Birthday robbery highlights tech wins and fails
Last night was my wife’s birthday, it also marked the first time she was held up at gunpoint and pistol whipped. This is a story of some of the tech wins and fails that followed and some security woes I’d not considered I’d be seeing in today’s connected world.
The birthday night was a lady’s night out (someone had to tend to the kiddos and the band wasn’t my scene,) with three of her friends which would have ended fine except when the DD was dropping off a friend two men pulled guns and demanded money, purses, phones.
At one point one of the gunmen decided to hit my wife upside the head with the gun, most likely because she probably looked like a threat being taller, louder, and not particularly acting terrified. Birthday drinks can do that to someone who thinks she’s being pranked (which she thought she was at first as this was at a friend’s house).
She’s alright, but what happened next was what I learned is a standard robbery in 2016 – they stole the cell phones so they couldn’t call the police, keys so they couldn’t get in the house in the random event they had a landline, and booked it.
I was up when my wife burst through the door telling me she needed to use my phone. I didn’t notice the blood running down the side of her face as, well, colorblind and was not wearing any of my color correction glasses.
She called 911, I was in the back of my mind terrified that a kiddy Bluetooth product I was reviewing that I was connected to was going to pick up and I was going to have to tell her to go speak into the rubber ducky, but fortunately this didn’t happen.
The police showed up, I popped open Kim’s laptop and we used Android Device Manager to locate her phone which had been ditched about five blocks away. The DD’s iPhone was located using the Find My iPhone in the same general area.
The other passenger had an HTC One M8 so she attempted to log into Android Device Manager from a new computer (mine,) and promptly was greeted with the two-factor authentication requirement she’d set up for security purposes.
Not having Google Authenticator handy (it was on her phone,) or a cheat sheet with 8 codes for the two-factor authentication (in her stolen purse,) nor being able to receive a phone call from Google (her phone was stolen,) this left her as the one person who was completely SOL in getting her phone back while the cops were at my house.
I mentioned that perhaps since she was low on battery she should head back home and look it up on a trusted computer at that moment before the unit finally died (other friends were there at this point and taking her home).
Around 3am last night/this morning someone out for a creeper stroll ran across the DD’s purse/wallet/credit cards/ID and turned it in. By 9am the other friend had her phone, purse, keys, etc back. My wife? Phone recovered 12:30 or so last night. Nothing stolen because her purse was in the trunk for some reason. Just a tear in her scalp where some scared little man hit her with a gun, which at least it was hitting and not shooting. Kids still have their mom.
What I learned
- Smartish thieves will take your cell phone so you can’t call police
- Will take your keys so you can’t get in your house / drive car
- Two factor authentication is great for keeping people out of your account, but you need to store an emergency key somewhere public or accessible where you can get it if you have an internet connection
Potential workarounds
- That old cell phone will always be able to call 911 if it has a charge – keep one in the car
- Stash a key, or use a keypad entry (or have a car with keyless ignition)
- Pick a place on the internet where you can stash a two-factor authentication code and some way to obfuscate it. You’re welcome to here, although I might caution against it.
I’m going to expand on the last one and offer a suggestion. Two factor codes (for Facebook and Google at least,) are generally eight digits long. Google’s look like 761 11 486, Facebook’s look like 3781 7622. But either way they’re both just eight digits.
Pick a place to stash your scrambled code where they won’t mind (such as a long running tech website talking about it). I currently have some obfuscated codes on Dropbox and a couple in an email account’s drafts folder (also scrambled,) hidden among several hundred drafts. Also have a letter code spelled out in an article here and a unique set of spacing errors on XDA but that’s another story.
Pick a method of obfuscation that’s easy for you to remember such as adding, subtracting, multiplying a number (examples include your SSN, your childhood telephone number, your current zip, your birthday, etc.)
Example completely fake source data birthday 6/14/1976, birth house address 6621 Nville Pike, 37210, Birth phone number 5555659289, fake Google two factor code 761 11 486.
Adding birthday: 06141976 to Google code results in 82253462. Subtracting first phone numbers = -5479547803, you get the idea.
Basically come up with some way to store that one time two factor emergency access key publicly even if that means just throwing it into your signature or interjecting it for no reason in somewhere you can remember.
That way if it’s 1am and you’re trying to help the police get your phone off of a friend’s laptop, or if someone has burglarized your house and taken your laptop, phone, etc, there’s a way for you to get back on with life, locate phone, lock out anyone from using your Google connected computer.
Misc
The plates of the suspected getaway car (90% certainty unless someone else got into a car and fled unrelated,) were memorized, written down, conveyed to the police. The car was not reported as stolen. The plate matches the description of the vehicle. The vehicle was not at the registered address when the police checked at 1,1:15, 1:30, etc.
Two people are facing 15 years in jail for assault with a deadly weapon. Everything but the cash was retrieved. Total stolen was about $70.
