A colleague of mine recently lost their cell phone while in airplane mode. They triggered the remote wipe function, figuring that it if was turned on, it would trigger and erase the device. They use a password manager, so figured all their data was safe. But they didn’t call the cell phone carrier and disable the SIM, because that would prevent the wipe from working.
A month later, a cell phone bill for several hundred dollars shows up – the person that had found the phone, didn’t try to resell it or steal the data, they simply extracted the SIM card and put it into another phone, then made a bunch of overseas calls. We saw that years ago with stolen calling card numbers and conference call passcodes, so it’s just a modern version of an old scam.
But she had a good point – the smart phone manufacturers are highlighting the ‘wipe’ function as a key security feature, but if the device is offline, it doesn’t work. Even the cell carrier’s own sites will tell you to send the wiping commands, without an acknowledgement that reporting the device lost or stolen will disable data connectivity. Don’t get me wrong, it’s still work sending the command (especially if it wasn’t in airplane mode), but you can’t rely on remote wipe.
Not a good tradeoff, but there’s some things we can do to help. Let’s start with some before the device is lost.
- Make sure you have the device set to wipe on 10 failed attempts, and lock out any biometrics after only a few (iPhone does the latter automatically)
- Only use robust biometrics – post on that coming soon. Tons of snake oil out there – avoid iris and photo at the moment. Bonus points for fingerprint readers if you don’t use index or thumb prints.
- Only use airplane mode when required – otherwise leave cellular service on*
- Be cautious about what you enable on the lock screen
- Limit how much email you leave on your server. IMAP or exchange via a real email client allows you to move all your mail to a trusted local data store (drag from INBOX to On My Mac folders for example). This will replicate and remove email from your device, so if someone does gain access to it, there’s limited email history available to them. Good reason to avoid cloud-only email services by the way.
- Put a sticker on the back of the phone with contact info, in case the device is found by an honest person and returned.
- Back up the device regularly. I prefer local to the cloud because of the restore times (more on consumer cloud and it’s risks another time).
- Have a quick response plan ready to go in case it’s lost with steps below
And when it is lost:
- Call the device – if you’re lucky, an honest soul will answer and you can get it back. Also try ‘find my device’ to see if it’s locatable. If not, move on to the next steps:
- Immediately send wipe command / put in lost mode
- Immediately change your email passwords. If the device is somehow unlocked, email is how other password resets are validated.
- Notify the cell phone carrier the device has been lost. This prevents the phone from being used for SMS or voice multi-factor authentication.
- Buy a new phone.
The ecosystem is training people to not disable the SIM card, and the cell phone carriers aren’t doing any form of device authentication when SIM cards are moved. I understand the convenience factor there, but at least it should trigger a higher level of fraud detection. New device, no notification from the customer, well, if you see a bunch of calls to Europe happening, maybe the carrier should do some level of validation that it’s legit traffic? Fraud detection algorithms like that are relatively straightforward to put in place.
Right now we’re given a choice between preventing calling fraud and providing a window for wiping the device. Tough situation.
* Note: This is why ‘find my mac’ type of functionality is essentially useless – it has to connect to a known, trusted network before activating.