Practical Personal Information Security (draft)

June 2017 · 8 minute read

I’ve had my phone and laptop stolen in the past, and I’ve been thinking about how to properly secure my digital life.

I thought there should be a guide which goes through the important steps to do so, but I couldn’t find one like this, so here goes.

Preparation

Device serial numbers

It is important to write down the serial number of your devices.

The serial number is usually important for insurance claims and potentially to blacklist the device after it is stolen, to prevent its use after theft.

Preventing device use after theft is mainly important to discourage theft in the future so that stolen devices cannot be sold easily.

Apple Macbook or similar

The serial number can be obtained from “About this Mac”, which is visible when clicking the Apple logo at the upper left corner of the screen.

Also see: “Find the serial number of your Apple product” at Apple Support.

Tracking software and other preparations

  1. Use FileVault so your data does not get compromised.
  2. Ensure all of your most important data and documents are backed up somehow. Probably the easiest way is to use iCloud for this. If you have a lot of data, consider alternatives.
  3. Do not use full disk encryption otherwise, because otherwise the thief will probably wipe everything from the disk, including the tracking software.
  4. Create a guest account, with no parental controls enabled. If the thief can use the laptop immediately, the chances are much higher that tracking software will get online and that you will get some information on the thief.
  5. Test that the guest account works if you have firewall software installed (e.g. Little Snitch).
  6. If you do receive your stolen Macbook back, note that there is a chance that the hardware/firmware/software/data is compromised. It should be a worthwhile precaution to re-install the machine from scratch.

iPhone or iPad

See: Find the serial number or IMEI on your iPhone, iPad or iPod touch at Apple Support.

Android phone or tablet

See: Locate a device serial number at Google Store help.

Find the IMEI for your phone

You can find the 15 character IMEI:

  • Tap All Apps in the Favorites tray on any Home screen and then Settings and then About phone, About tablet, or About Device and then Status
  • Dial *#06#
  • Check the SIM card tray
  • Check the device box
  • Check the back of your device

Find the CSSN/serial number for your tablet

  • Tap All Apps in the Favorites tray on any Home screen and then Settings and then About phone, About tablet, or About Device and then Status and then Serial number
  • Check the serial number on the back of your device
  • Check the CSSN number on the device box
  • Note that the CSSN and the serial number are the same 8-character number.

Passwords

Nowadays it is recommended to have a password which is at least 12 or 14 characters long, along with the other guidelines on Wikipedia.

It is a good idea to have separate passwords for different devices or services. But it gets difficult to remember passwords beyond a couple of the most used ones, so it is also a good idea to use a password manager.

I personally keep the following passwords separate:

  • My personal Google account
  • iCloud/Apple account
  • Device “local” passwords where applicable (laptop user account password, phone PIN). Windows tends to want to link to the online Microsoft account though.
  • The master password for my password manager (from before I mainly used the Chrome integrated password manager)

On losing 2FA tokens: https://lifehacker.com/what-do-i-do-if-i-use-two-factor-authentication-and-los-1668727532

Password manager

Multi-factor authentication

2-factor authentication (2FA), and more generally multi-factor authentication (MFA), is a way to enhance information security by requiring “something you have” in addition to a password for authentication.

There are many ways for passwords or other primary authentication methods to get compromised and history has shown 2FA to be effective at mitigating most instances of password theft.

2FA was initially deployed at scale by Blizzard to deal with the then-rampant problem of account theft, followed by banks and various other companies like Google and Amazon.

Nowadays 2FA is relatively common, but many services implement it relatively insecurely or have other flaws which allow bypassing the requirement for the second factor entirely (e.g. by allowing account recovery with only SMS).

Services which can be “recovered” just with a phone number

TODO. There should be a list like this somewhere.

2FA Backup codes to password manager or encrypted files?

Many websites (such as Digital Ocean) recommend storing the backup codes in a password manager, or as an encrypted file.

