Symantec: 96% lost smartphones accessed by finders
While only half of lost or stolen smartphones are likely to be returned to their owners, the mostly private data on a whopping 96 percent of them is likely to be accessed by their finders.
This was one of the key findings of computer security vendor Symantec's "Smartphone Honey Stick Project," an experiment on what happens to stolen or lost smartphones.
"Only half of the people who found one of the phones made any attempt to return it. Maybe you think that having a 50/50 chance of getting a phone back is a glass half-full situation. Sorry, but I have to drain your glass: Even the people who attempted to return the phones made attempts to view the data on them. In fact, 96 percent of our lost smartphones were accessed by their finders," Symantec's Kevin Haley said in a blog post.
He said finders of the lost devices tried to access more than just the identity of the phone's owner. Citing the study, he said:
- Six out of 10 finders attempted to view social media information and email.
- Eight out of 10 finders tried to access corporate information, including files clearly marked as "HR Salaries," "HR Cases," and other types of corporate information.
- One of every two finders tried to run an app that appeared to allow access to a remote computer or network.
"It's just as bad for consumers. Not only does our research show that your private pictures, social media accounts, and email are going to be accessed if your phone is lost and found, nearly half of the finders tried to access the owner's bank account!" he added.
He said the study showed people are "naturally curious and when temptation is put in front of them they tend to bite the apple (some take many bites)."
"The lesson to take away here is that we have to protect our mobile devices. The good news is that it is really not that hard to do," he said.
Haley noted smartphones today have become integrated into people's lives, carrying even more valuables than a wallet does.
Among the "valuables" smartphones are likely to hold are friends' contact information and even the ability to carry out financial transactions.
"Nearly all have the capability to run apps that can access our bank accounts," he said.
Intentionally lost devices
With the help of Scott Wright of Security Perspectives Inc., Symantec intentionally lost 50 smartphones with simulated corporate and personal data on them - along with the capability to remotely monitor what happened to them once they were found.
The 50 smartphones were dropped in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada.
Smartphones in the experiment were left in high traffic public places such as elevators, malls, food courts, and public transit stops.
Haley said two things would have protected all of the data, personal and business, on these phones: password protection and remote data wiping.
"Just giving the phone password-based security would have prevented the casual finder from trolling through the data. The second thing is to have the ability to remotely wipe the data off the phones once it had been lost. In this way, even if the phone fell into the hands of a determined thief, there would be no data for them to find," he said.
He also said it is a good idea to have software on the phone that can help locate it if it is lost.
For corporate devices, Symantec recommended the following steps to ensure that sensitive business information remains protected:
- Organizations should develop and enforce strong security policies for employees using mobile devices for work. This includes requiring password-enabled screen locks.
- Companies should focus on protecting information as opposed to focusing solely on devices—securing information so it is safe no matter where it ends up.
- Educate employees about the risks, both online and physical, associated with mobile devices, such as the impact of a lost or stolen device.
- Take inventory of the mobile devices connecting to your company's networks; you can't protect and manage what you don't know about.
- Have a formal process in place so that everyone knows what to do if a device is lost or stolen. Mobile device management software can help automate such a process.
- Integrate mobile device security and management into the overall enterprise security and management framework and administer it the same way. In essence, treat mobile devices as the true enterprise endpoints they are.
Consumers, on the other hand, are advised to take the following steps to ensure that mobile devices and the personal information on them remain protected:
- Use the screen lock feature and make sure that it is secured with a strong password or "draw to unlock" pattern.
- Use security software specifically designed for smartphones. Such tools can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. In addition, security software can often help locate a lost or stolen device and even remotely lock or wipe it.
- When outdoors, users should make sure that their mobile devices remain nearby and are never left unattended, being mindful of where they put devices at all times. It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case.
— TJD, GMA News