Slashdot Mirror
Smartphone As Your Most Dangerous Possession
Hugh Pickens writes "CNN reports that now that smartphones double as wallets and bank accounts — allowing users to manage their finances, transfer money, make payments, deposit checks and swipe their phones as credit cards — smartphones have become very lucrative scores for thieves and with 30% of phone subscribers owning iPhones, BlackBerrys and Droids, there are a lot of people at risk. Storing a password and keeping your phone locked is a good start, but it's not going to protect you from professional fraudsters. 'Don't think that having an initial password set on your phone can stop people from getting in there,' says
Nikki Junker, a victim advisor at the Identity Theft Resource Center. 'It's a very low level of protection — you can even find 30-second videos on how to crack smartphone passwords on YouTube.'"
I believe you mean "risky" not "dangerous." The most dangerous item I own is probably a knife.
I live in constant fear of the Coming of the Red Spiders.
Give me a phone which will self destruct if someone tries to tamper with the security.
Preferably in a painful way to the person doing it.
With passcodes, setting the phone to wipe on a few failed tries? Almost everyone I know lacks a passcode on their mobile device - giving anyone the freedom to dig into their personal lives. I just don't think people realize what a risk it is at all.
I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.
Actually no I do not use a smart phone for banking etc.. I cannot control the OS installed on the phone, I therefore cannot add bits (apps) knowing for sure that they work as intended, so I do not use the smart phone for banking, or surfing to sites that need log-ins. Log-in type of browsing I use my Linux desktop / laptop for.
Those that do use a smart phone for everything, they should treat the phone just like cash, where if you loose it, you could be well forked, and out of pocket in more ways than one.
Take Nobody's Word For It.
It continues to make almost everything more convenient, including ruining you.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Throw in one of these, and you're looking at truly ridiculous amounts of pain if you lose your phone.
[End Of Line]
You don't own a car? That is probably the "most dangerous" class of item that people own.
If I have nothing to hide, don't search me
Close to (still not quite reaching that number, IIRC) 30% of device sales are smartphones, not 30% of subscribers (and as to "Droids"...Samsung seems to be positioning themselves firmly on top; unless the term starts becoming a genericized (shortcut of) trademark)
One that hath name thou can not otter
The late '90s were a zenith of Western society, a fair balance of regulation and freedom; technology and tradition.
Now the government's breathing down everyone's neck while they're neatly distracted by thinking they're such a big deal that they need to be contacted at every minute of the day or night.
Minimise your shitty gadgets. Do only what needs doing. Relax a little. If you think you need to bank from your 'phone, you're doing life wrong.
I don't own a car, but I do own a lightsaber. Not as clumsy or random as a car; an elegant weapon for a more civilized age.
I remember how not so long ago any new SIM card came with its PIN. Lately though, out of the box, they often don't require any authorization (a PIN can be still set up of course, but...)
It would seem people prefer it that way (at least at my place, but I doubt it's very unique)
One that hath name thou can not otter
I'm thinking my shotgun is a little more dangerous than my station wagon.
I would also like to know what devices that can be cracked in 30 seconds. In fact, I can't find an iPhone crack on googling. The "cracks" on youtube for iPhone don't work.
Someone should mod this up. It made my day.
Semantic quibble, which comes down to people's ability to asses risk. Guns vs swimming pools.
The point is, the phone is a terrible choice for security related matters, because it wasn't specifically designed to be an e-wallet from the ground up.
You can never, ever just bolt-on security.
The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode.
And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one.
Simon
Physicists get Hadrons!
You don't have to reload a station wagon on a crowded sidewalk...
Sorry, I thought it was people, not guns, that were dangerous. Thanks for clarifying that.
It comes down to how much you perceive the risk of using a tool. You know your shotgun can potentially do a whole lot of damage. That's its express purpose after all.
A car doesn't seem as dangerous, but even though it wasn't designed for that purpose it can do a lot of damage, and I wouldn't be surprised when the relevant statistics show that percentage wise, a lot more people get accidentally hurt by cars than by shotguns.
The same partly applies to blunt vs. sharp kitchen knives, with people getting cut by the former way more often than by the latter, and also how most accidents happen in people's homes, where they feel secure and safe and thus become careless.
To get back on topic, smartphones are not perceived as the high risk devices they are, making them more dangerous.
