It’s been about a month since my last post, where I talked a bit about how my phone was pickpocketed recently and some ways I wish I had prepared better for that possibility. Thankfully, my identity still hasn’t been stolen so far, so I am starting to think I am in the clear. Not that anybody is ever in the clear, I guess. I’m no longer particularly worried.

Maybe everything would have been fine, regardless, but in this post I’ll talk briefly about some things I did in the days after getting home from my trip to protect myself. Full disclosure, I’m guessing that this post will be the most boring one of the series. The main thing I learned, is that, if you are responsible (or paranoid):

Losing a Phone Creates a lot of Chores

(A probably-not-comprehensive list)

Dealing with AT&T

As I mentioned in my last post, after my phone was pickpocketed I suspended my line to prevent any bad actors from getting my texts or using my number to make calls. Once I got home, where I still had an old, cracked, but still functional iPhone SE (2020), I went to the AT&T store to get my phone number back.

My memories of AT&T stores past made me unsure of whether I’d be able to accomplish this at all. There was one solo trip to an AT&T store that I made in my early teen years to replace my SIM card that required, as authorization, the last four digits of my mom’s SSN. Given my mom, the primary account holder, was traveling this time, I wasn’t sure if I’d even be able to get my phone number reconnected.

Thankfully, AT&T has improved their security measures in the last decade, and are no longer using SSN, a simultaneously sensitive yet easily-compromised piece of information. To change my phone number, I didn’t even need authorization directly from my mom. Any “authorized user” on the plan would do.

I explained my situation to the AT&T store employee, whose name I wish I could remember, and together, we logged onto the My AT&T website, the same website I had logged onto the day before to try to do this myself. Sadly, logging into My AT&T from inside of an AT&T store did not change the way the website works, so we resorted to other measures.

He asked me if I was an authorized user. I told him that I don’t know what that is. He found on the website that my sister is an authorized user, but I was not. He pointed out this part of the website to me and asked me why I wasn’t an authorized user. I told him I don’t normally spend much time on the AT&T website. He tried to scan my driver’s license a few times, but there was something wrong server-side and it wouldn’t work. He said it didn’t matter anyways because I wasn’t an authorized user.

We had called my sister to get a 2FA code for the My AT&T website earlier. He told me that now I needed my mom’s PIN for the phone plan. My mom was unreachable, so I called my sister to ask her if she knew it – she didn’t. It seemed that all hope was lost. Then the AT&T store employee revealed that we could get the job done with another 2FA code from my sister. I called her again.

This mildly Kafkaesque process took about half an hour in total, but it worked. I had my phone number back and could now log into My AT&T all by myself, among other things. I am pretty sure I also left the AT&T store that day a newly-minted authorized user on my phone plan.

Recommendation: If you share a phone plan with other people, it’s worth checking that you are an authorized user. You may be able to save yourself about ten minutes’ worth of AT&T store interactions every five years. More, if you buy your phones through your carrier. Just don’t be like me. Unauthorized. A nobody.

Changing Passwords. So Many Passwords.

Now that I had my phone number back, I could once again get into the many, many accounts that require 2FA specifically over SMS. It was time to get to work changing all my passwords, an ambitious goal that I would not even come close to reaching.

Although I was resistant to using a password manager for a long time, I’ve now been using Proton Pass for long enough that most of my accounts are in there by now. The reassurance that most of my online accounts have their own, unique passwords was nice, as was the ability to pull a list of my online accounts that, though not quite comprehensive, was very long.

As soon as I started scrolling through my Personal Vault(TM) I realized that I needed to do some triage. Modern computing has the average user opening new accounts all the time, to an absurd and unnecessary degree. I have almost 150 logins in Proton Pass, including for:

  • An app that I had to download to get free tickets to a nightclub that my girlfriend and her friends wanted to go to.
  • Another one of those, I think? I truly cannot understand why I would ever have been on the website for Maxwell Social, Yet Another NYC Lifestyle Club that costs $250/month. But I have an account on their website.
  • The 3rd-party service that Tufts, my alma mater, requires alumni to use for ordering transcripts.
  • Adidas, where I have shopped once, because I thought I could get a coupon.
  • The dev forum for tt-rss. This login does not work, and has never worked, because the handful of times I have tried to set it up, their mailer has not sent my confirmation email. I cannot open a support ticket about this because this forum is the only place to get support, and requires an account to post.
  • A community theater in NYC that I went to one time.

Looking over this list, it’s striking how many of these logins were ones that I had to make to be able to enjoy in-person events. We’ve devolved beyond simply every website requiring an account. Now, it feels impossible to even step out of the house without being registered for some website or other. It goes without saying that I didn’t change the passwords for any of the accounts on that list. Hack me if you can.

