
The implications of phone theft

The age-old issue of smart phone theft continues to haunt us

8/05/2025 Podcast


In this episode of You Gotta Hack That, Felix and his guest Alex explore the serious problem of mobile phone theft, especially in London. They explain how quickly someone can lose more than just their device—they can lose access to bank accounts, personal data, and even their identity. One story they highlight involves a man whose phone was stolen on the Tube. Within hours, thieves drained his accounts and even secured a loan in his name, costing him a total of £27,000. The story is a powerful reminder that a small slip in vigilance can have huge consequences.

Taking Control of Your Security

To protect himself, Alex took major steps: he removed all banking, credit card, and online shopping apps from his phone during the holidays. It made things less convenient, but gave him peace of mind. Felix uses a different method—he carries two phones. One phone handles sensitive apps like banking and email, while the other is for general browsing and entertainment. They also discuss how many people believe fingerprint or facial recognition unlocks are foolproof. However, these systems can be tricked more easily than people realise, especially by attackers using older or less secure tech.

New Tech to the Rescue?

Felix mentions a recent Android update that introduces a theft detection feature. If the phone suddenly accelerates—like when it’s snatched—it will lock automatically. This mirrors Apple’s “Find My” system and adds another barrier for thieves. Felix and Alex argue that phones should offer layered security, such as combining a PIN with biometrics, to make it much harder for unauthorised users to break in. Though this might seem annoying to some users, it’s a strong defence for those who value their digital security.

Your Online Footprint Matters

The conversation then shifts to online identity. Felix recounts a case where someone was nearly denied a job because of an old social media post from their teenage years. The post, still publicly visible, became a liability even though the account was no longer in use. Alex reflects on how past generations had the luxury of forgettable mistakes, whereas today’s youth live in a world where a single post or photo can remain online forever and be rediscovered at the worst possible time.

Staying Safe in a Digital World

To close the episode, Felix and Alex share practical advice. Use long and unique PINs. Act fast if your phone is stolen. Enable additional security features on banking and other sensitive apps. Most importantly, be aware of how your phone connects to the rest of your digital life. Phones today are more than communication tools—they’re keys to your online identity. Losing one could mean losing far more than just a bit of hardware.

Felix (00:10)
Hello, I’m Felix and welcome to You Gotta Hack That. This is the podcast all about the security behind the internet of things and operational technology. In this episode, I’m joined by Alex. What are we going to talk about today?

Alex (00:21)
Well, I wanted my opinion on horrible number of 50,000 telephone thefts on the streets of London, specifically poor individual who lost 27,000 pounds within couple of hours, and I just thought we should just chat through the basics of making sure if you lose your phone, or worse, get it stolen by nefarious characters in the SW1 postcode, you can at least protect your dignity and finances.

Felix (00:53)
If you’re outside SW1, this does not apply to you. No, I joke…

Felix (00:58)
You Gotta Hack That has a new training module. It’s all about the nerdy bits of PCB and electronics reverse engineering. We explore topics such as defeating defensive PCB designs, firmware extraction via chip to chip communications, and micro soldering to perform chip off attacks. The module is a week long deep dive and it starts on the 23rd of June, 2025. As it’s brand new, our beta testers get 1000 pounds off the normal price.

There’s more information on our website at yougottahackthat.com/courses and we recommend booking as soon as possible as spaces are limited. But for now, let’s get started on today’s topic

Felix (01:31)
You know what, Alex, I’ve got to be honest, I haven’t seen this bit of news.

Alex (01:35)
Yeah, just before Christmas there was an article in the Daily Telegraph, and this is, this was a young man, 25, 26 years old, was by the Tube doors scrolling on his phone, and as the door shut a hand reached in, grabbed the phone. He was on the way to a client meeting. So he got out of the Tube, walked, went and did his customer meeting

which I understood takes an hour and a half to two hours. And only then did he find an internet cafe and solve the problem of the phone being stolen. Okay. And then he realized in that amount of time, and it was either a morning or an afternoon, it was about between two and four hours. He had been totally cleaned out with 20,

Felix (02:07)
Wow. Okay.

Alex (02:19)
7,000 pounds worth of his on current account and his savings account, plus the perpetrators had raised a seven thousand pound loan, and the irony was he had gone through the process of raising some money and it had. But the, but, but, but the perpetrators got away with it because they probably lied. They probably lied on the form and they went for the one that was 11 percent

Felix (02:30)
Oof.

Alex (02:44)
APR rather than 4%. Can understand how that happened. So it’s a happy ending. It took him four months to get all his money back. Because he had facial recognition on his app, on his banking app and on his credit card app, and they had broken through it. This led

Felix (02:45)
Mm.