Truth arises more readily from error than from confusion. -Francis Bacon
If you store the most critical things in the cloud, specially things that you access thru your phone, is your password your most dangerous possession, mainly because stealing your phone is not a requirement for getting your data (if your password is unsafe or used from an unsafe location, i.e. with a keylogger). Of course, that have as advantage that if your phone gets stolen, and you are fast enough, you could change your cloud password and disable your phone number.
You could also store directly in the phone sensitive information like passwords, but there are apps that are meant to manage that information that have a master password to enable you to access (and that password will be the important one there)
i think the average user doesn't realize what they are risking, or just assume that it couldn't ever happen to them.
i've personally known a number of people that left their wireless open, despite me explaining very clearly the risk and ease that people can get at your info; i even showed one of my ex-coworkers how easy it was to record her vonage calls with wireshark while parked some distance away... she still didn't care; she didn't want to deal with the hassle of her router.
Sorry, I thought it was people, not guns, that were dangerous.
Well, that's true. Any suitably light-fingered individual is well qualified to attempt to lift my phone out of my front pants pocket, provided that they don't mind taking the chance that I might smash their brains in.
But then I personally think it's incredibly stupid to put any kind of financial details on anything that is so easily and casually stolen. I don't even leave such information lying around (at least in a form that is worth the trouble of attempting to decrypt) on my computers at home where I can guarantee a larger degree of security.
errr i mean iOS4 not the iPhone 4
The point is, the phone is a terrible choice for security related matters, because it wasn't specifically designed to be an e-wallet from the ground up.
If you actually look at the design of iOS4 you might find that security has been built in very deeply with a hardware key among other things the OS. If you have access to Apple's WWDC 2010 sessions, take a look at session 209.
You can never, ever just bolt-on security.
As a shameless plug, I believe that we have 1Password for iOS (a password management system) well designed to use both our own security layer on top of what is built into iOS.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
I would also like to know what devices that can be cracked in 30 seconds. In fact, I can't find an iPhone crack on googling.
So don't bother to RTFA. That might inform you of the casual smudge-track left by those crappy 3x3 gesture-passcodes.
Of course, the simple solution here is not to use it, but what the hell. Anything for a lame story...
android phones have numeric or alphanumeric passwords that can be enabled as of version 2.2
Android users: use KeepassDroid for storing your passwords in a keepass database, and then randomize your important accounts.
Now all you need to remember is one good password. When you tap on an entry after decryption, keepassdroid puts a notification item up, that when activated, pastes the password in your clipboard for pasting into nearly any app or web page. It does smart things like clear the clipboard after a delay, etc.
You can combine it with Dropbox for unified password management on all platforms; just use a 1.x database if you have a Mac, because KeepassX doesn't "do" v2.x databases, for some reason.
Please help metamoderate.
*sigh* This whole "you can read the unlock swipe pattern" really needs to be put to rest. That requires that. 1) You clean your screen before unlocking it. 2) You unlock your phone. 3) You immediately hand your phone to a hacker with specialized equipment. I think I can avoid doing that.
because...? Anyone?
A clear case of forgetting to include security in your considerations from the start, forcing it to be bolted-on later.
Looks to me as if that system is best suited to card-skimming operations. The convenience seems to fall entirely on one side of the transaction.
it's not going to protect you from professional fraudsters. 'Don't think that having an initial password set on your phone can stop people from getting in there,' says Nikki Junker, a victim advisor at the Identity Theft Resource Center. 'It's a very low level of protection -- you can even find 30-second videos on how to crack smartphone passwords on YouTube.'"
Complete BS.
Blackberries offer real security. The flash memory can be encrypted with solid AES. They can be set to wipe after a certain number of bad login attempts. They can be locked or wiped remotely. They can be set to wipe after a certain period of time off the network. There is a background process which continuously overwrites unused RAM to make sure decrypted data in memory is kept to a minimum.
And most importantly, you can enforce all of these settings from the Blackberry Enterprise Server so that you can protect idiot users from their own stupidity.
The blackberry platform has been tested, audited & certified by many security organizations. Iphone & Android have been certified by... nobody.
If you want real security, the choice is clear.
The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode. And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one. Simon
OK, I don't have an iPhone, so what is a tap-based passcode? Just typing digits on a 10-key style screen interface or something like that? I've got a smartphone,but not an iPhone, and have been reluctant to keep anything too valuable (or personal) on it for lack of password protection, and I've resisted using password protection because of how annoying I imagine it to be. Am I totally wrong about how big a hassle it is?
I am not a crackpot.
