Symantec experiment shows lost phones often lead to personal and corporate data theft
In the pre-digital age, theft of mail from the postbox or the loss of a wallet was considered a sure sign that your personal, financial or sensitive business data might be at risk. Today, however, there’s a much more valuable source of such information for would-be data thieves, and one that is unfortunately much easier to lose: your smartphone, an indispensable extension of our ever-connected lives and a treasure trove of information about our families, our finances and our business interests.
Online security company Symantec recently set out to discover just how damaging the loss of a smartphone can be to both individuals and corporations. The company also sought to find out what steps, if any, professionals in IT security jobs can take to mitigate that loss.
In what it called the “Honey Stick Project,” Symantec intentionally “lost” 50 Android smartphones in various cities across the U.S. and Canada. Each phone was loaded with fake personal and corporate data and equipped with remote monitoring software, then placed so that it appeared a forgetful owner had left it behind. Whether on subway cars, in mall food courts or even inside bathroom stalls, all 50 phones were found, and Symantec employees then carefully monitored what each finder did with the device.
Researchers saw that in nearly every case (96%) the finder made at least some attempt to access personal information on the phone before either contacting the listed owner to return it (which happened about half the time) or keeping the phone for themselves. Optimists may think the digital snooping was just the result of a Good Samaritan’s necessary efforts to track down the phone’s rightful owner, but further data paints a much more pessimistic picture.
A full 40% of those who found the phones tried to access corporate email accounts and online banking records stored on the decoys. Another 60% attempted to log in to social media sites using the original owner’s credentials. In fact, Symantec rigged each phone so that the username and password for popular online services appeared to be already filled in on the various login screens. When the finders hit submit and received an error, 57% then dug into the phone’s files and opened a fake list of usernames and passwords in an attempt to complete the login.
Each phone was also loaded with a dummy list of employees and their salaries at the owner’s fictional workplace. That tempting bit of information was viewed by 53% of those who found the phones. More than 72% of finders took the time to browse the photos on the lost phones while they were at it. Another 49% tried to open a fake app called “Remote Admin.”
In all, Symantec watched 89% of phone finders access personal apps (social media, personal email, online banking, etc.) and 83% attempt to access corporate information (the salary spreadsheet, corporate email, the “Remote Admin” app). More than 70% of finders spent enough time with the phones to do both.
While Symantec is in the business of selling security software to prevent just this sort of accidental data breach, the company admits that a very simple security feature already present on every smartphone would have eliminated all the risk uncovered in the study. A simple passcode lock would have thwarted every finder’s attempt to access the lost phones in the Symantec experiment, and setting a passcode is the company’s primary recommendation to corporate professionals in a cyber security career for securing their devices in the field.