With mobile technology integrated into our personal and professional daily lives, it has become easier and faster to access most information. Devices have become more powerful, opening up usage to everything from content generation to video editing and professional photography. With speed and ease of use as criteria, manufacturers have also made logins, passwords and other identity credentials as simple as possible. Often, only a screen lock password or other generic protection separates us from instant access to all of the information. Who remembers the last time they had to use their Facebook password or type in the complicated password used to secure their email? For most users, it is a “one and done” event, with our mobile devices remembering those passwords and rarely logging out. We do need the passwords when we upgrade to a new device, but once logged in, we save the credentials to ensure fast access to the data as well as auto-population of new data from the associated application. This usage highlights the dichotomy between rapid, free access and security. Although ITAM focuses on the business aspects of mobile devices, let’s make it easy to empathize with the organization through a personal example.
I recently had my cellphone stolen and with it, the gateway into my entire life. Facebook, several email accounts, banking information, calendar appointments, geolocation data (such as my home address when using the navigation application) and other information were now in the hands of an unknown entity. My heart sank and the threat of identity theft felt very real. Facebook could provide my name and birthdate. Navigation apps could provide my home address and my banking app could provide an account number. With a name, birthdate, address, and bank account number in the hands of someone devious, I could now be the proud owner of a condo off the Florida Keys and there would be little recourse. I also wasn’t comforted knowing that the only thing standing between me and financial hell was a fingerprint scanner and a 4-digit code.
Consumer Reports says that I have lots of company. According to their latest projections, 3.1 million smartphone thefts occurred during 2013. To put that statistic into perspective, that means there are almost 8,500 smartphone thefts per day or 353 per hour or almost 6 per minute. Of these smartphone thefts, 1.4 million, or 45%, were lost and never recovered. I was determined to not be part of that statistic.
I immediately tried to find my phone. I searched the area where it was taken, tried locating it through phone location apps and security apps as well as searching for it through that internal GPS system that would soon betray me with the location data it held inside. All of these measures were of no use because the phone needs to be on and connected to the internet to work. Unfortunately, I was dealing with a criminal smart enough to immediately shut the phone off. That action does not require any passcode to perform and prevents all location, wiping and tracking capabilities. Even if I had located the phone, what could I have done? What if the thief was armed or ready to defend their new ill-gotten gains? Those thoughts led me to call the police.
I contacted the local sheriff’s department and their response was almost instantaneous. Within 5 minutes of placing the phone call, I was meeting with the sheriff to give a description of the events. By filing a police report, I would be able to provide a substantiated claim on the device should it ever be recovered. The sheriff was also able to take steps that I could not such as reviewing security tapes and speaking officially with security personnel. I had an authority figure on my side which put my mind at ease a little.
After the police report was filed, I had a decision to make. Should I disconnect service for the phone through my service provider, “brick” or wipe the phone clean through my phone’s manufacturer? Or, should I wait to hear from the sheriff and hope it was recovered? I was leaving the location the next morning so I decided to wait until morning to hear from the sheriff before I decided on a course of action.
The next morning came and the sheriff responded to the incident and informed me that they were unable to find and recover my phone. At that moment, I knew that I probably would never see the device again so I decided to start the process of ensuring that the thief would never recover any data inside the phone.
I contacted my service provider and asked them to disable service to the device. A short conversation with the customer service rep (CSR) was enlightening. The service provider has little authority to do much in the case of a lost or stolen device. The CSR told me that all that a service provider was allowed to do by law was disable the device from connecting to their cellular network. The device could not be wiped from their end nor could the device be flagged if it came back online.
At this point, the thief had a device that only connected via Wi-Fi locations. This would have been more comforting if free Wi-Fi wasn’t available everywhere from Starbucks and McDonald’s to college campuses, libraries and the occasional unsecured neighborhood Wi-Fi network. I knew I would need to take this one step further.
I used my manufacturer’s programs to establish a series of protocols should the device be turned back on and connected to the internet. First, I had to identify the cellphone through a series of serial numbers, IMEI/MEID identification numbers, my phone number and personal identification information. This gave me a few options including: attempting to locate the phone, displaying a message on the screen for the thief to see (to possibly offer a reward for its return) and wiping the data from the phone. I decided to wipe the phone clean and call my insurance company to order a new phone. This meant that even if the cellphone was found, there would be little I could do with it other than possibly sell it for parts. This is the most complete and secure option but also the most damaging to me personally because the financial cost of replacing the phone is now unavoidable.
This was an exhausting situation, but some valuable lessons were learned that may help within the organization as well:
- Ensure all security features on your device are enabled: There is little time between when you suspect a device has been stolen and when the device is likely gone forever. All options for device recovery at your disposal are essential for success.
- Contact the police: It is important to get the police involved early to help immediately and with any long-term issues. If you find your phone, have the police recover the device for you. If your identity is stolen and erroneous charges are found on your bank account or credit report, it is in your best interest to have a documented claim that explains how the charges could be fraudulent. Taking this step reduces the risk of being liable.
- Understand your organization’s data protection policies: In hindsight, wiping the phone data faster would have been my best course of action. This will protect organizational data that may be on your device as well as protecting your personal data.
- The data is what’s important, not the hardware: A phone is expensive and an attachment to the device is common. Knowingly wiping the data on the phone early on in a potential theft situation is a difficult decision because of the financial repercussions. But, trying to avoid paying for a replacement device is not worth the risk of a stolen identity. If a police report has been filed, seriously consider wiping the data shortly thereafter.
With all of the emotions and concerns running through your head when a cellphone is stolen, it is easy to see why the organization’s procedures for corporate devices and/or data have to be clear and published frequently. Whether corporate or personal, the data on the device is the most valuable thing that was stolen. While recovery of the data might be ideal, it is a higher priority to ensure that the thief doesn’t get to use that data.
“Smart Phone Thefts Rose to 3.1 Million Last Year, Consumer Reports finds,” Donna Tapellini, Consumer Reports, May 28, 2014,