketchy bar ATMs, and keep my front-facing laptop camera covered by masking tape. The government is probably watching me, and maybe so are cybercriminals, so yeah, I take precautions.
But even still, I also need to function seamlessly every day. In a work environment that requires two-factor authentication for every account, along with the use of unique passwords, I can’t risk being locked out of something because I forgot my login. So I maybe kept a few passwords in a note file on my stolen phone. And maybe it was because I didn’t want to shell out cash for a password manager. Also, there are times when I need to file a story or log into an account from public Wi-Fi. It gives me anxiety every time I do it, truly, but I still haven’t invested in a VPN. I know, I know, I need to do this, and I want to do this. But again, it’s a lot of research and the wrong VPN choice can end in catastrophe.
My lapsing opsec became glaringly apparent in the wake of this unfortunate Mexican phone theft.
The good news is that I had Lookout installed on my Android, so in theory, I could track the phone and also remotely wipe it. The bad news is that whoever took my phone wasn’t dumb. They turned it off, thereby making it impossible to track and wipe. Unless they turned the phone on and it connected to a T-Mobile roaming partner, all my data would stay on the device until they wiped it.
T-Mobile blocked the device's IMEI number for me instead, which basically means that even if it was turned on, it wouldn't work on any network. It’s a shell of the device it once was. But again, if the thief correctly guesses my passcode, the data is still there, which is more of a concern to me. To make matters worse — this is where the VPN comes in — the hotel’s Wi-Fi wasn’t password-protected. I had to change my account passwords through a public network during this whole ordeal, AND I didn't have my phone to authenticate login attempts.
But luckily, I had brought my laptop along on the trip and had previously allowed my accounts to remember it as a familiar device. I was able to log into my email, add my mom’s phone as a backup number, and change my password from there. I figured as long as my email wasn’t compromised I’d be ok. I took an important next step by logging into my Facebook account, Gmail, and Twitter and revoking access to all their apps, and then instructing them to forget my devices, as well as to log me out of all current sessions, excluding the one I was already in. This bought me time.
Ultimately, I don’t think the thieves were after my data. They probably wanted to resell the $800 phone. When I got back to New York, I dropped my bags in my apartment and sprinted to T-Mobile. I couldn’t handle another phone-less day and another day without resetting all my account passwords. I switched to the iPhone because I like that it's encrypted by default and that I can remotely wipe my iCloud account and de-link it in the event of my phone being stolen again. Also, I just felt like it.
Four hours of account resets later, and I think I'm finally in the clear. Where I didn’t already have two-factor, I authorized it, and I opted into login alerts for every service that offers them.
Having your phone stolen sucks. Really, it sucks. Most excruciating was the time spent changing account passwords, but the anxiety associated with my phone being helpless and gone also didn't feel great. Still, nothing terrible happened in the wake of this, and I've learned my opsec lessons. I’m investing in a password manager and I'm actually going to stop my procrastination on finding a VPN provider. If you have a good recommendation, please let me know. Oh, and I got phone insurance!
So let’s recap:
- Use a password manager
- Enable two-factor authentication
- Get into your accounts immediately after a theft and reset your passwords
- Clear your remembered devices
- Make sure you have security software on your Android to help with locating your device and remotely wiping it
- If you have an iPhone, make sure "Find My iPhone" is enabled
- Keep a backup device enabled
- Have passwords handy, if possible, and try to change them over secure Wi-Fi connections
- Use a VPN
I can envision the thieves guessing my passcode endlessly — my phone didn't automatically wipe after 10 login attempts, or at least I don't remember opting into that feature. But if they do ever get in, at least I can rest slightly easier knowing my accounts are re-secured with fresh passwords. They'll probably just end up with a phone full of selfies.