In an experiment, a security firm deliberately "lost" 50 Android phones in certain cities
More than 40% of finders of the phones tried to access corporate e-mail, online banking
Avoid storing passwords in your mobile apps to protect your accounts from being hijacked
Notify your carrier if you've lost your cell phone so it can shut off the service
Editor’s Note: Amy Gahran writes about mobile tech for CNN.com. She is a San Francisco Bay Area writer and media consultant whose blog, Contentious.com, explores how people communicate in the online age.
Do you use a passcode to protect access to your smartphone? And if so, do you do that consistently? Every day, many smartphones get lost – and found, not always by their owners. What happens with those missing devices?
Security software provider Symantec recently conducted a test to answer that question. It deliberately “lost” 50 Android phones in Los Angeles, San Francisco, Washington, New York and Ottawa. These phones were loaded with identical apps, files and data – and none of them was secured by a passcode or swipe unlock pattern.
Symantec found that in the vast majority of cases – more than 95% – the people who found these missing cell phones tried to access personal or sensitive information, or services such as online banking or e-mail.
Being honest doesn’t mean people won’t snoop either. Even though about half of the finders made some attempt to return the lost phone (a contact e-mail and phone number for the “owner” was listed in the contacts app on each decoy phone), the vast majority of these people also tried to access data on the phone.
“We did get some nice e-mails from people who said they found the phone, sometimes expressing remorse for using it for a while,” said Kevin Haley, Symantec’s director of security response. “And some of them actually tried to arrange to return the phones. We weren’t trying to research people’s motives and guilt – that would be a project for a sociologist. But we did learn a lot about the kind of stuff people try to do with phones they find.”
On 72% of the lost phones, finders looked through stored photos. Attempts were made on 60% of the phones to access social media. More than 40% of finders tried to access corporate e-mail and online banking. Symantec also placed text files containing a list of passwords for services on the phone (57% of finders accessed those) and a fake list of employee salaries (accessed by 53% of finders).
Dubbed “Project Honeystick” (the name is an homage to the “honeypot” lure of attractive data or access often employed by cybersecurity practitioners), Haley emphasized this project was not trying to trap people who breached the privacy of others.
Symantec configured the fake apps to appear to have a stored user name and password, so all the finder would have to do was hit “login.” Two-thirds of phone finders tried to do this. When they got an error indicating that there was a technical problem accessing the service online, “many people then would look at the ‘passwords’ file planted on the phone and then would try again,” Haley said.
Obviously, Symantec has a stake in this problem. The company wants to sell mobile security software (which it offers for businesses and also for consumers under the Norton brand). And software from this and other vendors (such as Lookout Mobile Security and McAfee) can help users track the location of a lost phone and remotely lock it or wipe the data.
Haley noted that Symantec software was not installed on the decoy phones, and it was not used to track snooping and access activities by finders of the lost phones.
But even if you decide not to buy and install mobile security software, there are some basic steps you can take in advance to protect your phone.
First, set a passcode or swipe pattern to lock your smartphone and keep it on there. It’s tempting to disable the passcode if you’re at your home or office, where you might be alone or only around people you trust – but it’s too easy to forget to re-enable the passcode when you’re heading out the door.
Also, you could avoid storing passwords in your mobile apps. But that makes it tempting to use the same password for several services – a significant security risk not just for your phone but online in general. You might try a password management service such as 1Password or KeePass – just be aware that these services can get hacked.
If you don’t take these precautions and end up losing your phone, it’s a good idea to find a computer quickly and log on to your e-mail, online banking and other services that you access from your phone and change your passwords. Whoever has your phone could change your passwords and hijack your accounts.
If you can’t find your phone, you might want to notify your carrier that it’s been lost, to shut down the service until you can get another phone. People who find or acquire your phone may use it to make a lot of international phone calls, running up your bill.
This happened to a friend of mine – when she reported her lost smartphone, AT&T found that over two days it had been used to place dozens of lengthy calls to Yemen. (Fortunately it waived the bill; she didn’t have to pay for those calls.)
Losing your phone isn’t the only risk to the data it contains. Some police departments are warning citizens that smartphone thefts are a growing trend. Often muggers or snatch-and-run phone thieves just try to sell stolen phones for cash – but the people who buy them may try to access your data or services.
The opinions expressed in this post are solely those of Amy Gahran.