People are honest, except when it comes to phones, apparently.
Symantec recently conducted a very interesting study into the weakest link in security – people. They did this by preparing 10 smartphones to be “lost”, adding applications that would track what happened to the phones once they were found. They also made sure that the only entry in the phone was “Me” and that it gave details of the researchers so that the phone could be returned.
The results are bad news for people who think not only that honesty is the best policy but also that most people are honest.
Now, to be fair, the phones were just left around and had no PIN, so we are not talking about people “hacking” the phone to get access, but the results are frightening.
Here’s what the finders accessed:
- Contacts – 81% (although this makes sense if they were looking to call someone and return it)
- Social Networking – 64%
- Cloud-based Documents – 47%
- Passwords – 57%
- Salary Information – 45%
- Online Banking – 43%
The researchers had a wide range of reactions from the finders. Everything from someone running after them as they “lost” the phone, to someone using the phone for a week and then returning it with an email saying they were sorry and felt guilty! They even had people attaching the phones to computers and then trying to hack corporate networks using the credentials found on the phone.
In the end more than half the phones were returned, but the damage would have been done.
As a point of reference, dear reader, there are documented black markets for bank account information where the credentials are sold for $500 – $1000.
So, don’t be a victim by enabling your thief. Use a PIN. Don’t store information that is not password protected. Use the technologies that enable phones to be remotely wiped if they are lost. Don’t expect people to be honest – it’s clearly a very poor risk management tactic.