
Disaster Recovery Plan - Personal/Family

Hey everyone,

With all the stuff in the news recently about the increases in mobile phone theft, and other factors, I've decided it's high time to evaluate my security posture. I've done this stuff from a corporate perspective, probably about 15 years ago, so I think my thought process isn't too far off, but I've probably got some gaps technically and otherwise.

So, just wanted to know what others do here, and what people think of the outline below:

* Identification - create a classified list of things - e.g. physical devices (laptops, phones etc), services (e.g. banking, email, investing, communication)

* Risk and Impact assessment - in essence what 'things' are most/least important, what would happen if access to these things was lost (either temp or permanent!), what's the likelihood of the risk materialising

* Scenario planning - what happens if I don't have access to X, how do I achieve Y - that sort of thing

* Steps which can be taken - essentially how can I reduce the risks identified, and if these risks turn into reality, how can I deal with them?

It's still very much in the identification/planning phases, but thus far it's made me realise:

1. Two-factor authentication is very much a double-edged sword! - I've obtained backup codes from Gmail, an investing platform, and perhaps most crucially, BitWarden

2. I need somewhere to store the above backup codes, and other stuff like IMEI numbers - I was thinking somewhere physically printed at home, and perhaps in another BitWarden vault which only has single factor authentication. Still being mulled over.

3. The new settings in Android are probably helpful - so the Anti Theft type stuff has been turned on

4. The new 'Private Space' side of things, which came on for Pixel just a couple of days ago, probably also has some very useful features

5. I don't know anyone's phone number anymore except my own and my parents! Or indeed any numbers for say my mobile provider, main investing and banking platforms etc

6. Stuff like finding an android/remote wiping etc would be useful to 'dry run' (except the wiping part!) - and understand how you'd do it on an iPhone (if say the only people you were with had such devices)

So yeah, whilst I realise this is a highly personalised thing, I'm sure there's common themes everyone should really follow.

Have you given this much thought, any nuggets you came across - especially when it comes to stuff like multi-factor, backup code storage etc?

Cheers for reading - hopefully we can dig up some stuff that helps everyone who reads this :)


Comments

  • km1500
    edited 17 October 2024 at 2:54PM
    I have done something on this over the past months and these are some of the conclusions I have come to 

    1. I have turned OFF 2FA on my email and made sure I have a very, very strong password. If you lose access to the 2FA method, e.g. your phone, it is definitely a two-edged sword.

    2. I have put my email, any banking apps and anything that has stored cards, for example the Amazon app, in the secure folder on my Samsung phone. The secure folder only has a PIN for access and only I know the PIN. So if anybody gets access to my unlocked phone they cannot access the secure folder. The only apps outside the secure folder are things like weather, news etc. Obviously only applicable if you have a Samsung phone that has a secure folder (is this the same as Pixel Private Space?).

    3. I have stored anything like backup codes etc in an Excel file on my laptop which is password protected and stored on a logical drive which is BitLocker protected (Windows 11).

    4. I have removed all banking etc apps from my phone that I don't really need on my phone. I used to have all my banks on my phone; now I only have my main one. Evaluate what you need on your phone - just because an app exists doesn't mean to say you should use it.

    5. Obviously check the basic things, for example biometrics on your phone lock screen so you cannot be shoulder-surfed, and a PIN on your SIM card. Also, if available, turn on 'require PIN to power off' so that if someone grabs your phone they can't turn it off and you have a chance of either using find my phone or remote wipe.

    Disasters that could happen

    1. lost or stolen phone - locked

    2. lost or stolen phone - unlocked

    3. loss of access to email account, e.g. Microsoft or Google block access (make sure anything critical in your email is copied elsewhere)




  • tacpot12
    To avoid losing access to 2FA via Google Authenticator, I back up the tokens. I switched to using the 2FAS app instead of Google Authenticator about a year ago, because 2FAS requires you to enter a PIN to access the tokens. This reduces the risk of anyone being able to access the tokens if they snatch the phone from your hand. It also allows the tokens to be backed up and password protected.

    I back up the tokens to Dropbox, and only have Dropbox connected on my phone when I am backing up tokens (which I only have to do when I add a new one, which might happen every couple of months or so). At all other times, I am logged out of Dropbox.

    I have a Password Manager that allows me to use both Google Authenticator and a FIDO (physical) key for 2FA. The FIDO key is stored in my fire safe. I use 2FAS day-to-day when accessing my Password Manager.

    I also have a spare phone that I never take out of the home. Its screen is clearly cracked, which I hope will make it less desirable to any thieves who might gain access to the house.

    Your planning might also dovetail with planning for what to do in the event of your death, when your executors might need access to details of your accounts with various institutions.
    The comments I post are my personal opinion. While I try to check everything is correct before posting, I can and do make mistakes, so always try to check official information sources before relying on my posts.
  • ChilliBob
    km1500 said:
    I have done something on this over the past months and these are some of the conclusions I have come to 

    1. I have turned OFF 2FA on my email and made sure I have a very, very strong password. If you lose access to the 2FA method, e.g. your phone, it is definitely a two-edged sword.

    2. I have put my email, any banking apps and anything that has stored cards, for example the Amazon app, in the secure folder on my Samsung phone. The secure folder only has a PIN for access and only I know the PIN. So if anybody gets access to my unlocked phone they cannot access the secure folder. The only apps outside the secure folder are things like weather, news etc. Obviously only applicable if you have a Samsung phone that has a secure folder (is this the same as Pixel Private Space?).

    3. I have stored anything like backup codes etc in an Excel file on my laptop which is password protected and stored on a logical drive which is BitLocker protected (Windows 11).

    4. I have removed all banking etc apps from my phone that I don't really need on my phone. I used to have all my banks on my phone; now I only have my main one. Evaluate what you need on your phone - just because an app exists doesn't mean to say you should use it.

    5. Obviously check the basic things, for example biometrics on your phone lock screen so you cannot be shoulder-surfed, and a PIN on your SIM card. Also, if available, turn on 'require PIN to power off' so that if someone grabs your phone they can't turn it off and you have a chance of either using find my phone or remote wipe.

    Disasters that could happen

    1. lost or stolen phone - locked

    2. lost or stolen phone - unlocked

    3. loss of access to email account, e.g. Microsoft or Google block access (make sure anything critical in your email is copied elsewhere)




    Thanks, I will look at require pin to turn off, I didn't know that was an option - interesting.

    The private space thing is super new, so I'm not too sure yet how it works, I know Google said you may be best to create a separate Google account to use within it, and that you need to download apps from scratch as opposed to migrating already in use apps across to the folder. I actually use something called Norton App Lock at the moment, but only really to test. It's a bit clunky but works. 

    I know what you mean about banking - when I got my new phone I was fairly selective - I actually still use my old phone for lots of banking stuff - this never leaves the house either. 
  • ChilliBob
    tacpot12 said:
    To avoid losing access to 2FA via Google Authenticator, I back up the tokens. I switched to using the 2FAS app instead of Google Authenticator about a year ago, because 2FAS requires you to enter a PIN to access the tokens. This reduces the risk of anyone being able to access the tokens if they snatch the phone from your hand. It also allows the tokens to be backed up and password protected.

    I back up the tokens to Dropbox, and only have Dropbox connected on my phone when I am backing up tokens (which I only have to do when I add a new one, which might happen every couple of months or so). At all other times, I am logged out of Dropbox.

    I have a Password Manager that allows me to use both Google Authenticator and a FIDO (physical) key for 2FA. The FIDO key is stored in my fire safe. I use 2FAS day-to-day when accessing my Password Manager.

    I also have a spare phone that I never take out of the home. Its screen is clearly cracked, which I hope will make it less desirable to any thieves who might gain access to the house.

    Your planning might also dovetail with planning for what to do in the event of your death, when your executors might need access to details of your accounts with various institutions.
    Thanks, some very interesting points. It reminds me I did look into a Yubikey and haven't ruled something like this out, although if it goes missing it seems it's somewhat troublesome! 

    Your tokens thing confuses me, if I take say logging into LastPass on my PC, this will often ask for a code from Google Authenticator...

    It sounds like you're using a replacement for GA, which I get, which also has a pin to access (biometrics too?). What I don't get is the backup of tokens? - Do you mean say the backup codes you can generate in Gmail, like 10 of them? I sense not! 

    Yes, the 'estate' planning has popped into my mind from time to time - especially as we are still dealing with a right mess from when my aunt and uncle passed (fairly close together, about 5 years ago). No wills, properties in their parents' names still, US shares which have become escheated, a right mess!

  • tacpot12
    The chance of a physical key going missing at exactly the same time as you also lose access to your authenticator app is extremely low, plus if it is locked away, it's even less likely to go missing. My Password Vault allows me to use Google Authenticator and FIDO keys at the same time (it regards GA as the backup, but in practice I use it as my primary and use the FIDO key as a backup). I use this key as it is much cheaper than the equivalent Yubikey: https://www.amazon.co.uk/HYPERFIDO-MINI-FIDO2-HOTP-Security/dp/B0813YWZB2

    The codes that Google Authenticator generates are called tokens, but underlying them is the information needed to generate them. It is this information that gets backed up when using the backup feature of 2FAS. There is an equivalent Restore feature that allows you to recover all the information so you can immediately generate tokens on a new phone if your old one was stolen. The alternative is to visit each website in turn, and re-enrol for 2FA on each service. Time-consuming, and potentially very difficult to do if you don't have backup codes that allow you to authenticate with the web service. So, you're right, when I was talking about backing up the tokens, I wasn't talking about generating 'backup codes'. They are something else. (If a website provides me with backup codes, I store these in my password manager.)

    Google Authenticator isn't very secure, so I sought out 2FAS as a more secure alternative. I'm happy with it, both in terms of security and functionality. I've not had a problem with it. It works exactly like GA.

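    To make the distinction tacpot12 draws concrete, here is an added worked example (editor's code, not anything from the thread, from 2FAS or from Google Authenticator). It shows what an authenticator actually holds: a shared secret seed, from which the six-digit code is computed with HMAC-SHA1 over the current 30-second time step (RFC 6238). "Backing up the tokens" means exporting that seed, in the otpauth:// URI format that enrolment QR codes carry, and "restore" means importing it on a new device, which then produces the same codes. A website's static "backup codes" are a separate thing: one-time strings the service stores hashed and burns on use. The issuer, account name and backup codes below are constructed; the seed is the published RFC 4226/6238 test-vector secret, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, unix_time // step, digits)


def export_seed(issuer: str, account: str, secret: bytes) -> str:
    """Serialise one enrolment as the otpauth:// URI that authenticator apps exchange via QR code.

    This string *is* the backup: anyone holding it can produce valid codes indefinitely,
    so it belongs in an encrypted store or a safe, never in a plain-text file.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def import_seed(uri: str) -> bytes:
    """Recover the raw seed from an otpauth:// URI (the 'restore' half of a backup)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # put back the padding stripped on export
    return base64.b32decode(b32)


def verify_static_backup_code(stored_hashes: set, presented: str) -> bool:
    """Static 'backup codes' are unrelated to the seed: the service keeps a hash of each
    one and discards it on first use, so each code buys exactly one login."""
    digest = hashlib.sha256(presented.strip().replace("-", "").encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


def demo() -> dict:
    """Walk through: back up seed -> phone lost -> restore on new device -> same code."""
    # Constructed seed: the RFC 4226/6238 test-vector secret, not any real account's.
    seed = b"12345678901234567890"
    backup = export_seed("ExampleBank", "alice@example.com", seed)  # taken while the old phone works
    restored = import_seed(backup)                                   # scanned/typed into the new phone
    t = 59                                                           # fixed clock so the result is reproducible
    # Constructed static backup codes, stored hashed as a service would keep them.
    codes = {hashlib.sha256(c.encode()).hexdigest() for c in ("11112222", "33334444")}
    first_use = verify_static_backup_code(codes, "1111-2222")
    second_use = verify_static_backup_code(codes, "1111-2222")
    return {
        "old_phone": totp(seed, t),
        "new_phone": totp(restored, t),
        "seed_survived_round_trip": restored == seed,
        "static_code_first_use": first_use,
        "static_code_reuse": second_use,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Everything here is Python standard library. The point for the thread: the six digits on screen are disposable, the seed behind them is the thing worth backing up and protecting, and a set of printed backup codes does not substitute for it (nor the other way round).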
  • ChilliBob
    That sounds very useful, I will look into it. I had assumed if you moved to a new phone that GA settings would be moved over, as mine were. I guess that must be because of a setup from the existing phone as opposed to setting up without an existing device. 

    When I looked into Yubikey, I think one of their selling points was the length of the key - much longer than 6 characters, as a human didn't need to read it. Hence why I thought it would be the primary, and indeed only, source of MFA where it worked. I didn't look into it much but I assumed all GA instances could use something like Yubikey. That was my concern, much easier for me to lose a small key than lose access to Bitwarden for example, or a phone with GA on it (my children like to hide things!)

    So I'm guessing these tokens the authenticators generate are some combination of your email address and the GUID you use when setting up a fresh login perhaps. Interesting.

    Well you've certainly given me food for thought for sure. Out of interest, what's your Password Manager? I did use LastPass (well, I still do to a lesser degree, but that's a digression), now BitWarden, and eons ago KeePass.


  • Vitor
    edited 17 October 2024 at 11:21PM
    How to prepare your Google account for when you pass away | Android Central

    I rely heavily on biometrics (Android/Windows Hello) to secure access but have 'last resort' printouts of master passwords locked in a (reasonably) fire-proof safe along with passports etc.
  • ChilliBob
    Vitor said:
    How to prepare your Google account for when you pass away | Android Central

    I rely heavily on biometrics (Android/Windows Hello) to secure access but have 'last resort' printouts of master passwords locked in a (reasonably) fire-proof safe along with passports etc.
    Cheers, I'll look into that.

    Further to the original post, I've given Private Space a small go, from what I can see:

    1. It behaves almost like a new phone within a phone as far as apps etc are concerned. I set it up with a new Gmail account (as recommended), and tried installing an investments app as a test. Seems to work well. 
    2. Apps need to be installed from scratch again - so in some cases, say Chase, you'd either have to have it on the 'main phone' or in Private Space. I think from a convenience perspective - like authenticating payments - I'd probably keep it in the main part of the phone.
    3. Norton App Lock - which I currently use - it seems has been discontinued - no updates as of June, and being retired! Any suggestions for replacements most welcome - it's a fairly basic thing but seems to add a layer of security which you can put in front of something already installed and configured.

    So yeah, seems worth a go if you want your Android phone more secure.

    Still more to do in the plan, but baby steps!

    Also looked into laptop safes earlier - which seems like another good idea.
  • Vitor
    edited 20 October 2024 at 8:56PM
    Private Space is akin to what Android Enterprise has had for 5+ years with Work Profiles. Work Profiles create a separate, managed environment for business apps and data, controlled by the employer, which is isolated from personal use. I don't believe Private Space is quite as sophisticated, although it's been a few years since I managed ,000s of business mobis.
  • ChilliBob
    Vitor said:
    Private Space is akin to what Android Enterprise has had for 5+ years with Work Profiles. Work Profiles create a separate, managed environment for business apps and data, controlled by the employer, which is isolated from personal use. I don't believe Private Space is quite as sophisticated, although it's been a few years since I managed ,000s of business mobis.
    Interesting. I used to touch on that world many moons ago, seemed amazing to have remote wipe on Blackberries on Rackspace!

    Who uses Blackberries now eh? Lol

    As an aside, it seems like a good idea, I'll run it for a while with either non important apps, or double them up for a bit - with the obvious caveats something like that brings! 