This may be fine for some services, but there is an added risk: if the password manager gets compromised, the backup codes will also get compromised. In this case, the attacker would get both of the authentication factors in one go.

Besides, if you were to store your passwords and 2FA backup codes in LastPass, and you had 2FA enabled for LastPass itself, you would still need to store the LastPass backup codes in some other location.

A possible solution is to keep the backup codes with a friend. This way, you could call your friends if you had lost your 2FA device (a mobile phone or dedicated device). And no one other than you would have all the authentication factors in one place.

Phone number

SMS and phone number related second factor authentication is considered officially deprecated since it is “relatively easy” to obtain unauthorized access to a phone number.

Many internet services still use or even mandate the use of SMS for two-factor authentication so it is prudent to attempt to secure your phone number first.

From hearsay and such, it seems that in the USA, it is possible to port a phone number from one operator to another with few checks. Someone

In Finland, most telecoms seem to ask for personal identity code (kind of like social security number in the USA) and perhaps some other slightly more difficult to guess pieces of information. So phone security may be slightly better in some places and worse in others.

Still, I don’t have much trust in the overall system. There are bound to be many holes and exploits lurking out there in those systems.

See:

  • https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/
  • http://www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html

U2F key

U2F or Universal 2nd Factor is a recent standard for a hardware-based secure two-factor authentication.

U2F tokens are preferable for 2-factor authentication when it is possible to use them, but care must be taken that there always exists at least one functional backup token somewhere in the world. It is probably preferable still to keep a set of backup codes somewhere since the USB port of your laptop might break or something. See: the section on Secure Storage of Backup Codes.

As of writing, U2F is not well-supported on mobile phones for a second factor in authentication besides the phone itself.

2FA or MFA for phones remains a difficult problem still.

Authy / Duo

Recommended since these allow for making backups of TOTP codes. Otherwise it can be very difficult to recover access to certain services if a phone is lost.

Services

Google

iCloud

2-factor authentication in iCloud seems to always require the use of a phone number (SMS).

Backups

2FA backup codes

Backup codes for two-factor authentication should be kept in a place which can be accessed even when you are on the other side of the world. The backup codes can be kept as digital files or physical printouts. In case of digital files, it would be prudent to keep the backup codes with a trusted friend or a set of friends, together with an N-of-M (like 2 out of 3) password scheme so that you can obtain the codes anytime by calling 2 of your friends and asking them to coordinate.

With physical printouts of backup codes, the codes should be kept at a friend’s place, perhaps in a safe.

If passwords are pooled with friends and family, consider using Shamir’s Secret Sharing scheme to help ensure backup codes are safe from any individual: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

Threat scenarios or threat model

International Border Control

The USA

A company called Basecamp (https://en.wikipedia.org/wiki/Basecamp_(company)) has an internal international travel guide which has many broadly adaptable pieces of advice for travelling to the USA with personal devices and data: https://github.com/basecamp/handbook/blob/master/international-travel-guide.md.

Stolen phone or laptop

Android kill switch to prevent factory reset

https://www.theverge.com/2014/10/15/6983509/android-lollipop-includes-kill-switch-factory-reset-protection

iPhone stolen while unlocked

Apple has recently implemented some safeguards for protecting user/account information if the phone was stolen:

https://auth0.com/blog/could-your-iphone-get-stolen-while-it-is-unlocked/

Android stolen while unlocked

Google generally has some extra precautions like requiring a PIN to change the most sensitive settings, but I could not find any reference about what can happen with an unlocked Android phone.

My device just got stolen

Android phone or tablet

  1. Go to Google account settings here and check if anything suspicious is going on.

  2. Select “Find Your Phone” and follow instructions to erase it.

  3. Alternatively attempt to locate and erase your phone using the Android Device Manager here.

iPhone or iPad or Macbook or similar

See: If your Mac is lost or stolen at Apple Support.

Note: As of writing, there is no place to report a stolen device to Apple officially. Therefore a stolen device usually cannot be caught even if it is taken in for repair at an Apple Store or similar.
