Firstly I must apologize for my long absence here. I've just been extremely busy with some great new clients. However, one of my clients had an experience recently that made me think that I should write a little about security in general, and mobile phones in particular.
What happened to that client is that their smart phone was stolen. It's something we all dread, we all think will never happen to us, and therefore, something most of us don't prepare for.
So here are a few recommendations that I'll be making to my clients . . . all of them, because frankly, everyone should know these, but not everyone does.
Firstly, most smartphones come with the ability to set a combination or screen-lock of some sort, which is the first line of defense. Mine is an Android, and has one built-in, located in Menu/Settings/Location & Security. This particular one uses dots and you create a pattern sliding your finger through them. I'm sure that both BlackBerrys and iPhones have some version of this kind of screen-lock, and if your phone doesn't come with one (like my previous Android didn't), you can most likely download a free app that does this.
Next, if you have any confidential data that is accessible on your phone, it should absolutely be password-protected. And under no circumstances should you EVER leave the “keep me logged-in” box checked. It might be a pain to keep typing in the password on your bank app, but trust me that you'll be very glad you did if your phone is lost or stolen.
I think it should go without saying that you should be careful who you trust with your phone, as well as any confidential information. I also have a client who showed a college assignment file to a classmate they thought trustworthy, only to have a good portion of their work stolen and presented as the work of the thief, thus getting my good-natured client in trouble as well.
You should also obviously be extremely careful with regards to passwords. Please, don't keep your passwords on a sticky-note on your desk. If they're so hard to remember that you need to do that, then they're too complicated; the whole purpose is defeated. At the same time, you need to keep track of them, and you shouldn't really use them for more than one account. I know, I know . . . who can come up with – let alone remember – the number of passwords you'll need, if you use a distinct password for each account?
So what you really need is one of two things. The first would be a place you can keep your passwords written down that is not accessible online (don't put a file called “passwords.doc” on your desktop – and yes, I actually know of more than one person who did this!). This would be a low-tech solution, such as a notebook that is stored someplace secure, but that you can access yourself, like in a journal mixed in with a bunch of other books on your shelves. If you have something offline like this, it means no one can hack into your home network and retrieve them. It also means that you're going to have to remember the ones you need most often, and that, if you need a less-frequently-used password, and you're not home, you're out of luck (or you have to have someone else you trust know where to look for them). But on the plus side, it won't be wiped out if you get a virus and have to suddenly reformat your hard drive.
The other option is to use a password “vault” program, such as LastPass (the only one I've used thus far, which is recommended by Leo Laporte, The Tech Guy, and Steve Gibson of Gibson Research Corporation, though I'm sure there are other ones that are equally good). The basic idea of these is that they record and encrypt your passwords, so you no longer need to remember one for each site . . . you need only remember one: your Master Password. LastPass (and probably others) will also create a random string of characters as a password if you tell it to, and use a different one for each site, which is extremely hard to crack. Remember the client whose phone was stolen? I signed them up for LastPass. The one thing you need to remember is that you should NEVER, UNDER ANY CIRCUMSTANCES, CHECK THE BOX THAT SAYS “KEEP ME SIGNED IN” in LastPass, or you've just negated all that work you just did setting up the program. Not to mention making yourself just as much or possibly even more vulnerable than you were without LastPass.
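To make the vault idea concrete, here is an added example (not LastPass's code or file format, and not part of the original post) of the three things a vault does: generate a distinct random password per site, stretch the one Master Password into keys, and keep the stored file unreadable without it. The cipher is a toy built from HMAC-SHA256 in counter mode so that the example runs with only the Python standard library; real vault software uses a vetted authenticated cipher such as AES-GCM instead. The iteration count and the sample site names are assumptions.

```python
"""Added example: how a password vault works (toy cipher, standard library only).

Assumptions: PBKDF2_ITERATIONS is an illustrative work factor; the HMAC-based
stream cipher stands in for a real authenticated cipher purely so this runs
offline. It is not a vault format any product actually uses.
"""
import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 100_000  # assumption: slow on purpose, to resist guessing


def generate_password(length=20):
    """Random per-site password drawn with the `secrets` module (not `random`)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master_password, salt):
    """Stretch the Master Password into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher for this demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries, master_password):
    """Encrypt the site->password dictionary and tag it so tampering is detected."""
    salt = secrets.token_bytes(16)   # fresh per vault, so equal passwords differ on disk
    nonce = secrets.token_bytes(16)  # fresh per seal, so the keystream is never reused
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(blob, master_password):
    """Return the entries, or None if the Master Password is wrong or the file was altered."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None  # check the tag first: never decrypt unauthenticated data
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    # Constructed sample vault with two sites; every password is random and distinct.
    vault = {"bank": generate_password(), "shop": generate_password()}
    sealed = seal_vault(vault, "correct horse battery staple")
    print("wrong master password ->", open_vault(sealed, "guess"))
    print("right master password ->", open_vault(sealed, "correct horse battery staple") == vault)
```

The stored file contains only salt, nonce, ciphertext and tag, so a copy of it is useless without the Master Password. That is also exactly why the “keep me signed in” warning matters: a stay-signed-in option keeps the result of `open_vault` around in plain form, which is the one thing the whole construction exists to avoid.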
Also be extremely careful with whom you share your passwords. If you reuse a password for more than one site or program and give out, say, your Facebook password so a friend can post photos for you, what's to say that “friend” won't try it on Amazon or some other store site where you've stored your credit card information? If the passwords are the same, not only have you just bought your so-called friend some new tech, but who knows what else?
If you have to share an account for any reason, before you give your account name and password out, check to see if there's a sub-account you might be able to set up, in order to maintain ultimate control over that account. (Also, never, ever give any account information to your employer or potential employer. Aside from being an invasion of privacy, it's also against the End User License Agreement, which means that account could be canceled for no other reason than that.)
This is where something called Two-Factor Authentication (or Multi-Factor Authentication) comes in. Even if you have to share a password, if you have this, it helps protect you. This is when you create a password, and then are asked for your alternate email address, phone number, and possibly to select and complete security questions like, “What was the make and model of the first car you owned?” or, “Who was your first girlfriend/boyfriend?” or even, “What was the name of your third-grade teacher?” Don't ignore these! They're there to help you; take them seriously! (You can and should make up the answers, as long as the answers are something you will remember. I never use my mother's maiden name or other such easily-obtained information.) So if someone steals your phone and tries to change your bank password, and your phone gets the text message with the verification code, you may also get an email alerting you to the fact that someone is trying to tamper with your account, so you can take appropriate action. In the meantime, the person with your cell phone still may be trying to answer some question like, “Who was your favorite singer in high school?”
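The texted verification code is the part of this that is worth seeing from the server's side. The following is an added example (not any bank's or provider's code, and not part of the original post) of how a site issues and checks such a code: the code is random, single-use, expires after a few minutes, and a handful of wrong guesses locks it, so a shared or reused password alone is not enough to get in. The server secret, the five-minute lifetime and the three-attempt limit are assumptions chosen for the demonstration.

```python
"""Added example: issuing and checking a texted verification code (second factor).

Assumptions: CODE_TTL_SECONDS and MAX_ATTEMPTS are illustrative policy values;
the `now` parameter exists so the expiry logic can be exercised offline.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses and the code is dead


class SecondFactor:
    def __init__(self, server_secret):
        self.server_secret = server_secret
        # username -> [hash of code, expiry time, wrong attempts so far]
        self.pending = {}

    def _hash(self, username, code):
        # Store a keyed hash, not the code itself, so a leaked table is not a leaked code.
        msg = f"{username}:{code}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).digest()

    def issue(self, username, now=None):
        """Create a fresh six-digit code; in production this is what gets texted to the phone."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[username] = [self._hash(username, code), now + CODE_TTL_SECONDS, 0]
        return code  # returned here only so the demo can play the role of the phone

    def verify(self, username, submitted, now=None):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_code'."""
        now = time.time() if now is None else now
        record = self.pending.get(username)
        if record is None:
            return "no_code"      # never issued, already used, or already locked out
        code_hash, expiry, attempts = record
        if now > expiry:
            del self.pending[username]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self.pending[username]
            return "locked"
        if hmac.compare_digest(code_hash, self._hash(username, submitted)):
            del self.pending[username]  # single use: the same code cannot be replayed
            return "ok"
        record[2] += 1                  # count the miss; a guesser gets very few tries
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through: the password was shared, but the phone was not.
    sf = SecondFactor(b"constructed-server-secret")
    code = sf.issue("alice")
    print("guess without the phone:", sf.verify("alice", "123456"))
    print("code read off the phone:", sf.verify("alice", code))
    print("same code replayed:     ", sf.verify("alice", code))
```

With a million possible codes and three tries, someone who knows the password but does not hold the phone has roughly a three-in-a-million chance per code; this is also the flip side the post describes, since whoever does hold the phone receives the code, which is why the screen-lock and the alert e-mail matter together.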
Now, if your phone does go missing, there are several ways to approach it. If you think you just left it somewhere in your daily travels, or, as I have done more than once, had it fall out of your pocket in your car, the first thing to do is call it, and see if you hear your ringtone. But if you think it's actually been stolen, you may want to track it (there are apps that will allow you to do that; I believe all iPhones have that installed by default), you may want to call your phone company and have it disabled, or you may use software you previously installed (yes, there's an app for this, too) to brick it, or wipe the entire phone, thus rendering it as useless as a brick.
I have some advice on passwords and other security measures as well, but they can take up their own articles, so I'll deal with them separately.
The whole point here is that you really need to set things up ahead of time. You need to set up the apps for screen-lock, phone location, or wiping your phone now, before anything can happen. You need to be careful to whom you give access to your mobile phone and your passwords. You need to set up Multi-Factor Authentication on any account with confidential or financial information. Basically, you need to prepare for the worst and then, if you're lucky, you will never have to use any of these tools. The best time for this is when you get a new phone, because you're setting everything up anyway. But if you're reading this and you haven't really given much thought to it, start with the easiest thing (the screen-lock) and work on the rest as time allows.
You can thank me later.
Update: 6/23/13: I've just found an Android app called "Lookout" that's supposed to protect your (Android) mobile phone by detecting malware and allowing you to track your phone, and even wipe it if need be. I'm installing it right now. At some future point I will probably post more about it, once I've lived with it a while. Watch this blog!