Seems like everyone has a smart phone. And each user has his or her own unique passcode, PIN, or swipe pattern. They are secure so nobody will mess with them. Right?
I did it.
I left my smart phone alone. Sort of.
Recently, I attended a wealth management conference in Huntington Beach, California and treated myself to one of the complimentary early morning physical fitness Boot Camps workouts on the beach.
I had removed my socks and running shoes and set them beside the workout towel laid upon the sand. Then, I stuck my smart phone and conference badges inside the left and right shoe. I prepared to warm up when the instructor yelled, “let’s take a jog down to the water and back to get the blood flowing.”
Without hesitation, I started jogging, really quickly trudging through the soft sand, toward the water. If you haven’t been to Huntington Beach, it is at least one hundred yards from the top of the beach to the water. The beach is HUGE!
I was maybe twenty-five yards away from the towels and realized I left my smart phone alone. “Oh wait,” I said to myself. I turned slightly looking over my left shoulder and noticed one of the instructors stayed at the site to keep watch over the group’s properties, so I continued my slow trudge to the ocean and back. Upon returning, I quickly inventoried my personal property including my smart phone – all present and accounted for – and continued to have an exhilarating Boot Camp.
I didn’t exactly leave my smart phone alone, but I didn’t need to create angst for myself by not taking it with me unless I planned to plunge into the ocean which I didn’t. Let me give you a couple of real-life scenarios where you may not want to leave your phone unattended.
You are at a bar waiting to meet a friend or two. You pull out your phone so you can check texts rapidly for when your friend arrives. You are no security rookie, so you have the phone set to lock when not in use after thirty seconds. Plus, you have a six-digit numeric pass code for your iPhone or a swath pattern for your Android to unlock it.
You approach the crowded bar and find an empty space between occupied seats. You pull out your phone and unlock it with your 6-digit code to check the texts for a friend update – nothing. Being right-handed, you naturally set the phone atop the bar near your right hand. A few moments later, the bartender approaches you, “what’ll it be,” she says. “Buffalo Trace, neat,” you reply. You gaze across the bank of TVs in front of you looking for something of interest.
The guy sitting to your left leans over to you, points to the hockey game on the bar TV to the upper far left and asks, “who are you rooting for?” You take a moment staring at the screen to see who is playing. That looks like New York and…Nashville? Oh, who cares who else is playing against New York, you think, “Rangers. They are my team.”
“Yeah, they are pretty good this year. Ever been to a game in the Garden. Bet it is pretty nuts.”
“Oh yeah, the Garden fans get into it.”
“I’m visiting from out of town. Maybe one day, I’ll make it to a Rangers home game. I’m more of a soccer fan myself but hockey is fast and a lot of fun to watch. I love the way the Ranger crowd sings ‘GO-OH-OAL’ after a score.”
“Where ya from?” you ask.
“Florida. Near Miami.”
“Very nice. Enjoy the Big Apple. Nothing like it.”
“Hey, thanks for taking time. I didn’t expect a New Yorker to be so friendly. I always hear about the hustle and bustle of big city people not having time for anyone else.”
“Fake news, I guess,” you reply with a shrug.
“That’s right!” replies your new acquaintance with a big smile, “Have a good night.”
“Thanks. You too.”
Congratulations on building bridges. You now have malware on your phone.
Wait. What happened?
Let’s pause for a second. When the phone industry boomed several decades past and the nation moved away from multiple party lines and verbal area codes like, “Operator, give me Lexington 4562,” Ma Bell, aka the original AT&T, instituted the ten-digit phone number: three digit area code plus the seven digit number. One, it would accommodate the growing number of users. Two, most people could remember a seven-digit number (SDN) and commit it to memory. You didn’t have to dial the area code unless the number was outside your area code. That also meant it was likely a long-distance phone call and Dad was not going to be happy if you busted the family budget.
