What To Do If Your Phone Is Stolen?

310

Whether you like it or not, such a mishap may come true someday. I can imagine your anger and despair if it happens, given that a phone isn’t merely a dumb calling device these days. It stores our photos, emails, digital wallets and other sensitive things – every active smartphone user knows how valuable their gadget is. We definitely need to have an action plan for such a scenario.

So, let’s suppose your smartphone has been lost or stolen. There’s a lot of personal data inside, and the price can reach hundreds of dollars. What should you do?

Step 1. Block, find, wipe

Any protection can be circumvented, therefore the first thing on your to-do list is to block the phone remotely and try to figure out its last known location. You may also have to get all data wiped from its memory.

All of this is doable with features built into the OS, or by means of specially crafted software such as Prey and other anti-theft apps. The first option is available at all times, even if you haven’t installed anything third-party onto the smartphone, so let’s look into this one.

Android

  1. Go to the Find My Device web page.
  2. Select the right device on the list. If it’s registered in the mobile network and its location is turned on, it will appear on the map. Voila – you have found it!
  3. Use the “Secure device” feature on the web interface to set a new password and enter a message that the thief will see. You can also indicate a phone number they can call to bring your phone back, although that’s unlikely to happen, obviously.

Another option called “Erase device” allows you to obliterate all data from the smartphone. By the way, if the device isn’t online at the moment, this command will take effect once Internet connection resumes. Keep in mind, though, that the memory card (if any) won’t be wiped – the good news is, there is usually nothing too important on it except photos and game cache. Here’s a couple of life hacks:

  • All of the above transactions can be performed using another smartphone/tablet by means of the Find My Device web interface;
  • Google’s Timeline service can help you see all places all of your devices have been at.

iOS

  1. Visit the Find My iPhone website or run the “Find My iPhone” app on another iOS device.
  2. Select your device and check its geolocation on the map.
  3. Enable “Lost Mode”. This way, you can remotely lock your device with a four-character passcode and configure it to display a custom message on the lock screen that includes your other phone number so that the thief gets a chance to do the right thing.

You can also wipe all data from your gadget. However, if you do so you won’t be able to use the “Find My iPhone” feature to determine its whereabouts. The “Activation Lock” functionality will remain enabled regardless. It means nobody can use your iPhone unless it’s activated using your Apple ID. “Activation Lock” is disabled automatically once you unlink your Apple ID from the iPhone.

More and more people start using a VPN for smartphones. VPN can encrypt all your traffic and change your IP address. It is very helpful while you are using public Wi-Fi networks, but it is worth noting that if crooks steal a phone and a VPN is enabled, it may complicate finding your device because, again all communication is encrypted and routed though different IPs.

Step 2. Disconnect from the cloud

Modern smartphones and the cloud are inseparable. Google, iCloud, Dropbox, Facebook, Twitter – all of these are cloud services and we use them every single day. It’s beyond doubt that a person who gets hold of your smartphone automatically gets access to nearly all your personal data, including emails, calendar. Thankfully, untying a phone from the cloud is easy most of the time, and you may not even have to change any passwords to do it.

Speaking of Android, the first cloud you need to disconnect from is, obviously, Google. In order to complete this process, open the device activity page within your account, click on the name of the misplaced/stolen device and hit “Remove” next to the account access option. Doing so gets your gadget instantly disconnected from Google, including Gmail, calendar and a bunch of other services. The smartphone will only keep cached information, such as emails. Meanwhile, the Find My Device dashboard will continue to display the phone’s location.

