Every year, more of our life goes online. Whether it’s checking a bank account, paying taxes, buying insurance or getting a doctor’s appointment, the first thing we do is to reach for our phone. And as for money: I’ve barely touched a coin or banknote – or even a plastic credit card – in months.
But think for a moment: if all that personal IT were to suddenly break down, how would you cope? These days, all it takes for that to happen is to get your phone stolen. With every service you use yelling at you to set up “two-factor authentication” (sometimes called two-step verification, 2FA or 2SV for short), your phone is now your access key to a high proportion of the services in your life. If it goes, you’re in trouble.
That possibility is turning into a nightmarish reality with increasing frequency. The 2024 Crime Survey for England and Wales estimated that 78,000 people had phones or handbags snatched in a year – 200 per day – with the figure rising steeply year on year. It’s not just petty criminals selling your phone down the local pub any more: the majority of these thefts are by organised gangs who make high profits by selling them in bulk into countries where legitimate phones are expensive and controls on stolen ones are lax (Algeria and China are prime candidates, according to the New York Times).
Although this type of theft is the most numerous, the type you need to worry about most is different: theft by tech-skilled people who are going to use your phone to siphon off your money. The son of a friend of mine had his phone robbed late at night, and by the time he got to somewhere he could report this, large sums of money had been cleared out of his bank accounts. Even after he reported the theft to his bank, the thieves continued to drain money, putting him under severe stress and causing an uphill struggle with the bank concerned to get restitution.
Big organisations assess risk and have “disaster recovery” plans to deal with major IT failures. They often fall woefully short – just ask the British Library, whose systems still aren’t fully operational two years after they were shredded by a ransomware attack. But the basic idea is sound: be prepared for what to do if things go wrong. And that holds just as true for you as an individual as it does for the biggest worldwide corporation.
The rest of this post is to give you some ideas for what to do and why. Lots more detail is available if needed, but the post was too long already… Here are some headings:
- Make a contingency plan for phone theft
- What to do in advance of an attack
- What to do immediately after an attack
- Setting and keeping track of strong, unique passwords
- Laptop theft and other threats
- Stop the whole thing happening in the first place
Make a contingency plan for phone theft
Ask yourself this: if your phone gets snatched, what do you do next? Do you know how to get your number blocked, how to stop your bank handing out money? How to stop the bad guys getting into your email? And what about all those precious family photos that you have stored on the phone?
From the moment the thieves have your phone, you’re in a race against time. They have to crack any passwords or PINs to get into your precious phone apps, which will take them a certain amount of time – which you can lengthen (see the section on passwords below). During that time interval, however long it may be, you need to prevent them hurting you by doing as many as you can of three things: remotely erase the phone’s contents (ideal but not always possible), get your mobile provider to block phone use (quick, but only part of the solution) and change the passwords on your most important applications.
We’ll talk about the detail of those measures – both in advance of and after an attack – but first, consider this: did you really need the convenience of being able to do your banking on a phone app? If you can keep at least some of your money in an account where you haven’t installed an app on your phone, but access only from your computer at home with one of those plastic keypads your banks provide, that money is 100% safe from phone theft. (An alternative is to use an account which needs a phone app, but only install it on an old phone that you keep safely locked up at home.)
What to do in advance of an attack
The first essential measure is to identify all the services that are really critical to your continued well-being, the ones that will cause you a significant problem if you can’t get into them because you no longer have your phone to allow you in. Your primary email service should be at the top of the list, because if it gets hacked, the thieves can use it to do a “forgot password” against most of the others. Your bank account(s) are next. For Apple users, the Apple ID is next, since it lets you manage your devices as well as cloud storage. You may have others – a lot of people run their lives on WhatsApp.
For each of these critical services, you’ll be way faster at saving yourself if you have learned in advance how to get back into them so that you can change your security credentials. Many will let you set a backup phone (most probably a family member or close friend). Others will let you print out a set of recovery codes: do this and keep them in a “Safe Place” – a fire safe is ideal, or a locked cupboard in the house of the said family member or close friend. Others give you a phone number to call, most probably with a set of security questions. Whatever the methods are, make sure that you will know what to do in the wake of an attack.
Look up your phone provider’s and bank’s mechanisms for blocking use of your phone. For a phone with a physical SIM, it’s a good idea to convert it to an eSIM, which the thief can’t simply take out and plug into another phone. You can do it on the phone and it’s quick (albeit at the cost of making changing handsets more time-consuming).
Another obvious step is to know how to call your phone provider to get them to block your phone. There’s generally a number to call and/or a web page on your mobile account. For any bank apps on the phone, you will want to know the drill for contacting the bank. These things can be looked up online, but even then, it’s helpful to know in advance what security questions they’re likely to ask you.
You want your data to be backed up regularly. On an iPhone, the most convenient way to do this is to subscribe to some cloud storage with Apple (£2.99 per month will get you enough for most usage). Tick the relevant boxes in iOS Settings and you’re done. This also means that you can get your electronic life back to normal with a new phone.
What to do immediately after an attack
The first thing you will want to do after a theft is to erase the data on the phone remotely, preventing the thieves from doing you any harm whatsoever beyond the need to buy a new phone. Both Apple and Android have “Find my” apps, which you can access from any web browser. The big caveat is that if you have 2FA set up, which Apple pretty much forces you to do these days, you have to be able to use whichever 2FA backup mechanism you have set up, as mentioned earlier.
Next, you will want to instruct your phone provider to disable the phone. Potentially, there are two lots of this: the SIM card and the IMEI number (which identifies the phone hardware itself). IMEI blocking isn’t perfect, but it’s still worth doing.
Next comes your bank. I wish I could say that banks were perfect at blocking your app use as soon as you’ve instructed them to. They’re not, but at least making that call gives you a better chance when demanding compensation because they didn’t deal with your request promptly.
Setting and keeping track of strong, unique passwords
Let’s talk about the meaty subject of passwords and PINs – which is the thing that will probably involve you in the most work to change what you’re currently doing. It helps if you understand the most important ways in which the bad guys can break your password security:
- You left the password lying round somewhere, either on a piece of paper or in an unencrypted file – post-it notes are frequent culprits, as are laptops left open on a café table.
- They guessed a password that was too obvious (you’d be amazed at the number of passwords that are set to “password” or “123”), or they used “brute force” computing methods to go through thousands or millions of password guesses – so-called “dictionary attacks” are popular, as is use of researchable data like your address, birthday or children’s names.
- They found the password in a data leak from one of your websites (or by snooping your connections on public Wi-Fi), and then tried it on all the others.
My preferred scheme for protecting your passwords (there are others) works like this:
- Identify a few of your passwords (no more than half a dozen) that are so critical that you’re never going to write them down at all (e.g. your email account and your bank account), except perhaps in your Safe Place. Choose passwords that are long (20 characters or more), diverse (include numbers and punctuation) and memorable to you but no-one else. Examples might be “George – Albufeira Beach – 2022” if your best holiday ever was with George in the Algarve, or “Greased Lightning – GL 03 XKZ” for the nickname and licence plate of your first car (don’t use the current one).
- For the others, go to the other extreme and use a password which is long and random (for example “PlnoplxM#mtazo@!50xFm&UXoSydxx3”) and use a password manager to create and remember them all for you (I use LastPass, which costs £2.60 per month, but there are plenty to choose from, including the free ones provided by Google or Apple). This kind of password is near-impossible to guess, even by brute force, unless you’re the CIA or Mossad.
- Change any passwords required to avoid using the same one for more than one website. This is time consuming, but a good password manager will run you through a list of the ones you need to change, either because you’ve re-used them or because they are known to have appeared in a data leak. That way, if a password leaks or is guessed, the damage is contained to just one service and doesn’t spread to others.
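To show what the “list of the ones you need to change” in the scheme above actually involves, here is an added example (not code from the post or from any password manager) that audits a small constructed vault for re-use, breach-list matches and short length. The `.example` sites, the vault contents and the “leaked” list are all made up; the breach lookup copies the common pattern of publishing breached passwords as SHA-1 digests and querying them by hash prefix, so the password itself never leaves your machine.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault of (site, password) pairs; none are real credentials.
VAULT = [
    ("bank.example", "George - Albufeira Beach - 2022"),
    ("mail.example", "PlnoplxM#mtazo@!50xFm&UXoSydxx3"),
    ("shop.example", "Summer2019!"),
    ("forum.example", "Summer2019!"),
    ("news.example", "password"),
]

# Constructed stand-in for a published breach list, stored as upper-case SHA-1 hex digests.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password", "123", "letmein")}


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def range_query(prefix, leaked_hashes):
    """Simulated k-anonymity range lookup: only the first 5 hex characters of the
    hash are revealed, and every leaked suffix under that prefix comes back."""
    return {h[5:] for h in leaked_hashes if h.startswith(prefix)}


def is_leaked(password, leaked_hashes):
    """True if the password is on the breach list; the plaintext is never sent."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], leaked_hashes)


def audit_vault(vault, leaked_hashes, min_length=20):
    """Return {site: [reasons]} for every entry whose password should be changed."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    findings = {}
    for site, password in vault:
        reasons = []
        others = [s for s in sites_by_password[password] if s != site]
        if others:
            reasons.append("reused on " + ", ".join(others))
        if is_leaked(password, leaked_hashes):
            reasons.append("appears in a breach list")
        if len(password) < min_length:
            reasons.append(f"shorter than {min_length} characters")
        if reasons:
            findings[site] = reasons
    return findings


if __name__ == "__main__":
    for site, reasons in audit_vault(VAULT, LEAKED_SHA1).items():
        print(f"{site}: change it ({'; '.join(reasons)})")
```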
Laptop theft and other threats
Other than the replacement cost, losing your laptop isn’t nearly as serious as losing your phone, because all your 2FA still works, so you can still use your phone to access your services. You should still plan on changing all of your critical passwords, and doing a remote erase if you can.
The real killer is if you lose both the phone and laptop at the same time (which is why it’s a really good idea never to put them in the same handbag or backpack). At that point, you’re really thrown back on whatever you can remember in your head or have stored in the “Safe Place” described above.
The preparation and response to most other threats is surprisingly similar to the steps shown above. The one most worth mentioning is a ransomware attack, where you get the kind of screen that says “we have encrypted all your data, please pay us xxx bitcoin to get it back again”. The advice here goes like this:
- Don’t pay the ransom. There’s a strong chance that the attackers will just pocket the money and won’t actually restore your data.
- As soon as you see the ransomware screen, do not touch anything on your device. Rather, take a photo of the screen (if it’s on your own phone, borrow someone else’s to do it). Keep it for later diagnosis, if needed.
- Now switch power off to your device, by whatever means the manufacturer gives you (usually a long press-and-hold on a button somewhere).
- After a few seconds, switch it on again. If the ransomware demand is still there, you know you have to take the device for repair. If it’s gone, you can breathe a little bit more easily, but you’d probably better get the device scanned for malware (or do it yourself if you’re sufficiently confident).
- If you want, report the attack – but in the UK, at least, the chances of the police actually doing anything are pretty remote.
- Once you have your device back and cleaned, it’s time to restore from backup.
Stop the whole thing happening in the first place
Obviously, your starting point should be to avoid thefts happening in the first place. Don’t leave a phone or a computer lying around on a café table while you go to the loo (along with your house or car keys, it’s possibly the single most stupid item to use to mark a table as being yours). Don’t put your phone in an easy-to-access back pocket or an easily snatched handbag. Don’t walk around with your face buried in Google Maps – look up your itinerary before you start and only refer back to the phone when you need to. If you really can’t avoid walking around staring at your phone, stay away from the edge of the pavement where the classic grab-and-run-from-motorbike is easiest. The list goes on…
That’s it, folks. You might well ask the question of how we all got into such a vulnerable state, and what our institutions might think of doing about it. But that’s a subject for another day…
P.S. Some places where I don’t necessarily agree with the conventional wisdom
Various people will tell you to change passwords often, and it’s true that this helps defeat a particular sort of attack where someone is intercepting your traffic (perhaps by snooping on public Wi-Fi, or by plugging a key logger into your desktop computer at work). The trouble is that if you have followed the good advice to use unique, strong passwords, it’s pretty much impossible to do that when you have different passwords for several hundred different websites.
People also say that you should have 2FA everywhere. I’m not so sure. 2FA does indeed protect you in a specific case: when your password has leaked but your device has not been stolen. If you use different passwords everywhere, the impact of this is pretty limited, and it comes at the expense of turning your phone into a giant single point of failure for your whole electronic life. I’m enabling 2FA for most things, but reluctantly.
Finally, I’m not yet a fan of the current trend of asking you to create “passkeys”. I happen to do most of my work on a closed laptop plugged into a docking station (so I don’t have Touch ID or Face ID). Therefore, “use a passkey” turns into “type in your main computer password”. This is far less convenient and I remain to be convinced that it’s massively more secure.
That’s really it now, folks.