Alex (03:00)
a couple of follow-on articles about what to do, how to keep yourself safe, and then interesting journalist said, well, how many of these are there a year? 50,000 phones are reported stolen and all you get is the crime number so that you can get insurance.

Felix (03:15)
Are we talking about SW1 or are we talking nationally or globally? That’s in London. Okay. Okay. And presumably they’re not all related attacks like the one you just described.

Alex (03:17)
No, London. Yeah, probably Greater London.

all over,

mostly the motorcycle and cyclists.

Felix (03:30)
Right, see, OK. So snatch and grab kind of,

Alex (03:32)
Yes, snatch and grab, 100%.

So I’m the old boy on the conversation here. So during Christmas, I took my banking app off, I took my credit card app off and I even took the Amazon app off, because if they can get through my little password and they can get through facial recognition, then they can clean me out.

So the only thing they can do now is to get parking.

Felix (03:55)
Good luck to them on that front anyway.

Alex (03:55)
It is, this is inconvenient. That’s the problem. We all live our lives. I mean, my wife will ring up and say, I’ve just seen this. And I’ll go click, click, click, day it arrives. Now I have to go on, sign in, go onto the website. However, I sleep better at night.

Felix (04:11)
You know, it’s really interesting, for years I’ve split my devices into two. So I’ve had a, a phone for kind of random apps that are, you know, fun or non-work related or non-critical to my life. And then I’ve tethered that device to my other phone, which has a, actual SIM card in it so on, which is for just messages.

Alex (04:24)
Yep.

Felix (04:32)
Bit of emails, the more critical things, but I’ve got to be honest, I keep my banking one on that phone, kind of on the critical one. I suppose that means that I would maybe be scrolling on the phone that got stolen and it would be the kind of doesn’t really matter phone. But it’s not that simple either, is it? It’s also double the price, right? And there’s not many people who can afford that.

Alex (04:46)
But

No, so so.

I go to the pub like everybody else and everyone thinks I’m the IT guru, which clearly you know I am not. And everyone goes, how can they break through the pin? How can they break through the facial recognition? And I don’t know, but clearly they are.

Felix (04:57)
Don’t tell them.

Yeah. This is just because it’s Android doesn’t mean it’s doing it in the same way. For example, of Samsung like to do their own version of these apps or they’re like an earlier

Sometimes it’s not necessarily as straightforward seems on first glance. There are other forms of attack, which are kind of, for whatever better way putting it, like side channel attacks. I believe with some of the providers, could log into

And because you can do that on a desktop, you don’t necessarily do the facial recognition. It was sort of like a backdoor version of turning the facial recognition off as opposed to defeating it in the first place. Just to think about the older stuff, you know, it was the case for a while that you could take a very short video of somebody

and then use that and play that to a phone and it would go, that’s clearly somebody and they’re alive because they’re moving a little bit and that kind of stuff. I don’t know how successful that is in 2025. I haven’t looked. But you know, there are lots of variations on this that can work. And obviously, we’ve got Mission Impossible style, lifting of fingerprints and turning them into…

rubberized things you stick over your thumb and then you’ve suddenly got somebody else’s fingerprints and that kind of stuff. And you know, in theory that sort of thing does work.

Alex (06:12)
But if it’s open already, you’ve got into the phone, can you then go into the settings and start switching stuff off?

Felix (06:17)
This is going to be device dependent. With, I believe, pure Android, you can’t without then re-authenticating. But I don’t know for all of the different variations or for interesting question. It should be by default in my opinion, that way around.

But then I’m a security-minded person, so I’ve turned all of my stuff on to like most difficult and most annoying. The reality is it’s not necessarily on by default. Secure by design is in play in some areas, but not others, and it tends to be the low user friction stuff. On this related note, and as it happens, I got an update from…

Google relatively recently on my Android phone. And it was about theft prevention. And it was a whole series of functionality in which if it thought it had been snatched from you, it would just lock and require you to reauthenticate with like the pin instead of, you know, like if you’ve got some form of biometric turned on, it would require the pin as well as the

And so that stuff seems to be a fairly hot topic at the moment. I have turned all that stuff on and, interestingly enough, I didn’t necessarily do it because I wanted to protect myself, I wanted to be nerdy and see how it worked. What I have found is that every now and then it gives me a little alert saying that it thinks it’s been stolen so therefore locked it.

But I’ve only noticed this after I’ve unlocked the phone, and I hadn’t realized it was doing it in the first place. So it’s kind of low user friction, so quite useful in that regard, assuming it works in the right circumstances. I mean, maybe Alex, you and I should experiment, and you can run past me whilst I’m holding my phone and see whether or not it triggers.

