By: Sammi Sheppard
With the rise in cell phone usage, mobile phones are becoming more and more like miniature computers. You can browse the Internet, send emails and talk on video chat. Some people even feel lost without their phones. It’s become a part of who they are.
The CIA World Factbook states about 270 million people in the United States use a mobile cell phone device. This makes the U.S. the third highest country for cell phone usage behind China and India. That’s 87 percent of a population last estimated to be 310 million people.
That identity, however, might be susceptible to being compromised. Cell phones may not be as secure as people may think. Information stored on phones, with or without your knowledge, could be in danger of falling into the wrong hands.
The convenience of cashing a check by scanning it with an iPhone might be putting your credit, identity or bank account information at risk. But that’s not the only thing threatening the security of your phone. A mobile forensic expert gives tips for keeping your cellular and you safe.
What information is being stored?
Cell phones, especially smart phones with applications, have the ability to store information you tell them to record. They also are able to store information you may not want.
“I got an iPhone because of all the cool features and the apps. It does everything a phone could possibly do,” said Shannon Righetti, sophomore communication studies major and iPhone 4 user. “I don’t think it has any sensitive information on it except my e-mail.”
The company viaForensics, a specialized computer and mobile forensics firm, tests mobile applications to see what information is stored on a mobile device. They also check how vulnerable that information is.
“When developers, who are traditionally used to writing programs for computers and browsers, get into the mobile world, they’re not really familiar with all the nuances of how the data is stored or how long the data lasts,” said Andrew Hoog, viaForensics chief investigative officer. “They apply a lot of the techniques they’ve done in their past programming to the mobile phone and it ends up causing issues.”
Hoog has found that sometimes systems will mark information as deleted when it’s actually not. Some of the more serious things viaForensics uncovered were usernames and passwords that were stored on the device without any sort of encryption.
“We also found that a lot of applications will end up storing information about you on your phone,” Hoog said. “Like a list of all your banking accounts, a list of all your transactions, account numbers and routing numbers.”
How safe is that information?
Lookout Mobile Security, the leading provider of cloud-based smart phone security software, released a study with shocking facts on the likelihood of owning an unsafe application.
They found users have on average 31 applications on their phones that have access to their identity information. Users also have an average of 19 applications that can access their location and five applications that can access their SMS messages, like a regular text message, and MMS messages, text messages with multimedia embedded in them.
“I had no clue that applications had access to my information,” said Tara Donavanik, senior liberal studies major, who has the T-Mobile smart phone Motorola Cliq. “It’s crazy how accessible that information can be.”
AppWatchdog also tested several banking applications and published the results for people to see on their website. They want people to know if the application they use leaves the user vulnerable or not.
“I don’t want to use a mobile banking app just because you never know where that information could go,” Donavanik said. “I wouldn’t want anyone to see that information but me.”
While the techniques for getting information stored on phones may not be the easiest according to Hoog, more exploits are being discovered. Recently, a problem with the Android was found that allowed someone access to the web browser and all the information it stored.
“As the different exploit issues pop up, people who have criminal intentions use that to get as much information as they can to steal people’s identity, steal their money, or whatever,” Hoog said.
According to Hoog, people will approach his company with concerns that their phones have been invaded. An important factor to remember is that the less encrypted or protected the information, the easier the intruder is able to get what they want.
“The big message we’re trying to get out to the public is that banking applications–or any application that stores sensitive information–need to be careful about what they store because there will be security holes and vulnerabilities in these mobile platforms,” Hoog said. “It’s inevitable. It’s unstoppable.”
Updates for applications don’t necessarily mean all the information stored is now protected. People may still be able to access your sensitive information, even though the update may have fixed the application’s security issues.
Hoog believes that companies are more concerned with getting their products out the fastest to be better than their competitors than with security issues.
“For the big time companies, it’s more profitable for them to get the next feature out and then deal with any fallout on a security issue than for them to actually go back and do sufficient testing to try to eliminate the security flaw,” Hoog said.
Apple and Verizon had not responded to attempts to contact them at the time of this publication.
