Smartphone As Your Most Dangerous Possession
Hugh Pickens writes "CNN reports that now that smartphones double as wallets and bank accounts — allowing users to manage their finances, transfer money, make payments, deposit checks and swipe their phones as credit cards — smartphones have become very lucrative scores for thieves and with 30% of phone subscribers owning iPhones, BlackBerrys and Droids, there are a lot of people at risk. Storing a password and keeping your phone locked is a good start, but it's not going to protect you from professional fraudsters. 'Don't think that having an initial password set on your phone can stop people from getting in there,' says Nikki Junker, a victim advisor at the Identity Theft Resource Center. 'It's a very low level of protection — you can even find 30-second videos on how to crack smartphone passwords on YouTube.'"
I believe you mean "risky" not "dangerous." The most dangerous item I own is probably a knife.
I live in constant fear of the Coming of the Red Spiders.
With passcodes, setting the phone to wipe on a few failed tries? Almost everyone I know lacks a passcode on their mobile device - giving anyone the freedom to dig into their personal lives. I just don't think people realize what a risk it is at all.
I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.
Actually no I do not use a smart phone for banking etc. I cannot control the OS installed on the phone, I therefore cannot add bits (apps) knowing for sure that they work as intended, so I do not use the smart phone for banking, or surfing to sites that need log-ins. Log-in type of browsing I use my Linux desktop / laptop for.
Those that do use a smart phone for everything, they should treat the phone just like cash, where if you lose it, you could be well forked, and out of pocket in more ways than one.
Take Nobody's Word For It.
It continues to make almost everything more convenient, including ruining you.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Throw in one of these, and you're looking at truly ridiculous amounts of pain if you lose your phone.
[End Of Line]
You don't own a car? That is probably the "most dangerous" class of item that people own.
If I have nothing to hide, don't search me
Close to (still not quite reaching that number, IIRC) 30% of device sales are smartphones, not 30% of subscribers (and as to "Droids"...Samsung seems to be positioning themselves firmly on top; unless the term starts becoming a genericized (shortcut of) trademark)
One that hath name thou can not otter
The late '90s were a zenith of Western society, a fair balance of regulation and freedom; technology and tradition.
Now the government's breathing down everyone's neck while they're neatly distracted by thinking they're such a big deal that they need to be contacted at every minute of the day or night.
Minimise your shitty gadgets. Do only what needs doing. Relax a little. If you think you need to bank from your 'phone, you're doing life wrong.
I don't own a car, but I do own a lightsaber. Not as clumsy or random as a car; an elegant weapon for a more civilized age.
I remember how not so long ago any new SIM card came with its PIN. Lately though, out of the box, they often don't require any authorization (a PIN can be still set up of course, but...)
It would seem people prefer it that way (at least at my place, but I doubt it's very unique)
One that hath name thou can not otter
I'm thinking my shotgun is a little more dangerous than my station wagon.
Semantic quibble, which comes down to people's ability to assess risk. Guns vs swimming pools.
The point is, the phone is a terrible choice for security related matters, because it wasn't specifically designed to be an e-wallet from the ground up.
You can never, ever just bolt-on security.
The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode.
And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one.
Simon
Physicists get Hadrons!
That's a little harsh. Remote wipe is good enough. My corporate Blackberry can be wiped remotely. I think any smartphone should allow me to login to my account online and activate remote wipe to my device. Maybe they do already. I am sure many folks here have smartphones, does that exist on personal accounts?
You don't have to reload a station wagon on a crowded sidewalk...
Hardware that was even making a token effort at security, would need to be capable of cold zeroisation.
To remotely wipe data, it needs a power source AND a signal.
Sorry, I thought it was people, not guns, that were dangerous. Thanks for clarifying that.
It comes down to how much you perceive the risk of using a tool. You know your shotgun can potentially do a whole lot of damage. That's its express purpose after all.
A car doesn't seem as dangerous, but even though it wasn't designed for that purpose it can do a lot of damage, and I wouldn't be surprised when the relevant statistics show that percentage wise, a lot more people get accidentally hurt by cars than by shotguns.
The same partly applies to blunt vs. sharp kitchen knives, with people getting cut by the former way more often than by the latter, and also how most accidents happen in people's homes, where they feel secure and safe and thus become careless.
To get back on topic, smartphones are not perceived as the high risk devices they are, making them more dangerous.
Truth arises more readily from error than from confusion. -Francis Bacon
If you store the most critical things in the cloud, especially things that you access thru your phone, is your password your most dangerous possession, mainly because stealing your phone is not a requirement for getting your data (if your password is unsafe or used from an unsafe location, i.e. with a keylogger). Of course, that has the advantage that if your phone gets stolen, and you are fast enough, you could change your cloud password and disable your phone number.
You could also store directly in the phone sensitive information like passwords, but there are apps that are meant to manage that information that have a master password to enable you to access (and that password will be the important one there)
Sorry, I thought it was people, not guns, that were dangerous.
Well, that's true. Any suitably light-fingered individual is well qualified to attempt to lift my phone out of my front pants pocket, provided that they don't mind taking the chance that I might smash their brains in.
But then I personally think it's incredibly stupid to put any kind of financial details on anything that is so easily and casually stolen. I don't even leave such information lying around (at least in a form that is worth the trouble of attempting to decrypt) on my computers at home where I can guarantee a larger degree of security.
errr I mean iOS4 not the iPhone 4
I would also like to know what devices can be cracked in 30 seconds. In fact, I can't find an iPhone crack on googling.
So don't bother to RTFA. That might inform you of the casual smudge-track left by those crappy 3x3 gesture-passcodes.
Of course, the simple solution here is not to use it, but what the hell. Anything for a lame story...
Android phones have numeric or alphanumeric passwords that can be enabled as of version 2.2
Android users: use KeepassDroid for storing your passwords in a keepass database, and then randomize your important accounts.
Now all you need to remember is one good password. When you tap on an entry after decryption, keepassdroid puts a notification item up, that when activated, pastes the password in your clipboard for pasting into nearly any app or web page. It does smart things like clear the clipboard after a delay, etc.
You can combine it with Dropbox for unified password management on all platforms; just use a 1.x database if you have a Mac, because KeepassX doesn't "do" v2.x databases, for some reason.
Please help metamoderate.
Looks to me as if that system is best suited to card-skimming operations. The convenience seems to fall entirely on one side of the transaction.
it's not going to protect you from professional fraudsters. 'Don't think that having an initial password set on your phone can stop people from getting in there,' says Nikki Junker, a victim advisor at the Identity Theft Resource Center. 'It's a very low level of protection -- you can even find 30-second videos on how to crack smartphone passwords on YouTube.'"
Complete BS.
Blackberries offer real security. The flash memory can be encrypted with solid AES. They can be set to wipe after a certain number of bad login attempts. They can be locked or wiped remotely. They can be set to wipe after a certain period of time off the network. There is a background process which continuously overwrites unused RAM to make sure decrypted data in memory is kept to a minimum.
And most importantly, you can enforce all of these settings from the Blackberry Enterprise Server so that you can protect idiot users from their own stupidity.
The blackberry platform has been tested, audited & certified by many security organizations. Iphone & Android have been certified by... nobody.
If you want real security, the choice is clear.
The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode. And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one. Simon
OK, I don't have an iPhone, so what is a tap-based passcode? Just typing digits on a 10-key style screen interface or something like that? I've got a smartphone, but not an iPhone, and have been reluctant to keep anything too valuable (or personal) on it for lack of password protection, and I've resisted using password protection because of how annoying I imagine it to be. Am I totally wrong about how big a hassle it is?
I am not a crackpot.
I'm not dumb enough to place any form of important info into ANY device connected to a network. Privacy can not be maintained when so many people have access to the servers and software directly connected to your smart phone or computer. I remember when phones made phone calls...and that was it. No ring tones, no apps, just a basic fully functioning device used to communicate with others. Now people are shocked that the "smart" phone is considered a prize to thieves. It's a key to the bank you use and you keep it under your door mat...what did you think was gonna happen. If people want security then use the brain you were given to memorize said info...and don't say some people can't. Information of utmost importance can be retained and locked away behind lies and deception and can not be stolen without the owners participation. (see social engineering) A phone makes no judgment on who is holding it and will open itself to whoever wants in. So the reality of the matter is people who are foolish enough to place personal info into a network deserve being ripped off. Jump into a fire, you will get burned. Simples.
I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.
Couldn't they just dump the memory of the device in its encrypted state and crack it at their leisure?
Anything can be found funny, from a certain point of view.
Yes but remote wipe would take care of 99% of the dumb criminals. There is very little defence against the smart ones. TFA talks about posting to Facebook and using your device as a credit card which would imply connectivity.
Sorry, I thought it was people, not guns, that were dangerous
True, but since the 13th amendment passed you're not allowed to own any people, only guns.
I am TheRaven on Soylent News
...with 30% of phone subscribers owning iPhones, BlackBerries, and Androids...
FTFY. Droids are only a subset of Androids
Which is cool, for those phones that are allowed to be able to upgrade to that version...
Simon
Physicists get Hadrons!
Generally speaking, guns almost never kill people.... bullets, on the other hand, are another matter.
The World Wide Web is dying. Soon, we shall have only the Internet.
Not really completely different. Quite symptomatic.
One that hath name thou can not otter
The iPhone unlock is a 4-digit PIN. I think you can use more digits, but 4 is enough, given that you only get 5 tries.
As I said, I found it annoying at first, but after a day or so, I don't really notice it. You don't need to unlock the phone to answer calls, so it's about 2 seconds to unlock then use the phone. Well worth it IMHO.
Simon
Physicists get Hadrons!
If your car is the most dangerous thing you own you should probably think about visiting an optometrist.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
err, the grass is greener on the other side buddy. Here you are saying you want to get an iphone and here I am saying I'm going to get an android (well, the dual core one when it comes out at least... assuming it doesn't have any gating issues)
TBH unless you need an ipod touch there isn't a lot of good reason to get an iphone at this stage. I have to turn my phone off and back on at work sometimes because of its inability to get any data throughput despite having a connection. Granted, the iphone 4 for verizon might not have this issue, but another issue is that my hard drive died and now I can't update the firmware without doing a sync and I can't sync without worrying that everything that isn't considered "a purchase" that I absolutely must remember to transfer prior to syncing else it will get wiped from the phone.
Finally, the iphone requires you have X gigs of hard drive available where X is the size of your phone. My wife's sister had a low end computer where 14.5 gigs of space is a premium and guess who was the culprit who devoured all that without telling her?
Your wife could just wipe her pinky on her shirt then swipe with her pinky
If you miss the password three times on my phone, the thermite security feature is triggered, slagging both the phone and the hand holding it. That's why I never drink and text anymore.....
You don't own a car? That is probably the "most dangerous" class of item that people own.
Are you married? *ducks for cover from the feminists*
These posts express my own personal views, not those of my employer
I'd like to see more phones have the option to completely erase contents after "X" period of time with no network signal. This way, someone can't just pull a SIM card to keep access.
As for remote wipes, sometimes phones do provide non-corporate customers the way to do this. Apple does, (you used to need a .me.com account, but apparently with iOS 4.2.1, not anymore.) Motorola's Motoblur accounts also have this ability as well.
I do think having E-mail with an Exchange provider (that supports OWA) is a good thing even with these options, just because of the ability to wipe the contents using a different mechanism.
When someone has access to your hardware, the only thing that will protect you is strong encryption. Having the CPU prevent access to your data is like sticking a post-it on a stack of money saying "you may not take this".
That'll work.
Until someone wipes your phone maliciously.
I own an android tablet and I can ascertain that yes, they show.
The thing is, you need to do it in one swipe - and you're going to do it pretty commonly. So there'll be a long continuous smudge where you left it unlocked. It'll 'overwrite' previous smudges, and chances are you're not doing long swipes on other things. Unless you have swype or something.
Nah. Now Owning people is called Work.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
No, that's risk. The car is enormously dangerous whether you can see well or not. If you intend to use it to harm, having good eyesight makes it *more* dangerous. It is indeed the most dangerous thing most people own, with the possible exception of a gun (if they own one).
Funny. I consider my brain to be more dangerous than all of the other things I own combined, by several orders of magnitude.
Actually the danger from cars is over-rated. A gun can kill far more people more quickly, even if you drove into a crowd you'd be very unlikely to kill as many people as you could with a gun.
Cars are also a lot more clumsy, and once off a road are prone to being stopped very quickly by any number of things.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If the keys moved around randomly on the screen at the beginning of typing the password and after typing each character, the positions of smudges on the screen would not give any information about the password. (Yes, this does have an obviously funny reply. Not sure how to upstage it from here. Go ahead and say it, then.)
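The randomized-keypad idea in the comment above, as a small simulation. This is an added example, not code from the thread; the 10-slot pad, the PIN and every function name are constructed for illustration.

```python
import secrets
from collections import Counter

KEYS = "1234567890"  # constructed 10-key pad; slot i on the screen shows KEYS[i]


def fixed_layout():
    """Conventional pad: every key is always drawn in the same slot."""
    return list(KEYS)


def shuffled_layout():
    """Fisher-Yates shuffle driven by the OS CSPRNG, so slot positions are unpredictable."""
    keys = list(KEYS)
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        keys[i], keys[j] = keys[j], keys[i]
    return keys


def touched_slots(pin, layout_fn):
    """Screen slots pressed during one PIN entry.

    The layout is drawn before the first key and again after every key,
    which is what the comment proposes.
    """
    slots = []
    layout = layout_fn()
    for digit in pin:
        slots.append(layout.index(digit))
        layout = layout_fn()
    return slots


def smudge_map(pin, layout_fn, unlocks):
    """Accumulate how often each slot is touched over many unlocks."""
    counts = Counter()
    for _ in range(unlocks):
        counts.update(touched_slots(pin, layout_fn))
    return counts


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    for name, fn in (("fixed", fixed_layout), ("shuffled", shuffled_layout)):
        counts = smudge_map(pin, fn, unlocks=2000)
        print(name, [counts.get(slot, 0) for slot in range(len(KEYS))])
```

With the fixed layout only the four slots holding the PIN's digits collect touches, which leaves 4! = 24 orderings to try for a PIN with four distinct digits; with the shuffled layout the touches spread evenly over all ten slots.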
You, sir, are clearly not a lobbiest for the Banking industry.
No, but he's lobbier than most.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
What's "financial details"?
If you have a phone that stores e-mail, and you've ever had your bank/paypal/credit card/amazon/etc send you a "I've forgotten my password" email.... then that info is fairly easy to access. Even finding out answers to your typical "security questions" would be fairly trivial.
I would be surprised if your average smartphone user has thought this through.
The only weakness on a BB with full encryption enabled is a weak password. Note the flash memory would have to be moved to different hardware and the hardware keys extracted from the phone board, since the phone hardware checks firmware signature so you can't just load your cracking software on the phone hardware
"Politicians and diapers must be changed often, and for the same reason."
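Several comments above turn on the same question: whether a wipe-after-N-tries counter still matters once someone copies the encrypted flash and guesses offline, and why a key held in the phone hardware changes that. The model below is an added example, not code from the thread and not a description of how any real iPhone, Android or BlackBerry derives its keys; the `Phone` class, the tiny work factor and the sample PIN are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200          # constructed, deliberately tiny work factor so the demo runs in seconds
MARKER = b"unlock-check"  # constructed value MACed under the derived key to verify a guess


def derive_key(pin, salt, device_key=b""):
    """Stretch the PIN; if device_key is set, mix in a secret that never leaves the chip."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    if device_key:
        key = hmac.new(device_key, key, hashlib.sha256).digest()
    return key


def make_verifier(key):
    return hmac.new(key, MARKER, hashlib.sha256).digest()


class Phone:
    """Constructed model: flash stores salt and verifier; the device key stays in hardware."""

    def __init__(self, pin, bind_to_hardware, max_tries=10):
        self.salt = os.urandom(16)
        self._device_key = os.urandom(32) if bind_to_hardware else b""
        self.verifier = make_verifier(derive_key(pin, self.salt, self._device_key))
        self.max_tries = max_tries
        self.failures = 0
        self.wiped = False

    def try_unlock(self, pin):
        """On-device attempt: counted, and the key material is destroyed at the limit."""
        if self.wiped:
            return False
        key = derive_key(pin, self.salt, self._device_key)
        if hmac.compare_digest(make_verifier(key), self.verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_tries:
            self.verifier, self._device_key, self.wiped = b"", b"", True
        return False

    def dump_flash(self):
        """What a copy of the flash contains: salt and verifier, not the hardware key."""
        return self.salt, self.verifier


def offline_search(salt, verifier):
    """Try every 4-digit PIN against a flash copy; no attempt counter applies off-device."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(make_verifier(derive_key(pin, salt)), verifier):
            return pin
    return None


if __name__ == "__main__":
    for bound in (False, True):
        phone = Phone("4821", bind_to_hardware=bound)  # constructed sample PIN
        print("hardware-bound:", bound, "-> offline result:", offline_search(*phone.dump_flash()))
```

When the key depends only on the PIN, the flash copy gives up the PIN after at most 10,000 derivations and the wipe counter never runs; when a hardware-held secret is mixed in, guesses have to go through the device, where the counter applies.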
Give me a phone which will self destruct if someone tries to tamper with the security.
Call me crazy, but I wouldn't want to carry around explosives near my ear or crotch. My phone crashes enough, I'd prefer it not have the option of crashing then burning my nuts off.
I think you underestimate what one can do with a car.
See for example the Queensday attack in the Netherlands almost 2 years ago:
http://www.spiegel.de/international/europe/0,1518,622342,00.html
5 people dead at an event with about the highest level of security that you could find in the Netherlands at the time.
RogerWilco the Adventurous Janitor
But a phone is dangerous. You can use it for coordinating terrorist attacks, or even to remotely trigger a bomb. You can use it to contact a professional killer. Oh, and there's of course that dangerous mobile phone radiation ... :-)
The Tao of math: The numbers you can count are not the real numbers.
Yes the iPhone 4 has full device encryption but Android phones don't. A thief can root a phone and read all unencrypted data from it when connecting it to a computer. example: http://www.androidcentral.com/android-passwords-rooted-clear-text
There are a number of open issues about it on the google android site; ex. https://code.google.com/p/android/issues/detail?id=10809
It's funny, I didn't bother with a password on my smartphone until I had a 2-year-old. I didn't bother using keylock until said toddler learned he could dial 911 without entering the password. It turns out kids are a great motivator to lock down your systems.
Ten seconds of Google and I found this (http://blog.crackpassword.com/tag/iphone). They feel the weakness is in the iphone backup, where they can use a PC to do a brute force attack to break the encryption.
I think more googling would probably provide even more results.
My Chimpanzee owns both drivers and firearms licences. I've seen him drive with a hunting knife between his teeth while making bank transfers on his smartphone. I aggregate my dangerous possessions.
Task Mangler
"Generally speaking, guns almost never kill people.... bullets, on the other hand, are another matter."
Bullets? Nah... It's not bullets what's dangerous, it's the speed they come with.
It's not even the speed. It's the inertial delta of the bullet and [part of] the person.
You don't have to reload a station wagon on a crowded sidewalk...
Sssh! If Carolyn McCarthy finds that out she'll be introducing legislation to limit all new automobiles to 1 gallon gas tanks.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I wouldn't be surprised when the relevant statistics show that percentage wise, a lot more people get accidentally hurt by cars than by shotguns.
The wording of that is interestingly chosen, and also completely correct (at least if you replace "shotgun" with "firearm"). There are roughly only 10% more vehicles per capita in the US than there are firearms per capita in the US. From 1999 to 2007, the overall death rate by firearm in the US was 10.33 per 100,000. During the same period, the overall death rate by motor vehicle was 14.76 per 100,000. 10% more vehicles, 43% more fatalities. If you remove the number of deaths (both categories) of 18-19 year olds who died as a result of being willfully and knowingly involved in violent criminal activity, and all those who committed suicide, the difference is even more starkly apparent.
Cars, like smartphones, are convenient. People overlook the negatives of those things that provide them with an opportunity to use the bare minimum effort to complete a given task more often than not.
There are countries I can think of where firearms are likely more dangerous than vehicles, but the US is not one of them.
From 1999 to 2007, the total motorized vehicle death rate was 14.76 per 100,000. The firearm death rate during the same period was 10.33 per 100,000. That said, I'm not sure it matters much. Each side will frame the numbers in ways that support their bias, and will argue endlessly over which comparison is "more accurate." In the end, the only quantifiable "fact" is that one kills people more often in relation to how many of them exist. Whether that is of import to any argument is another matter entirely.
The numbers are obtainable from the CDC NCIPC if anyone cares to verify them.
With smartphones of today - or even so called "feature phones", when used as an audio player for example - people run out of juice quite often.
(and you think I don't know how SIM's PIN work if going through enough of them to notice some pattern?)
One that hath name thou can not otter
Greece fell once, people were complaining all the time. The fifty year thing sure sounds good, but it's total bollocks.
The one thing I learned from reading stuff from all ages is that the past was _always_ better, youth is _always_ going downwards and apocalypse is _always_ just around the corner.
Just saying.
Self-destruction does not have to be explosive. Though GP sure seems to think so.
You don't own a car? That is probably the "most dangerous" class of item that people own.
I thought most people died in household accidents, making your own house your most dangerous enemy.
To have a right to do a thing is not at all the same as to be right in doing it
So when was the last time one of your guns stood up and attacked you?
Uh huh... that'll work until your kid/friend/parent decides to try and get into your phone by guessing your password over and over.
The most dangerous item I own is an app that can mimic the sound of an ak47. Now I just need to find an amp