Firstly, I must apologize for my long absence here. I've just been extremely busy with some great new clients. However, one of my clients had an experience recently that made me think that I should write a little about security in general, and mobile phones in particular.
What happened to that client is that their smart phone was stolen. It's something we all dread, we all think will never happen to us, and therefore, something most of us don't prepare for.
So here are a few recommendations that I'll be making to my clients . . . all of them, because frankly, everyone should know these, but not everyone does.
Firstly, most smart phones come with the ability to set a combination or screen-lock of some sort, which is the first line of defense. Mine is an Android, and has one built-in, located in Menu/Settings/Location & Security. This particular one uses dots and you create a pattern by sliding your finger through them. I'm sure that BlackBerrys and iPhones both have some version of this kind of screen-lock, and if yours doesn't come with it (like my previous Android didn't), you can most likely download a free app that does this.
Next, if you have any confidential data that is accessible on your phone, it should absolutely be password-protected. And under no circumstances should you EVER leave the “keep me logged-in” box checked. It might be a pain to keep typing in the password on your bank app, but trust me that you'll be very glad you did if your phone is lost or stolen.
I think it should go without saying that you should be careful who you trust with your phone, as well as any confidential information. I also have a client who showed a college assignment file to a classmate they thought trustworthy, only to have a good portion of their work stolen and presented as the work of the thief, thus getting my good-natured client in trouble as well.
You should also obviously be extremely careful with regard to passwords. Please, don't keep your passwords on a sticky-note on your desk. If they're so hard to remember that you need to do that, then they're too complicated; the whole purpose is defeated. At the same time, you need to keep track of them, and you shouldn't really use any of them for more than one account. I know, I know . . . who can come up with – let alone remember – the number of passwords you'll need, if you use a distinct password for each account?
So what you really need is one of two things. The first would be a place you can keep your passwords written down that is not accessible online (don't put a file called “passwords.doc” on your desktop – and yes, I actually know of more than one person who did this!).
This would be a low-tech solution, such as a notebook that is stored someplace secure, but that you can access yourself, like in a journal mixed in with a bunch of other books on your shelves. If you have something offline like this, it means no one can hack into your home network and retrieve them. It also means that you're going to have to remember the ones you need most often, and that, if you need a less-frequently-used password, and you're not home, you're out of luck (or you have to have someone else you trust know where to look for them). But on the plus side, it won't be wiped out if you get a virus and have to suddenly reformat your hard drive.
The other option is to use a password “vault” program, such as LastPass (the only one I've used thus far, which is recommended by Leo Laporte, The Tech Guy, and Steve Gibson of Gibson Research Corporation, though I'm sure there are other ones that are equally good). The basic idea of these is that they record and encrypt your passwords and then you no longer need to remember one for each site . . . you need only remember one: your Master Password. LastPass (and probably others) will also create a random string of characters as a password if you tell it to, and use a different one for each site, which is extremely hard to crack. Remember the client whose phone was stolen? I signed them up for LastPass. The one thing you need to remember is that you should NEVER, UNDER ANY CIRCUMSTANCES, CHECK THE BOX THAT SAYS “KEEP ME SIGNED IN” in LastPass, or you've just negated all that work you just did setting up the program. Not to mention making yourself just as vulnerable as, or possibly even more vulnerable than, you were without LastPass.
Also be extremely careful with whom you share your passwords, because if you ever do reuse them for more than one site or program, and you give out, say, the password to your Facebook account, so a friend can post photos for you, and you've reused that password, what's to say that “friend” won't try to get into Amazon or some other store site where you've stored your credit card information? If the passwords are the same, not only have you just bought your so-called friend some new tech, but who knows what else?
If you have to share an account for any reason, before you give your account name and password out, check to see if there's a sub-account you might be able to set up, in order to maintain ultimate control over that account. (Also, never, ever give any account information to your employer or potential employer. Aside from being an invasion of privacy, it's also against the End User License Agreement, which means that account could be canceled for no other reason than that.)
This is where something called Two Factor Authentication (or Multi Factor Authentication) comes in. Even if you have to share a password, if you have this, it helps protect you. This is when you create a password, and then are asked for your alternate email address, phone number, and possibly to select and complete security questions like, “What was the make and model of the first car you owned?” or, “Who was your first girlfriend/boyfriend?” or even, “What was the name of your third-grade teacher?” Don't ignore these! They're there to help you; take them seriously! (You can and should make up the answers, as long as the answers are something you will remember. I never use my mother's maiden name or other such easily-obtained information.) So if someone steals your phone and tries to change your bank password, and your phone gets the text message with the verification code, you may also get an email alerting you to the fact that someone is trying to tamper with your account, so you can take appropriate action. In the meantime, the person with your cell phone still may be trying to answer some question like, “Who was your favorite singer in high school?”
Now, if your phone does go missing, there are several ways to approach it. If you think you just left it somewhere in your daily travels, or, as I have done more than once, had it fall out of your pocket in your car, the first thing to do is call it, and see if you hear your ringtone. But if you think it's actually been stolen, you may want to track it (there are apps that will allow you to do that; I believe all iPhones have that installed by default), you may want to call your phone company and have it disabled, or you may use software you previously installed (yes, there's an app for this, too) to brick it, or wipe the entire phone, thus rendering it as useless as a brick.
I have some advice on passwords and other security measures as well, but they can take up their own articles, so I'll deal with them separately.
The whole point here is that you really need to set things up ahead of time. You need to set up the apps for screen-lock, phone location, or wiping your phone now, before anything can happen. You need to be careful to whom you give access to your mobile phone and your passwords. You need to set up Multi Factor Authentication on any account with confidential or financial information. Basically, you need to prepare for the worst and then, if you're lucky, you will never have to use any of these tools. The best time for this is when you get a new phone, because you're setting everything up anyway. But if you're reading this and you haven't really given much thought to this, start with the easiest thing (the screen-lock) and work on the rest as time allows.
You can thank me later.
Update: 6/23/13: I've just found an Android app called "Lookout" that's supposed to protect your (Android) mobile phone by detecting malware and allowing you to track your phone, and even wipe it if need be. I'm installing it right now. At some future point I will probably post more about it, once I've lived with it a while. Watch this blog!