Dateline: Alpbach, 27th August 2024.
Claer Barrett, writing about the theft of her mobile phone in the Financial Times, summarised our modern age succinctly. Look up and down any London street, she says, and you will see many, many people walking around with their phones unlocked in their hands despite the fact that the latest official figures (from our Office of National Statistics) show that over the last decade mobile phones have overtaken cash and payment cards as the items most often stolen from individuals in the United Kingdom.
It Could Happen To You
As it happens, I added to this statistical trend because my iPhone was stolen in London a few months ago. Now, given that my iPhone is my bank accounts, my payment cards, my loyalty cards, my event tickets and my everything else, what scared me most was losing my identity, not losing my money! As it happens, I saved both, thanks to some basic precautions.
In the UK, mobile phone theft is more than a nuisance. Reported mobile phone thefts grew by a third in the year to January 2024 and losses from mobile banking fraud increased by 17% to £19 million in H1 of 2023, the highest recorded total, with average losses per customer of £2,314. A mobile phone is reported stolen in London every six minutes.
The theft hot spot is Westminster, where almost a third of the thefts occur. In fact, that’s where mine was stolen. To cut a long story short, I got distracted by a woman begging in a coffee shop. She was pestering my colleague and we were telling her to go away. She was waving around some papers. When she left, I realised my phone was gone. She had covered the phone with the papers and snatched it. I ran out of the door and saw her going down the street so I ran after her but she got into the back seat of a waiting car that drove off. There was nothing more I could do than memorise the registration number and go back to the coffee shop.
(Back at the table I used my colleague’s phone to call the police and report the theft. Interestingly, the manager of the coffee shop asked me for the crime number given to me by the police, because these crimes happen so often that they send the crime number to their head office which then sends the CCTV from inside the store to the police!)
While I was talking to the police, I used my laptop to log in to iCloud to locate the phone and set it to erase. The criminals had turned the phone off to prevent tracking, of course, but I immediately changed my iCloud password so they wouldn’t be able to log in when they turned the phone back on again. I then called my mobile operator to block the number. I also called my bank to block mobile banking.
Changing the iCloud password is the top priority. Note that Apple recently introduced the "Stolen Device Protection” feature that adds a layer of security when your iPhone is away from familiar locations such as your home or work. With this turned on, you may be required to wait for an hour before using your iPhone to make changes to critical security settings or your Apple ID. What’s more, if your iPhone is not in a familiar location, you must authenticate using Face ID or Touch ID, wait for the security delay to end, then authenticate with Face ID or Touch ID again to update security settings. Hopefully for most people an hour is plenty of time to get to another machine and log in to change your iCloud password.
with kind permission of Helen Holmes (CC-BY-ND 4.0)
Since the phone had been turned off to prevent tracking (it later showed up in Southend in Essex, so at least it wasn’t having fun), I felt reasonably safe because the criminals wouldn't be able to unlock the phone when they turned it back on again. This is where the criminals are getting smarter though. A senior UK fraud officer, Detective Superintendent John Roch, says that British criminals are getting better at exploiting human behaviour. Thieves typically "shoulder surf" victims to catch them entering their PIN before stealing the phone. It seems that American criminals adopt similar procedures.
The Wall Street Journal, to choose one illustrative example, reports on the case of a Manhattan woman who was leaving a bar when her iPhone was snatched by a man who had watched her enter her PIN earlier. Within a few minutes she was locked out from her Apple account and within a day, $10,000 vanished from her bank account.
Perhaps the “beggar” or an accomplice had watched me enter the PIN and could access the photos! I was pretty sure I hadn’t entered the PIN in the coffee shop, but I couldn’t be certain. I at once resolved to use only my contactless payment wearable (a ring) to pay in any public place henceforth and then headed home to begin the recovery process.
Your Money And Your Life
What worried me more than the criminals getting into my money (after all, since I had not authorised the transactions, the bank would have to refund me) was them getting into my identity. Money is fungible and recoverable, reputation is non-fungible and non-recoverable. I was panicking slightly because I had remembered that my photos included more than one picture of my passport and my driving licence (and, indeed, me holding a copy of my passport up next to my face because of some dumb onboarding procedure) and therefore my whole identity.
Why? Well, because of a variety of financial services that, lacking any working digital identity infrastructure, require you send valuable personally-identifiable information instead! With the last couple of months I’d sent these pictures to a couple of banks, to Google and to others.
Over the next few weeks I received occasional messages from the thieves variously pretending to be Apple, the police and an insurance company. This is standard tactic. Veronica de Souza wrote about how thieves cycle through different tactics for engaging, convincing, tricking, or scaring victims into unlocking the phone for them. I got the who gamut but naturally I just deleted each of the messages when it arrived (but not before spending a moment reflecting on how the message confirmed that my iPhone was keeping its secrets).
As for other precautions, by the way, I had long ago set the phone to not display message previews when locked. You should do this too, immediately, in order to stop criminals from seeing the one time codes that some financial institutions still insist on using for “security” (and anyway my bank cards were at home since I don’t take them out with my any more, so the criminals wouldn’t know my bank or account number or anything).
Restart
A big shout out to my insurance company, Hiscox, who confirmed first thing that the phone was covered and then processed the claim very quickly. The very next morning I went to the store to pick up another iPhone and have my number ported to it. I fired up the new phone then logged in with my new Apple ID and the phone was restored. This all went very smoothly and I was up and running within the hour.
(Well, almost: over the next couple of days I found myself having to look up passwords to log in to everything again, but in the great scheme of things, it was survivable.)
So, here then is my suggestion for surviving financial catastrophe after iPhone theft, based on my lived experience. If your iPhone is snatched:
First, use your laptop (or a friend’s laptop) log into Apple immediately, wipe the iPhone and change your iCloud password. Do this before you call the police or anyone else.
Second, use your spare phone (or a friend’s phone) and call the phone company get the number blocked.
Third, call the police and get the crime number you will need for your insurance. The police are not going to do anything about getting your phone back (it would take every police officer in Britain to do something about this).
I survived, you can too.
Are you looking for:
A speaker/moderator for your online or in person event?
Written content or contribution for your publication?
A trusted advisor for your company’s board?
Some comment on the latest digital financial services news/media?