One for all to consider, and hopefully my infosec contacts to improve?
I’ve just been reading various accounts of people having their mobile phones and/or wearables stolen and then used to empty their bank accounts. These highlight the weakness that a mobile phone often has access to multiple forms of ‘authentication’ combined with weaknesses in password reset processes.
This got me thinking: What steps can we take to protect ourselves, assuming that we’ve already followed good practice keeping our phones locked, have MFA on our various accounts and don’t keep our PIN number on a post-it in our phone case?
- Disable SMS messages/emails from showing on the mobile phone lock screen – otherwise a thief can still see SMS and email authentication codes, even on a locked phone.
- Enable PIN lock and lock screen controls on your smartwatch for the same reason.
- Enable a SIM card PIN – otherwise, a thief can just swap your SIM from your stolen phone into a different phone and receive your SMS authentication codes.
- Ensure your mobile operator account is secure – it often provides the “PUK code” to reset the SIM PIN (or even the ability to change your address and order a new SIM), and hence a route to bypass SMS-based MFA. (You may not historically have been that worried about someone hacking your O2 account to see your mobile phone bills, and unfortunately some mobile operators don’t support MFA and have weak password reset processes.)
- Limit your use of tools that show your SMS messages on your laptop and other devices (e.g. Microsoft Phone Link, “Text Message Forwarding”, https://messages.google.com/, etc.). Whilst it’s convenient to see your SMSs on your laptop, if your laptop is stolen or compromised with malware, it removes the effectiveness of SMS second factor authentication.
- Similarly, other stolen devices such as smart speakers that can read your messages or even be used to answer calls (which rarely have PIN locks) might be another attack vector… “Alexa, read my messages…”
Weaknesses I’m still a bit stuck upon:
- It’s still possible to answer calls on a locked mobile phone, and several of my banks use phone calls for second factor authentication.
What else have I missed? I don't claim to be an expert on this, but I know there are a few in my contacts that can perhaps help!
Company Founder and Director in Transit, Mobility, Sustainability and Payments
1 year
Great list - especially important if you have logins to important production systems!