This guide describes what to do when your phone is stolen, and what preventive measures you can take to limit the damage.
Better safe than sorry. These are the measures you should take right now to reduce the impact of a phone theft.
Use screen lock. This is the most important advice of all. Set up biometrics and a PIN to unlock your phone. Use a password instead of a PIN if you feel like going hardcore. Avoid trivial PINs (0000, 1234, etc.); those are as good as no PIN at all. Avoid using a pattern for unlocking your phone; pattern locks are notoriously insecure. Set up a time interval for the phone to lock automatically; an interval of 1 minute or less seems appropriate. When you set up the screen lock, test it. Let the phone sit unlocked and make sure it locks itself instead of just going dark. Screen lock is your first and most important line of defense. If you do not have a screen lock then you are toast; you may as well hand over your complete digital life to the thief. Seriously, always have your phone lock active.
Prefer biometric unlock whenever possible. Unlock your phone with your fingerprint or your face. Avoid unlocking your phone with the PIN, especially in public places. If you have to, be very careful when entering the screen lock PIN. Be aware of your surroundings; the thief may be watching you. In fact, the thief may be following you for quite some time, waiting until you enter your PIN and stealing your phone after that. Your PIN is the key to your entire digital kingdom. Do not enter it unless it is absolutely necessary, and be very careful when you do so.
Always explicitly lock your phone when putting it away. Do not rely on timeout to lock your phone automatically. Press the lock button when putting the phone in your pocket, or even when placing it on the table in front of you. In time, it will become a habit, you will be doing that without even thinking about it. This makes sure your phone is always locked.
Do not use your phone for payments (Google Pay, Apple Pay, Curve, etc.). Putting your "money" in your phone means you are putting too many eggs in one basket. Phone payments are not like contactless payments with your card. If the thief can unlock your phone, they have all the keys they need to make any kind of payment they want, even quite large ones. You can lose a lot of money. Even worse, some phones/apps seem to allow contactless payments even if the phone is locked. Payment security settings are confusing and tend to change quite a bit, which makes it difficult to set them up correctly. If you really want to use phone payments, use a dedicated virtual credit/debit card for that, and set a very low daily limit for payments (e.g. no more than 100 EUR) in your bank. Any limits, additional authentication or other "security" features provided on your phone are completely useless if an attacker can unlock your phone and change them.
Mobile banking apps pose the highest potential risk if your phone is stolen. If the thief can get in, they can empty your account, even putting additional debt on you. Secure mobile banking apps properly, assuming that the thief will be able to unlock your phone. Use a long PIN (at least 6 digits) which is different from your screen lock PIN. Do not use simple PINs. Nothing really bad happens if you forget your mobile banking PIN; it is just a minor inconvenience. You can restore that PIN quite easily. However, if the thief gets in, all your money is gone. Never use biometrics for banking apps. The thief can register their own biometrics once they get into the phone.
The importance of keeping your screen lock active and your PIN secret cannot be overstated. The PIN grants access to everything on your phone. The PIN can be used to reset biometrics, granting access to anything that is protected by biometrics. Therefore, do not use biometrics for anything critical, such as banking apps. Also, do not use the same PIN you use for screen lock for anything important. Make sure your banking app PIN is different from your screen lock PIN.
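The PIN rules above (no trivial screen-lock PIN, a banking PIN of at least 6 digits that differs from the screen-lock PIN) can be turned into a mechanical check. The following is an added example written for this guide, not code from the guide or from any phone or banking vendor. The list of common PINs is constructed for illustration (only 0000 and 1234 are named in the text), and it goes one step beyond the guide's wording by also rejecting a banking PIN that merely embeds the screen-lock PIN; that stricter rule is an assumption of the example.

```python
"""PIN policy checks for screen-lock and banking PINs (added example, not the guide's code)."""
import re

# Constructed list of widely chosen PINs; the guide itself names 0000 and 1234.
COMMON_PINS = {
    "0000", "1234", "1111", "2580", "4321", "0852", "1212",
    "123456", "000000", "111111", "654321",
}


def is_sequential(pin: str) -> bool:
    """True when every digit is the previous one +1 or -1 (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def has_short_period(pin: str) -> bool:
    """True when the PIN is a short pattern repeated (0000, 1212, 123123)."""
    for period in range(1, len(pin) // 2 + 1):
        if len(pin) % period == 0 and pin == pin[:period] * (len(pin) // period):
            return True
    return False


def is_trivial_pin(pin: str) -> bool:
    """A PIN is trivial if it is common, a digit run, or a repeated pattern."""
    return pin in COMMON_PINS or is_sequential(pin) or has_short_period(pin)


def check_screen_lock_pin(pin: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not re.fullmatch(r"\d{4,}", pin):
        problems.append("PIN must be at least 4 digits")
        return problems
    if is_trivial_pin(pin):
        problems.append("trivial PIN (repeated, sequential or common)")
    return problems


def check_banking_pin(banking_pin: str, screen_lock_pin: str) -> list[str]:
    """Banking PIN: at least 6 digits, not trivial, and different from the screen-lock PIN."""
    problems = []
    if not re.fullmatch(r"\d{6,}", banking_pin):
        problems.append("banking PIN must be at least 6 digits")
        return problems
    if is_trivial_pin(banking_pin):
        problems.append("trivial PIN (repeated, sequential or common)")
    if banking_pin == screen_lock_pin:
        problems.append("banking PIN must differ from the screen-lock PIN")
    elif screen_lock_pin and screen_lock_pin in banking_pin:
        # Assumption of this example, stricter than the guide: a banking PIN that
        # embeds the screen-lock PIN is rejected too, since one is learned from the other.
        problems.append("banking PIN must not contain the screen-lock PIN")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs.
    for pin in ("1234", "0000", "7391"):
        print(pin, check_screen_lock_pin(pin))
    for banking in ("7391", "739164", "654321", "824613"):
        print(banking, check_banking_pin(banking, "7391"))
```

The digit-run and repeated-pattern checks catch the whole family that 0000 and 1234 belong to rather than just those two strings, which is why the list of common PINs can stay short.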
Then it happens, when you expect it the least. Your phone is gone.
What to do immediately after theft:
If you are able to, try to remotely wipe the phone. However, this requires access to the platform that the phone runs on (Google, Apple, Murena, etc.), which probably requires remembering your (long and random) password, and also the second authentication factor, which is most likely gone together with your phone.
Contact your bank. Suspend access to any mobile banking applications that you had on your phone. This is the highest risk at the moment. Banking apps could be used to empty your account, even to take up new debt. Consequences can be catastrophic. Suspend any payment cards that you have enrolled for mobile payments. Also suspend all cards that you have saved in various applications (booking, parking, public transport) or shops. When in doubt, suspend all access to your bank and all your cards.
Contact your mobile operator. Suspend the SIM card, disabling access to your phone number. Authentication using SMS messages is still way too common, and it can be easily abused by a phone thief. Some phones show part of an SMS message even if the phone is locked! This may be enough for the thief to gain access.
Contact your employer. You probably won't have the right numbers with you at that moment; they are gone with your phone. Therefore, use any means necessary. Borrow a phone to send e-mail to several of your colleagues, leaving the phone number of your travel companion as a communication channel. Try to reach a public phone number; you can find it in the "contact" section of the company website. Reach out to your friends who might have a contact at the company. Even try to use a contact form on the company website if you do not have any other option.
If you had access to any kind of company systems, data, e-mail or chats, ask your employer to suspend your access. Ask to suspend the access even if you did not have access to the data but had an authenticator app or keys on your phone. Even though that authenticator is supposed to be used as a second factor, it may still pose a risk if someone has already phished your password, or is going to phish your password in the future. Remember, this theft might not be random; you might have been explicitly targeted. Do not cover up, and do not pretend that you had no access to the data, even if that means you have violated company rules. If you do not want to admit it openly, just say that you are not sure and you would rather be safe. Just make sure the access is suspended.
Contact your close ones, especially if they could be vulnerable to scam or fraud. The thief could call your close ones and friends, making up stories that you had an accident and need money. Contacting them first, explaining the situation and leaving the phone number of your travel companions can be an effective way to avoid that.
Overall, it is better to over-react than under-react in this situation. At this moment you are probably confused, angry and stressed. You may not remember all the important apps that you had on the phone. The data and apps on our phones make up a huge part of our digital lives, putting us in significant danger when the phone is stolen. It is better to suspend access unnecessarily than to forget about a rarely-used app that could cost you money and cause a lot of trouble.
A stolen phone means a lot of trouble, even more than you would imagine possible. Many of the necessary mitigations cannot be done immediately after the theft. When your phone is stolen, you are probably left without any means of access, without contacts, not remembering all the systems and passwords. If you follow best practice, you have random passwords unique to each site and app. In that case you do not really have any means to secure your digital presence until you regain access to your password manager. As soon as you get home, there is still a lot of work to completely remedy the situation.
If you have not already done so, now is the time to remotely wipe the phone. However, it may already be too late to avoid all the damage and risk. Do not rest when your phone is wiped. A phone wipe is a good thing to do, but it is not sufficient by itself. There are still a lot of things to do to make your digital life secure again.
Change your platform password (Google, Apple, Murena). The thief should not be able to get your password from the phone operating system directly. However, you cannot be sure that the password was not remembered somewhere, that you have not mistyped it in some form field which was remembered, and so on. The platform password protects access to a large part of your digital life. One cannot be too careful here. It is better to be sure and change the password.
After changing the platform password, explicitly check the list of devices that are registered for your account. If you see the stolen device there, explicitly delete/wipe/revoke the entry.
Secure access to your applications. Try to remember what applications you had installed on your phone, and change the passwords in all of them. In addition to changing the passwords, explicitly look for the list of devices that are registered for the application. Some applications allow access for registered devices even when the primary password is changed. If you see the stolen device in the list of registered devices, remove it explicitly.
Re-gain access to your phone number (re-issue a SIM card) from your mobile operator, and (obviously) get a new phone.
Log in to chat applications (Signal, WhatsApp, etc.), which usually requires access to your phone number. Logging in to these applications should log out the thief, disabling their access. Look at the chat history if you can. If the thief managed to unlock your phone, they may attempt to scam your contacts. You may not be able to see messages that the thief sent, but you may get some clue from responses from your contacts after you regain access. If you see anything suspicious, reach out to your contacts and try to find out what happened.
Check your social network apps, posts and history. The thief might have tried to scam your followers and contacts on social networks.
Re-gain access to your banking apps and cards. Check the history of all your bank accounts and look for unrecognized transactions. Cancel all affected payment cards; do not just unblock them. Have the cards re-issued. Cancel and re-issue any virtual cards in your banking apps. Never reuse (unblock) cards that were touched by your phone, or by any apps that you used on the phone. It is unlikely that you could remember where you used your card a year ago, and where the card number could have been remembered. Just recycle them all.
Change all passwords that you have ever entered into the phone. Change passwords in all the shopping apps, public transport apps, chat apps, home automation, newsfeed and all the others, both important and mundane. It is a lot of work, yet it is necessary. There are good apps that do not remember the password after initial authentication, and there are bad apps that remember the password forever. You can never be sure where your current password is stored. Changing all your passwords at this point is a very good idea. Do not just change the password in the apps. Change the password at all the places where you use the same password (e.g. your laptop login). Of course, you should never re-use the same password on several systems. However, let's not pretend; just go ahead and change them all.
Change the password of all sensitive WiFi networks that you had remembered on your phone. Especially consider changing the password of your home WiFi network. Generally speaking, the WiFi password should not be critical for the security of your network, but we all know that it is. You do not want all your smart IoT fridges and coffee makers exposed to attacks, do you?
Contact security personnel in your company. Re-gain access to your company systems. Security staff should discuss the incident with you, assisting you in further steps to recover and secure your access. Try to remember all relevant details. Your experience is a valuable lesson, which can be used to improve company security and processes.
If there was an authenticator app on your phone, re-enroll all the secrets that you had in the authenticator. All the secrets in the authenticator must be considered compromised. These are used as a second authentication factor, and their importance should not be underestimated. Also, re-enroll the secrets that you use as a second factor for your own or personal accounts (especially Google and GitHub).
If the thief could somehow unlock your phone, they would gain access to all the data that was stored locally on the phone: photos, videos, text messages, chat messages, screenshots, contacts, notifications, downloaded files, audio recordings, browsing history, saved passwords. Try to recall whether there was anything sensitive. Were there photos that could contain passwords, QR codes containing secrets, photos of confidential documents, text messages that contained passwords or codes (except for short-lived one-time codes), or anything similar? If there was anything like that, contact the security personnel of your company, or any relevant people who could get in trouble if the information falls into the wrong hands.
If you have home automation apps or "things" connected to your phone, consider whether they are at risk. The good news is that most "things" require physical proximity to be abused (same local network or within reach of the Bluetooth signal). The bad news is that the world of Internet of Things is not very security focused. It may be difficult to make sure that your stolen phone does not have any access to the things. The specific actions that need to be taken depend on the specific thing. E.g. it may be a good idea to "unpair" the stolen phone from your car and change the password in your e-bike app. Unfortunately, some devices may not provide any means of making them secure.
There are things that cannot be helped. There is nothing to do about these. Just consider whether anything on the list below poses any significant risk for you or the people around you, and communicate that accordingly.
The thief might or might not have access to the data stored on the phone (photos, videos, etc.) You might be able to wipe the phone in time, or you might not. There is no way to be sure.
The thief might have access to your applications, including mail, chats and social networks.
Some applications receive push notifications even after the application password is changed. Explicitly unregistering the device in the application may or may not help. There seems to be no universal and reliable way to stop that, and it is not clear for how long it lasts.
Learn the shortcut to take a photo without unlocking the phone. Many phones have this functionality. You are exposing your phone the moment you take a photo, especially at crowded locations. The thief may wait for such an opportunity. Taking the photo with your phone still locked lowers the probability that the thief can get your phone unlocked.
Consider uninstalling some apps before traveling to risky destinations. Especially consider uninstalling mobile banking applications, and applications that give you access to company data, communication channels (mails, chats) or sensitive personal data. You won't need these apps on your exotic vacation. Also, go to the phone settings, and explicitly remove accounts that provide access to sensitive data. Most applications can be easily re-installed after return.
Consider taking a cheap back-up phone with you on your exotic vacation. Enter important contacts into that phone, such as the contacts of your close ones, your bank and your employer. Having it equipped with an active (pre-paid) SIM card may be a good idea as well. This will become very handy when your primary phone is stolen and you end up with nothing, not even remembering a single phone number.