TORONTO – Canadians who lose their smartphone or have it stolen should have little hope that their private information will remain private if their device is left unlocked, according to a new study.
The experiment called The Honey Stick Project, conducted by security software firm Symantec, involved leaving 60 smartphones loaded with personal and corporate data around major Canadian cities and tracking what information was accessed once the phone was found.
Even those who were honest enough to try to return the phone were overcome by the urge to snoop through it, according to the researchers.
In total, 56 out of 60 phones were accessed for some sort of information.
Eighty-three per cent were accessed for personal information or apps, and 63 per cent were accessed for corporate-related apps or data.
Only 55 per cent of the phones were picked up by someone who attempted to return the device.
“The surprising part to me was even after they attempted to return the phone they still had an awful lot of fun trying to access information and applications,” said Stefano Tiranardi, information protection specialist at Symantec Canada.
“Individuals who have their phone misplaced or stolen should have no hope that their private information actually remains private.”
The devices were left deliberately unsecured without any kind of pass-code protection, in order for the finder to snoop to their heart’s desire.
READ MORE: Debate over cellphone kill switches heats up in Canada
One phone left at a bus stop in Calgary was found by someone who seemed quite eager to return it; however, while waiting for the owner to contact them, the finder snooped through everything from the contacts list and social networking apps, to an app labelled “HR Salaries” and the passwords app.
“We were trying to figure out whether the individuals who found the phones were going to be able to make the link between ‘password list’ and the banking application – and they did rather quickly,” said Tiranardi.
“The results we have here are very representative of the real world.”
Tiranardi said the experiment drives home the point that smartphone users need to be aware of how quickly sensitive private information stored on their mobile device can fall into the wrong hands.
But experts caution users not to jump to conclusions about the study’s findings.
“It’s important to distinguish dishonesty from curiosity,” said Graeme Hirst, professor in the department of computer science at the University of Toronto.
“I suspect that many of the people that toured through the phones they found were simply curious – the motivation wasn’t to do anything bad, it’s just naturally human.”
Hirst also pointed out that the finders may not have been familiar with the type of phone, which may have led them to do more snooping than intended in order to find contact information for the owner.
“Experimenters may have naively thought that the competent finder would immediately go into the contacts list, assuming they know this kind of phone,” he said, adding that iPhone users may not immediately recognize the contacts app on an Android phone and vice versa.
Hirst speaks from experience – a few years ago he found a Mac laptop quite similar to his own abandoned on the side of the road.
But when he opened up the computer and began looking through its files he could not find anything that linked it to its owner.
“I toured all around that thing trying to find any indication of the owner’s identity and I didn’t in the end – they were perfectly anonymous,” he said.
- Canadian man dies during Texas Ironman event. His widow wants answers as to why
- ‘Shock and disbelief’ after Manitoba school trustee’s Indigenous comments
- Several baby products have been recalled by Health Canada. Here’s the list
- ‘Sciatica was gone’: hospital performs robot-assisted spinal surgery in Canadian first
In Symantec’s experiment each phone had an entry clearly labeled “Home” in the contacts app; however, in a real-life scenario it may not be that clear.
Identity theft a real risk for those who don’t protect their devices
Privacy experts agree that Symantec’s experiment drives home the point that if users do not password-protect their mobile devices they are leaving themselves vulnerable to information loss and theft.
“A smartphone is not that much different than a desktop or a laptop computer,” said Hirst, who warned that there is enough information on a smartphone to commit some form of identity theft.
Identity theft could come in many forms, including stealing credit card or banking information, or using someone’s personal details to impersonate them online.
READ MORE: Your digital footprint – Steps to personal data privacy
But Avner Levin, director at the Privacy and Cyber Crime Institute at Ryerson University, warns that as users increasingly turn to cloud technologies for data storage their devices can become portals to more detailed information for thieves.
“Not only is the phone a holder of information, but it’s the entry point to cloud information as well,” he said.
Levin added that as mobile payment options become more popular it increases the risk and the ease of which criminals can steal banking information.
“It’s not just that the phone could be used to steal your identity, but it could be used to commit the fraud directly instead of just taking your bank card and going to the bank with it,” he said.
Hirst also pointed out that tech companies like Apple are making it easier to store credit card information in the cloud.
Apple’s iCloud Keychain allows users to save their credit card information so it will auto fill in payment fields when online shopping, for example.
Keychain does not save the CCV security code on the back of the credit card, which most sites will ask for when checking out, but Hirst warns it still provides a lot of information to someone if they get their hands on your device.
Comments