Don't neglect the physical security of your device -- a critical part of protecting your overall privacy and security.
The physical security of your device is a critical part of protecting your online safety and digital identity.
I originally posted on this topic in Feb 2023, as I was just getting started with this substack! It's been almost two years since then, and I’ve posted 115 articles about helping experts and non-experts protect their privacy and security.
I have noticed that when we discuss digital privacy and security, hacking, and breaches in the news, it’s easy to forget the importance of physical device security and only focus on digital protective measures (like using MFA, strong passwords, etc.). Those protective measures are super important, but neglecting physical access to your device can lead to similarly catastrophic consequences.
If someone has access to your unlocked or unencrypted device, they own everything about you and can access anything they want. They don’t need to hack any of your accounts.
Recovering from an attack like this can be extremely difficult because a bad actor can do a fantastic amount of harm in a very short period, such as (and certainly not limited to!):
Taking over all of your accounts (financial, email, social, shopping) – even if you have MFA (which is probably an SMS message, phone call, email message, or authenticator app — all of which are on your phone), they can take over all of your accounts (taking over an account means they change the password so you don’t have access).
Going into your banking apps or payment apps (i.e., Venmo) and transferring money to the bad actor.
Buying things with shopping apps (i.e., Amazon) and charging your credit cards.
Using your phone number, email, and social media to send messages to your contacts to implant malware, phish them, or conduct a family emergency scam.
Accessing potentially compromising or embarrassing photos or other sensitive information that could be used against you.
![[Post update] You should know about family emergency scams so you can protect you and your family](https://substackcdn.com/image/fetch/$s_!NHAj!,w_140,h_140,c_fill,f_webp,q_auto:good,fl_progressive:steep,g_auto/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f7a485c-dadf-433c-926e-c0f7b19c16c4_1024x1024.png)
Prevention Tips
Remember, prevention is the most important thing. Remediating any cyber-harm is usually extremely painful. Here are some of the most important things you can do to protect the physical security of your device!
On your device:
Lock your device and have a strong passkey! Use a strong password on your device (eight digits are better than four digits, alphanumeric passwords are better than eight digits, and biometrics are good in most cases). However, if you are in a situation where you might be compelled to provide access to your phone, such as a detention situation, biometrics aren’t great because you can be forced to give access to your device.
If you use biometrics, you should use a strong password as a backup.
Get in the habit of locking your device when you are done using it—click the button on the side to do so.
Set auto-lock to lock your device if it has not been used for X amount of time (the shorter, the better). This means that if you leave your phone unattended, it will lock automatically.
Auto-lock settings on an iPhone Encrypt your device! (All recent Android and iOS phones are encrypted by default.) However, computers and other devices might not be encrypted by default, so make sure you check those settings and turn on encryption.
Set up “Find my Phone” features. This allows you to locate, lock, or delete your device remotely. This is critical if someone steals your device or you lose it. You can immediately move to find, lock, or delete it to protect your data.
Only download apps from official app stores (Google Play Store or iOS App Store). This protects you from downloading obvious malware apps, although some bad apps can get through the protections Google and Apple put in place (especially true for the Google Play Store). Also note that some “legitimate” apps are extremely poor for privacy and security (e.g., TikTok and Temu, which I highly recommend you do not use).
Restart your phone whenever you think about it (ideally daily). This protects you from persistent malware that is stored in your device’s memory (that will be cleared upon restart).
Physical Security Measures
Be aware of your surroundings when you enter your passcode on your phone, especially in crowded places. A bad actor looking over your shoulder on the subway can see your passcode, steal your phone at the next stop, and have access to your unlocked device.
Don’t leave your device unattended! Keep your device in your view at all times. An unattended device is easily swiped and/or tampered with. Worse, if a device is unattended, you might not know it was tampered with. If someone has access to your device, it only takes a few seconds for them to navigate to a URL and download malware or spyware on your device.
Advanced Tips
Use a privacy screen. This reduces the angles from which someone can view your screen, meaning that they’d have to be directly behind you to see your passcode or any of your sensitive information.
Ensure sensitive apps (e.g., financial, password manager) also require authentication. This means that if you open the app, you have to enter your passcode or use your face ID/fingerprint again to access it. This way, the bad actor can’t log in to your financial accounts without reauthenticating.
On iOS, you can now require any app to require Face ID. To do this, long-tap (or click and hold) on the app you want and select “require Face ID.” This is a great security measure that will protect your apps even if someone gets ahold of your phone.
Use the “erase data” settings after a certain number of failed device access attempts (on iPhone, it is 10 failed attempts). That way, someone can’t brute force their way into your device by trying hundreds of combinations.
Remediation Steps:
If you lose your device, it is stolen, or you suspect it has been compromised in some way, here are some things that you should do.
Be quick! A bad actor with your device is one of the most significant risks, and they can rapidly cause a lot of harm.
Remotely Lock or delete your device. Go to the nearest computer or phone, log in to “Find my phone,” and lock or delete your device remotely. For iPhones, you can use “lost mode” or “erase” mode.
Resecure your “Crown Jewels” accounts. Start logging into your “crown jewels” accounts (your most valuable accounts (email, financial, social media usually). Change the password (unique/strong), enable MFA, and log out of devices that have access to a service (i.e., on Google, you can log out of devices from your Google Account).
Stop cell service! Contact your cell phone provider and stop service to the device – this way, the bad actor won’t get any MFA codes sent to your phone.
Wrapping up…
Protecting the physical access of your device is critical to protecting yourself from online harm. Some of the most horrifying cyber harm victim scenarios I’ve encountered are from people who have had their device stolen and the bad actor had the passcode (because they saw it entered).
Use a VPN I use Nord in all my devices. Author may have advise in the area
super intuitive and helpful!