I’ve been thinking for a while about what to do if my phone is stolen/lost and then hacked.
I mean: normal users don’t care too much about what to do in that case. eOS users care about privacy and data harvesting… But in the case I can’t take my phone, what can I do?
Thanks to @swarfendor437 I try to write here. My English is not good enough to write a how-to. Maybe someone else can?
I think it will be a good thing to write the steps to do in that unfortunate case, something like:
make a list of your apps, especially the ones with password access;
take a list of your sites with password access;
if you store passwords in the browser (deprecated but very useful) change the password
…
Maybe an editable post that could be edited in the future with users’ personal experience.
the weakness is the SIM if you use it anywhere for authentication (messenger, banks). That’s the first todo on loss / theft. You could use a separate SIM for that (one that doesn’t leave the house). Messengers do not need it after setup, if you do not do “big banking things” on the go, why take it along?
now: disable messages on the lockscreen, they can contain pw reset links or 2FA tokens (if you still use sms for any type of 2FA)
encryption is at least an obstacle for any thief, newer encryption (“FBE”) much more so. In bootloader locked devices the decryption needs to happen on device - a high bar. Unless you announce there’s integer size bitcoin on your device, who will bother?
password managers and OTP apps can have additional passphrases in front of them - more bruteforce work and helps where the encryption is weak (old full disk encryption - FDE - obsolete now)
if you still worry, rotate the “hub accounts”: email accounts that receive the password reset mails. Password resets also trigger active session deletion on well run services - so your device gets logged out. If hub accounts have OTP too, more work if not impossible for attackers.
encryption is harder to attack when the device comes from a reboot (“before first unlock”). I’d look for something akin to “auto reboot after n-hours” that forces full shutdowns in intervals
I’d worry primarily about the SIM. If you can reduce SIM loss risk upfront, you can do that now.