Most Aussies don't wipe stolen phones: survey
Only 30 per cent of Australians who lose their phones take precautions to protect their data, according to the results from a survey commissioned by PayPal.
The PayPal analysis, which surveyed 1000 Australian smartphone users, showed that around one in six Australians have lost, misplaced or had their smartphones stolen in the past year. But, after losing their device, only about 30 per cent actually remotely wiped the data from it. Pilfering data from these lost or stolen devices is made even easier, with the survey finding that almost half of all respondents don't use a passcode on their mobile devices.
PayPal director of mobile security and risk Prashanth Ranganathan said that users still haven't come to grips with just how much information smartphones hold, and questions whether they should actually be treated with more care than traditional wallets.
"Unlike our wallets, I think we take our phones a little for granted. We're not as careful as we should be. These are connected devices that do, in some way, manage our entire lives — our digital lives, at least."
He also said that users' inability to understand how different phones are from wallets is leading to some strange behaviour.
"The ease of use is the primary driver for mobile usage, which is why people love leaving applications running in the background — they want long session times, and they don't want to be logging in constantly. That ease of use on the small form factor results in them being a little bit lazy in some ways, and that results in [the] ultimate compromise of data and identity."
Ranganathan said that users usually wouldn't dream of logging in to their bank account on a public terminal and then simply walking away, but the same essentially happens when users keep apps open and logged in on a phone without a PIN, and then leave it on a table.
He understands that there is a need for balance, and that placing a PIN on each individual app, while secure, is inconvenient for most.
"I'm advocating for [the] first line of defence. Have a screen lock on the device, so that if five minutes go by and your device is not active, it actually locks itself."
Ranganathan said it is great to have apps that can remotely wipe or recover data after a device has been lost. However, he said that like most problems in the information security industry, it is only a matter of time before ill-intentioned actors catch up — and users should not wait until it is too late to do anything.
"It's going to be a little bit of chicken and egg. As soon as a [thief] knows that there are such remote-install applications available, the first thing they're going to do is ... make sure that those applications don't get installed, or somehow block those applications on a private network.
"Every time there's a solution proposed, it works for a little while until the [thieves] work around it."
Even if they're not stolen, phones are becoming a greater target for hacking.
Centre for Internet Safety director and Council of Registered Ethical Security Testers CEO Alastair MacGibbon said, "With over 12 million Australian smartphone users expected in 2012, criminals are now making moves to target mobile users.
"Australians must stay alert and ensure they protect themselves across all their devices. As the technology evolves, and more Australians use their smartphone devices to fulfil a wider range of functions, consumers need to keep an eye out for fraudulent encounters, and be educated about ways to safeguard their smartphones from cybercrime."
Ranganathan said this means that users should think not only about what's on their device, but also about how it connects to the internet.
"If you're connected through the Optus network or the Telstra network, I think you're reasonably safe, because they've taken the required measures to guarantee security on the wire, but if you're connected through someone's free Wi-Fi network and accessing a ... website, that information that's going over the wires could be easily snooped," he said.
PayPal is looking at different ways that it can use technology to improve security. One of these is bringing contextual authentication to mobile devices. These systems have been in place for transactions conducted on desktop computers, allowing investigation teams to be alerted if a user logs on in one country and then shortly afterwards in another.
But, according to Ranganathan, it is something that has not been implemented in the mobile space very well. He said that most smartphones have the advantage of being able to truly pinpoint a user's location using GPS, and, with this information, systems could build a user profile to highlight normal and abnormal activity.
Ranganathan acknowledged that while technology can be of assistance, there is always a fine line between using it well and potentially invading users' privacy. Nevertheless, PayPal is conducting a trial of its contextual-authentication system in parts of the US as part of its research and development. While Paypal's contextual authentication is not yet available in Australia, Ranganathan said that the company has not struck the country off its list of potential testing grounds. In fact, Australia's mobile appetite has meant that PayPal has shuffled Australia up its list of guinea pigs for other products, for example PayPal Here, so it's likely that Australia will be one of the first countries to see the technology.
"When it comes to mobile, we will start to do more of that here. The appetite for technology is fantastic. Given that this is a good environment for us to tap, I think we will start to roll out stuff here.
"We definitely view the Australian mobile market as something we can learn a ton from."