It is not good news, then, that not only is there very little chance of recovering a lost phone, but even the honest people who try to return one will look at the confidential data stored on it, according to a real-world sting/psychological experiment run by the security companies Symantec and Security Perspectives Inc.
In the Symantec Smartphone Honeystick Project, Symantec dropped 50 smartphones in five North American cities, each seeded with fake corporate information designed to look real and sensitive to anyone who picked up one of the decoy phones.
Some of the honest finders pried into the phones only far enough to identify the owner, but 96 percent did some prying, and even the most honest of them went further than that, according to the report (PDF here).
Six out of 10 finders tried to read the email and social-network data on the phone; eight of 10 tried to read corporate information, including files provocatively labeled "HR Salaries," "HR Cases," and other names that mark a file as sensitive to anyone who has worked in corporate America.
The decoys also carried an ersatz remote-access/VPN app that looked as if it would give the finder automatic access to the private network of a corporation whose name the finder might not even know. Half of them tried to run the app and get onto the network anyway.
More damningly, just short of half tried to use the social-media, email and credential information on the phone to get at the owner's bank account: not just reading data on the phone about it, but actually trying to get into a stranger's bank account, which is only slightly more illegal than browsing through documents marked "HR."
The point, according to Kevin Haley, director of Symantec's security, technology and response group, is not that everyone is dishonest; the point is that everyone is curious, even about things so private that accessing them is likely to be a crime.
Most of the probing would have been prevented, Haley wrote, simply by protecting the phones with the password screen lock that comes with almost every phone.
Simplistic as it seems, a single password will deter most casual probers.
Real security is more demanding, but most of the remaining risk would be covered by a mechanism to remotely wipe any sensitive data on a phone that has been lost or stolen, Haley wrote. One caveat worth keeping in mind: a remote wipe only takes effect if the device is still powered on and reachable when the command is sent, so the screen lock, and storage encryption behind it, is the layer that actually has to hold in the meantime.