Friday, April 16, 2010

Are our cellphones a growing security risk?


I'm growing more and more concerned about the use of cellphones to do a huge number of different tasks. These expose us to more and more loss of privacy and/or criminal exploitation of their vulnerabilities.

For example, it was recently announced that the TSA is looking into using cellphones to track delays in movement through airport security checkpoints. It sounds innocent enough, a way to inform people about likely delays in real time, and so on - but it's also a means to track people who've committed no offense. What happens if that technology is taken out of the airport and installed in a city, to track everyone moving through it? What about our expectation of privacy? There are those who affirm that we have no expectation of privacy in a public place, but I don't agree. There's reasonable and appropriate monitoring of spaces from a public safety perspective, and then there's Big Brother. I don't want the latter.

Then there's the growing use of cellphones as a replacement for credit and/or debit cards. In Japan it's already commonplace to use one's cellphone to pay for purchases at shops, from vending machines, and so on. The phone transmits a signal that is picked up and processed by the point-of-sale machinery. That's all well and good . . . but what's the fraud rate like? I imagine it'd be relatively easy to set up a receiver to intercept such communications, decode them, and re-transmit them to buy items using another person's credit information. How often is this already happening? No-one's saying, but I'm sure it's already a reality.

There's also the immense number of different applications running on 'smart phones'. I've been looking into them this week, considering an upgrade to my cellular service. A single 'smart phone' can replace a GPS navigation device; an MP3 music player; a camera; a credit card (see above); a portable computer (it can handle e-mail and Web browsing with no problem); and so on. All those things are most convenient . . . but if we lose our cellphone? We're left without any access to all those areas, and the loss might be crippling to many. Even worse, if we haven't encrypted our personal information on the phone, and someone steals it, they can get access to our bank accounts, e-mails, address list, photographs stored on the phone (which can prove very embarrassing indeed), and so on. All those things in one device look more and more like a very expensive loss just waiting to happen.

What say you, readers? Are cellphones becoming so multi-faceted as to be an indispensable tool, but carrying with them all the dangers of a one-stop-shop do-everything device?

Peter

9 comments:

Anonymous said...

Battery removal is the only way to disable it completely.

Popgun said...

The iPhone / iPad from Apple can be set to erase all contents after a number of failed logins - or it can be done remotely if you have a MobileMe account. You can also use MobileMe to locate the device if it has a GPS chip.

Anonymous said...

I wonder if that dufus carried nude photos of his wife in his wallet in case he lost it. But it's the fault of McDonald's that he lost his phone and someone else found it and the pictures.

Anonymous said...

Tracking: As an opt-in thing, it is a matter of choice, otherwise it is Big Brother's first little step.

Credit Cards: Forget it.

Data loss: As bad an issue as it sounds. Don't put anything into a phone you don't want your grandmother or a judge to see.

Security: Don't do anything on a cellphone web browser that involves logging in to a site; that is just begging for trouble.


They certainly have their uses, but there is great potential for harm, too.

Jim

The Old Man said...

I am a cellphone Luddite - if I wanted people to reach out and touch me I'd tie a string to my belt. If necessary, I carry a pool cellphone provided by work and the battery comes out of it after work hours. Paranoid? Perhaps. But it cuts down on my list of worries considerably.

(BTW Peter, when did you replace your visage with the ostrich?)

Phyphor said...

This brings to mind a little incident I remember from this last week. I was listening to the local rock station on the radio and the DJ was talking about his Blackberry he'd lost a year ago and just recently found out it was still active. He called his own number and some guy answered it and the DJ asked for his phone back. The douchebag in question refused to give it back and had the nerve to ask how one set up the email access on it!

All that money spent on the damned thing, yet there was nothing he could do to get it back / stop the other guy from using it.

Peter said...

The Old Man: I replaced my picture during the series of articles on the clergy sex abuse crisis in the Catholic Church. Reliving all those bad memories made me feel all fuzzy and bird-brained, so I figured my blog profile picture ought to match!

:-)

Hecate said...

As an IT professional, I've had to do damage control for "upper-level" types (why does it always seem the higher up the food chain, the less responsible they are?) who couldn't keep track of their mobile devices.

Remote-wipe capability is mandatory, as is the ability to GPS-track your device if lost or stolen. There's no excuse for that Blackberry still being active on the same number a year after it was lost. The wireless provider and RIM should have been able to brick it immediately upon notification.

Since I carry a gun as close to 24x7 as possible, I find I'm very careful of all items I carry. Just as using a holster with appropriate retention is necessary for responsible gun carry, a smartphone should be carried in a secure holder. My preferences are the Maxpedition PDA pouch attached to my Jumbo Versipack (my "purse") and a Golla Bag on my belt. No cheap clip-on crap that the phone can fall out of for me.

Physical security is the foundation upon which all other security is built. Your firewalls are worthless if someone can get into your data center with a crowbar and break things. It's a lot easier to keep physical track of one device that does many things than it is to keep track of several single-purpose devices.

Data security is second nature for a pro-geek. I won't root my Droid because that weakens some security features built into the Android OS. Most of the rest of staying safe online is the same whether you're using a desktop computer at home or work, a netbook on wi-fi at Starbucks, or a smartphone.

Backing up is also an ingrained habit. Android can be configured to back up selected data to Google automatically. It goes without saying that none of this data should be sensitive. Everything else I back up manually to the SD card, which I then back up to my computer. Which is itself backed up every day.

Governmental misuse of GPS on your phone is just one small part of a bigger problem that should be addressed at its source. People have no idea how many times a day they're photographed. I've worked on law-enforcement implementations of surveillance video that can run facial recognition on people three blocks away from the camera, and systems that automatically scan, record, and geocode every license plate they see. Supposedly they'll only use it to check for stolen cars. Yeah, right.

That said, I would never own a GPS-enabled device that didn't have a removable battery.

Betty said...

I enjoy the fact my iPhone is a camera, wireless flash drive, remote TV show recorder, police scanner, cookbook, portable baby entertainer, MP3 player and more.

I check my email on my phone, which enables me to work while playing with my son without being forced to stay near my computer. My email is set to delete from the server only when downloaded from my computer, so if I download first to my iPhone, I will always have a copy on my computer.

I do appreciate the GPS and use it when I'm a passenger navigator. It's secondary to pre-planning with a paper map, but it's very handy for alternate routes and finding eateries and other places.

But I will NOT use a phone as a credit card. I can password protect my phone and have it set to erase.