People are too honest to snoop through your lost phone, right? Symantec study says 'HAH'

Symantec study shows 96% of finders will snoop, almost half try to get into your bank account

Numbers aren't precise because reporting is spotty, but cell-phone users lose something like 70 million phones per year in the U.S. – about 30 percent of all the phones in use at any given time.

Only seven percent are recovered according to a study published recently by Kensington, which makes locks for mobile devices.

A lot of those devices have valuable data on them, but most aren't protected in even rudimentary ways, the Kensington study showed.

Only 57 percent had any security, but 60 percent had confidential contact lists, emails, Internet and security codes and credentials for business apps or mobile-payment services.

The data on a smartphone is valuable enough and the headaches involved in recovering it are big enough that 50 percent of Americans would rather give up all of a year's vacation time than lose all the files on a computer or other mobile device, according to a study published in November by online storage company Carbonite.

(Twenty-three percent would give up their cell phone for a month to avoid losing data on a laptop, which just begs the question of whether laptops or cell phones are more valuable to the people who have just lost one or the other.)

So it's not good news that there's not only very little chance of recovering a lost phone, but that even honest people trying to return a lost phone will look at the confidential data stored on it, according to a real-world sting/psychological experiment by security companies Symantec and Security Perspectives Inc.

During the Symantec Smartphone Honeystick Project, Symantec dropped 50 smartphones in five North American cities, each seeded with fake corporate information that would look real and sensitive to anyone picking up the decoy phones.

Some of the honest folks who found the phones pried into them to find the owner, but 96 percent did some prying, and even the most honest went further, according to the report.

Six out of 10 who found the phone tried to read the email and social-network data on the phones; eight of 10 tried to read corporate info including files salaciously labeled "HR Salaries," "HR Cases," and other terms that indicate red-flagged "sensitive" files to anyone living in Corporate America.

The decoys also had an ersatz remote-access/VPN app that looked as if it would give viewers automatic access to the private network of a corporation whose name the finder might not even know.

Half tried to run the app to access the network anyway.

More damningly, just short of half tried to use social media, email and credential information to access the phone owner's bank: not just reading data on the phone about it, but actually trying to get into a stranger's bank account, which is just slightly more illegal than browsing through documents marked "HR."

The point, according to Kevin Haley, director of Symantec's security, technology and response group, isn't that everyone is dishonest; the point is that everyone is curious, even about things that are so private that accessing them is likely to be a crime.

Most of the probing would have been prevented, Haley wrote, simply by protecting the phones using the password screen-lock that comes with almost every cell phone.

Simplistic as it seems, one password will deter most casual probers.

Real security is more demanding, but most of it would be covered by a mechanism to remotely wipe any sensitive data left on a phone that's been lost or stolen, Haley wrote.

For most corporations, that would end the risk; for personal phones or companies that want the hardware back, it would be useful to have software that will phone home to tell you where a lost cell phone is so you can recover it.

That is, if you still want it, after having to retrieve it from someone honest enough to admit they have your phone but curious enough to pick up a lost cell phone and nosey enough to go digging through all your private data and pictures before you arrived to catch them at it.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
