Update: my phone was returned! Read about my takeaways here.
Last week, I lost my smartphone while running around a park with my kids. I realized I lost it within 20 minutes of losing it (I guess that’s a side benefit of checking it way too often). I retraced my steps multiple times and my wife tried calling the phone repeatedly. I knew it had a full battery so whoever found it wasn’t answering. When the calls started going straight to voicemail, we knew it had been turned off, or at least put into airplane mode.
Losing a smartphone is really disturbing. They can read your emails. They can see personal pictures. They can find out where we live. They can spend stupid amounts of money in games or buy stuff on Amazon. They can, in short, really mess things up.
Since so much of my business & personal life is on my smartphone, I’ve always used a password or passcode from the very beginning. I’m *incredibly* thankful for that choice because it bought me time to take action. Here’s what I learned – hopefully this will give you good ideas of what to do before you lose your smartphone.
1. Set a password or passcode
This is the simplest and most important step. It will prevent someone from immediately accessing your data, which is apparently inevitable.[1. Symantec did a study where they ‘lost’ 50 phones. An attempt to access apps or files was made on 49 of them. You can read the whole depressing state of humanity report here.] Based on that, it is well worth the annoyance of entering a code every time you use your phone – unless you like the idea of someone stealing your phone and sexting everyone you know.
The other benefit of the password/passcode[2. Why couldn’t Apple just call it a ‘password’ too?] is that it buys time to take action. I used the default, 4 digit passcode option on my phone and someone could guess it by trying all 10,000 possible combinations over a few hours.
2. Set up Find My iPhone (or Android Device Manager)
Most smartphones have GPS capabilities. If they can direct you to a destination, they can be located via GPS. Thankfully I had Find My iPhone set up except…
3. Use Find My iPhone before sending threatening texts
After I lost my smartphone, we tried calling a few times. Then we sent a ‘We know where you are’ text before using Find My iPhone. That resulted in the phone being turned off – and, I imagine, being tossed into the bushes. If we’d tried to locate it first, maybe we would have been able to retrieve it. However, even though I know kung fu, confronting a potential thief is *not* the best idea. I’d find a police officer, explain the situation and have them approach the people possessing your phone.
Once my phone was turned off, we knew we weren’t getting it back. Find My iPhone offers the ability to:
- Notify you when the phone is back online (I did this immediately)
- Lock the phone and leave a message for the thief (I did this next)
- Erase the phone the next time it’s online (I finally did this, though it hasn’t been online since it was turned off)
4. Change your email account password immediately
This is a must because once someone has access to your email, they can reset other passwords.[3. Thanks to @KendallTotten for pointing this out.]
5. Change your iCloud (or Android equivalent) password immediately
I took a couple of days to do this, which was a stupid choice. I had been checking my bank account and keeping watch for strange activity regularly, but I should have changed the iCloud password right away. That alone would have immediately killed access to my Contacts, Calendars, Notes, Reminders, iMessages, iTunes and a few other services.
6. Use two-step verification
This is also known as two-factor authentication. It basically means you need two things for access – a password and a special code sent to your mobile device. Wikipedia defines it as:
Two-step verification (also known as two-factor authentication) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network.
You’ll notice I said it used a second code – sent to your mobile device. What happens when you lose the mobile device? You de-authorize it remotely so it can’t generate codes. Google offers two-step verification and so do Facebook, Twitter, LinkedIn and a bunch of other security-conscious services.
7. Use application-specific passwords for everything
You know how we can use our Google and Facebook accounts to log in to other websites[4. This saves us from remembering a zillion different passwords for a zillion different sites.]? That means if they’re logged into, for example, Facebook, they can use that to log in to other sites you log in to with your Facebook account. And if you use Facebook on your smartphone, you are ALWAYS logged into Facebook. That’s worrisome if you use Facebook to log in to a lot of other websites.
However, using an application-specific password[5. That’s what Google calls them. Facebook just calls them app passwords.] makes it easier to log out of different sites and apps remotely. They are unique, individual passwords that you can use instead of using your Facebook or Google password. That way, if that website or app gets hacked, they won’t know your Facebook/Google password.
It also means that you can revoke access remotely. I went into my Google account and deleted access to my Gmail on the lost phone. If the thief managed to log into my phone, Gmail would ask for a new password (whew). I revoked access to every single thing that the stolen phone might have access to. After doing this I checked my Facebook security settings and saw that they offered the same feature; I’ve started using it with Facebook too.
These app passwords are part of two-factor authentication.
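A simplified model of the revocation described in this section, added here as an illustration and not taken from this post or from Google's or Facebook's actual systems: each device gets its own random password, so deleting the lost phone's entry locks that device out while the main password and other devices keep working. The class, method and device-label names are hypothetical, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets


class Account:
    """Toy account that accepts per-device app passwords (constructed model)."""

    def __init__(self, main_password: str):
        self._main = self._hash(main_password, secrets.token_bytes(16))
        self._app_passwords = {}  # device label -> (salt, digest)

    @staticmethod
    def _hash(secret: str, salt: bytes):
        # Store only a salted, slow hash, never the password itself.
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        return salt, digest

    def _matches(self, secret: str, stored) -> bool:
        salt, digest = stored
        return hmac.compare_digest(self._hash(secret, salt)[1], digest)

    def issue_app_password(self, label: str) -> str:
        """Create a random password for one device; shown to the user once."""
        token = secrets.token_urlsafe(16)
        self._app_passwords[label] = self._hash(token, secrets.token_bytes(16))
        return token

    def revoke(self, label: str) -> bool:
        # Returns False when no app password exists under that label.
        return self._app_passwords.pop(label, None) is not None

    def app_login(self, label: str, secret: str) -> bool:
        stored = self._app_passwords.get(label)
        return stored is not None and self._matches(secret, stored)

    def main_login(self, secret: str) -> bool:
        return self._matches(secret, self._main)


def lost_phone_scenario() -> dict:
    """Revoke only the lost phone's password and report who can still log in."""
    account = Account("correct horse battery staple")  # constructed sample
    phone = account.issue_app_password("gmail-on-lost-phone")
    laptop = account.issue_app_password("mail-on-laptop")
    result = {"phone_before": account.app_login("gmail-on-lost-phone", phone)}
    account.revoke("gmail-on-lost-phone")
    result["phone_after"] = account.app_login("gmail-on-lost-phone", phone)
    result["laptop_after"] = account.app_login("mail-on-laptop", laptop)
    result["main_after"] = account.main_login("correct horse battery staple")
    return result
```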
8. Don’t save passwords in anything – except a password manager
This is a no-brainer – don’t save passwords in browsers or in sensitive apps like your banking app. I use Amazon.com on my phone’s browser, but nothing can be ordered without a password. I’m VERY thankful for that.
However, I do use a password manager – a browser plugin or app that saves passwords for you. I have to use a password to log in to it but I don’t have to remember every password. It’s not completely safe from serious hackers but I doubt the average person who finds & makes no effort to return an expensive phone is that much of a threat. A password manager is a MUCH better option than saving your password in a browser. I recommend looking into LastPass.
9. Use different passwords for everything
This way if a thief learns one password, they won’t know them all. Services with large user populations are targets for hackers seeking passwords (like LinkedIn, Sony, Gmail, Facebook, Twitter – anyone big is a target). If that password is used on multiple sites then the implications are frightening. Sending spam to business contacts is minor compared to shopping sprees on Amazon or – at worst – direct access to your bank account. Having different passwords for everything is a pain but you only need to remember the couple you use regularly, plus your banking password – everything else can be saved with a password manager.
That’s pretty much it. I lost my smartphone but felt decently prepared to deal with it. I hope not to lose a phone again but I’ll be much better prepared the next time. Hopefully you will too.




I think another important point (especially if you aren’t using a password manager) is: change your email password right away. If you have an email app on your phone then it is likely always logged in. If someone has access to your email, they can easily reset your passwords to any online account.
Excellent point, one that I didn’t mention specifically but should have. That’s where an application specific password helped me out – I was able to log into my Google account and revoke the access the Gmail app had.