My client was in a panic.
It was a Friday and I had just wrapped up a case when the phone rang.
“I need to get my laptop back,” he said, conversational formalities left at a minimum. “It has everything. All my company files, all my passwords. Everything.” The man’s voice revealed a cocktail of frustration and anger with a generous twist of helplessness.
He explained the situation in succinct detail. My client had arrived in Boise the previous night on a business trip. After an exhausting day, he managed to drag his luggage up to the fifth floor of his hotel, and all that mattered was getting a few hours of sleep before his morning flight. He inadvertently left one important piece of luggage sitting out in the hallway: his briefcase, containing a company laptop and a notebook with a detailed list of every user account and password he had ever used. It was a security consultant’s nightmare.
Of course, the briefcase had vanished the next morning like smoke in a rainstorm. To make matters worse, the fifth-floor security camera was out of order that night. It seemed almost too convenient and led me first to suspect a member of the hotel staff.
But the briefcase could just as easily have been a target of opportunity. Staff, hotel guests, guests of guests, even a pizza guy could have been a suspect. With the camera out, there wasn’t anything to go on.
Fortunately, the same level of obsessive-compulsiveness that led my client to record his passwords also caused him to write down the serial number of his laptop. Before he called me, he filed a police report, detailing every crack and bump of his missing laptop. If it showed up in a pawn shop, the police would know, but short of that, there wasn’t anything else they could do.
The more I thought about it, the more it made sense that the thief wasn’t a pro. The thief had likely been in the hall, spied the briefcase late at night, and thought he or she could make a quick buck. It wasn’t likely the thief was experienced in fencing stolen goods. To put it simply, the culprit probably wasn’t very smart. Since I knew the laptop’s serial number and model, I turned to the most likely place a less-than-brilliant criminal would try to flip it: Craigslist.
Sure enough, a quick search of the manufacturer turned up an ad posted eight hours earlier. The price was a good $200 under the item’s market value, which told me the seller either had no idea what he or she was selling or wanted to move it quickly. Probably both. A quick phone call later and I had an appointment with the seller in an hour.
The laptop matched the description of my client’s, down to the slightly uneven touchpad and the sticky “3” key. A quick glance at the BIOS – which I explained to the seller was to check the processor speed – revealed the serial number. It was a match, of course. I handed the woman the cash (I had already recorded the serial number of each bill) and went on my way, discreetly recording her license plate number and address. The client had his laptop back. I was sure that once I passed that information along to the police, he’d have his book of passwords back as well – hopefully just in time to feed them into an industrial shredder.
This case is a prime example of why data security is important, especially when traveling. My client’s laptop was password-protected. That was a nice start, but without encryption, it doesn’t mean much to someone with even a modicum of computer skill. It means even less if you keep your laptop bundled with a book of passwords. It’s like taping your house key to your front door with a neon sign that says “OPEN ME.”
Password security is one of the most important concepts in digital security. Any password that needs to be written down might as well never be used at all. Memorization is key and cannot be emphasized enough. Anytime you write down a password, you are risking unauthorized access.
I recommend using a password system that combines, at least, three separate memorable elements, such as a four-digit PIN, an important phrase (possibly spelled backward), and another keyword. For example, if my anniversary is May 25, my dog’s name is Oberon, and my favorite color is green, I may have “05Norebogreen25” as my password. Or maybe I’ll have “GreeNorebo0525.” Come up with a system that works for you.
Had my client’s laptop been encrypted (and not bundled with the password book), he wouldn’t have needed to worry about important company data falling into the wrong hands. Sure, he’d have been out a few hundred dollars, but the larger risk would be mitigated because all data on the hard drive would be unreadable without the password. If his business instituted a companywide encryption policy, the risk would be far less severe.
I managed to recover my client’s laptop – and, more importantly, find the thief – only because he recorded the serial number. It wasn’t recorded because of a company policy, but due to an employee attentive to detail. If a company takes the time to log and categorize its technological devices, the record allows the potential for recovery in the case of theft. A little preventative effort goes a long way.
This article originally appeared on the IdahoStatesman website.
