tl;dr

  1. Don’t be a hero. Give them everything they ask for.
  2. Use apps to hide your sensitive data.
  3. Use a password manager.
  4. Use YubiKeys. Have a backup 2FA app on another device at home.
  5. Don’t carry all your cards with you. Don’t have all your cards in your digital wallet.
  6. Keep a backup phone and a contact list at home.
  7. Keep your main banking card/credit card at home. Carry a different card with you for your daily expenses.
  8. Back up your media in the cloud.
  9. Take care of your mental health. Don’t be paranoid. Don’t be naive.

Introduction

Recently I’ve been reading a few posts on reddit regarding theft in London. Theft in London, and in any big city, isn’t something new. In fact, in recent years and decades the overall crime rate has gone down. That doesn’t mean that theft doesn’t happen. It does. And it’s not a pleasant experience.

Crime Graph

As we can observe in the graph above, while the crime rate has gone up, it’s still lower than the England & Wales average. The issue is that London is way more dense, with way more people, and it’s a city that is still growing. So while the crime rate is lower than the average, it’s still a lot of crime. My general approach is to be aware of the risks and take the necessary precautions. I don’t want to be paranoid, but I also don’t want to be naive.

So how do we prepare for the worst? First and foremost, if you find yourself in a situation where you are being robbed, don’t be a hero. Give them everything they ask for: your wallet, your cards, your phone and, more recently, your PINs. The last bit is something that caught me off guard. Thieves now ask for your phone and card PINs. There isn’t a lot you can do at this stage for the card PINs, other than not carry all your cards with you. The phone PIN, though, is something else. Our entire life is in our phones: financials, personal photos, phone numbers, notes. Everything. A thief with your phone and its PIN can do a lot of damage. So what can we do?

The phone

Ideally I would like Apple and Google to implement a “panic mode PIN”. The way it should work is that it unlocks the phone as normal, but once a certain amount of time passes it wipes the phone. This would be a great feature to have, but it’s not there. The next best thing is apps that hide certain other applications. They remove the hidden apps from the app drawer and from the recent apps list, so someone who gets into your phone wouldn’t know those apps are there. You can also set safe zones inside the apps: the apps stay hidden when you are away from your safe zones (home, work etc.) but are visible as normal while you are there. It’s a set-it-and-forget-it system. The downside is that it adds an extra layer of complexity: you need to remember the PIN for the app, the fact that the app is there, and the fact that you need to set the safe zones. It’s not a perfect solution, but it’s better than nothing. On iOS I use an app called Cloak, but another well-known app is Private Photo Vault. On Android one can use App Lock. All of these apps are free and have a premium version. I opted for the premium version of Cloak because it has a few more features. The premium version of Private Photo Vault is also quite cheap.

So for the phone we have hidden our sensitive apps (mostly finance apps) and we have set our safe zones. What about the rest of the phone? The next thing to do is to choose one bank card and remove it from the phone wallet (Google Pay/Apple Pay). This card should also stay physically at home; don’t have it with you. The reason is that someone who gets into your phone with your PIN can also pay with any card you have in the phone wallet. Keep one card as a backup at home, and don’t have everything in the phone wallet.

For the rest of the apps, where you have the option to set a PIN, do it, and don’t use the same PIN that unlocks the phone; that defeats the purpose. It goes without saying that for media like pictures and videos you should keep a backup somewhere in the cloud. I use Google Photos for this, but Apple Photos is also a good option. The same logic applies to notes. I use the Bear app for my notes, but there is a myriad of other options. The important thing is to have a backup somewhere in the cloud. If you are using a password manager like KeePassXC then you should also have a backup of its (encrypted) database somewhere in the cloud. Dropbox or Google Drive is a good option.

The wallet

I’ve read different suggestions online. One is to carry a decoy wallet with expired cards and random receipts. I find this cumbersome and risky. It is also a habit that I believe I would fall out of, simply because it’s an extra layer of complexity that isn’t needed. My preference is to keep it simple. Keep your wallet with you as you do, but as I mentioned above, don’t carry all your cards with you. Leave at least one physical bank card at home.

My general strategy is to have one bank account where my paycheck goes in and my direct debits go out, and another for my day-to-day shopping and expenses. The card for the paycheck/direct debits account I don’t carry with me. I do carry the day-to-day card, which only ever holds a limited amount of money. If the worst were to happen I would lose some money, but the loss would be contained. So: paycheck card at home, day-to-day card with you. I am on the fence when it comes to credit cards. It’s reassuring to have them with you, but it’s also a risk. I know that American Express is good with fraud, so that gives me some confidence to still keep it with me. Any other credit cards I would leave at home.

