Is your phone set up to protect your data and to help it find its way home when lost?
Last night, while I was on a walk with my amazing wife, we discovered a lost phone on the ground.
Considering that within a half-mile radius of my house there are three churches, two schools, two parks and a golf course, this happens more often than you would think. I'd like to believe that I am a decent, responsible security professional. As such, my first thought wasn't "Hmmm. What can I do with this?", but rather "How can I quickly get this back to its owner?"
Sometimes this is extremely easy. Other times, not so much. This case met a few hiccups. To respect their privacy, I always try to touch as little of their data as possible. So, here’s what I tried to do to get the phone back to the owner as quickly as possible:
At this point, I had exhausted all of my non-intrusive options.
We walked to the house and returned the phone. In the spirit of full disclosure, I did let them know the steps I took to return it.
At this point, you might be asking why I am writing a "good Samaritan" story. The answer is simple: to serve as a cautionary tale.
What if the person who found it had been not me but a thief, or a general user who did not know where else to look on a locked phone? What if it was their work phone, instead of the child's phone it turned out to be? There are many variations on the situation with potentially drastic impacts to the basic security precepts of confidentiality, integrity and availability.
Hopefully, you are reading this before you are the one with a lost or stolen phone and can use the guidance below to set yourself up for the best result.
1. Enable total device encryption: Total device encryption represents one of the strongest methods to protect your data from snoops, thieves or unlawful searches. A device without encryption will easily hand over its secrets to anyone or anything (e.g., an app or a computer) that asks. Remember, you are carrying a small computer with access to a lot of private information about you. Most mobile platforms have built-in encryption systems. While some new Apple and Android devices will have encryption enabled by default, most devices will require a manual change in the settings menu.
2. Password > PIN Code > Pattern > Slide to Unlock: This guidance is pretty straightforward. It is pointless to have an encrypted device that doesn't require some sort of authentication method. Each step to the right on this list gets easier to access, both for you and for any good or bad guy. Ideally, we can keep the bad guys out and help the good guys return your device. See tips 3 and 4.
3. Establish "In Case of Emergency" (ICE) contacts: Many phones, ranging from basic flip devices to the newest smartphones, have an option to flag specific contacts as ICE entries. When the phone is locked, these contacts show up under the "Emergency Dial" option, instead of it only allowing calls to 911. Good guys can let you know they have your device, while bad guys are still locked out.
4. Enable "If Found" information: Many smartphones have a special setting for this instance. If an incorrect password is entered, it scrolls alternate contact information across the screen. This again allows you to be contacted, while your data is safe.
5. Enable failed unlock force wipe: Brute-forcing a device is a real possibility. The only surefire way to prevent it is with this setting. Some devices allow you to set a threshold of failed attempts. Others have a default value, such as ten. Either way, the result is the same. Enter the password incorrectly too many times and the phone automatically starts a master reset. All device information, aside from the OS, is removed. Aside from destroying the device itself, your data can't be more secure than when it is securely wiped. Make sure you also follow tip 7 with this!
6. Install a "Find My Phone" app with a secure password: There are many trusted options available in this arena. GPS tracking is the largest feature, but the ability to sound an alarm, take a screenshot, remotely wipe the device and so on should certainly not be discounted. Just make sure whatever option you use has a secure password to its recovery site. Most of the time, these applications need to be installed and configured BEFORE the device is lost or stolen.
7. Back up your data regularly: Many people don't back up their computers, much less their phones. I'm here to tell you that you should. A fragile, easily stolen device with tons of personal data, as well as things you just plain want (pictures, anyone?), that you take everywhere with you. What could possibly go wrong? Just about anything. Whether using a cloud solution or physically connecting your device to a computer, back up pictures, music, apps, contacts and whatever else you don't want to lose.
So please, dear reader, take a moment to thwart data thieves and help the good guys help you.