Protect your digital life: phone theft strategies

Every year, more of our life goes online. Whether it’s checking a bank account, paying taxes, buying insurance or getting a doctor’s appointment, the first thing we do is to reach for our phone. And as for money: I’ve barely touched a coin or banknote – or even a plastic credit card – in months.

But think for a moment: if all that personal IT were to suddenly break down, how would you cope? These days, all it takes for that to happen is to get your phone stolen. With every service you use yelling at you to set up “two-factor authentication” (sometimes called two-step verification, 2FA or 2SV for short), your phone is now your access key to a high proportion of the services in your life. If it goes, you’re in trouble.

That possibility is turning into a nightmarish reality with increasing frequency. The 2024 Crime Survey for England and Wales estimated that 78,000 people had phones or handbags snatched in a year – 200 per day – with the figure rising steeply year on year. It’s not just petty criminals selling your phone down the local pub any more: the majority of these thefts are by organised gangs who make high profits by selling them in bulk into countries where legitimate phones are expensive and controls on stolen ones are lax (Algeria and China are prime candidates, according to the New York Times).

Although this type of theft is the most numerous, the type you need to worry about most is different: theft by tech-skilled people who are going to use your phone to siphon off your money. The son of a friend of mine had his phone robbed late at night, and by the time he got to somewhere he could report this, large sums of money had been cleared out of his bank accounts. Even after he reported the theft to his bank, the thieves continued to drain money, putting him under severe stress and causing an uphill struggle with the bank concerned to get restitution.

Big organisations assess risk and have “disaster recovery” plans to deal with major IT failures. They often fall woefully short – just ask the British Library, whose systems still aren’t fully operational two years after they were shredded by a ransomware attack. But the basic idea is sound: be prepared for what to do if things go wrong. And that holds just as true for you as an individual as it does for the biggest worldwide corporation.

The rest of this post is to give you some ideas for what to do and why. Lots more detail is available if needed, but the post was too long already… Here are some headings:

  • Make a contingency plan for phone theft
  • What to do in advance of an attack
  • What to do immediately after an attack
  • Setting and keeping track of strong, unique passwords
  • Laptop theft and other threats
  • Stop the whole thing happening in the first place

Make a contingency plan for phone theft

Ask yourself this: if your phone gets snatched, what do you do next? Do you know how to get your number blocked, how to stop your bank handing out money? How to stop the bad guys getting into your email? And what about all those precious family photos that you have stored on the phone?

From the moment the thieves have your phone, you’re in a race against time. They have to crack any passwords or PINs to get into your precious phone apps, which will take them a certain amount of time – which you can lengthen (see the section on passwords below). During that time interval, however long it may be, you need to prevent them hurting you by doing as many as you can of three things: remotely erase the phone’s contents (ideal but not always possible), get your mobile provider to block phone use (quick, but only part of the solution) and change the passwords on your most important applications.

We’ll talk about the detail of those measures – both in advance of and after an attack – but first, consider this: did you really need the convenience of being able to do your banking on a phone app? If you can keep at least some of your money in an account where you haven’t installed an app on your phone, but access only from your computer at home with one of those plastic keypads your banks provide, that money is 100% safe from phone theft. (An alternative is to use an account which needs a phone app, but only install it on an old phone that you keep safely locked up at home).

What to do in advance of an attack

The first essential measure is to identify all the services that are really critical to your continued well-being, the ones that will cause you a significant problem if you can’t get into them because you no longer have your phone to allow you in. Your primary email service should be at the top of the list, because if it gets hacked, the thieves can use it to do a “forgot password” against most of the others. Your bank account(s) are next. For Apple users, the Apple ID is next, since it lets you manage your devices as well as cloud storage. You may have others – a lot of people run their lives on WhatsApp.

For each of these critical services, you’ll be way faster at saving yourself if you have learned in advance how to get back into them so that you can change your security credentials. Many will let you set a backup phone (most probably a family member or close friend). Others will let you print out a set of recovery codes: do this and keep them in a “Safe Place” – a fire safe is ideal, or a locked cupboard in the house of the said family member or close friend. Others give you a phone number to call, most probably with a set of security questions. Whatever the methods are, make sure that you will know what to do in the wake of an attack.

Look up your phone provider’s and bank’s mechanisms for blocking use of your phone. For a phone with a physical SIM, it’s a good idea to convert it to an eSIM, which the thief can’t simply take out and plug into another phone. You can do it on the phone and it’s quick (albeit at the cost of making changing handsets more time-consuming).

Another obvious step is to know how to call your phone provider to get them to block your phone. There’s generally a number to call and/or a web page on your mobile account. For any bank apps on the phone, you will want to know the drill for contacting the bank. These things can be looked up online, but even then, it’s helpful to know in advance what security questions they’re likely to ask you.

You want your data to be backed up regularly. On an iPhone, the most convenient way to do this is to subscribe to some cloud storage with Apple (£2.99 per month will get you enough for most usage). Tick the relevant boxes in iOS Settings and you’re done. This also means that you can get your electronic life back to normal with a new phone.

What to do immediately after an attack

The first thing you will want to do after a theft is to erase the data on the phone remotely, preventing the thieves from doing you any harm whatsoever beyond the need to buy a new phone. Both Apple and Android have “Find my” apps, which you can access from any web browser. The big caveat is that if you have 2FA set up, which Apple pretty much force you to do these days, you have to be able to use whichever 2FA backup mechanism you have set up, as mentioned earlier.

Next, you will want to instruct your phone provider to disable the phone. Potentially, there are two lots of this: the SIM card and the IMEI number (which identifies the phone hardware itself). IMEI blocking isn’t perfect, but it’s still worth doing.

Next comes your bank. I wish I could say that banks were perfect at blocking your app use as soon as you’ve instructed them to. They’re not, but at least making that call gives you a better chance when demanding compensation because they didn’t deal with your request promptly.

Setting and keeping track of strong, unique passwords

Let’s talk about the meaty subject of passwords and PINs – which is the thing that will probably involve you in the most work to change what you’re currently doing. It helps if you understand the most important ways in which the bad guys can break your password security:

  1. You left the password lying round somewhere, either on a piece of paper or in an unencrypted file – post-it notes are frequent culprits, as are laptops left open on a café table.
  2. They guessed a password that was too obvious (you’d be amazed at the number of passwords that are set to “password” or “123”), or they used “brute force” computing methods to go through thousands or millions of password guesses – so-called “dictionary attacks” are popular, as is use of researchable data like your address, birthday or children’s names.
  3. They found the password in a data leak from one of your websites (or by snooping your connections on public WiFi), and then tried it on all the others.

My preferred scheme for protecting your passwords (there are others) works like this:

  • Identify a few of your passwords (no more than half a dozen) that are so critical that you’re never going to write them down at all (e.g. the ones for your email and your bank account), except perhaps in your Safe Place. Choose passwords that are long (20 characters or more), diverse (include numbers and punctuation) and memorable to you but no-one else. Examples might be “George – Albufeira Beach – 2022” if your best holiday ever was with George in the Algarve, or “Greased Lightning – GL 03 XKZ” for the nickname and licence plate of your first car (don’t use the current one).
  • For the others, go to the other extreme and use a password which is long and random (for example “PlnoplxM#mtazo@!50xFm&UXoSydxx3”) and use a password manager to create and remember them all for you (I use LastPass, which costs £2.60 per month, but there are plenty to choose from, including the free ones provided by Google or Apple). These kinds of passwords are near-impossible to guess, even by brute force, unless you’re the CIA or Mossad.
  • Change any passwords required to avoid using the same one for more than one website. This is time-consuming, but a good password manager will run you through a list of the ones you need to change, either because you’ve re-used them or because they are known to have appeared in a data leak. That way, if a password leaks or is guessed, the damage is contained to just one service and doesn’t spread to others.
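To make the "list of the ones you need to change" concrete, here is an added example (not from the original post and not any password manager's own code) of the three checks such an audit runs: re-use, presence in a leak, and too-short-for-brute-force. The vault entries, the leaked list and the 60-bit threshold are constructed assumptions; the passphrases are modelled on the post's examples.

```python
import hashlib
import math
import string

# Constructed sample data: a tiny vault export of (site, password) pairs
# and a tiny set of passwords known from leaks.
SAMPLE_VAULT = [
    ("mail.example", "George - Albufeira Beach - 2022"),
    ("bank.example", "Greased Lightning - GL 03 XKZ"),
    ("shop.example", "sunshine1"),
    ("forum.example", "sunshine1"),
    ("news.example", "password"),
    ("photos.example", "PlnoplxM#mtazo@!50xFm&UXoSydxx3"),
]
SAMPLE_LEAKED = {"password", "123", "qwerty"}

MIN_BITS = 60  # assumed threshold below which brute force is plausible


def fingerprint(password):
    """Hash the password so the re-use grouping never stores plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def brute_force_bits(password):
    """Upper bound on guessing cost: length * log2(character pool).

    Accurate only for random passwords. A dictionary word or a phrase an
    attacker can research is far weaker than this number suggests.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault, leaked, min_bits=MIN_BITS):
    """Return the sites whose passwords should be changed, and why."""
    sites_by_fp = {}
    for site, password in vault:
        sites_by_fp.setdefault(fingerprint(password), []).append(site)

    # Re-use: one leak or one guess opens every site in the group.
    reused = sorted(sorted(s) for s in sites_by_fp.values() if len(s) > 1)
    # Leak: the password is already on an attacker's word list.
    in_leak = sorted(site for site, pw in vault if pw in leaked)
    # Weak: short enough that even the optimistic bound is low.
    weak = sorted(site for site, pw in vault
                  if brute_force_bits(pw) < min_bits)
    return {"reused": reused, "leaked": in_leak, "weak": weak}


if __name__ == "__main__":
    for reason, sites in audit(SAMPLE_VAULT, SAMPLE_LEAKED).items():
        print(f"{reason}: {sites}")
```

The bit count flatters the memorable passphrases, which is why the scheme keeps them to a handful of services and leaves the rest to random generation.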

Laptop theft and other threats

Other than the replacement cost, losing your laptop isn’t nearly as serious as losing your phone, because all your 2FA still works, so you can still use your phone to access your services. You should still plan on changing all of your critical passwords, and doing a remote erase if you can.

The real killer is if you lose both the phone and laptop at the same time (which is why it’s a really good idea never to put them in the same handbag or backpack). At that point, you’re really thrown back on whatever you can remember in your head or have stored in the “Safe Place” described above.

The preparation for and response to most other threats are surprisingly similar to the steps described above. The one most worth mentioning is a ransomware attack, where you get the kind of screen that says “we have encrypted all your data, please pay us xxx bitcoin to get it back again”. The advice here goes like this:

  1. Don’t pay the ransom. There’s a strong chance that the attackers will just pocket the money and won’t actually restore your data.
  2. As soon as you see the ransomware screen, do not touch anything on your device. Rather, take a photo of the screen (if it’s on your own phone, borrow someone else’s to do it). Keep it for later diagnosis, if needed.
  3. Now switch power off to your device, by whatever means the manufacturer gives you (usually a long press-and-hold on a button somewhere).
  4. After a few seconds, switch it on again. If the ransomware demand is still there, you know you have to take the device for repair. If it’s gone, you can breathe a little bit more easily, but you’d probably better get the device scanned for malware (or do it yourself if you’re sufficiently confident).
  5. If you want, report the attack – but in the UK, at least, the chances of the police actually doing anything are pretty remote.
  6. Once you have your device back and cleaned, it’s time to restore from backup.

Stop the whole thing happening in the first place

Obviously, your starting point should be to avoid thefts happening in the first place. Don’t leave a phone or a computer lying around on a café table while you go to the loo (along with your house or car keys, it’s possibly the single most stupid item to use to mark a table as being yours). Don’t put your phone in an easy-to-access back pocket or an easily snatched handbag. Don’t walk around with your face buried in Google Maps – look up your itinerary before you start and only refer back to the phone when you need to. If you really can’t avoid walking around staring at your phone, stay away from the edge of the pavement where the classic grab-and-run-from-motorbike is easiest. The list goes on…

That’s it, folks. You might well ask the question of how we all got into such a vulnerable state, and what our institutions might think of doing about it. But that’s a subject for another day…

P.S. Some places where I don’t necessarily agree with the conventional wisdom

Various people will tell you to change passwords often, and it’s true that this helps defeat a particular sort of attack where someone is intercepting your traffic (perhaps by snooping on public Wi-Fi, or by plugging a key logger into your desktop computer at work). The trouble is that if you have followed the good advice to use unique, strong passwords, it’s pretty much impossible to do that when you have different passwords for several hundred different websites.

People also say that you should have 2FA everywhere. I’m not so sure. 2FA does indeed protect you in a specific case: when your password has leaked but your device has not been stolen. If you use different passwords everywhere, the impact of this is pretty limited, and it comes at the expense of turning your phone into a giant single point of failure for your whole electronic life. I’m enabling 2FA for most things, but reluctantly.

Finally, I’m not yet a fan of the current trend of asking you to create “pass keys”. I happen to do most of my work on a closed laptop plugged into a docking station (so I don’t have Touch ID or Face ID). Therefore, “use a pass key” turns into “type in your main computer password”. This is far less convenient and I remain to be convinced that it’s massively more secure.

That’s really it now, folks.

Software makes mistakes. So do users. So let’s deal with it.

I have a fantasy. OK, so I live a lot of my life in software-development and software-use land, so it’s a kind of prosaic fantasy. But bear with me: here goes anyway.

One day, my fantasy goes, an email will arrive in my Inbox from the vendor of some piece of software I’m using (Intuit, for the sake of example) which will go something like this:

Dear davidkarlin,

Our monitoring systems have detected that on 20th January 2015, you received an error message “Error 407: Unable to update bank transactions. Please try later or contact support.” We have now analysed the cause of this error and are glad to tell you that a fix was deployed in last night’s release.

We trust that this fix has been effective, but if the error should recur, please contact our developers at development@intuit.com quoting incident no. 123456789.

Regards

The Intuit Development team

Sadly, when I’ve woken up, reality is very different. What actually happens is this:

  1. Intuit certainly don’t proactively look at error messages they generate for me and deal with them on my behalf. What actually happens is that I phone the support line; when I’ve negotiated their IVR system, I get put through to an agent whose first reaction to all problems is to ask me to clear cookies and try again.
  2. Once it’s been verified that my error is unaffected by cookies (no surprises there), I get asked to uninstall and re-install as much of the system as possible.
  3. Once that’s failed, we’re into “it’s all terribly difficult, isn’t it: maybe you can try again tomorrow” territory.
  4. I then receive a survey asking me the now-ubiquitous “Net Promoter” question (the one that begins “on a scale of 0 to 10, would you recommend…”), followed by an email about the latest upgrade, which contains some delightful new feature set I didn’t ask for.

By the way, I’m not singling out Intuit here: their support line is actually one of the better ones I deal with. But the general tenor of the experience is common to most technology vendors that I’ve either worked in or whose products I’ve used: software houses prioritise cool new features over the simple business of eliminating errors.

What’s particularly striking is how bad software developers are at dealing with intermittent faults: if you can’t replicate the problem to order, that’s pretty much end of story in terms of getting anyone to take it seriously.

In my view, *any* error message is a bad thing. If it’s as a result of a software bug, there should be zero tolerance. If it’s as a result of user error, I should be thinking “how could I have designed the interface better so that the user would have been less likely to make that mistake”. Eventually, of course, there’s a law of diminishing returns here. But the vast majority of software, I would argue, is a country mile from reaching the point where a significant improvement in user experience would no longer be generated by a straightforward analysis of the rate at which error messages are generated and their most frequent causes.

And here’s an important thing: technically, it’s not all that difficult to keep logs of enough diagnostic information to enable a developer to find out what went wrong, even for the intermittent stuff. It comes down to a matter of choice: do you or do you not make the effort to log the data and then make it someone’s job to look through the logs and find the root causes? The software companies who make engine management or process control systems keep this kind of log data as a matter of course: it’s completely understood that some particular vibration pattern might only happen once in a long test run, that testers can’t predict when it will happen and that analysis needs to be done after the event.

As well as the technology being there to keep and analyse logs, storage is now becoming so cheap that it’s possible to take logs in a lot more detail. The toughest issue, these days, is ensuring the privacy of all this log data – which is tricky, but not insurmountable.

So here’s my plea to all you providers of software and software-based systems:

  1. Analyse your incidence of error messages, and gather a metric along the lines of “number of errors per user per hour of usage”. Allocate more resources to reducing this metric than you do to providing the latest cool features.
  2. Adopt a zero-tolerance approach to bugs, including intermittent ones. Get rid of the “if you can’t replicate a bug, it doesn’t really exist” mentality, and replace it by “if a bug happens even once, we want to find out why and kill it”.
  3. Invest in instrumentation so that your developers can review logs of one-off events in enough detail to fix them.
  4. And if you really want to delight me, make my own crash data personally identifiable (with my permission, of course) so that you can proactively tell me about the good things you’ve done for me.

After writing this, I made a resolution to put my money (well, time) where my mouth is, so on Friday, I looked through the error logs on Bachtrack’s web server. Surely enough, there was a consistent “page not found” log that occurred over a hundred times in March. That’s not a lot, in the grand scale of things (we get 200,000 page views a month), but it only took an hour or so to find and fix it. If I can keep doing that for a few hours each week, that adds up to a lot of people whose user experience is going to be improved. None of them, by the way, called in to complain.
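The “errors per user per hour of usage” metric and the hunt for a recurring “page not found” entry, as an added example (not Bachtrack’s code or the author’s). The log lines are constructed in Apache combined format; treating each distinct user-and-clock-hour pair with activity as one hour of usage, and falling back to the client IP for anonymous requests, are assumptions of this sketch.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample log (hosts, users and paths are made up).
SAMPLE_LOG = """\
203.0.113.5 - alice [03/Mar/2015:10:01:12 +0000] "GET /concerts HTTP/1.1" 200 5120 "-" "UA"
203.0.113.5 - alice [03/Mar/2015:10:05:40 +0000] "GET /reviews/old-link HTTP/1.1" 404 310 "https://site.example/concerts" "UA"
198.51.100.7 - bob [03/Mar/2015:10:20:03 +0000] "GET /reviews/old-link HTTP/1.1" 404 310 "https://site.example/concerts" "UA"
192.0.2.44 - dave [03/Mar/2015:10:30:00 +0000] "GET /opera HTTP/1.1" 200 4200 "-" "UA"
198.51.100.7 - bob [03/Mar/2015:11:02:19 +0000] "GET /opera HTTP/1.1" 200 4200 "-" "UA"
192.0.2.9 - carol [03/Mar/2015:11:15:55 +0000] "GET /reviews/old-link HTTP/1.1" 404 310 "https://site.example/concerts" "UA"
192.0.2.9 - carol [03/Mar/2015:11:40:08 +0000] "GET /search?q=x HTTP/1.1" 500 120 "-" "UA"
203.0.113.5 - alice [03/Mar/2015:12:30:31 +0000] "GET /favicon.png HTTP/1.1" 404 310 "-" "UA"
corrupted line with no structure
"""


def parse(log_text):
    """Return (records, skipped); lines that do not match are counted, not dropped silently."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        records.append({
            # Anonymous requests log "-" as the user, so fall back to the IP.
            "user": m["user"] if m["user"] != "-" else m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "referer": m["referer"],
        })
    return records, skipped


def errors_per_user_hour(records):
    """Errors (status >= 400) divided by active user-hours."""
    active = {(r["user"], r["ts"].replace(minute=0, second=0)) for r in records}
    errors = sum(1 for r in records if r["status"] >= 400)
    return errors / len(active) if active else 0.0


def top_not_found(records, n=3):
    """Most frequent (path, referer) pairs for 404s; the referer points at the page holding the broken link."""
    hits = Counter((r["path"], r["referer"]) for r in records if r["status"] == 404)
    return hits.most_common(n)


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} unparseable")
    print(f"errors per user-hour: {errors_per_user_hour(recs):.2f}")
    for (path, referer), count in top_not_found(recs):
        print(f"{count:3d}  {path}  (linked from {referer})")
```

Grouping 404s by referer as well as path is what turns a count into a fix: the same broken link reached from one page shows up as a single dominant row.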

As software suppliers, let’s all take this stuff a lot more seriously. It really will help the world out there.

Three questions you should ask your cloud-based software provider

Back in the day, if you were a software company pitching to investors, the first questions they asked you were much the ones you might expect: your turnover, margins, how many customers you have and so on. Smarter investors asked about things like retention rates and cost of customer acquisition. Around 2005 or so, all that changed: the question at the top of the list became “What’s your SaaS strategy?” A couple of years later, that morphed into “What’s your Cloud strategy?”

A few years later, I run a business which is small (9 employees) but complex (multi-currency, multi-lingual, multi-country). And indeed, pretty much everything that isn’t on our own server is run in the cloud: I finally moved our accounting system from Intuit’s Quickbooks desktop to Quickbooks Online eighteen months ago.

The move to Online has resulted in some small wins. The main one is that I don’t have to run a Windows Virtual Machine any more (I run Macs because I develop software and the tools require a Unix-family operating system). And it’s occasionally but infrequently useful to be able to get some of the accounts done at home in the evening. But the truth is that most of the product works very similarly and, broadly speaking, going cloud hasn’t affected things much either way.

Except that I’m now terrified. For three reasons.

What happens, it’s fair to ask, if I do something really stupid with a transaction – of the sort that can’t be reversed? I’m accident-prone, after all, like anyone else. On the desktop product, it was easy to deal with: I would simply have reverted to the previous night’s or previous month’s backup and re-input a bunch of transactions. On the online product, backup and restore isn’t an option that’s provided. This isn’t unique to Intuit, by the way – the norm seems to be that most cloud vendors simply don’t offer this.

Lest you think this is unlikely to happen, I can tell you that when you advance payroll a month, there’s a large warning saying “This cannot be undone”: any mistakes and you’re toast. And when I have needed to work around bugs or omissions in Quickbooks, their technical support people have recommended with gay abandon that I do things that affect transactions in now-closed periods (i.e. would potentially make my VAT return illegal).

The next question for your vendor concerns their attitude to bugs. Not “technical support issues,” not “stray transactions that can be corrected,” but bugs – the real thing, where the system isn’t working. Perhaps intermittently, and perhaps just on your database. In desktop days, you had the option to simply not upgrade. Or to roll back an upgrade if it all went pear-shaped. In cloud days, you don’t. You really, really want your vendor to be completely committed to doing whatever it takes to bring you back on-line and running. And the truth is, these vendors are not. A missing feature deep in the multi-currency handling of Quickbooks Online kept my ledgers out of balance for most of a year until someone clever in Intuit figured out a workaround. Problems with my online banking interface are approaching their second birthday: the software worked fine when I evaluated it; two months in, Intuit deployed a rewrite which broke it. And there is no sign of them showing any commitment to getting it fixed: they work on it for a bit, and then give up. Fortunately, it’s only a time waster rather than a complete showstopper: because remember, I don’t have data portability of any viable sort. I have no easy way of exporting my data such that I could rapidly start again with another vendor.

The scariest problem (albeit the least frequent) is what happens if you or a vendor messes up your login credentials. You can all imagine the situation: you try to log in one morning and you get told that one of your passwords is wrong, or the software asks you to re-authenticate using one of your “memorable phrases,” and your phrase turns out to be less memorable than you thought.

With one of my cloud service vendors, that’s just what happened: I got locked out of certain areas of my account, and the vendor refused point blank to take the required steps to re-authenticate me. I was unable to satisfy them with the data they required in their online form, most probably because I couldn’t remember the month and year in which I originally joined the service, around a decade earlier, or which of my many email addresses I used at the time – but I can’t be sure.

And no, this wasn’t a small, fly-by-night operator: this was Microsoft. I actually had to stop using my old account (which still exists, by the way: they are unable/unwilling to delete it) and open a new one. Now losing a Skype account wasn’t the end of the world. I shudder to think how I would deal with the situation if this happened to my accounting system, or web host, or Gmail.

And that, by the way, is without considering the possibility of criminal malice: although, thank goodness, I’ve never personally had my identity stolen, I’ve watched it happen to one of my employees (who had a common first name and whose surname was Smith, which didn’t help) and I can assure you that it was a truly horrific experience.

So before you dive into the Cloud, here are three questions you should ask:

  1. What strategy do you support for me to back up and restore my data? (And while we’re on the subject, if I wish to move my data to another provider, how is that supported?)
  2. If I hit a bug in my installation, what guarantees and timescales can you provide me that you will (a) provide a fix to get me up and running, and (b) fix the problem permanently?
  3. What, if any, data do you require me to hold to guarantee that, in the event of my being denied access to the system (whether because of identity theft or just my own forgetfulness), you will accept or replace my user credentials?

The chances are that the answers to these will be something along the lines of (1) you don’t need to back up your data because we guarantee you 99.999% uptime; (2) our technical support team is available to help you 24/7 but we don’t provide specific guarantees and (3) we don’t publish security-sensitive information of this sort. If they are and you’re a large organisation, you will need to write a set of large, ugly items into your corporate risk register.

Or, if you’re a small business, just lose some sleep.