Ensuring the Security of Your Smartphone

With all of the amazing advances in technology there are many exciting topics we could address, but one technological advance enjoyed by most is often left unsecured: the smartphone. This versatile device can make calls, take pictures, send text messages, and stream videos and other Internet content. Applications like email are available as native applications, and browsers place the Internet at your fingertips. Most people never consider the ramifications of using a smartphone to access personal, work, or school data, or their financial institutions, but we should, as we may be putting ourselves, our employers and our families at unnecessary risk.

Using free Wi-Fi is a great way to access the Internet while preserving our data plans, but consider the risks. If you are looking for an address, store hours, or other publicly available information from a website, free Wi-Fi is useful. Accessing any website that requires authentication (i.e., requires entry of a username and password or other credentials), like an email account, social media or banking, allows anyone using the same unsecured Wi-Fi to view your credentials or record them for later review and use.

It’s especially important for those working to protect our nation’s critical infrastructure to maintain security standards on their cellphones as well as other devices. (Credit: AVG)

Should you avoid all free Wi-Fi and the freedom and flexibility smartphones provide? No, but there are some precautions you should implement. The following are a few best practices to keep you, your data, and your accounts safe:

Never use free/open Wi-Fi to access accounts requiring authentication unless using a virtual private network (VPN), and only if absolutely necessary

Disable Wi-Fi when not in use

Disable Bluetooth when not in use

Never send confidential information like social security numbers in email or texts

Clear unnecessary data including images, texts, call logs, etc.

Have a password, PIN, or other authentication on your phone

List contacts by name, not relationship

Do not allow apps to track you by disabling GPS

Install antivirus software on your devices

Keep the operating system and antivirus patched and updated

Consider the reasons for these best practices.

Never use free/open Wi-Fi to access accounts requiring authentication for the reasons shared above. If you ever accessed accounts using free Wi-Fi and have not experienced a loss or negative consequence — like an unflattering or hostile post made on your behalf — consider yourself extremely lucky and immediately change the password for the sites you accessed while using unsecured access. If in doubt, change the passwords anyway. A thief or practical joker may not use an account immediately, so changing the access method is the first defense. Using a VPN is helpful, but only the information exchanged after the authentication process has been completed is sent encrypted. It is possible to compromise the credentials used to establish the VPN. If you have received an email from an account provider like Google (Gmail) that identifies a login from an unknown or different account, you were probably alerted to a hack in progress. Change those passwords now.

Never send confidential information like social security numbers in email or texts, as that information may be accessed from your device, the receiver’s device, and, if sent over unsecured Wi-Fi, any device within range. If you did send personally identifiable information (PII) in this manner, delete the messages and do not repeat the practice in the future. If possible, ensure the receiver of the information also deletes the email or message. ‘Dumpster diving’ of email trash is a common hacker practice, so remember to empty the trash of your email program.

Have a password on your phone. While it may stop a good Samaritan from calling to alert you the phone was found, how likely is it to end that way as opposed to a thief helping himself to whatever your phone contains? The most likely scenario is that your phone would be found or stolen, and a phone in the possession of a less ethically observant individual may become the means to cause you embarrassment, loss, or even a criminal investigation. Embarrassment is the least damaging possibility and may cost you friends (rude posts to friends or family, inappropriate language, inappropriate images). Other possibilities include raising concerns for law enforcement (false calls about emergencies, threats posted publicly), financial loss (access to financial accounts, PII stored on the phone, and charges for calls that exceed your calling plan or data usage), and even criminal consequences or becoming the focus of an investigation (cell phones have been used as triggers for bombs, to communicate by criminals and terrorists, and to access accounts to fund illegal acts). Remember to follow a secure password format that requires upper and lowercase letters, numbers, and special characters, and no PII or easily guessed words.

Afraid of losing or forgetting a password? Some phones allow the use of a passphrase, personal identification number (PIN), or a biometric instead. A passphrase is a series of letters and numbers that mean something to you and not anyone else, or are easily remembered with a prompt. For example, if you really hated trying to remember a password, a passphrase used might be ‘I really hate creating and remembering passwords!’ and you could translate that into the password ‘!1rHc&rPW’ — but that example is not recommended for obvious reasons.

Biometric options on some phones include fingerprint authentication and facial recognition software. The main problem with a biometric method arises if the stored record that is used for comparison is tampered with or swapped for another. A change in appearance, such as the growth of facial hair, or the reflection of light or images off of eyeglasses has rendered some low-end versions useless.