Alex (07:44)
Well, if I’m running, I’m suing someone. My days of running are well

Felix (07:48)
Come on, sure we can get you, I don’t know, on a scooter or

Alex (07:52)
So I did the same thing. So I ticked all the boxes. And this is to do with the speed. So suddenly, if it’s like here, one minute, and then it accelerates quickly, it’ll just lock, which means if you drop it, it’ll lock, and things like that,

Felix (07:58)
Hmm.

This is a clearly not an situation to deal with. Because I mean, we started off with phone theft, but it is so intrinsically a part of your identity because of the likes of multifactorial authentication and, you know, your banking apps checking that you are in the location you claim to be before you pay for, it’s hard to…

to see them as anything other than like an identity token almost. The wider problem of identity theft hasn’t gone away. It’s just, I think, I mean, in many ways, some people seem to have become quite blasé about it, well, obviously my data’s online, everyone’s been breached at some point kind of thing. And whilst that might well be true, it’s not the same as having your identity stolen in terms actively used bad way, a naughty way.

And then emails are that secondary thing, the number of services that require you to verify your email address to be able to have an account on something or use it as a multifactorial authentication route. Just for the record, if anybody is thinking about putting MFA via email, it is not a good idea, please don’t do this.

These communication mechanisms have replaced snail mail for good reasons, but they are basically the way that the world proves that they are talking to the right people. When you’re starting to working for the guys who are trying to create phishing emails and

nearly human chatbot looking things. You know, that kind of gets a bit scary, and the potential for voice manipulation and so. How do establish trust in this world that then protects your identity that you are who you claim to be?

Alex (09:31)
If you don’t have a lot of data and there’s not a lot of consequence, it’s a bit inconvenient.

If someone steals it, well, I’m talking some, let’s not, non working. Okay, so they’re just chit chat, chit chat someone, but there, there aren’t a lot of consequences. The, the further up the food chain you, if my work email was compromised and customers were approached and sent purchase orders, you see what I mean? The consequences are much, much bigger.

Felix (09:37)
Cool.

I’m not sure I necessarily agree with you about there being no data particularly of consequence for the teenagers of the world.

Alex (10:04)
They don’t think there’s a consequence. Me as the old boy, I’m saying value your data, I beg you. And they’re going, nah. Yeah, they don’t see the value in the data yet.

Felix (10:06)
Yeah.

Meh, bothered.

Alex (10:16)
Of the horrible, horrible crimes, you know, revenge porn stuff. I mean, I’m of a certain age now that when I went out with the rugby boys and got drunk and threw up, no one took a photograph of it and posted it on Facebook. Whereas that’s happening to young people all the time. And so someone who is trying to go up a career could have a photograph produced on Facebook of them being sick.

Felix (10:37)
You’re right in that a lot of the way we operate now makes us highly susceptible to some of these big issues. Now, those kind of incidents when you’re a teenager, they haunt you forever. If you are somebody who relies on having a good reputation online, it’s over. You know, it’s gone.

I’ve actually had somebody I know get in contact with me as a result of a very similar situation. They were already, they moving from one area to another, the new place had done a bit more digging than the first one had

and found something that was on a very old Facebook account that he didn’t operate anymore. And it was during his later teenage years. It was, I won’t go into the details because I don’t think it’s important, but it was a little bit controversial. Not wildly so, but it was a bit. And he, he contacted me and said, look, I don’t really know what to do. I’m being told that this is a problem and I can see why. However, I can’t

Alex (11:18)
and

Felix (11:31)
get rid of it. I can’t access the account anymore because I’ve not got it anymore, but it is very clearly me. It’s got pictures of me on it. It’s got my name on it. And it is public enough for this to be found. I don’t know how to get ahold of anybody who can help me with this one. Have you got any ideas?

There is a school of thought, is, well, you said it, it’s part of history. You know, the internet doesn’t forget, there’s the way back when machine and all that kind of stuff. So, but he genuinely,

was at risk of losing his job and not being able to move house and all sorts of stuff as a result of this. But it was something that happened over a decade before. Is that a good thing? I don’t know, to be honest with you,

But it’s all intrinsically part of your

Alex (12:06)
I agree. But if we go to the 50 year olds around there now, my bad behavior would have been witnessed by three or four people, two of which will have forgotten totally about that night. So there’s only two and they’ve gone off and had babies and families and you don’t see them again. And they have no input in

Felix (12:17)
Hahaha

Alex (12:25)
There’s no real recourse, there’s no photographic evidence, whereas some poor chap, it goes up on Facebook and then ten years later he’s a senior guy and a local reporter is there to embarrass him. Is an argument, well, you’re young, you’re having a laugh, he wasn’t, he wasn’t a police inspector when he was 17 years old, so there was no big deal.