I'm not dumb enough to place any form of important info into ANY device connected to a network. Privacy can not be maintained when so many people have access to the servers and software directly connected to your smart phone or computer. I remember when phones made phone calls...and that was it. No ring tones, no aps, just a basic fully functioning device use to communicate with others. Now people are shocked that the "smart" phone is considered a prize to thieves. It's a key to the bank you use and you keep it under your door mat...what did you think was gonna happen. If people want security then use the brain you were given to memorize said info...and don't say some people can't. Information of utmost importance can be retained and locked away behind lies and deception and can not be stolen without the owners participation. (see social engineering) Phones makes no judgment on who is holding it and will open itself to whoever wants in. So the reality of the matter is people who are foolish enough to place personal info into a network deserve being ripped off. Jump into a fire, you will get burned. Simples.
I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.
Couldn't they just dump the memory of the device in its encrypted state and crack it at their leisure?
Anything can be found funny, from a certain point of view.
Sorry, I thought it was people, not guns, that were dangerous
True, but since the 13th amendment passed you're not allowed to own any people, only guns.
I am TheRaven on Soylent News
...with 30% of phone subscribers owning iPhones, BlackBerries, and Androids...
FTFY. Droids are only a subset of Androids
I remember how not so long ago any new SIM card came with its PIN. Lately though, out of the box, they often don't require any authorization (a PIN can be still set up of course, but...)
That's a completely different problem. The smartphone has a lot of useful information stored on it, and you want to protect the contents of the smartphone from the bad guys.
Protecting the SIM with a PIN stops bad guys from putting the SIM into a different phone and making phone calls/SMS/data that you get the bill for.
Which is cool, for those phones that are allowed to be able to upgrade to that version...
Simon
Physicists get Hadrons!
Generally speaking, guns almost never kill people.... bullets, on the other hand, are another matter.
The World Wide Web is dying. Soon, we shall have only the Internet.
Not really completely different. Quite symptomatic.
One that hath name thou can not otter
No, actually, it doesn't.
My wife has an Android phone (I bought her an HTC Hero when it first came out) which clearly has the swipe marks on the front of the phone, when held up to the light. I know what her swipe is, so I can tell what to look for, but they're definitely there and I have to assume that evil-bad-people can figure out which ones they are. They're pretty prominent.
In my wife's case, I think it's the lotion she puts on her hands. It sticks to the surface way beyond the usual time, and she generally taps rather than swipes to use the other functionality. The swipes stay put.
This is a definite Android vulnerability. I looked into getting the later version of the OS, but it seems I cannot upgrade this phone. Just Fscking great, that. The chances of getting my wife to change her hand-lotion are somewhat smaller than Satan skating to work one day, so I guess the Valentines day gift will be a new iPhone. At least Apple *cares* enough to do something about problems...
The iPhone unlock is a 4-digit PIN. I think you can use more digits, but 4 is enough, given that you only get 5 tries.
As I said, I found it annoying at first, but after a day or so, I don't really notice it. You don't need to unlock the phone to answer calls, so it's about 2 seconds to unlock then use the phone. Well worth it IMHO.
Simon
Physicists get Hadrons!
If your car is the most dangerous thing you own you should probably think about visiting an optometrist.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
err, the grass is greener on the other side buddy. Here you are saying you want to get an iphone and here I am saying I'm going to get an android (well, the dual core one when it comes out at least... assuming it doesn't have any gating issues)
TBH unless you need an ipod touch there isn't a lot of good reason to get an iphone at this stage. I have to turn my phone off and back on at work sometimes because of its inability to get any data throughput despite having a connection. Granted, the iphone 4 for verizon might not have this issue, but another issue is that my hard drive died and now I can't update the firmware without doing a sync and I can't sync without worrying that everything that isn't considered "a purchase" that I absolutely must remember to transfer pior to syncing else it will get wiped from the phone.
Finally, the iphone requires you have X gigs of hard drive available where X is the size of your phone. My wife's sister had a low end computer where 14.5 gigs of space is a premium and guess who was the culprit who devoured all that without telling her?
Your wife could just wipe her pinky on her shirt then swipe with her pinky
If you miss the password three times on my phone, the thermite security feature is triggered, slagging both the phone and the hand holding it. That's why I never drink and text anymore.....
iPhone and iPod touch can have either a 4 digit PIN password OR a full alphanumeric password (not sure maximum length). You can also set a number of behaviors around these passwords. For example you can set it to wipe the device after 10 incorrect passwords and you can customize the delay before a password is asked for after putting the device on standby. You can have the device ask for the password any time it is woken from sleep or you can set a time delay. For me I've found 15 minutes is a good balance between not having to enter my password all the time and security if I lose the device.