For more important things, I do think it’s important to be able to remember my password… Even though, as I learned from this experience, if I don’t have my phone then nine times out of ten I’ll just be blocked by 2FA anyways. I came up with a new scheme for creating memorable passwords from notable places, and their location. For example, one might be (but isn’t) “Empire State Building” followed by the address of the Empire State Building. I like it so far. I get long passwords that Apple Maps will kindly help me remember.

In one evening, I spent about two hours changing a couple dozen passwords, additionally switching from SMS-based 2FA to passkeys or the OTP feature in Proton Pass, where possible. It was very time consuming and I did not like it. Zero out of ten, as they say.

Wading into the eBay Used Phone Market

I now needed a new phone, and I was not ready to have the iPhone mini lifestyle unceremoniously ripped away from me without any closure, so I was insistent on getting an iPhone 13 mini, which is only available from 3rd-party used phone sellers. I also decided to sell the Android phone I had bought in Mexico to use until the end of my trip – I originally had dreams of hacking on it, installing de-googled Android or some mobile Linux OS, before learning that this would be incredibly difficult to do on the specific phone I had, an Oppo A17.

Shopping for a phone, selling one, and especially diving into the world of alternative mobile operating systems sparked a briefly very deep obsession with mobile computing that has changed me forever, and which will be the subject of the third and final part of this series. But this part is for the boring stuff, so let’s get right to it.

Shopping for used iPhones on eBay

Many people I know, especially less tech-savvy people, are highly skeptical of buying a used phone. Personally, if a phone I want is available refurbished – preferably from the original manufacturer, but that usually doesn’t happen – that is what I will buy. Especially for iPhone users, there is no real need to have the newest one. Go a couple of generations back, and you can get a phone that isn’t all that different from the current model for about half the price.

I do not need insurance on my phone. It is not a big deal if my phone breaks or gets lost. I can replace my phone annually and spend about the same amount as someone who buys new every two years. Usually, I try to stick with one phone for about three years. I spend about $150/year on phones and it is mind-boggling to me that there are many people out there who spend an order of magnitude more than that.

That being said, my biggest piece of advice for buying a used phone is that doing it right takes time. I’m happy that I had a backup iPhone waiting for me at home and didn’t need to rush the process. Not everybody will have that advantage. Here’s how the process went for me:j

I prefer eBay for shopping for used phones. I think it’s usually a little cheaper than Backmarket, and eBay has an official “eBay refurbished” program where phones come with a one- or two-year warranty (depending on the condition), are guaranteed to have at least 80% battery capacity, and have a handy blue checkmark on the listing. Plus, crucially, most sellers have a one- to two-month return window.

My previous phone, the iPhone 12 mini that famously was pickpocketed, came from supplytronics on eBay. Despite the relative lack of information about them online, they seem to be the major player in this space. I was happy with my previous purchase, so it seemed like a no-brainer to buy from them again. I even spent the extra $20 to get a phone in Very Good condition this time.

Unfortunately, this phone had dents and scratches in the metal all around the screen, way more than I would expect for a Very Good phone. When I first turned on the screen, I got the very vague sense that something was up. Sure enough, after going through the setup process, an alert popped up that the phone was using an aftermarket display. The damage specifically to the front of the phone started to make more sense – perhaps whoever had done the screen replacement was a little bit new to the business. Plus, I could only assume that supplytronics was not going to buy a top-of-the-line replacement parts for phones that only go for a few hundred dollars. Most likely, they had replaced the very nice and expensive original display with one that cost, like, thirty bucks.

There is nothing inherently wrong with replacing a phone screen, of course, and Apple won’t sell original parts to third-party repair shops, so it makes sense that the new display would have to be after-market. All the damage to the outside of the phone did make me worry about the quality of the repair job, though – and besides, I had paid extra for a Very Good phone and gotten one that was clearly just Good.

I emailed supplytronics with the subject “iPhone 13 mini was supposed to be in Very Good condition but isn’t.” Honestly, their customer service is pretty great. They always responded promptly, and offered me a copy of the Phonecheck report right away. Sure enough, the report showed that the replacement display was LCD rather than OLED. They were even willing to tell me where they source their replacement parts – MobileSentrix – when I asked. This was pretty awesome, and in my opinion, the best that can be expected from a used phone seller.

However, it was also the information I needed to prove that they had, in fact, installed a display that cost, like, thirty bucks: the only LCD iPhone 13 mini display that MobileSentrix carries costs $26.94.

Pro Tip: I read online somewhere that with supplytronics, as soon as your order has shipped, you can email your order number to customer support and get the Phone Check report from them before your phone has even arrived.

It makes perfect sense that they would do this – the margin on a $340 phone just isn’t wide enough to be spending $100 on the best replacement displays, especially when most customers won’t know or care about the difference. But I know, and I care. I asked the customer support agent to confirm whether the new screen was LCD or OLED, and, tired of my excessive interest in this matter, they said that they didn’t know and sent me a return label in response. Without any hard feelings against supplytronics, I decided to try again.

