Saturday, March 10, 2012

Finders of lost smartphones likely to skip good samaritan mode: study

A social test run by a security firm has exposed the seamy side of humanity. It has, however, exposed the need for better security on mobile devices, which is possibly why the firm ran the experiment in the first place.

Symantec intentionally "lost" 50 smartphones in cities across the U.S. and Canada. They were left in places where they could be easily found, but they were also loaded with tracking and logging software, so the company could not just track the devices, but also track everything anyone who found them did with them.

In general, despite the fact that the contacts app on the phone had only two contacts, including one clearly marked as the owner of the phone, the finders of the smartphones did not immediately turn around and return them.

Curiosity killed the cat, and apparently got the best of these people, who were led away from being Good Samaritans, and into being ... what? About 53 percent of them clicked on a file named "HR salaries." About 43 percent of finders clicked on an app labeled "online banking."

Let's not forget a file named "saved passwords," which was opened by 57 percent of them (and some of them attempted to use "online banking" right after the "saved passwords" file, with an obvious reason ... and not a good one ... coming to mind).

A folder named "private photos" attracted the attention of 72 percent. Email and social networking apps were checked by 60 percent. It could be that they were checking at least some of these areas for clues to the owner, perhaps having missed his ID in Contacts.

However, if that was the case, why was it that only 50 percent attempted to return the smartphones? All told, 89 percent of finders clicked on something they really didn't need to.

Kevin Haley, director at Symantec’s security response team, was disappointed in humanity's failures. He said, of the unscientific test,

"I wasn't surprised, but I wish I had been. At the end of the day people’s curiosity is so strong, if you present them with the opportunity, they will do it. You would have hoped most people would have made every effort to return the phone."

The report goes further. It gives two rather horrific examples of the behavior of finders.

In one example, on Feb. 2 at 3:05 p.m. PST, Symantec "lost" a phone in a restroom at the Santa Monica Pier in California. Eighteen minutes later, a finder tried to access the phone's contacts application. Remember that there were only two contacts, one clearly labeled as the owner.

Just a little later, the finder accessed files labeled “passwords,” “cloud-based docs” and “social networking.” Later, the phone was moved into a nearby restaurant, then into a mall, and still later, to a dog park. About two hours later, at about 5 p.m., the finder opened the Contacts application three times, perhaps mulling over calling the owner.

After the phone seemed to settle in East Los Angeles, the finder opened the passwords file three times, and then went into online banking, social networking, contacts, pictures, remote admin and some other files in rapid succession. Eventually, though, the "new owner" hard reset the device, removing all the logging software from the device.

You might think that was a sad end to the story, and it was, of sorts, but apparently the finder felt guilty. Nearly a week later, on Feb. 8, the finder wrote an e-mail to the "original owner," which read:

"Hi. I found your phone at the Santa Monica Pier last Thursday (Feb. 2). I used it for like a week but now I feel bad and want to return it. I'm really sorry. :/ What do you want me to do to return it to you?"

Example two ended up with less honesty and more money in the wallet of the finder. A phone was "lost" near Rockefeller Center in New York City at 4 p.m. EST, also on Feb. 2. After finding the phone, the finder repeatedly opened and closed the contacts application (remember again that it only had two entries, including the owner's information).

Activity on the phone stopped at 10:30 p.m., but it seemed that the finder awoke at 4:03 with a purpose: to look into the “HR salaries” file. Two-and-a-half hours later, at 6:30 a.m., the finder opened the following apps: calendar, pictures, social networking, online banking, HR salaries, remote admin, corporate e-mail and (yes) passwords.

Eventually the phone's activity stopped, but one week later it resurfaced in New York City's Chinatown area at 5:35 a.m. on Feb. 9. One week after it was lost, it was wiped clean, likely as part of a sale on the black market, Symantec said.

The teachable moment for smartphone owners is to a) PIN- or password-lock your smartphone, and b) invest in services like a security app. Most of them offer lost-device services (although those services usually require a subscription fee). If you lose your device, not only do they allow you to remotely lock it, you can also force it to display a custom lock-screen message, make it "scream," or even wipe it (if you have the proper account type, that is).

Based on the experiment, you can see there's not much of a reason to trust the generosity of folks.