Install antivirus software on your devices. The options for antivirus include good freeware versions available in the phone manufacturer’s app store, or online on the vendor’s website. (Be careful to verify the authenticity of the antivirus program or use the links below.) Full-featured programs with annual subscriptions or fee-for-use options are also available. Freeware versions may provide basic antivirus capabilities and offer the security most of us need. Those seeking premium features have options that may include remote wiping of data on the device, the ability to take and transmit a photo or video of where the phone is at a given time (useless if the phone is face-down on the floor or a table, but useful otherwise), noise features to allow identification if it is nearby (similar to clicking the “lock doors” option on an automobile’s key fob to find a car in a parking lot), GPS locator, and other options.

Find My iPhone and Android Lost are free programs that help you find a lost smartphone, for iOS and Android devices respectively. Options include remote locking of the device, data erasure, GPS locator and audio alarms. Each program has additional features beyond those shared, and as each program is free, there is no excuse for not installing it immediately. Each is available in the respective app store for the operating system.

Installation of antivirus and phone finder apps is not a “one and done” activity. While there may be no requirement to update subscriptions or maintain specific licenses as in the fee-for-use versions, there are still updates and patches that should be applied. As soon as a vulnerability is detected, most manufacturers release software updates or patches to remedy the issues and minimize or eliminate the threat. To be effective, the update must be installed. Enabling auto-update is an option on most devices, but it carries a risk: only specific applications and the operating system should be updated regularly. Some applications may push an update, but when reading the fine print, one learns that the update does not fix any known problem, but instead increases the access of the program to additional tools and data areas.

Free antivirus vendors include:

Avast Mobile Security for Android, iOS, and Windows: www.avast.com

AVG Antivirus for Android, PC and Mac (also in premium versions): www.avg.com

Comodo Antivirus for Android: https://antivirus.comodo.com/antivirus-for-android.php

There are many more free options for Android than for iOS or BlackBerry; subscription and license-for-purchase versions are available in the respective app stores.

Never download an app you are not familiar with and have not researched. Just because everyone else is doing it doesn’t mean it is safe. Pay attention to the access and permissions an application is requesting prior to installation, and before accepting the end user license agreement (EULA) or terms of service agreement. If you are not comfortable with the requested access, abort the installation process. When installing a tool or application, consider whether it is logical for a calculator or flashlight app to have access to your credit card or account information, as no in-app purchase should ever be offered or required. When in doubt, abort the installation and do some research on the application. Researching an application is a good use for free Wi-Fi, but free Wi-Fi should never be used for the installation of an app, as other data, known as Trojan malware, could be installed on your device during the installation process.

If I haven’t convinced you to password-protect yourself and your smartphone, consider the latest social engineering ploy used to trick people out of large sums of money. It is called the Grandparent Scam, and has been publicized in many news broadcasts, social media, and on the websites of several state attorneys general. (See references below.) A thief places calls to family posing as a loved one who has been arrested/incarcerated in a foreign country or a local jail — how believable would it be when the call is made from your phone to a loved one listed by name in your contacts?

Listing contacts by name and not relationship helps limit the success of a Grandparent Scam from your smartphone when the thief only knows a contact as “Tom” or “George” or “in case of emergency” (ICE) instead of “grandpa” or “wife,” which provide information to the thief. Clearing out unnecessary images, texts and call logs deters a thief as well, because the frequency and types of information shared can then no longer help identify the type of relationship you have with each contact in the address book or contact list.

Parents can find additional tips for protecting their children when using smartphones and the Internet at the Federal Bureau of Investigation’s (FBI) Parent Guide to Internet Safety, linked below.

References:

Federal Bureau of Investigation (FBI). (2016). “Dangers for Kids in Cyberspace.” Retrieved from https://www.fbi.gov/scams-and-safety/protecting-your-kids (Scroll down past drug abuse information)

Federal Trade Commission (FTC). (2016). “Family Emergency Scams.” Retrieved from https://www.consumer.ftc.gov/articles/0204-family-emergency-scams

Schuette, B. (2016). “Grandparents Scam.” State of Michigan Attorney General Consumer Alert. Retrieved from http://www.michigan.gov/ag/0,4534,7-164-18156-205169--,00.html

This article is not an endorsement or advertisement for any of the applications mentioned herein. Purchasing an anti-virus program over use of a freeware version from a reputable vendor is not a guarantee of increased protection. The author uses AVG for Android and has been satisfied with its performance.