Felix (12:31)
Yeah.

Yeah.

Yeah.

Alex (12:46)
Go away, you’re just trying to embarrass him, and perhaps society leans towards the older fellow. But it is a difficult one. And it’s just something you’ve got to, if you’ve got young teenagers, you’ve just got to worry about, haven’t you?

Felix (12:51)
you

It’s interesting, some ways the world has become quite risk averse on these sorts of. That scenario there, well, actually you said this thing many, many years ago and it’s a risk that it might look bad. So therefore we’re not going to say yes, as opposed to, like you say, being able to turn around and go, we’re going to just support this because it was a long time ago

Alex (13:09)
Yep.

Felix (13:17)
and you have demonstrated that you’re a more mature individual now. So therefore we don’t

Alex (13:21)
Yeah, you’ve

Felix (13:22)
The implication of stolen identity and this sort of activity though is quite profound. Everyone wants to think about the, you’ve stolen all my stuff. And your example before of the guy who was 27 grand worse off, it clearly shows that, but there’s, there’s also other problems, isn’t there? It’s not, it’s not the stolen phone that is the problem. It’s what you can do with the phone that’s the problem.

Alex (13:43)
Yeah.

Felix (13:44)
So embarrassing people on the internet, stealing all their photos, which may or may not include stuff that you’d prefer not to be shared. I mean, a lot of my photos are like random objects I need to remember to pick up later or whatever. But the reality is some people take pictures that are more sensitive than that to them. And so I guess…

We need to start thinking about the risk of stolen phones and stolen identities being much more than just those first order financial impacts.

Alex (14:11)
That’s it. Just don’t lose your phone. Whatever you

Felix (14:13)
Well, it’s one of the things I’ve thought about phones for quite a while actually, is that there isn’t any layering. We talk about multifactor authentication for most systems, but you don’t have multifactor auth on your phone. You’ve got a biometric or you’ve got a pin or you’ve got facial recognition. You don’t layer them. You don’t have all of the above. If I could choose to have a short pin number, because it’s easier, my thumbprint, and it was also doing facial recognition at the same time, and

that those three gates were required, I’d be okay with. And I know that’s not everybody’s cup of tea, but it would be good even if it was just two of those, facial recognition and a pin number and your thumbprint or something.

Alex (14:42)
Me too.

Felix (14:51)
The theft detection stuff. I think that’s a really good new feature. There are some interesting questions there about whether or not it’s a privacy violation, interestingly, because one of the features in the Google release is that you can do offline phone remote locking. And I find that as a really interesting concept, but

It’s if that phone goes online, then suddenly it will become locked and erased and that kind of stuff. But also they appear to be doing something very similar to the Apple Air Things Network. You know, the kind of air tags and the find my stuff one. That concept, that technology appears to be being adopted by Google. At a guess. I haven’t really looked into that in loads of depth, but one of the features appears to be

If it detects another phone and there is the ability to relay a signal, even if it’s just very short, then it can take advantage of that. And therefore it’s like an offline one, but there are privacy implications there. Do you want Google to be able to know where you are at any time and is that network secure and all that kind of stuff? Loads of really nerdy, deep questions.

Then there is the use of pin numbers. I think it’s pretty much well established now that a pin number is the way forward if you actually want your device to be secure because any biometrics can be fooled. Not that they don’t have their place, they’re not designed to be a hundred percent. Otherwise they wouldn’t work. There is a margin of error every single time you use a biometric. There has to be by design. The one challenge with

pin numbers is that there was a series of stories a while back now where people were watching you unlock your phone and then nicking it. So if they know what your pin number is, because they’ve just watched it, then that’s not ideal. I guess the answer here is to have a long pin number so that someone less likely to be able to remember it. It just becomes an annoyance and a bit of a tax on the honest. And then I think the really big take home is also if someone nicks your device,

don’t wait several hours to lock it. Because that example you gave earlier, they would have got less. I also know that some of the new contender banks have a layered approach so you can

Alex (16:36)
Yep.

Felix (16:44)
also set it so that if you want to extract more than a set amount of money, you have to have an additional bit of proof. You have to scan a QR code or be in a location that you’ve authorized or get somebody else to approve it. So it’s some really interesting concepts coming out there as far as trying to give you some protection under those circumstances.

Is there anything else you want to add to that before we sign off for the day?

Alex (17:05)
No. Thank you very much.
