As we start to pay bills and surf the web from our mobile phones, it's not the handsets thieves will be after.
When was the last time you mislaid your mobile? If it was lost, what would you do? You would probably ring up your operator to get the SIM and phone blocked. But would you cancel your credit cards?
With new mobile phone payment systems for everything from car parks to cinema tickets, the SMS and email "sent items" on the average mobile phone may contain extremely useful information.
For example, parking meters are switching from cash to card payment via text message, so many people are now carrying their card details on their mobiles, unencrypted. When registering with the system, users are encouraged to send their credit card details via text. The transmission of this data is relatively secure, with SMS traffic being passed across mobile phone networks with limited chance of interception. However, the local storage of this information on the phone is woefully lacking. A pick-pocket stealing a phone could have free run of the card until their hapless victim's next statement thuds onto the doorstep.
The idea of paying via text message is a masterstroke for convenience; but more time needs to be taken to consider the implications. Some of the risks posed by this system can be mitigated only by allowing initial registration by telephone, avoiding the need for input of card details into the phone itself.
Next, many corporate users have recently been migrating to MS Exchange push-email capabilities with Windows Mobile. This solution can represent a significant cost saving if Exchange is already widely in use within a business. But there are pitfalls, not associated with Exchange itself, but with Windows Mobile 5 and 6.
Windows Mobile caches large quantities of user information in its cut-down version of Internet Explorer. Like most mobile applications, the browser doesn't actually close down when you've finished. Hence the browser cache is rarely emptied, and your last browsed page is displayed as soon as you navigate back to the browser. So, if you used your online banking facility, or checked any other applications using the phone browser, they are probably still cached. Even though your session may have timed out, data could still be available for all to see, so you should exercise the same level of caution with your smartphone as you would your laptop.
A simple four character PIN is often enough to secure the device against the casual attacker. All users should ensure that PIN protection and a PIN lock-out is enforced to prevent unauthorised access to your WM devices. Otherwise, the attacker has access to the contents of the mailbox, browser cache, etc.
Even with a PIN on the device, what about your removable media? Your email attachments, browser cache, photos etc are often stored on these. There are even forensic tools available to undelete images or text messages; virtually anything stored on the phone can be recovered.
Finally, something to try in the office: Windows Mobile devices are often connected to the PC/laptop they sync with. Users are getting better at locking their desktops when away from the desk. However, if the phone is left attached to the PC and isn't locked, anyone wandering past the desk has full and complete access to their email. ActiveSync works on the mobile, even if the PC is locked.
So what can we do? Encryption can be a pain to manage, but it does solve the problem at a stroke. It may even be worth having a third party check the security and configuration of these devices, just as you would your laptops, PCs and servers.
If a smartphone does go AWOL, a rapid process must be in place to deactivate it. The user should contact the helpdesk immediately to have their email account locked temporarily. But how does the user quickly find the helpdesk number, given that it was probably stored on the phone that's now missing?
Ken Munro is managing director of SecureTest. He can be contacted at firstname.lastname@example.org.