18

I'll be travelling to Mongolia, and I've heard there's a non-trivial chance of theft. I'll be taking two Apple iPhones with me, and I'm not too concerned about the theft of the devices themselves, as that's a bounded cost.

Do I need to take precautions against identity theft, and if so, what personally identifiable information should I delete from my smartphone and email before travelling?

The only personally identifiable information on my email and smartphone relates to me as an Australian - I have worked for a year in the US, but that was prior to me setting up the only email account set up on my phones, and buying my iPhones.

Related questions: Photocopies of important documents stolen (more about what to do after theft has occurred, not beforehand), and What harm can be done with a copy of one's passport? (specific to passports). Wikivoyage has a section on identity theft, but it's more or less only about passports.

Golden Cuy
  • 8
    I don't see anything that makes this Q Mongolia-specific, so could you edit it to make it a general question? – mts Jul 02 '16 at 16:30
  • 1
    @mts how does it look now? – Golden Cuy Jul 03 '16 at 03:27
  • It took the FBI several weeks to find a person that could hack the iPhone in under 2 mins, there are apps and tools out now thanks to this that make it a one and two click operation to gain access to an iPhone. Just take a dummy phone, a cheap $10.00 touch screen, while you're on holiday so no personal info can be stolen. –  Jul 02 '16 at 23:02
  • What about source of your claim? (One click app for unlocking an iphone ios9+) – Kyslik Jul 03 '16 at 00:32

6 Answers

36

If you have a sufficiently modern iPhone (eg. anything that runs iOS 9 would be fine), then enable a passcode, set "Require Passcode" to "Immediately" (so you have to enter it every time you open the phone) or something short. The phone's memory is encrypted using a key derived from the passcode. No passcode, no personally identifiable data.

If you do this, then the chance of identity theft due to a stolen phone is effectively zero.

Greg Hewgill
  • 18
    This answer is correct, but assumes the OP won't be in the situation of being forced to unlock the device (whether by police, immigration authorities, plain old criminals, etc.). If that's a concern then the question has a lot more interesting depth to it. – R.. GitHub STOP HELPING ICE Jul 02 '16 at 18:26
  • 2
    @R.. I'm not that worried about that scenario, as at least I'd know about it happening. (Unless someone's snooping on me using the iPhone) – Golden Cuy Jul 03 '16 at 03:55
  • 1
    A PIN code lock to the SIM card will be helpful. Viber, Whatsapp, etc accounts are tied to your mobile number, so that is a risk. – AKS Jul 03 '16 at 12:12
  • 2
    You should also disable notification preview, as the iPhone reveals a few lines of text. It is useful especially for messages – code ninja Jul 03 '16 at 16:08
  • 1
    Personally I wouldn't put all my trust on the pin. A 4 digit (6 if it's an iPhone 6) pin could be easily brute-forced as there are only 26,244 (39,366 for iPhone 6) different possible combinations (I think I did the math right). Apple may actually have more security features to help prevent it that I'm not aware of as I'm not an expert with iPhone security, so please feel free to correct me if I'm wrong. – Keith M Jul 04 '16 at 00:43
  • 4
    @KeithM: The easiest way to mitigate that risk is to set the "Erase Data" option which erases all data on the device after 10 failed passcode attempts. The second easiest way is to use a longer alphanumeric passcode instead of a 4- or 6-digit one. – Greg Hewgill Jul 04 '16 at 02:18
  • 3
    @KeithM: the PIN code used in iOS and Android is very good. You have an exponential cool-down time between attempts (starting from the 5th) - that is it takes longer and longer between attempts to use the PIN. After some time you will have to wait a week between attempts. On top of this you can set the iPhone to erase after 10 missed attempts. The encryption behind this scheme is very good too. – WoJ Jul 04 '16 at 06:44
  • 1
    @KeithM The dedicated crypto processor on the device is designed to be slow (the pin hashing algorithm has a very high iteration count), it would take two years to try all six digit permutations, and the software prevents multiple attempts. To prevent offline attacks, the pin is entangled with a 256 bit random hardware identifier, burnt into the crypto processor at manufacture time, not readable in the software, and that key is used to encrypt the whole backing store. See https://www.apple.com/business/docs/iOS_Security_Guide.pdf – Calchas Jul 04 '16 at 22:58
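
The comments above describe a key derived from the passcode, entangled with a hardware identifier, plus an erase after 10 failed attempts. The toy model below is an added example, not part of the thread and not Apple's implementation; PBKDF2, the `Device` class, the check value and the tiny iteration count are assumptions chosen so it runs quickly.

```python
import hashlib
import hmac
import os

ITERATIONS = 20  # tiny so the demo runs quickly; the comment describes a very high count

def derive_key(passcode: str, uid: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the crypto processor's derivation.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS)

def check_value(key: bytes) -> bytes:
    # Constructed stand-in for data encrypted under the derived key.
    return hmac.new(key, b"unlock-check", hashlib.sha256).digest()

class Device:
    """Toy phone: the hardware UID stays private, flash contents can be copied."""

    def __init__(self, passcode: str, erase_after: int = 10):
        self._uid = os.urandom(32)  # 256-bit per-device secret
        self.flash = check_value(derive_key(passcode, self._uid))
        self.failures, self.erase_after, self.erased = 0, erase_after, False

    def try_unlock(self, guess: str) -> bool:
        if self.erased:
            return False
        if hmac.compare_digest(check_value(derive_key(guess, self._uid)), self.flash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.erase_after:  # "Erase Data" after N failures
            self.flash, self.erased = b"", True
        return False

def offline_guess(flash_copy: bytes, digits: int = 4):
    """Enumerate every PIN against copied flash without the device UID."""
    uid_guess = os.urandom(32)  # the real UID is not readable off the device
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(check_value(derive_key(pin, uid_guess)), flash_copy):
            return pin
    return None

def on_device_guess(device: Device, digits: int = 4):
    """Enumerate PINs through the device itself; returns (pin or None, attempts)."""
    for n in range(10 ** digits):
        if device.erased:
            return None, n
        pin = f"{n:0{digits}d}"
        if device.try_unlock(pin):
            return pin, n + 1
    return None, 10 ** digits
```

In this model, copying the storage and enumerating the whole 4-digit space finds nothing because the UID is missing, and guessing through the device stops at the erase threshold.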
20

None, as long as you lock your phone with a password. It took the FBI several weeks of efforts to crack an iPhone belonging to the San Bernardino mass shooter, so a random low-level thief won't have the skills or tools to access your encrypted information.

I would worry more about information stolen on your laptop, although that also can be mitigated by encrypting your drive with VeraCrypt or a similar piece of software.

JonathanReez
8

Unless you need that specific device, I would get a throw-away device to carry in questionable situations. You can get decent Android devices for under $100 US.

DTRT
8

Most people that target identity theft are not looking at your cellular phone; they are looking at things that can be used to impersonate you - so your id card, passport, etc.

People stealing phones are looking at reselling them for a quick buck. So, if you put a passcode on your phone, it makes it less of a target for being sold on. iPhones in particular have robust security (as detailed by Greg).

I would not be worried about my identity being stolen via my phone.

Burhan Khalid
6

Everyone has given good advice about the phone and that it will almost undoubtedly be safe if you put a password on it (rather than a short PIN). The only issue that I see is to ensure that access to your email service is encrypted. Almost all are these days, so it's only a concern if you access mail without using SSL.

You will see this under Advanced Settings in account setup where it should have "Use SSL" selected.

Berwyn
  • How is this going to prevent identity theft? – Burhan Khalid Jul 04 '16 at 08:28
  • @BurhanKhalid If you're downloading and sending email over an unencrypted connection, you're likely to be providing access to PII – Berwyn Jul 04 '16 at 08:33
  • Okay, but how does that prevent identity theft which is a part of the question. – Burhan Khalid Jul 04 '16 at 08:37
  • 1
    @BurhanKhalid Ensuring your email connection is protected by SSL prevents someone intercepting your email connection, learning your password and reading all your previous email. Within your email is likely to be other information about your identity, including name, birth date, address etc, sent in previous mails. Having access to someone's emails is a rich source of information useful for identity theft. Also you could use for some forms of 2FA also useful for identity theft in some cases. – Berwyn Jul 04 '16 at 08:40
  • Ensuring SSL does not prevent this, because anyone can easily spoof an SSL connection by putting a proxy on the network. China does this all the time, as do app testers and security firms. The only way this would work is if the application employs SSL pinning - but now we are getting way out of scope here. – Burhan Khalid Jul 04 '16 at 08:45
  • 2
    @BurhanKhalid You cannot spoof an SSL connection without installing a root CA on the phone. If an attacker can do that, they can do anything. – Berwyn Jul 04 '16 at 08:46
  • 1
    @BurhanKhalid GMail in Chrome has certificate pinning, although if you go to the trouble of installing a root certificate with global signing privileges, it will be ignored for the reasons you cite (app testing and system administrators imposing policy on employees). If a Chinese proxy asked me to install a root certificate, I'd probably decline ;) – Calchas Jul 04 '16 at 23:17
2

The only other recommendation I have is to delete (uninstall/remove) any banking related apps on the phone before your travel, for 3 reasons:

  1. It is not too difficult to retrieve logs generated by apps installed on a phone and I wouldn't completely rely on the banks that they have secured their apps in all possible ways
  2. You are likely to access internet via public WiFi
  3. If for any reason you need the apps, you can always re-install them

Rocky Inde