Risk
10/4/2011
00:26 AM
Ed Hansberry
Ed Hansberry
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Most Consumers Don't Lock Mobile Phone Via PIN

44% of respondents say its's too much of a hassle, new survey reports.

People put a lot of sensitive info on their phones, but they often give little though to how secure their data is. In a survey by a security company, over half of the respondents said they didn't bother with a PIN lock. This takes on a whole new dimension when you begin to understand how many of these people keep corporate data on the device.

Losing an unlocked phone can be far worse than losing a wallet. Emails on the device alone can reveal a wealth of information about the person, including where they bank, where they live, names of family members, and more. If company email is on the device, and it often is, there can be competitive information, salaries, system passwords, etc. If any of those emails contain links, often clicking on it will take you into the website, be it Facebook or a corporate portal.

According to Confident Technologies, 65% of users have corporate data on their phone, even though only 10% actually have a corporate issued device.

For that majority that don't lock their phone at all, 44% said it is too much of a hassle to lock it and 30% said they weren't worried about security. These are likely the same people that store things like social security numbers, passwords, and other sensitive information in text files or basic note applications. They may even store their computer's password on a Post-It Note in their center desk drawer.

Ten years ago, locking the phone wasn't a huge deal. The only thing on it was call history, contacts, and maybe some text messages. Today, almost everyone has email on the device, and 77% have a social network set up, which often has enough personal information to make identity theft a fairly easy accomplishment. Around half have banking apps and 35% have online shopping or auction sites set up. If these people aren't PIN locking the phone, they certainly aren't logging out of these sites each time so that you have to re-key the password to get back in.

In conducting this survey, Confident Technologies is trying to show how people leave their devices wide open, and they do have a product to sell that is geared to make securing a device easier. That doesn't change the results of the survey though. If you have employees accessing company servers, you can enforce policies like requiring a PIN lock. Even if they aren't accessing emails though, there is a good bet they have a password list on the device, or they may have emailed themselves a few documents to have handy. It may be time for a bit of education in the importance of securing a device. Telling them it is against company policy to have corporate data on their personal device won't work anymore than would telling them they cannot take work home to finish up a project.

Whether using a security app from Confident Technologies, which involves image recognition, the built-in PIN lock, or something else, make sure your corporate data is safe.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jamescraig
50%
50%
jamescraig,
User Rank: Apprentice
4/30/2014 | 3:56:52 AM
Consumer Behavior
Consumer behavior is the key of the success of any business. The companies who care fore thye feedback about their machines and electronics can develop better products with the passage of time. 
herman_munster
50%
50%
herman_munster,
User Rank: Apprentice
1/24/2012 | 8:19:15 PM
re: Most Consumers Don't Lock Mobile Phone Via PIN
My co enforces a strict password policy on my phone. Sometimes when I get bored, I intentionally enter the password too many times causing the device to be wiped.

BigJohn11
50%
50%
BigJohn11,
User Rank: Apprentice
12/22/2011 | 1:02:59 AM
re: Most Consumers Don't Lock Mobile Phone Via PIN
David, the time out setting has been a capability for nearly 2 years. So most likely it's your IT team who has not set it to your liking. Options are Simple or complex passwords, require alpha numeric, min password length, min number of complex characters, passcode age, auto lock time 1-5 minutes or no auto lock, password history, grace period for device lock, and max number of failed attempts.
DavidMichael
50%
50%
DavidMichael,
User Rank: Apprentice
10/21/2011 | 3:19:17 PM
re: Most Consumers Don't Lock Mobile Phone Via PIN
I've just switched from a company provided Blackberry to company provided iPhone (both of which had required PIN's). On the Blackberry the PIN requirement only came on after a predefined timeout even on screen lock which is much more convinient than the iPhone which always requires the PIN. I like your suggestion here Duncan. Please take note Apple!
Denver IT Consulting
50%
50%
Denver IT Consulting,
User Rank: Apprentice
10/14/2011 | 10:51:41 PM
re: Most Consumers Don't Lock Mobile Phone Via PIN
This can end up being a nightmare situation for employees and even management staff that do not follow setting up their mobile devices for locking or at least some type of security measure whether it be remote via application or not. Getting authorized access to sensitive documents, emails and other data within the workplace can be easily prevented with measures like this.
Quazzi
50%
50%
Quazzi,
User Rank: Apprentice
10/8/2011 | 3:24:40 AM
re: Most Consumers Don't Lock Mobile Phone Via PIN
Keep in mind that there are applications available that can let you remotely disable and lock, and delete the phone content......assuming this functionality is activated at start-up!
Duncan Murtagh
50%
50%
Duncan Murtagh,
User Rank: Apprentice
10/5/2011 | 1:25:17 AM
re: Most Consumers Don't Lock Mobile Phone Via PIN
On the iPhone a simple solution would be to adjust the way the lock button at the top of the phone works. Right now one click locks the phone and the PIN lock kicks in after whatever number of minutes you've set it to. They could make 2 clicks of that lock bring on the PIN lock.
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/4/2011 | 11:32:27 PM
re: Most Consumers Don't Lock Mobile Phone Via PIN
I do use the PIN on my phone, though it's basically a result of having lost a phone that I didn't lock with a PIN and worrying about what was on the phone (luckily nothing too sensitive).
I can understand the frustration. It can be annoying to have to enter that PIN everytime you need to do something on the phone.
Legitimate Home Jobs
50%
50%
Legitimate Home Jobs,
User Rank: Apprentice
10/4/2011 | 11:31:37 PM
re: Most Consumers Don't Lock Mobile Phone Via PIN
I used to never lock my phone. That is, until a lot of friends kept telling me I was "butt-dialing" them. Now I always lock my phone. :-)
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.