Lessons learned from a lost phone

For the first time in my life, a few days ago, I lost my phone, and it was most probably stolen a few minutes later… So what went wrong, what went right, and how is life without a phone in 2020?

What went wrong?

I lost my phone, this is clearly what went wrong! Ok, just kidding, I’ll tell you what went really wrong once I no longer had my phone.

I am almost sure that I lost it / forgot it somewhere, and that someone stole it right away. The phone was on and I was using it at some point; I still have the timestamp of my last sent message. Then, a few minutes later, I no longer had my phone. When someone tried to call me right away, it went straight to voicemail.

So, what really went wrong?

First of all, I didn’t have a PIN code on my SIM card. I felt it was so 1990 and thought that with unlimited data, calls, and SMS on my plan, losing my SIM was low risk. I was wrong. The risk here is that someone with access to my SIM could call a pay-per-minute line, even a line the thief would have set up himself. This could easily cause several hundred or a few thousand euros of damage, as we can learn from the first episode of Darknet Diaries.

This meant I had to suspend my line right away to avoid additional costs! This also meant that, with my line now suspended, I could no longer use the features to locate my phone and remotely erase it, such as Android Find and Find My Apple.

My phone was locked with a 6-character PIN, plus I suppose it was quickly turned off by the thief, considering how fast it went offline, and it requires a needle to remove the SIM. So I decided my data inside was probably safe (I also had another trick up my sleeve, more on that later) and the real concern was to avoid extra cost and usurpation by someone having access to my phone line.

I have a backup phone, but no extra SIM. It is an old phone and a “transitional” phone. I keep it for when I have a hardware issue, break my current phone, etc. I just have to put the SIM card in it, and everything is set up. It has already served its purpose a few times!

So I tried to buy a new phone on Amazon (where I usually buy too much stuff).

In order to confirm my order, I had to authenticate on my bank's website and approve the payment. Which I did. Now my bank asked me to confirm the approval I had just given via a - wait for it - text message!

Yup, I probably have hundreds of orders at Amazon, with the same computer and IP, and they almost never asked me to confirm an order with my bank… and my bank never asks me to confirm “twice”… probably because I used to confirm orders (from other sites) with the phone app, and never did with the “regular” website from my computer…

That’s a nice chicken / egg scenario where you have no phone, but require one to get one…

Fortunately, the rest went fine!

What went right?

Wherever I can, I use TOTP tokens as 2FA instead of text messages. I have read horror stories about phone lines being “defaced”, and decided a long time ago that phone verification wasn’t a safe thing to do.

Now, just doing that isn’t enough, because if you only have one authenticator app and it is on your phone, then you are toast! I use multiple instances of different authenticators. I have Authy on my phone AND on my desktop, and also self-hosted Bitwarden. This means that, without my phone, I can continue to log in to any 2FA website.

As I told you before, I was pretty confident my data was safe. I believe the thief went for the device and not the data itself, plus the phone was locked, etc.

However, I still have sensitive data and access granted to all my accounts: mail, Nextcloud, VPN access, etc.

I simply logged into all my accounts from my computer, revoked all access for the phone, and then disconnected all sessions (this is where the authenticator was needed to log back in from my main computer), and of course revoked my VPN access.

Now what?

I’ll keep waiting a few days in case my phone turns up, but if it doesn’t happen then I’ll contact the authorities and have the IMEI blacklisted.

I’ll also use a PIN code on my next SIM, which means that if something similar happens again, I could wait for the phone to turn up without having to worry about additional costs and/or usurpation. Not that it would help me recover the phone, but it could still be fun to be able to track it!

Living without a phone

As an end note, I’d like to point out how it is to live without a phone in the 2020s. In my case, I am currently away from home the whole week: Monday to Friday, nights included.

Want to order sushi? Need a phone to receive a text message to confirm payment, or a landline to call the restaurant. Want to order a new phone? Probably need a new phone as well… Not at home and no clock or watch? Need a phone as well! Sending a quick message via Telegram or the like? Well, a phone is still easier! Need internet access for your laptop because you are not home? A phone will come in handy, once again… Have a few phone calls to make? Well…

While it wasn’t as hard as I thought it would be, living without a phone nowadays can still be tricky.