When it comes to other services, I have made a short list with instructions:

  • Dropbox. Open the security page. Under the “Devices” and “Linked apps” tabs, unlink the device and applications that were installed on it.
  • Twitter. Go to the list of connected applications and hit the “Block access” option next to the appropriate apps.
  • Facebook. Go to “Settings”, select “Security and Login”, find the name of the missing device on the list and choose the “Log Out” option.
  • Skype. You have to change your password. There is no other way.
  • Instagram. Change your password, too.
  • Viber. This messenger doesn’t provide a fast and convenient remote blocking and message removal functionality. Therefore, you have to contact their customer support and wait for their response (and blocking) for a fairly long time. A “handy” messenger, isn’t it?
  • Telegram. In case you have enabled the web client via the lost/stolen device’s phone number and haven’t deleted cookies recently, you are a lucky one. You can simply disable the smartphone app using a web browser on your computer. Open Telegram’s site, proceed to “Settings” – “Active sessions”, and click “End session” next to the right device.
  • WhatsApp. This one will get disabled on its own shortly after you replace/block your SIM card.

It’s worth mentioning that all of the above tips prevent other people from accessing your accounts from the device. None of these services uses a password for login via a mobile app. Instead, every device is assigned a token that typically grants access from this device only. Meanwhile, the password itself remains safe and sound.

Step 3. Report the theft to the police and scour online\offline marketplaces

If you haven’t succeeded in finding your phone or you have discovered that it’s being kept by a habitual criminal, then report the stolen device to the police and get ready to wait in queues for ages and file numerous papers. This route isn’t ultimately effective, or rather pretty much futile, but you never know. Here’s what you need to provide in that case:

  • Your ID card\passport;
  • Original package with the IMEI number (simply writing this number on a piece of paper is a no-go);
  • Receipt that confirms the purchase.

Consider visiting a few used phone sale shops. It also makes sense to browse Internet marketplaces, such as Craigslist. Just in case, leave the details of your device on sites that allow potential buyers to check phones for criminal origin by their IMEI numbers.

Will the built-in defenses work?

Okay, suppose you have failed to find the smartphone. However, you probably used a PIN code, the device may have a fingerprint scanner, plus the manufacturer must have taken care of your data. Well, let’s try to figure out whether these will do the trick.

PIN

Most of the time, a PIN code and pattern lock guarantee that your data stays intact, but this only holds true for an iOS or Android device with a locked bootloader that isn’t vulnerable to any known attack vectors. In this case, even if the person who finds your phone unlocks the bootloader, the smartphone will be automatically reset to its factory state. On the other hand, if the bootloader was already unlocked at the moment of theft, then no security mechanisms will help. Getting around the PIN by means of custom recovery is a matter of a couple of minutes.

Third-party anti-theft

The caveat with third-party anti-theft tools is that almost all of them can be circumvented via hard reset or flashing.

Fingerprint recognition systems

It may appear that a security system based on fingerprints is nearly a perfect one in case a smartphone is lost or stolen. Whoever found or stole the device is unlikely to know you in person and definitely has no access to your fingers whatsoever. There is a flip side, though. When taking the floor at the Black Hat conference in Las Vegas, FireEye Labs researchers Tao Wei and Yulong Zhang demonstrated that fingerprint scanners on Android devices can be abused to obtain users’ fingerprints.

In practice, it means that if someone lays their hands on your lost smartphone, not only can they retrieve your files but they can also get hold of your fingerprints. Unlike passwords, that’s something you can’t change.

Apple’s Activation Lock, Samsung’s Reactivation Lock

Activation Lock is an option constituting the Find My iPhone feature that allows for linking a device to the owner’s account. It was introduced in iOS 7. The idea is simple: even if you do a factory reset, an iPhone cannot be activated without Apple ID and password of the previous owner.

Reactivation Lock – that’s a very similar feature by Samsung. Once you enable it, the device will require a password for reactivation after hard reset, or even to begin the reset proper, depending on the configuration. Smartphones have special memory area allocated for Reactivation Lock, which isn’t susceptible to hard reset.

Conclusion

Modern smartphones can store so much valuable personal data that the thieves’ primary motivation might boil down to obtaining this data. Fortunately, security mechanisms are evolving as well and provide more protection options than before. The fundamental thing is to make sure you opt for these mechanisms as long as you care about your device and the data inside it. Whereas it might appear inconvenient to configure all of these “unnecessary” features, the worst-case scenarios typically stem from neglecting these techniques.

David Balaban
david-balabanDavid Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

David Balaban Web Site
In this article