For the record, I still remember the SDNs of the house where I grew up and my friends home number’s all of whom have long since moved. If you ever find yourself in a situation when you must recall a full ten-digit number, here is the trick. Remember the area code as a picture and recite the SDN in your head like a TV ad announcer. “That’s 8-6-7; 5-3-oh-9. Once again, that’s 8-6-7, 5-3-oh-9,” until you can write down Jenny’s full number.
If remembering a seven-digit number is doable, then remembering a six-digit PIN is even easier. When you walked up the bar and waited for the bartender, you pulled out your phone and input the six-digit PIN to check the texts. Nothing. You set down the phone and waited for the bartender. The auto lock on the phone sets. After you order a drink, the curious Miamian gets your attention for a minute or two with all the attention and discussing occurring to your left.
Meanwhile, the person to your right whom you paid no mind had watched you input your pin. While your encounter occurred, the person to your right picked up your iPhone, input the pin, and opened Safari. Then, he input a short Bitly-type URL that took him to a known malware site, and he clicked on the download link. Within seconds, the download is complete. The bad actor closes Safari and sets the phone down to your right side near where you left it.
The malware logs all your activity and keystrokes beaconing back to the mothership that is collecting whatever you input. Hopefully, you can enter some key sites with facial recognition and not keystrokes. Maybe, the damage won’t be too bad.
By the way, a creepier version rendition occurs vicinity Austin, TX where bar acquaintances incapacitate the victim and use their unconscious face to unlock the phone and clean out the on-line bank accounts stored on the phone.
You attend a banking conference at a swank hotel in southern California. You’re lounging at the pool enjoying a Minneapolis Mule, soaking up some rays, and chilling. The phone rings and you answer. The boss wants to know if you can jump on a call in the next thirty minutes. Sure, you can and you hang up. First, though, a quick dip in the pool.
You set down your phone next to your drink and head for the pool. Nobody is going to steal my phone at a place like this. Everyone has a phone. Besides, this place is swank. The staff is all bonded and will be fired in a hurry. You slip into the pool and do a slow freestyle to the other end where you exit the pool. Your cooled off and can be ready for the call in 25 minutes. You return to your lounge chair and your refreshing drink. Wait! Where is my phone? Who took my phone? Don’t panic. You have it locked and nobody can break into it because nobody was nearby to steal my PIN or swipe pattern.
Get moving. You have maybe 24 hours before everything on that phone is exploited.
Someone stole your phone. No kidding.
You think nobody else knew that this swank hotel was having a banking conference? Oh my, people with a decent amount of money all gathered in one place. The bad gal stole your phone and beat feet back to her room. There, she and her well-financed cronies applied expensive code cracking software to breach the phone. First target, your on-line banking. Next, maybe your brokerage assets since she likely has access to your email and can reset every password. Hope you enabled MFA – but not that phone for SMS texts – for those accounts.
Just when you thought it was safe to go back in the water.
Folks, smart phones are great, but from a risk management perspective, we entrust too much of our livelihood to them. Make no mistake in that smart phone manufacturers won’t slow down in adding capacity to them. Plus, businesses won’t stop moving processes to their customers and their smart devices. Here are a few recommendations.
- Protect your phone – don’t leave it unattended – unless you work in a secure facility with cameras.
- Apply better security measures than the system default. I don’t use the standard iPhone six-digit PIN for my phone. Instead, I use a fourteen (14) character, alphanumeric, special symbol mix. Hey, you are going to work for it if you want to breach my phone.
- Vary the multi-factor authentication to SMS, Authenticator, and email. For instance, Authenticator still requires facial recognition in addition to inputting the proper PIN as part of the process.
- Don’t leave your phone on the bar – place it in your pocket, purse, backpack, arm band, fanny pack, etc.
- Document your accounts, especially those maintained with an app on a device, and have a plan to contact each vendor in an emergency to limit damage. Consider this your personal incident response plan.
- For good measure, disable Bluetooth in public and enable a VPN whenever possible.
- Oh yeah, limit your phone apps too.
The last two are nothing new but the bad guys are out there, and we all must be ready.