When a smartphone is stolen, it is a disaster. You have just handed the thief the keys to your online life: your email, social media accounts, and any credit cards you have synced with an app. If you have the new smart locks on your home or office, you also gave them literal keys, the ability to open those locks. If you have live camera feeds from a video surveillance system, you gave them an actual view into your personal spaces.
A pair of June 8th posts by the FTC and US-CERT highlight the importance of properly securing your smartphone. The FTC post is the personal story of the author, Cheryl Roth, who recently had her handbag stolen. She lost her driver’s license, credit cards, and her cell phone. She started her recovery plan at IdentityTheft.gov, which we reported on back in May.
For many people, the phone is now the PRIMARY online device, the one they reach for first and most frequently. Securing your smartphone from thieves and attackers requires the same sort of vigilance and tool set that we are familiar with for laptops and PCs.
Here are the steps to smartphone security:
- Physical security – This means protecting the actual location of the phone, and the phone itself. Leaving your phone unattended anywhere is a bad practice, but it happens all the time. As we learned from Cheryl’s story, a purse is not a secure location either. Keep an eye on your phone when in restaurants, bars, or when shopping. Do not leave your purse in a shopping cart. If you have your phone out and are using it in public, be aware that this can make you a target for a pickpocket. Where you stow and carry the phone is important. Back pockets in pants are the easiest to lift.
- Update your phone – Smartphone operating system and app updates are usually more about plugging security holes than they are about providing new features or functions. Let your phone update automatically, or run the updates manually when your phone notifies you about them.
- Lock your phone – Use a six-digit or longer passcode to lock your phone. Set the phone to lock automatically when not in use. This is the first line of defense against a thief or other person in possession of your phone.
- Backup your phone – Use the cloud backup service offered by your phone provider. Android phones can be backed up to Google, and Apple phones to your iCloud account. Make sure you are saving those important photos and videos.
- Use encryption – If you encrypt your phone data, it will be useless to the thief without the encryption key or passcode that activates it.
- Disable remote connections – When not using Bluetooth, turn it off to prevent Bluejacking attempts.
- Use care on Wi-Fi – Wi-Fi connections save minutes on your data plan. But remember that unsecured wireless connections, those that don’t require a password, do not encrypt your traffic between the phone and the access point. Your Wi-Fi sessions, including user IDs and passwords, can be read and recorded for later use by an attacker.
- Phone finder app – Install and configure Find My iPhone (iOS) or Find My Device (Android). These apps can locate your device, take a picture of the thief, and erase your phone if necessary.
- Notify your carrier – If your phone is missing, they can temporarily or permanently disable the SIM card and keep the phone from being used. Keep a record of the phone’s serial number and IMEI.
- Use strong passwords – Six-digit passcodes or 12-character passwords are my recommended minimums for password length, due to their ability to withstand automated brute-force password cracking.
- Use two-factor authentication – 2FA makes brute forcing a password meaningless. Even if an attacker has your password, without the one-time passcode provided by 2FA, the password is useless.
- Change password when necessary – If you think an account has been compromised, change the password. You can always check if your user IDs and passwords are in the wild at HaveIBeenPwned.com.
- Account access by device – Know which devices are accessing your online accounts, and make sure they all belong to you. Most service providers can show this information in your account settings or profile settings.
- Set up connection notifications – Many online services will alert you to connections made by new devices or from new locations. Set these up when possible, and learn if there is unauthorized access to your accounts.
These 14 steps will make your phone and the phone-connected parts of your online life more secure. They will keep you from becoming a victim of identity theft if the phone is stolen. Recovering from identity theft can be a long and expensive process, so prevention is your best solution.
- US-CERT – Security Tip (ST05-017) Cybersecurity for Electronic Devices
- FTC – An identity thief stole my phone!