You don't own a car? That is probably the "most dangerous" class of item that people own.
Are you married? *ducks for cover from the feminists*
These posts express my own personal views, not those of my employer
Sorry, I thought it was people, not guns, that were dangerous. Thanks for clarifying that.
Most people aren't dangerous until you put a machine like a gun or vehicle under their control
When someone has access to your hardware, the only thing that will protect you is strong encryption. Having the CPU prevent access to your data is like sticking a post-it on a stack of money saying "you may not take this".
That'll work.
Until someone wipes your phone maliciously.
I own an android tablet and I can ascertain that yes, they show.
The thing is, you need to do it in one swipe - and you're going to do it pretty commonly. So there'll be a long continious smudge where you left it unlocked. It'll 'overwrite' previous smudges, and chances are you're not doing long swipes on other things. Unless you have swype or something.
Try owning a car in NJ. Y'know, when car insurance is 6000/year.
Yeah, I'll stick to working from home, and my knife. NJT does suck, however. Unfortunately, I wasn't raised by rich white parents like the rest of NJ, so driving isn't a privilege I'll ever experience. I'm only 31, though. I have time, I guess.
Most people aren't dangerous until you give them some kind of power - which happens to be a fundamental aspect of democracy: people must have access to power. The trick is discipline, which is also fundamental to democracy. Without discipline (which only comes from responsability and learning) there is no "people", only mob. Of course, only jocks can understand this. The rest can only wallow in their sense of helplessness and self-defeatism while we beat them up and shit on their faces.
Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
Not sine I downloaded the machinegun app.
Tap based passcode, easily decipherable from finger smudges as evidenced by all my friend's iphones. If you don't want your passcode cracked, wipe the grease off your phone after every use.
Nah. Now Owning people is called Work.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The SIM's PIN is only required when you turn the phone on. Completely useless in today's age, where no-one ever turns their phone off (you can't receive phone calls if you turn it off).
You can use a phone for 6 months without ever entering that PIN.
No, that's risk. The car is enormously dangerous whether you can see well or not. If you intend to use it to harm, having good eyesight makes it *more* dangerous. It is indeed the most dangerous thing most people own, with the possible exception of a gun (if they own one).
You, sir, are clearly not a lobbiest for the Banking industry.
Funny. I consider my brain to be more dangerous than all of the other things I own combined, by several orders of magniture.
Actually the danger from cars is over-rated. A gun can kill far more people more quickly, even if you drove into a crowd you'd be very unlikely to kill as many people as you could with a gun.
Cars are also a lot more clumsy, and once off a road are prone to being stopped very quickly by any number of things.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If the keys moved around randomly on the screen at the beginning of typing the password and after typing each character, the positions of smudges on the screen would not give any information about the password. (Yes, this does have an obviously funny reply. Not sure how to upstage it from here. Go ahead and say it, then.)
You, sir, are clearly not a lobbiest for the Banking industry.
No, but he's lobbier than most.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
What's "financial details"?
If you have a phone that stores e-mail, and you've ever had your bank/paypal/credit card/amazon/etc send you a "I've forgotten my password" email.... then that info is fairly easy to access. Even finding out answers to your typical "security questions" would be fairly trivial.
I would be surprised if your average smartphone user has thought this through.
Haha, losers, in yer face!
I think you underestimate what one can do with a car.
See for example the Queensday attack in the Netherlands almost 2 years ago:
http://www.spiegel.de/international/europe/0,1518,622342,00.html
5 people dead at an event with about the highest level of security that you could find in the Netherlands at the time.
RogerWilco the Adventurous Janitor
But a phone is dangerous. You can use it for coordinating terrorist attacks, or even to remotely trigger a bomb. You can use it to contact a professional killer. Oh, and there's of course that dangerous mobile phone radiation ... :-)
The Tao of math: The numbers you can count are not the real numbers.
Yes the iPhone 4 has full device encryption but Android phones don't. A thief can root a phone and read all unencrypted data from it when connecting it to a computer. example: http://www.androidcentral.com/android-passwords-rooted-clear-text
There are a number of open issues about it on the google android site; ex. https://code.google.com/p/android/issues/detail?id=10809
It's funny, I didn't bother with a password on my smartphone until I had a 2-year-old. I didn't bother using keylock until said toddler learned he could dial 911 without entering the password. It turns out kids are a great motivator to lock down your systems.
