One morning last December, I dropped into my favorite coffee shop and found myself about 12th in line for some much-needed caffeine. The guy in front of me was on his cell phone, his voice booming all over the crowded café as he ordered last-minute gifts.
By the time he reached the counter, he’d clearly recited his name, full address, credit card number and the card’s security verification code -- twice. After paying for his order, he launched into a third call, sharing the same details.
It’s hard to say whether his credit-card account was in more jeopardy from some distant wireless eavesdropper -- or from the laptop-equipped customers at the next table who might well have been quietly typing down the information as he repeated it.
Either way, it illustrates a hard fact about cell phone security: Your safest strategy is to assume that you have unwanted listeners. Chances are that you don’t. But when it comes to confidential information that’s transmitted across radio frequencies, as cell phone calls are, your best bet is to conduct yourself as if you do.
Caution is especially important if you find yourself using an analog signal; that’s when someone using a scanner can pick up your call. Digital signals are scrambled, but security experts say it’s still possible that hackers armed with sophisticated equipment could intercept and decode them. And, of course, someone who can overhear your half of the conversation before it enters the phone -- as in the coffee-shop case -- doesn’t need any special devices to capture some highly valuable information.
With cell phone use at an all-time high -- manufacturers shipped more than 1 billion handsets worldwide in 2006, up from 833 million in 2005, according to Framingham, Mass.-based IDC Research -- related crime is likely to keep growing as well. Following are three other cell phone security threats, along with advice for preventing them:
Many people save sensitive information -- account numbers, passwords, customer billing information, emails on confidential matters -- on their cell phones. Having those details at your fingertips is certainly convenient, but the device is misplaced or swiped, whoever winds up with it might know far more about you than you’d like.
If you must keep such data on the phone -- if, for instance, it doubles as your electronic address book -- at least protect it by using the password feature available on most contemporary models. You should also set the phone to automatically lock the phone after a certain period of inactivity. Those measures won’t foil professional hackers, but they may keep the casually curious from accessing the details of your life. As an alternative, you might consider keeping especially sensitive information on a removable memory card, if your phone is equipped to hold one -- and if you can train yourself to remove the card and store it in a safe place when you’re not actively using it.
When you buy new phones, remember that you can’t be too careful about wiping the data off your old ones. Consider the results of a recent experiment by Trust Digital, a McLean, Va.-based maker of security software for mobile devices. In mid-2006, the company purchased 10 used cell phones in eBay auctions. While the phones’ previous owners apparently believed they’d deleted all their information, technicians recovered plenty of potentially damaging data from all but one device. The information retrieved -- 27,000 pages of it -- ranged from passwords to confidential customer records to emails about pending business deals to text messages chronicling a love affair.
The problem: On many phones, permanently purging data requires a series of complicated steps so that customers don’t erase information accidentally. So even if you’ve deleted those your records and the phone’s memory seems empty, someone with the right software may be able to resurrect data once stored there. The solution: If you’ve got telecom specialists on staff, ask them to thoroughly clean all phones before you sell, donate or toss them. If not, call or visit your carrier so that their technicians can do the job for you. Or you may want to follow Trust Digital CEO Nick Magliato’s half-serious advice for making sure an old phone doesn’t give up your secrets: “Run over it in a car.”
As socialite Paris Hilton learned in a particularly high-profile case, a serious thief doesn’t need the actual phone to swipe confidential information. In early 2005, a hacker broke into a major cell-phone carrier’s systems, accessed Hilton’s account, stole racy photos and private celebrity phone numbers and posted them on the Internet. (The culprit, a Massachusetts teenager, later pleaded guilty and was sentenced to juvenile detention and supervised release with -- no surprise -- no Internet access.)
While most of us won’t individually attract our own personal hackers, it’s worth checking with your carrier to find out what, if any, data it’s capturing from your phone. If you find that everything you’ve keyed into the phone is also sitting in the company’s computer systems, you may want to rethink what you’re storing on the device.
Bottom line: You need to determine acceptable-risk levels not only for yourself, but for your staff as well. Establish and enforce policies, especially about what information people store on their phones. After all, as with any other scenario involving corporate secrets, your security is only as good as the practices of your most careless employee.