Emails & Passwords

The other big issue here is your email and your passwords. If you are storing your passwords in Apple Keychain or the Google equivalent then you are dead in the water once someone unlocks your phone, because the phone PIN is all that protects them. This isn’t good enough. You need a separate app with its own unlock secret. I recommend 1Password or alternatively KeePassXC. Both are cross-platform and both are robust. 1Password isn’t free, but it’s worth the expense if you can afford it. Otherwise KeePassXC is open source and free. One caveat: a thief who knows your phone PIN can usually enrol their own fingerprint or face on the device, so don’t rely on biometric unlock alone to keep the manager separate; make sure its fallback is the manager’s own master password rather than the phone PIN, or turn biometric unlock off.

The next problem is 2FA (two-factor authentication). Many people use SMS for 2FA. This is a bad idea: it is the weakest method, and anyone with your unlocked phone can read your SMS (often even from the lock screen, via notification previews). The better way to do 2FA is with an app such as Authy or Google Authenticator. These apps generate a time-based one-time code that you enter when you log in to your accounts. The issue is that those apps live on your phone, so whoever gets into your phone gets into those apps too. It’s not a huge issue as long as they never got hold of your passwords in the first place, but it’s still a risk. What is actually worse is that if you lose your phone and don’t have access to that 2FA application, you are locked out of everything: no access to your emails or your socials.

So what can we do? A good solution is to have a backup 2FA application somewhere else. This could be a separate phone or tablet that you use only for 2FA: you install the 2FA app on that device and keep it at home, and if you lose your phone you use that device to log in to your accounts. Even better is a hardware token. These are small, cheap devices that generate a unique code (or answer a challenge) for 2FA. I have a YubiKey that I use for 2FA; it’s a small device that I always leave at home as my last line of defence. Whatever backup you choose, register it as an additional second factor on each account (most services let you enrol several) and store the one-time recovery codes the services give you alongside it, otherwise the backup can’t get you in. It’s not a perfect solution, but it’s the best we have right now. If you are interested, this is an interesting article on how to use a YubiKey for 2FA.

So to recap: you are safe as long as a thief doesn’t get both your passwords and your 2FA. Keep the passwords in a separate password manager with its own unlock secret. Keep the 2FA on a separate device or a hardware token. If you lose your phone you can still log in to your accounts using the 2FA device or token. Remember too that your email account is the password-reset path for most of the others, so the email app on the phone belongs behind the hidden-app layer and its own 2FA just as much as the banking apps do.

Emergency phone and contacts

So the worst has happened: someone stole your wallet, your cards, your phone and your PIN. You are shaken but in one piece. They got your valuables, but those are easily replaceable. You were smart though, and you have your main bank card at home, along with a device that has access to your 2FA and your banking applications. You will bounce back. All you need to do now is let your people know and call the banks to cancel all your cards. How do you do that? First you need a list of emergency contacts: the people and organisations you call in case of emergency. It should include your bank, your insurance, your family and your friends. You should have this list in both digital and physical form, on you and at home. It’s not a terrible idea to include other useful numbers for an emergency too, such as the police, the ambulance and the fire brigade.

The next bit is an emergency phone with an active SIM card. These days most of us don’t have a landline. In lieu of that, the next best thing is a dumb phone, like a Nokia, with a pay-as-you-go SIM card ready to go. You can park this at home and keep it charged; make a call or top it up every few months, since most pay-as-you-go SIMs are deactivated after a long period of inactivity. When the time comes, call the police first, then the banks to cancel your cards, and finally your friends and family. Alternatively you can keep that phone always with you, somewhere in your bag or in your car. The problem is that if you lose your bag then you lose that phone too. So it’s a trade-off. I prefer to keep it at home.

Conclusion

I hope none of this ever happens to you or me. But if it does, I hope that you are prepared: that you have a plan and the tools to execute it, and that you are safe and can bounce back from it. I have written down what I do to prepare from a practical perspective. I am sure there are better ways, so please let me know what yours are.

The final thing I want to address is the mental and physical health side of a situation like this. A robbery is a traumatic experience. It’s not something that you can just brush off. It’s a violation of your personal space and a violation of your trust. It can leave you scarred for life, and it can make you hate a place or a country. Do everything you can to be resilient. Accept the feelings you might have, but speak with someone: your friends, your family, your community. Some useful resources on PTSD after such an experience can be found here, along with the always useful NHS page on PTSD.

One final thought regarding security. Security isn’t about making sure that nothing bad ever happens. Security is about buying you time to react. It’s about making sure you have a plan to execute, and about having the resources in place to execute that plan. More importantly, security is about making the adversary’s life harder: making them decide that it’s not worth spending all that time and effort.