How can you keep your information safe?
Since sensitive information is being stored on phones, people need to know how to protect that information from harm.
“If it falls in the wrong hands, it could lead into a bad situation,” Donavanik said.
One way to make sure your phone is not storing any valuable information on it is to wipe it clean, setting the phone back to its default setting. Since phones sometimes say something is deleted when it really isn’t, you may have to reset your phone to its original factory setting to ensure no information was left behind. This is only necessary if you fear the information on your phone is at risk to being stolen.
If you wipe your phone, you want to make sure you back up any information you want to keep. This includes pictures or contacts, since they will no longer exist. All the applications you once had will now be gone.
Most smart phones have the ability to remotely wipe the phone if it is lost or stolen. This clears all your personal information on the phone so no one can steal your identity or access your bank accounts.
“I would definitely invest in something that could keep my information safe because then other people wouldn’t be able to take advantage of me,” Donavanik said. “I could stop it before it costs me money.”
The Norton Mobile Security offers protection to Android users by providing services that keep information sealed. Through the application, users can remotely disable devices as well as block annoying and unwanted calls and text messages.
The service also automatically locks a mobile phone if its SIM card is removed and allows the user to delete personal information remotely.
The iPhone has more restrictions as to what applications can be used with it, but MobileMe users can locate a lost or stolen iPhone through the Find My iPhone application. This app allows the user to send a message to the phone as well as lock and wipe the phone remotely.
Hoog urges people to be mindful of where and how they are using the app if they choose not to wipe their phones.
“If you’re going to be checking very sensitive information, it’s probably best to do it in a place where you know it’s a safe environment,” Hoog said.
Righetti knows not to send sensitive information over the phone, like account numbers or social security numbers.
“I don’t ask for or send information through text messages that is important, nothing I wouldn’t want someone else to know,” Righetti said.
If information is taken through an application on someone’s mobile device, the user is the one to deal with the consequences, not the application producer.
“Right now the scales are not tipped in the favor of the consumers and ultimately those are the people who pay the price,” Hoog said. “If your identity is compromised, if people are able to get money out of your bank, you’re the one left holding that issue. It’s something where we have to try to turn the tables on that trend.”
Tips to keeping your information safe:
1. Be Aware of Your Whereabouts: People can get your credit card by listening to a phone conversation or watching you punch it in to your phone. The Department of Justice calls this “shoulder surfing.” Make sure you are aware of your whereabouts when checking sensitive information.
2. Zip the Lips: Many smart phones have a lock option to keep unwanted visitors accessing your phone. Put a lock into place. Don’t tell others your code and change it every couple of months.
3. Don’t Text Important Information: Some people will look in a phone for key names like “Mom” or “Dad” and will text that person to try to get information from them. If someone texts you asking for your social security number or credit card number, call them to make sure you know who they really are and why they need your information.
4. Use Wi-Fi Wisely: Free wireless can be helpful, but it is also more vulnerable. Don’t access sensitive information on open wireless systems you wouldn’t want someone else to stumble across.
5. Turn Off the Bluetooth: Information can be accessed via Bluetooth so turn it off when you’re not using it.
1. Lookout Mobile Security: Designed to protect mobile phone against apps that violate your privacy by doing security and privacy phone scans. This also allows remote wiping of information. Compatible with Android, Blackberry and Windows Mobile phones.
2. Norton Mobile Security: Allows users to remotely disable or wipe information from their mobile device. Lets users block unwanted numbers from calling or texting. This also locks the mobile phone instantly if the SIM card is removed. Compatible with Android phones.
3. Simple Vault 1.2: Allows users to store private information in a locked place. Compatible with iPhones.
4. iPortScan: Lets users check if services are spying on them. Designed to scan the phone to see if ports are open from the Internet to protect users. Compatible with iPhones.
5. MobileMe’s Find My iPhone: Allows users to remotely send a text message to a lost or stolen phone, as well as lock or wipe the phone’s information. Compatible with iPhones registered with MobileMe.