Smartphones Need Security Too

When a smartphone is stolen, it is a disaster.  You have just given the thief the keys to your online life: your email, social media accounts, and any credit cards you have synced with an app.  If you have the new smart locks on your home or office, you also gave them literal keys, the ability to open those locks.  If you have live camera feeds from a video surveillance system, you gave them an actual view into your personal spaces.

A pair of June 8th posts by the FTC and US-CERT highlight the importance of properly securing your smartphone. The FTC post is the personal story of the author, Cheryl Roth, who recently had her handbag stolen.  She lost her driver’s license, credit cards, and her cell phone.  She started her recovery plan at IdentityTheft.gov, which we reported on back in May.

For many people, the phone is now the PRIMARY online device, the one they reach for first and most frequently.  Securing your smartphone from thieves and attackers requires the same sort of vigilance and tool set that we are familiar with for laptops and PCs.

Here are the steps to smartphone security:

  • Physical security – This means protecting the actual location of the phone, and the phone itself.  Leaving your phone unattended anywhere is a bad practice, but it happens all the time.  As we learned from Cheryl’s story, a purse is not a secure location either.  Keep an eye on your phone when in restaurants, bars, or when shopping.  Do not leave your purse in a shopping cart.  If you have your phone out and are using it in public, be aware that this can make you a target for a pickpocket.  Where you stow and carry the phone is important.  Back pockets in pants are the easiest to lift.
  • Update your phone – Smartphone operating system and app updates are usually more about plugging security holes than they are about providing new features or functions.  Let your phone update automatically, or run the updates manually when your phone notifies you about them.
  • Lock your phone – Use a six-digit or longer passcode to lock your phone.  Set the phone to lock automatically when not in use.  This is the first line of defense against a thief or other person in possession of your phone.
  • Back up your phone – Use the cloud backup service offered by your phone provider.  Android phones can be backed up to Google, and Apple phones to your iCloud account.  Make sure you are saving those important photos and videos.
  • Use encryption – If you encrypt your phone data, it will be useless to the thief without the encryption key or passcode that activates it.
  • Disable remote connections – When not using Bluetooth, turn it off to prevent Bluejacking attempts.
  • Use care on Wi-Fi – Wi-Fi connections save minutes on your data plan. But remember that unsecured wireless connections, those that don’t require a password, do not encrypt your traffic between the phone and the access point.  Your Wi-Fi sessions, including user IDs and passwords, can be read and recorded for later use by an attacker.
  • Phone finder app – Install and configure Find My iPhone (iOS) or Find My Device (Android).  These apps can locate your device, take a picture of the thief, and erase your phone if necessary.
  • Notify your carrier – If your phone is missing, they can temporarily or permanently disable the SIM card and keep the phone from being used. Keep a record of the phone’s serial number and IMEI.
  • Use strong passwords – Six-digit passcodes or 12-character passwords are my recommended minimums for password length, due to their ability to withstand automated brute-force password cracking.
  • Use two-factor authentication –  2FA makes brute forcing a password meaningless.  Even if an attacker has your password, without the one-time passcode provided by 2FA, the password is useless.
  • Change password when necessary – If you think an account has been compromised, change the password.  You can always check if your user IDs and passwords are in the wild at HaveIBeenPwned.com.
  • Account access by device – Know which devices are accessing your online accounts, and make sure they all belong to you.  Most service providers can show this information in your account settings or profile settings.
  • Set up connection notifications – Many online services will alert you to connections made by new devices or from new locations.  Set these up when possible, and learn if there is unauthorized access to your accounts.

These 14 steps will make your phone and the phone-connected parts of your online life more secure.  They will keep you from becoming a victim of identity theft if the phone is stolen. Recovering from identity theft can be a long and expensive process, so prevention is your best solution.
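
For the "Change password when necessary" step, a password can be checked against breach data without ever sending the password itself. This is an added example, not code from the original post: it uses the Pwned Passwords range lookup (api.pwnedpasswords.com, part of Have I Been Pwned but not named on this page), where only the first five characters of the password's SHA-1 hash are sent and the match is done locally. The response body and breach counts below are constructed sample data so the script runs offline.

```python
from __future__ import annotations
import hashlib

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(password: str) -> str:
    """URL that would be requested: it carries only the 5-char hash prefix."""
    prefix, _ = split_sha1(password)
    return f"https://api.pwnedpasswords.com/range/{prefix}"

def breach_count(password: str, range_body: str) -> int:
    """Compare our suffix locally against the 'SUFFIX:COUNT' lines returned."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if count and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed: not found in the breach corpus

def constructed_response(known: dict[str, int]) -> str:
    """Build a CONSTRUCTED response body for the demo (counts are made up)."""
    lines = [f"{split_sha1(pw)[1]}:{n}" for pw, n in known.items()]
    lines.append("0" * 35 + ":3")  # constructed filler entry that matches nothing
    return "\r\n".join(lines)

# Constructed sample data, standing in for the body of a real range response.
SAMPLE_BODY = constructed_response({"password": 1000})

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 42"):
        hits = breach_count(pw, SAMPLE_BODY)
        verdict = "change it everywhere it is used" if hits else "not in sample data"
        print(f"{range_url(pw)}  hits={hits}  -> {verdict}")
```

A non-zero count means the password has appeared in a breach and should be replaced on every account that uses it.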


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
