I was visiting a friend abroad (tiny, poor country with bad internet, for context). One day her phone got stolen. She had her window cracked and the thief reached in and grabbed the phone from her hand in the middle of a call - nasty stuff.

I told her Apple's encryption is quite good and her data was likely safe. She immediately set it to lost mode and successfully got a ping for a few seconds. The only issue was, like most people, her SIM was unlocked. I told her this was the weak link; otherwise the phone itself would be secure. She went straight to the police and I told her to call her phone company to block the SIM.

Unfortunately we were a bit too late. Public service is quite slow and transport isn't great in this country, so by the time we filed the police report and contacted the phone company, the attacker had placed the SIM in another phone and intercepted the text 2FA. Initially the thief tried phishing my friend's contacts to reveal the password, but none of them fell for it.

This struck me as very odd. It was just way too easy. Gmail passwords are probably the most important passwords for most people. Can you really change someone's password with only their SIM? Doesn't Gmail ask for more forms of verification? Pet's name, location history, other logged-in devices, etc.? I'm 100% sure the thief knew none of these. How could the thief place the SIM in a new, unidentified phone and successfully change the password with only access to the SIM? Surely this must have set off all kinds of alarm bells with the fraud algos. I suspect she didn't have other forms of 2FA, but even then a series of basic questions about the account usage and history could have prevented this. I haven't changed my password in a while; maybe I'm missing something.