Like most families these days, my family has gone mobile. My husband carries an Android phone and a Google tablet everywhere. Our 14-year-old has a Chromebook issued by his school, a Windows phone, and an iPad. I have an iPad and iPhone, as well as a traditional laptop.
I’m a computer security nerd, and while most of our mobile devices are more secure than the average smartphone or tablet, two of them — my husband’s Google tablet and Kameron’s Chromebook — are nearly impossible for me to secure. Kameron’s Chromebook is unsecured because his school set it up that way, and we lack administrative access to change it. And my husband’s Google tablet is insecure because he saw no reason to secure it — there isn’t even a passcode to turn it on and off.
So naturally, it was my husband’s tablet that somehow got left behind after a shopping trip to Target yesterday. (Don’t ask me why he had his tablet in a Target store — I assume he had a shopping list on it, but I can’t imagine taking my iPad with me while shopping.) The loss of that tablet could have been devastating to our family’s security, safety, and privacy. In many ways, that little 7″ tablet was a backdoor into our lives that could have given a thief or hacker everything required to hijack our finances, our identities, or compromise the security and safety of our home.
My husband has never been as concerned about mobile security as I am. But in the three hours between realizing that his tablet was lost and the moment a store security guard called to say it had been turned in by an honest employee, he got a quick lesson in just how damaging a lost or stolen mobile device could have been. Initially, his biggest worry was the cost of replacing the (uninsured) device, and the amount of lost information on the tablet, which included everything from his entire family reunion invitation list to our family Christmas card list, as well as irreplaceable photos that existed only on his tablet.
Reality set in for him when I came up with a list of more than 25 passwords that needed to be changed, a dozen accounts that needed to be monitored, and the 10 companies that had to be notified. I think that’s when he realized just how dangerous the information on that mobile device could be to our family if it got into the hands of a criminal.
The list of passwords to change on his mobile device included:
- His email account.
- His Google Drive and all of his cloud storage accounts (Box, Dropbox, etc.).
- Bank passwords, since he had accessed our joint checking account, his personal accounts, and our credit card account yesterday using his tablet, and those passwords might still be accessible to a knowledgeable user.
- His online brokerage account.
- All of his social media accounts — Instagram, Facebook, Twitter, Reddit, StumbleUpon, GoodReads.
- His Amazon.com, Netflix, Hulu, and eBay accounts. (Stores where you make frequent purchases, such as iTunes, Amazon, and eBay, are especially vulnerable, since most of us also store payment information there for “one-click” purchases.)
- Passwords for websites where he pays bills directly to the vendor (like AT&T.com, the local utility company and the home security company that monitors our home).
In addition, that tablet contained family photos we wouldn’t necessarily have wanted to share with strangers, such as photos of a newborn grandchild, photos from our “second honeymoon” trip to New Zealand, and pictures of a loved one in the final days of life. It also contained travel itineraries for an upcoming trip, and photos of the interior of our home that would have given any thief a clear idea of when the human and canine occupants of our house would be gone — and what might be worth stealing while we’re away. Of course, there was plenty of correspondence in the tablet that includes our home address and other identifying information, too.
A Target employee’s honesty saved my family from a host of problems, and I am grateful for that. But it reminded me once again how important it is to secure mobile devices with on-device encryption and strong passwords or biometric unlock tools, and to avoid storing the passwords to other accounts on mobile devices.
Legal Liability & Lost Mobile Devices
To paraphrase an annoying TV commercial, what’s on your smartphone or tablet? And what kind of trouble could you be in — legally or personally — if it got into the wrong hands?
My husband is retired, so there was no company data on his tablet that we had to be concerned about. That wouldn’t have been the case if it had been my iPhone or iPad that was lost, because I use both for a wide range of communications and projects for clients and companies where I am a board member or advisor.
Most of us don’t think twice about using personally owned smartphones or tablets on the job. But a number of recent court cases around the U.S. have made it clear that employees who use personally owned devices for work can be held personally liable if lost, stolen, or hacked devices result in a loss of data under the Computer Fraud and Abuse Act (CFAA). I won’t attempt to explain all of the issues around the CFAA here, but for more information on what can happen to those who are held personally liable for lost or hacked data from a personally owned mobile device, I recommend Shawn E. Tuma’s excellent Business Cyber Risk blog.
The question of personal liability also comes up. What is your credit card company’s policy about online purchases made using your tablet, your password, and your credit card — through a lost or stolen mobile device? What’s your bank’s policy about online funds transfers under the same circumstances? What does your insurance company say about a break-in that occurs at a time when the thief knows you aren’t home — especially if he has the ability to change the codes to your alarm system? I don’t know the answers here, but I know that my husband and I were confronted with the questions in light of the loss of his tablet.
Then there’s the question of what happens to your personal data if you use a personally-owned mobile device at work and your employer’s policy calls for the device to be remotely wiped as soon as it is reported lost or stolen, or in the event you quit or are fired. A recent Texas case holds a couple of simple but important lessons for implementing BYOD (mobile) policies for employers and employees alike. In Rajaee v Design Tech Homes et al., (Dist. Court, SD Texas, 2014), Saman Rajaee sued his employer, Design Tech Homes, for remotely wiping personal data from his iPhone shortly after Rajaee gave notice of resignation. Rajaee cited violations of both federal and state law. Although the case was dismissed in federal court, the state court claims are still pending.
The case has two clear lessons for mobile device owners who use their smartphones or tablets to work. First, know and understand your employer’s BYOD policies. Second, back up your personal data. How often do you back up the data on your smartphone or tablet? What would you lose if your mobile device(s) were lost or stolen?
Make Your Mobile Less Attractive to Thieves
Back in February, it was widely reported that smartphone kill switches have made smartphone theft much less attractive to thieves. The kill switches that allow users to remotely wipe phones of personal data and make them unusable are behind plummeting cell phone theft rates according to a new article in Fast Company. Smartphone thefts in San Francisco, New York City, and London have nose-dived as politicians have rallied behind the idea of using kill switches to make smartphones a less appealing theft target. California became the first state to require that smartphones have kill switches installed by July 2015, while Minnesota has also passed a law requiring them to be installed next year.
The problem with kill switches is that to be an effective deterrent to thieves, they have to be turned on. Is the kill switch on your phone turned on? I honestly thought the one on my iPhone was turned on — but when I checked this morning, I was surprised to find that it was turned off.
Kill switches have been installed in iOS devices since 2013, and iPhone theft has declined 40% in San Francisco and 25% in New York City since the switches were installed. Samsung added kill switches a year later, in August 2014, and the latest version of the Google Android operating system, Lollipop, also includes a kill switch. Windows phones get kill switches in July 2015 when Microsoft releases a new software update.
Despite widespread adoption of kill switches by device manufacturers, only 1.6% of Android users run Lollipop, and Samsung’s kill switch is installed only on Galaxy S5 and Galaxy Note 4 phones through specific carriers. 97% of iOS devices run an operating system with a kill switch, but it is not turned on by default and requires a connection to the iCloud service.
Don’t learn your lesson about mobile device security the hard way. Let my husband’s panic last night be a warning to take steps now to minimize the potential impact that a lost or stolen tablet or smartphone could have on your family.