My Phone Got Stolen. Here's What I Learned - Part 1
A few weeks back I was lucky enough to get to visit an old friend in Mexico City. I had a great time, and it felt good to catch up after not having seen each other in years. The joy of traveling to a city I like very much, practicing my Spanish, and spending time with my friend… Are not what this post is about.
One thing that did happen, around 1 p.m. on my first full day there, was my iPhone 12 mini, my precious iPhone 12 mini, was stolen out of my pocket on the bus. This was my first time ever having something stolen from me in my young and sheltered life. I’m here to say that being stolen from is disorienting and not fun.
It hasn’t been a catastrophe so far. I’m very fortunate in that, assuming my identity doesn’t get stolen, unlike many Americans, I am financially able to weather this event. That being said, I am pretty nervous that the thief will manage to gain access to my phone and then use the information on it to steal my identity or scam somebody in my life. Maybe I’m paranoid, maybe not – and that is what this post is about.
Here are some lessons I’ve learned and thoughts I’ve developed from this experience so far. Hopefully they’ll be of use to somebody.
You Don’t Get to Choose When Your Stuff Gets Stolen
First of all, I know that, intellectually speaking, this is obvious. But I also know that if I had titled the section “use a strong password,” all of my readers (all 2 of you guys?) would have skipped right over it, at least if you are anything like me.
Although I think of myself as an extremely tech-savvy person who is at least medium-good at cybersecurity, the fact of the matter is I had had this phone for a year and never quite got around to changing the PIN from (redacting my not-that-good PIN for a few months in case the thief finds my blog). As I was packing for this trip to Mexico, I even thought to myself, “this would be a good time to change my PIN from (redacted).” Then I thought to myself, “Meh, I’ll do it Soon(TM).”
In fairness to me, I had different, better PINs on more sensitive applications, namely my password manager and all of the money ones, like Venmo, CashApp, and banking apps. So a thief couldn’t do any of the really juicy or obvious stuff just from guessing my PIN.
Plus, I am pretty sure – like 80% sure – I had that setting on where my phone will erase itself after ten wrong PINs, and I’ve checked a handful of lists that show it is not in the top ten. That last one, which is more comprehensive, doesn’t have it anywhere near the top 10. This is shockingly low to me considering I chose it to be quick to type for a right-handed person, which most people are, but good for me, I guess. Counting out the last 6 digits of my phone number as well, the odds of the thief having actually guessed my PIN in ten tries are reasonably low.
All of this being said, I’ve still learned my lesson and will be using even less common PINs from now on. As I was talking to a friend of mine about this, she gave me the handy tip to choose a six-letter word. It’s a great way to create a strong PIN that is easy to verbally tell people, if you’re like me and don’t mind your partner/close friends/family using your phone for things occasionally.
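A sketch of the checks described above, as an added example that is not part of the original post: it turns a six-letter word into its keypad digits and flags PINs that fall into easy-to-guess patterns. The function names, the small `COMMON_PINS` sample and the phone number are constructed for illustration, and the phone check generalizes "last 6 digits" to any run of digits in the number.

```python
# Added example, not from the post. The keypad layout is the standard phone one;
# COMMON_PINS is a small constructed sample, not a published ranking.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
COMMON_PINS = {"123456", "000000", "111111", "654321", "121212",
               "123123", "112233", "123321", "666666", "999999"}


def word_to_pin(word):
    """Map a word to the digits typed for it on a phone keypad."""
    word = word.lower()
    if not (word.isascii() and word.isalpha()):
        raise ValueError("word must contain only the letters a-z")
    return "".join(LETTER_TO_DIGIT[ch] for ch in word)


def weaknesses(pin, phone_number=""):
    """Return the reasons a numeric PIN is easy to guess (empty list if none)."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("pin must contain only digits")
    found = []
    if pin in COMMON_PINS:
        found.append("common")
    if len(set(pin)) <= 2:
        found.append("few-distinct-digits")
    # Same step between every pair of neighbours: 123456, 654321, 111111 ...
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if len(steps) == 1:
        found.append("constant-step")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        found.append("repeated-half")
    if pin == pin[::-1]:
        found.append("palindrome")
    phone_digits = "".join(ch for ch in phone_number if ch.isdigit())
    if pin in phone_digits:
        found.append("in-phone-number")
    return found


if __name__ == "__main__":
    phone = "+1 202 555 0147"  # constructed placeholder number
    for word in ("planet", "banana"):
        pin = word_to_pin(word)
        print(word, pin, weaknesses(pin, phone) or "no weak pattern found")
    print("550147", weaknesses("550147", phone))
```

A word is only a memory aid: "banana" types as 226262, which uses just two distinct digits, so the resulting digits still need the same checks as any other PIN.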
Unfortunately, pickpockets don’t really stop to ask you if your iPhone is configured the way you want before taking it. So now I get to wonder if someone has broken into my phone, and if so, what kind of damage they’d be able to do without connecting it to the internet. On that note…
Everything Important is on the Internet
Immediately upon realizing my phone was missing, I logged into iCloud on my friend’s phone and put my own phone into Lost Mode. Lost Mode adds an extra layer of security to Apple devices by requiring your iCloud account password to unlock the device, instead of just its PIN. The device needs at least a brief moment of internet access to ping iCloud’s servers and discover that it is lost, though.
A few hours later, I managed to log into AT&T, suspend my SIM card, and block my device from the AT&T network. So, good: now nobody can use my phone to text my contacts and scam them, or get
- Use Venmo, Cashapp, or any banking apps I had installed (which each use a separate PIN from my phone password as well)
- Hack into my social media accounts
- Read my emails, Signal, WhatsApp, or iMessage messages
- Access the high-resolution versions of photos or PDFs of various government IDs that I keep in iCloud photos and Proton Drive
Although it can be a pain how dependent computing has become on the internet – not to mention discriminatory against people who don’t have access to fast or stable internet connections, for any number of reasons outside of their control – I must admit that in this case, I was relieved that simply preventing my phone from reaching the internet will hugely mitigate the security risk from it having been stolen.
While the ideal outcome for me at this point would be for my phone to get the moment of internet connection it needs to discover that it should erase itself, I doubt that that will ever happen. The thief can’t get into it to connect it to a WiFi network, and the SIM card is no good. It will be stuck in the “Erase Pending” status, showing a sad little red trash can in my iCloud account, until the end of my natural life and beyond. I read one forum post from a person who had specifically decided not to block their SIM card so that the iCloud remote erase had a chance of getting through. This worked for them after a week, but for me, the risk – of a scammer being able to pop my SIM card into a new phone and then text my family, or get 2FA codes over SMS – was far too high to even consider this. So, I’ve resigned my old phone to eternal “Erase Pending” limbo.
I guess this also raises the point that, even though everything depends on the Internet, my digital life may depend even more on my phone number. When I explained to my sister that I had suspended my phone number for a few days until I could get back to America and reactivate my line, she asked if my phone number would be changing, which made me ponder for a brief moment what the fallout might be of losing access to my phone number. I do not recommend pondering this. It was a truly terrifying moment, and with the reliance of most 2FA systems on SMS, there’s not much for the average person to do about it anyways.
Let Me Require A Password to Power Off My Phone
As a slight tangent, I wish Apple would give me a fighting chance of getting to Find My iPhone before a thief can turn my phone off.
Thieves know that most people’s first move will be to put their phone in lost mode so, generally, cutting off the device’s internet access will be the first thing they do: whether this be by putting it in a Faraday bag, removing the SIM card, turning it off, or simply turning on Airplane Mode in the control center. From getting off of a city bus to finding a paper clip to use as a SIM key or some aluminum foil to use as a Faraday bag would likely take at least a few minutes, but this doesn’t matter because iOS offers no settings to require a password to power off the phone, nor to remove the airplane mode control from Control Center. It’s trivial for a criminal who is armed with absolutely nothing to make your phone disappear in a matter of seconds.
Personally, I disagree with the conventional wisdom (kindly repeated here) that settings to require a password to power off a phone are useless. Yes, it’s true that a seasoned criminal who is seeking out somebody to steal a phone from will almost certainly have a Faraday bag with them. Petty criminals are often opportunistic, though – it’s perfectly likely that whoever took my phone didn’t leave the house planning to pickpocket somebody, and instead saw a white American on their commute and made an impulse decision. If they had needed my password to enable airplane mode or shut down the phone (and if I had been using an eSIM), it’s perfectly likely I would have noticed my phone was gone and remotely erased it before they could take it offline.
In any case, I wish Apple would at least give me the option by adding those settings and replacing force shutdowns with force restarts.
Things I’ll Do When I Travel From Now On
To close out this part, I’ll share some ways I could have been better prepared for the possibility of my phone being lost or stolen while abroad.
Firstly, I was lucky that my friend and I were together when my phone was stolen. I had a few solo excursions on this vacation, and if my phone had gone missing during one of those, it would have been difficult to get in touch with her because she is not one of the very few people whose phone number I have memorized.
I often carry a Field Notes with me, so once my phone was stolen I wrote her phone number in it for reference. I would recommend doing this before a trip even starts, additionally writing down any other pertinent information such as where you are staying and the confirmation number of your return flight. If your primary email account uses 2FA, I would also recommend writing down a recovery code for that – I had memorized a recovery code for my Proton account, which I confess is an unusual thing to do, but I was grateful to be able to get back into my email account right away.
Secondly, I am a hoarder of technology. I never trade in my used tech. I like keeping my entire digital history available to me, and this has come in handy for firing up old 32-bit OSX games that can’t run on modern Macs. (Which, it does hurt that I’ll never see my 12 mini again, by the way.)
The point is, I still have my previous phone from before I got the 12 mini, and I wish I would have stashed this in my carry-on luggage. I could have saved myself the $100 I paid for an emergency “cheapest smartphone that a nearby store had available.” I thought of saving some money by only getting a feature phone to use for the rest of my trip, but having a smartphone gave me a lot of peace of mind by giving me Google Maps access and enabling me to monitor my email and a couple of other accounts.
For the Next Part
For my next posts, I’ll write more about what happened after my phone was stolen. As it turns out, losing a phone creates a lot of chores, at least if you are responsible about preventing identity theft or hacked accounts. I will talk more about those chores, as well as navigating the eBay refurbished phone market and my brief obsession with mobile computing that resulted from all of this.
See you next time!