Ten seconds of Google and I found this (http://blog.crackpassword.com/tag/iphone). They feel the weakness is in the iphone backup, where they can use a PC to do a brute force attack to break the encryption.
I think more googling would probably provide even more results.
My Chimpanzee owns both drivers and firearms licences. I've seen him drive with a hunting knife between his teeth while making bank transfers on his smartphone. I aggregate my dangerous possessions.
Task Mangler
"Generally speaking, guns almost never kill people.... bullets, on the other hand, are another matter."
Bullets? Nah... It's not bullets what's dangerous, it's the speed they come with.
Android makes it easy. You don't have to enter a password to pick up a call. It is irritating though when it times out and you are trying to use it. Though the benefit to a quick time out is that you don't accidentally press any buttons with your phone to your ear. Maybe a feature exists to which you can change it so it only times out when a call is sent otherwise slower timeouts occur. If you want to lock it then you have to press off (pressing off does already lock it). Now the down side I guess to Android is that it makes it easy to break the password. I imagine that if it is really that important to you then you should be changing the password frequently enough that this does not wear your phone where an attacker could detect it and therefore get easy access. Though I seriously doubt the protection of any device including the iPhone. Even with encryption you probably wouldn't have a hard time gaining access due to the design of these devices. They run on flash and I'd bet the password when it is entered gets stored to disk. Any forensics investigator could probably get in without a problem with or without the iPhones encryption features. At the end of the day you shouldn't be storing sensitive data on your phone.
It's not even the speed. It's the inertial delta of the bullet and [part of] the person.
Why is this even on here?
You don't have to reload a station wagon on a crowded sidewalk...
Sssh! If Carolyn McCarthy finds that out she'll be introducing legislation to limit all new automobiles to 1 gallon gas tanks.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
you could of course not give the phone to the child. crazy, i know.
I wouldn't be surprised when the relevant statistics show that percentage wise, a lot more people get accidentally hurt by cars than by shotguns.
The wording of that is interestingly chosen, and also completely correct (at least if you replace "shogun" with "firearm"). There are roughly only 10% more vehicles per capita in the US than there are firearms per capita in the US. From 1999 to 2007, the overall death rate by firearm in the US was 10.33 per 100,000. During the same period, the overall death rate by motor vehicle was 14.76 per 100,000. 10% more vehicles, 43% more fatalities. If you remove the number of deaths (both categories) of 18-19 year olds who died as a result of being willfully and knowingly involved in violent criminal activity, and all those who committed suicide, the difference is even more starkly apparent.
Cars, like smartphones, are convenient. People overlook the negatives of those things that provide them with an opportunity to use the bare minimum effort to complete a given task more often than not.
There are countries I can think of where firearms are likely more dangerous than vehicles, but the US is not one of them.
From 1999 to 2007, the total motorized vehicle death rate was 14.76 per 100,000. The firearm death rate during the same period was 10.33 per 100,000. That said, I'm not sure it matters much. Each side will frame the numbers in ways that support their bias, and will argue endlessly over which comparison is "more accurate." In the end, the only quantifiable "fact" is that one kills people more often in relation to how many of them exist. Whether that is of import to any argument is another matter entirely.
The numbers are obtainable from the CDC NCIPC if anyone cares to verify them.
With smartphones of today - or even so called "feature phones", when used as an audio player for example - people run out of juice quite often.
(and you think I don't know how SIM's PIN work if going through enough of them to notice some pattern?)
One that hath name thou can not otter
Greece fell once, people where complaining all the time. The fifty year thing sure sounds good, but it's total bollocks.
The one thing I learned from reading stuff from all ages is that the past was _always_ better, youth is _always_ going downwards and apocalypse is _always_ just around the corner.
Just saying.
You don't own a car? That is probably the "most dangerous" class of item that people own.
I thought most people died in household accidents, making your own house your most dangerous enemy.
To have a right to do a thing is not at all the same as to be right in doing it
So when was the last time one of your guns stood up and attacked you?
Actually, shoguns have been responsible for millions of deaths in Japan.
Uh huh... that'll work until your kid/friend/parent decides to try and get into your phone by guessing your password over and over.
The most dangerous item I own is an app that can mimic the sound of an ak47. Now I just need to find an amp