
Phone Lost: What Can Go Wrong?

  1. #11

    Does this involve drinks and curtain bars?

    Last edited by civil_servant; 20-12-2017 at 10:16 AM.

  2. #12

    Quote Originally Posted by shri:
    I'm trying to get my mind around how the whole thing played out. End result, claimed on the interwebs was several 10s of thousands of money was lost, identity was stolen etc etc.
    Overactive imagination of a couple of housewives trying to scare others. It failed as the scenario is just too far fetched.

    It comes down to this:
    1) Your phone is not easy to break into if you have a decent password and/or fingerprint scanner. It's hard, damn hard, takes-more-than-a-few-days kind of hard.

    2) Once someone is in your phone, they can easily get into anything where you have your password remembered (PayPal, Amazon, eBay etc.) and do some non-trivial damage, but not a huge amount of damage.

    3) I've used a few banking apps and none of them allow passwords to be remembered - if those passwords are not written down somewhere, banking is not accessible.

  3. #13


    HC - the weak area is: no password on the phone + Google Drive app on the home screen which has a file called "all my passwords" and another one called "id card / passport scan".


  4. #14

    Original Post Deleted
    android.com/find has the option; not sure if it works for Samsung specifically, but it should.

    https://android.com/find

  5. #15


    A lot of apps/services now allow you to force sign-out on all devices if you change the password, and have a device authorisation/deauthorisation system. Coupled with a fingerprint/complex password, I would assume it would prevent most loss - apart from the phone itself.

    By the time someone has bypassed the access screen, if they can, you should have had time to remove the device from key accounts. Dropbox certainly has this facility.
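As an added illustration of the mechanism described in the post above (this is example code written for this page, not Dropbox's or any vendor's implementation), the sketch below shows how a service can make "change password" kill every outstanding login while still letting you revoke one device on its own: each account carries a session generation number that is baked into every issued token, a password change bumps the generation so all older tokens fail verification, and a per-account device allow-list lets a single stolen device be deauthorised without touching the others. The SERVER_KEY, the PBKDF2 parameters and the token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: one server-side HMAC key for signing session tokens.
# A real deployment would keep this in a KMS and rotate it.
SERVER_KEY = secrets.token_bytes(32)


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC so the client cannot edit them."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify_signature(token: str):
    """Return the claims if the HMAC checks out, else None."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class AccountStore:
    """In-memory account store with generation-based session invalidation."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Assumed parameters; tune the iteration count for your hardware.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "gen": 0,            # session generation; bumped on password change
            "devices": set(),    # device ids currently authorised
        }

    def login(self, user: str, password: str, device_id: str):
        """Return a session token for this device, or None on bad credentials."""
        u = self._users.get(user)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["hash"]):
            return None
        u["devices"].add(device_id)
        return _sign({"user": user, "dev": device_id, "gen": u["gen"]})

    def is_valid(self, token: str) -> bool:
        """A token is live only if untampered, issued under the current
        generation, and its device is still on the allow-list."""
        claims = _verify_signature(token)
        if claims is None:
            return False
        u = self._users.get(claims.get("user"))
        if u is None:
            return False
        return claims.get("gen") == u["gen"] and claims.get("dev") in u["devices"]

    def list_devices(self, user: str):
        return sorted(self._users[user]["devices"])

    def deauthorize_device(self, user: str, device_id: str) -> None:
        """Revoke one device (the stolen phone) while other logins keep working."""
        self._users[user]["devices"].discard(device_id)

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Rotate the credential and force sign-out everywhere by bumping gen."""
        u = self._users[user]
        if not hmac.compare_digest(self._hash(old, u["salt"]), u["hash"]):
            return False
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = self._hash(new, u["salt"])
        u["gen"] += 1
        u["devices"].clear()
        return True
```

The important property is that revocation is checked server-side on every request against state the attacker cannot reach from the phone: a token copied off the device is worthless once its generation is stale or its device id has been removed, which is exactly the window the post describes between losing the phone and the thief getting past the lock screen.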


  6. #16

    Quote Originally Posted by HowardCoombs:
    Overactive imagination of a couple of housewives trying to scare others. It failed as the scenario is just too far fetched.

    It comes down to this:
    1) Your phone is not easy to break into if you have a decent password and/or fingerprint scanner. It's hard, damn hard, takes-more-than-a-few-days kind of hard.

    2) Once someone is in your phone, they can easily get into anything where you have your password remembered (PayPal, Amazon, eBay etc.) and do some non-trivial damage, but not a huge amount of damage.

    3) I've used a few banking apps and none of them allow passwords to be remembered - if those passwords are not written down somewhere, banking is not accessible.
    You are only thinking about the phone itself.

    'Theft' from the actual phone is as you say trivial, but with identity theft, that opens up a completely new playground where 10s of thousands of dollars is actually just a small figure.

  7. #17

    Phones - A Single Point of Multiple Failure

    1. So a phone was stolen. (not mine)
    2. It had no password/screenlock.
    3. I was told about it a few hours later and I advised to change Google account password immediately.
    4. Oddly, the attempts to login online using their pc which should be normally/automatically logging in fail.
    5. It turns out the attacker had helpfully deleted the Google account about 1 hour earlier - I didn't think this was possible from a phone...
    6. Attempts to recover it fail as it kept wanting to send the OTP to the (stolen) phone - the backup account was not on the phone, but she couldn't remember its password... and the recovery email address of the recovery email pointed back to the now compromised phone... ouch.

    7. After a few attempts from another computer I managed to reinstate the account (they can do this for up to 4 weeks, I believe). I changed the password - but worryingly it's not possible to remove the stolen phone from the account's devices! - though it cannot access the account any more. I used the earlier password to regain access - perhaps the attacker had blocked the original PC.



    Anyway, it got me thinking how, even with a 2-factor authenticator residing on the phone (and accessible without a PIN), how much trouble and expense could be at risk. 2FA is protection against remote attacks on your account - but not if they have your device. It becomes a single point of multiple failures.

    Here are the things to consider:
    Do you have a screen lock? - the most important minimal step.
    Do your SMS messages flash up even on the lock screen? (a hack to get the OTP even from a locked phone)
    Do all your accounts point back to the same device? - no point if the backup email is on the same device that just got stolen.
    Do your other accounts (Facebook etc.) all get password resets sent to the account on the phone?
    Do you delete sensitive SMS OTP password messages? These give clues to your other accounts, which can thus be compromised/reset too.



    So it seems we need another secure/secret/non-obvious recovery account email (one that is only logged into when needed, for receiving password/login resets from the phone and from other accounts like Facebook) that is never connected to the phone (via OTP) or to the Google account on the phone (don't use the Google account on the phone as the recovery account of your recovery account).

    This still doesn't prevent an attacker who has access to the phone from deleting the Google account... unless the phone's Google account/email is actually a copy of the 'real' Google account... that remains secure - they get to read the emails, of course...

    If the attacker had changed the password of the Google account just before deleting it, I don't think I would have been able to recover it (but maybe you get to use some older password in the recovery process).


    Anyway... just because I'm paranoid, doesn't mean they aren't out to get me.

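The "single point of multiple failures" in the post above can be checked mechanically rather than by gut feel. The block below is an added example written for this page (not the poster's method or any vendor's tool): it models accounts, the devices that hold their remembered sessions, and the factors each password-reset route needs, then computes the fixed point of what an attacker holding one lost phone can take over. Fallen accounts become new factors for the next round, which is how a backup email whose recovery points back at the phone's Google account collapses the whole chain. The account names, the reset routes and the "secret:backup_passphrase" factor are constructed for the example and loosely follow the post's story.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    sessions_on: set = field(default_factory=set)    # devices with a remembered login
    reset_paths: list = field(default_factory=list)  # each path: factors ALL needed for one reset route
    # factor naming (assumed convention): "device:<name>", "sms:<device>",
    # "account:<name>" (control of another account), "secret:<name>" (owner-only knowledge)


def compromised_after_loss(accounts: dict, owned_factors: set) -> dict:
    """Return {account: how_it_fell} for everything reachable from owned_factors.

    An account falls if the attacker holds an unlocked device carrying its
    session, or holds every factor of at least one of its reset paths.
    Iterate to a fixed point because each fallen account is itself a factor
    ("account:<name>") that may unlock further resets.
    """
    owned = set(owned_factors)
    fallen = {}
    changed = True
    while changed:
        changed = False
        for acct in accounts.values():
            if acct.name in fallen:
                continue
            how = None
            if any(f"device:{d}" in owned for d in acct.sessions_on):
                how = "remembered session on an unlocked device"
            else:
                for path in acct.reset_paths:
                    if all(f in owned for f in path):
                        how = "reset via " + " + ".join(path)
                        break
            if how:
                fallen[acct.name] = how
                owned.add(f"account:{acct.name}")
                changed = True
    return fallen


def scenario(screen_lock: bool, sms_on_lock_screen: bool, hardened: bool) -> dict:
    """Constructed setup modelled on the post's story.

    - google:   logged in on the phone; resets via the backup mail or an SMS OTP
    - backup:   recovery points back at google (weak) or needs an owner-only
                passphrase never stored on the phone (hardened)
    - facebook: resets via google or an SMS OTP
    - bank:     no remembered session; reset needs backup mail AND an SMS OTP
    """
    backup_paths = [["secret:backup_passphrase"]] if hardened else [["account:google"]]
    accounts = {
        "google": Account("google", {"phone"}, [["account:backup"], ["sms:phone"]]),
        "backup": Account("backup", set(), backup_paths),
        "facebook": Account("facebook", set(), [["account:google"], ["sms:phone"]]),
        "bank": Account("bank", set(), [["account:backup", "sms:phone"]]),
    }
    owned = set()
    if not screen_lock:
        owned |= {"device:phone", "sms:phone"}   # everything on the phone is readable
    elif sms_on_lock_screen:
        owned.add("sms:phone")                   # OTP text visible without unlocking
    return compromised_after_loss(accounts, owned)


if __name__ == "__main__":
    for args in [(False, True, False), (True, True, False), (True, False, False), (True, True, True)]:
        print(args, scenario(*args))
```

Two of the outcomes are the ones the post warns about: with no screen lock every account falls, and a locked phone that still shows SMS on the lock screen loses exactly the same set, because the OTP route bypasses the lock. Moving the backup mail's recovery onto a factor the phone never holds stops the chain at Google and Facebook and leaves the bank standing even when the phone is fully open; encoding your own accounts this way shows which single change shortens the blast radius most.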

  8. #18

    Quote Originally Posted by zerocred:
    Here are the things to consider:
    Do you have a screen lock? - the most important minimal step.
    Do your SMS messages flash up even on the lock screen? (a hack to get the OTP even from a locked phone)
    Do all your accounts point back to the same device? - no point if the backup email is on the same device that just got stolen.
    Do your other accounts (Facebook etc.) all get password resets sent to the account on the phone?
    Do you delete sensitive SMS OTP password messages? These give clues to your other accounts, which can thus be compromised/reset too.
    Helpful list, thanks! I have been trying to explain to an elderly relative why she needs to lock her screen! (She still doesn't believe me that it's worth the hassle.) This has reminded me to check her lock screen notifications as well.

  9. #19

    Just bought my wife an iPhone. The first one we have ever owned. I noticed the notifications on her lock screen. Instantly I found that to be a huge security flaw. Does anyone know the purpose/advantage of that? Why would they enable that out of the box?


  10. #20


    Awesome tip about the notifications and the SMS passwords flashing through.