I found a listing from directauth that was even cheaper, and in Excellent condition this time. I was curious (and a little nervous) to find out why it was cheaper, but I went ahead and ordered it. Here are my guesses as to how, and why, directauth drives their prices down:

  • Directauth has only a tenth the number of reviews as supplytronics. (At the time of writing, 13,902 vs. 109,500; directauth’s are 97.7% positive and supplytronics’ are 98.4% positive.) I imagine reputation is extremely important in this business, and with fewer reviews, they have to find other ways to compete.
  • They didn’t ship with Fedex like supplytronics does. Both sellers have free shipping, so of course, the shipping cost is baked into the price. It took a couple of days longer for the phone to arrive, but it was still well under a week.
  • They weren’t able to send me a Phonecheck report when I emailed their customer service to ask. This part is honestly a bit problematic for me – with a used phone, I want documentation of the repair status and, importantly, whether the phone has been reported as stolen before. That latter part I was able to get from Phonecheck myself for $5, but I think providing a report of the phone’s diagnostics and history is an important part of running a reputable business.

However, PhoneCheck didn’t raise any alarm bells about the phone, and it was in pretty excellent shape. Finally, success!

The lesson here is that buying a used phone will inevitably, to some extent, come down to the luck of the draw. If time is really of the essence, I recommend buying two phones and sending one back. If they are both in good shape, you can use the battery capacity as a tiebreaker.

Selling a Used Phone on eBay

It had been a very long time since I had tried my hand at eBay selling. My last, failed, attempt at a sale was a car part I listed the summer after high school that nobody bid on until months after I had moved away to college. I refunded the buyer and removed the listing. It was anticlimactic.

The UX of selling stuff on eBay is great. There’s a reason they have managed to be, I’d argue, the only site of their kind that matters for over twenty years now. The workflow for listing an item was easy to follow and made it easy to provide lots of details about the phone. I filled in as much as I can, thinking that would help my listing turn up in more searches, and gave it the best SEO’d title I could muster, “OPPO A17 Android Smartphone Pristine With Original Packaging (SEE DESCRIPTION).” I was a little bit shocked when, on the last day, the price shot up from $41 to $71 (plus the flat $6.95 I charged for shipping). The fees were brutal, and the shipping label cost just a little more than I had charged, so I only ended up being paid out $57.80. I’m happy that I was able to recoup half of the $110 I spent on this emergency phone, but a 16% platform fee is steep.

EBay also required me to put in my government ID before they would pay me out, which I’m not very happy about. I looked online for ways to get around this, but apparently they are required by US law to do this, even for people like me who are only making $60 per, uh, ever. I guess it is not eBay’s fault, but it’s annoying, and I wish I had known before listing the phone in the first place. If you are especially privacy-conscious, it’s something to consider.

Buying Identity Theft Protection

Whew, that last section was long, longer than I planned, but what can I say besides what I have already said?

[This experience] sparked a briefly very deep obsession with mobile computing that has changed me forever.

I’ll keep this one nice and short.

Just in case someone was somehow able to get sensitive information from my stolen phone, I decided to buy identity theft protection, mostly for the industry-standard $1mm insurance that comes with basically any plan. Therefore, I prioritized affordable, single-person plans in my comparison shopping, and settled on IDX. Part of the process of signing up for identity theft protection is providing the company with everything they should be scanning for on the dark web – all of your IDs, SSN, emails, phone numbers, health insurance card – everything. It takes a considerable amount of time to do this, but I haven’t thought about it at all since then, which is probably the best review I can give for a product like this.

IDX’s portal will also help you get copies of your current credit report and freeze your credit. My credit was already frozen with all three bureaus, something that is worth doing for anybody who is subjected to America’s bizarre, unfair, archaic credit reporting system.

I also enabled a setting on the brokerage account I use to not allow any transfers out of my account without extra verification of my ID. Since I don’t transfer money out of brokerage, or really even sell stocks, ever, this setting doesn’t affect how I use the account at all, and I am happy with it so far.

Wrapping Up

I like to make posts about the kinds of mundane matters that can be difficult to Google, because the vast majority of people would never thing to post online about these things. I’m doing this mostly to offer a data point, akin to how many people use Reddit: here is one random person’s specific account of this boring, bureaucratic ordeal.

If you’ve recently had a phone stolen and are anxious about it, I’m happy to be part of the internet rabbit hole you have gone down. If you’re looking for information about supplytronics, which, surprisingly, is hard to find online, then I’m glad I could share my experience.

If you read this post from top to bottom just for fun, then thank you, and I am genuinely shocked that you found this engaging enough to read the whole, long thing.