Liff Happens

Theft in Lost and Found: Don't ask for Passwords!

Ya... but why?

Like it’s not a big deal and super easy to verify a found phone… Wrong! It’s a terrible security practice that leads to theft in Lost and Found!

Sure, it’s easy, but it’s also super easy to drain bank accounts, access private data, install malicious software, and generally wreck your customers’ lives. Plus, it’s a frequent behavior for phone thieves.

Password on Phone

Still don't believe me?

Reporter suffering from Theft in Lost and Found from giving out a passcode.
Seems like the newspeople got a little too close to this story...

Theft in Lost and Found

Impersonating Lost and Found or a “Good Samaritan” is a common way for thieves to try to pry secure information from the former owner. It is increasingly common as phone theft itself increases, especially at Music Festivals!!!

Security is more important than ever...

A smartphone has become more and more essential in running your everyday life, and that’s not slowing down. It is the key tool to access all of your financial information, personal data, work info, (sometimes) your key to houses and cars, and now the point of contact to verify identity and behavior. Letting third parties, like the Lost and Found, unlock your devices is just asking for ruin.

Additionally, if your organization uses this method as the key behavior to verify items, like asking for passcodes in webforms (dumb), through emails (super dumb), and text messages or calls on the device (so incredibly and unbelievably dumb), you are just asking to harm your customers. Also, you’ll be liable for your employees’ behavior, so I hope you trust them with millions of dollars in potential damages.

So... what's the alternative?

Having an owner unlock the item in person, without sharing that passcode directly with anyone, is a perfectly reasonable approach to verify an item’s ownership. But context here is really important.

The alternative may not be as simple as “tell me the info you have in your head,” but it’s way safer for your organization and your customer. Personally, we’re fans of using serial numbers, such as the IMEI number (we wrote a whole post about the practice here: IMEI and ME), which might require a bit of customer education, but I can guarantee customers will appreciate the attention to detail… and the money staying in their bank accounts.
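As an added illustration (not code from this post or from any product it describes), here is a minimal sketch of IMEI-based claim matching: the owner supplies the IMEI from their box, carrier account or receipt, staff read the IMEI off the found device, and no passcode changes hands. The function names and sample values are assumptions constructed for the example.

```python
import re

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by 15-digit IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def imei_core(raw: str) -> str:
    """Return the 14-digit TAC + serial number, or raise ValueError.

    Accepts a 15-digit IMEI (check digit verified) or a 16-digit IMEISV
    (two-digit software version, no check digit). Spaces, dashes, slashes
    and dots are treated as separators, since owners copy from labels.
    """
    digits = re.sub(r"[\s\-/.]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("IMEI must contain only digits and separators")
    if len(digits) == 15:
        if not luhn_ok(digits):
            raise ValueError("check digit mismatch, likely a typo")
        return digits[:14]
    if len(digits) == 16:
        return digits[:14]
    raise ValueError("expected 15 (IMEI) or 16 (IMEISV) digits")

def verify_claim(claimed: str, on_device: str) -> str:
    """Compare the claimant's IMEI with the one staff read off the device.

    The result never echoes the device's IMEI, so a wrong guess learns
    nothing that would help a second attempt.
    """
    device = imei_core(on_device)   # the staff-side reading must be valid too
    try:
        claim = imei_core(claimed)
    except ValueError as err:
        return f"retry: {err}"      # ask the owner to re-check the number
    return "match" if claim == device else "no-match"

# Constructed sample value: a commonly used documentation IMEI.
FOUND_DEVICE = "490154203237518"

if __name__ == "__main__":
    for claim in ("49-015420-323751-8", "490154203237519", "352099001761481"):
        print(claim, "->", verify_claim(claim, FOUND_DEVICE))
```

The "retry" result separates an honest typo from a wrong device, so staff can ask the owner to re-read the number instead of falling back to asking for a passcode.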
