Losing A Phone - A Social Media Security Breach?
I lost my Nokia N95 this morning riding around Paris on a Velib. By the time I realized that it had fallen out, I was back in our neighborhood and there was no way I was going to retrace the ride. Plus, it most likely got crushed by a car on the streets we were riding on.
But there’s a possibility that it didn’t and that someone picked it up. And that’s where things get a bit interesting. Before I lost the phone I installed a Twitter client on it (Twibble) and ShoZu, which is a bulk uploader for all kinds of social media services (Facebook, Typepad, Flickr, YouTube, etc.). And I had configured both to work on the N95.
So if someone picks up the phone, they can post to this blog and to my Facebook, Flickr, and YouTube accounts from that N95 without needing a password, because both apps were already configured with my account credentials. It’s a North American phone and doesn’t work on the European carriers, but it works fine over wifi.
I’ve alerted ShoZu and hope there’s a way to de-activate my ShoZu account. The Twibble client is more problematic.
Anyway, this brings up an interesting point regarding social software and services on mobile devices. The problem is not limited to mobile devices; the same thing is true on a laptop computer. But I suspect that mobile devices are lost or misplaced a lot more often than laptops.
And so it seems to me, based on my experience this morning, that the developers of social media software and services for mobile devices ought to build some easy ways to de-authorize a lost device from their services.
And it’s entirely possible that both ShoZu and Twibble have done that. If so, I’d love to hear how to do it. If not, then I’ll just have to wait and see if anyone starts guest posting here or elsewhere under my name in my accounts.
Comments (Archived):
It would be nice if every phone had a remote wipe feature for situations like this.
Remote wipe would be nice, and is imperative for enterprise users. Entering a PIN helps but is really annoying; fingerprint/biometric authentication would be better. One time I found a phone left in a bar. It was fun to call the person most recently called from the phone, and have them come to the bar and pick it up. So yeah, security matters, but design the device so it can be returned if a helpful person finds it.
Sounds frustrating, particularly when traveling. Are you sure you dropped it? There are some pretty good pickpockets over there. An apparently pregnant teen once pickpocketed me in Italy. All she got were postcards I had stuffed in my front pocket – but they were already written and ready to mail. Arrrgghhh! Regarding deauthorizing accounts, good idea. Users should be able to pause or put a lock on their account until resolved. Good luck resolving and enjoy the rest of your trip.
Most services don’t bother with de-authorization because they have already set up a system to change passwords. It gets roughly the same job accomplished, even if it is a pain for the user (especially if the user, like you, juggles many devices). At least you didn’t have a bunch of sensitive emails on the thing.
Sorry to hear about the phone. That stinks. I ran into some similar problems with my laptop that was stolen from my apartment a few weeks ago. Lots of the services I use were set up with automatic login (my fault since I didn’t set up better security). Interestingly, that problem might help me get the computer back. A week or so after the computer was stolen, someone inadvertently sent an email from my Gmail account, presumably thinking that they were in their own Gmail without realizing that the computer automatically logged them into my account. They sent an email from my Gmail to a person selling furniture on Craigslist and included their name and number so the seller could contact them. The police are now trying to track that person down and *hopefully* get my Macbook back. Perhaps the phone will find its way back to you through similarly strange circumstances. Hope you have better luck the rest of your trip.
I use a keypad-lock password on my iphone. It is easy and fast, I think the n95 has an option to do that as well. It is sort of a catch-all for this kind of thing.
This is exactly why I use a PIN on my iPhone. I originally used it when traveling to Spain & Portugal, worried that if the phone was lost/stolen, I’d be forced to pay some hefty roaming fees. Once I got back to the States, I decided to keep the PIN. I’ve stored far too many passwords in the browser to feel comfortable leaving it unlocked. Friends laugh at it, but at least it’s secure.
That sucks! I remember hearing that the new iPhone will have a remote wipe feature, but until then I use a password lock on my phone just for situations like you just experienced.
One of the first apps I install on a new S60 phone is called Phone Guardian. It allows you to lock the phone remotely with a specially formatted SMS and it also automatically locks the phone if the SIM is changed. I have it set to display the message “Phone locked! Please contact [email protected] for reward!” I imagine the allure of a reward is the only thing that will entice someone to return the handset…There is also a similar app that will deliver your phone’s GPS / cell location in the event it is lost; beyond locking it down as above.
So, you’re saying that like fake Steve Jobs, we will now have fake Fred? I don’t know if I can handle that.
fake fred hasn’t shown up yet. if he/she does, i’ll let you know
Oops, I am also sorry that you lost that phone, It’s a pricey piece of gear.
Bummer about the phone…the poor mans solution is to change the things you still have in your control (so change your password for XML-RPC posting and at your other services)…it’s a painful thing to have to do (which is one of the nice ideas of everyone implementing openid I guess – you would only have to change one password in one spot) but it’s the best way to assure that nobody uses the found phone to hack your systems…Of course I think the reality that someone will find the phone, and know what/how to use it to actually post anything to any of your services is slim…even though it doesn’t feel like it to those of us online, the world is still mostly full of non-tech. savvy people…so you probably don’t have to worry too much. The lucky person to find the phone will probably just admire the photos you have on it, and then use it as their own nice new camera.
Also, with the increasing capabilities of phones to have actual data, it’s interesting that we aren’t seeing more pushes towards strong encryption of phones similar to that which has been seen on laptops. I guess we have to wait for the high-profile “cell phone lost, credit card/social security numbers nabbed” stories for that to become apparent…
Why carry your phone on a bike ride? I suppose there’s possible opportunities for pictures or whatnot, and of course the need to be reached in an emergency, but still…..an hour long bike ride without the phone wouldn’t be the end of the world! I mean, we made it to the cell phone age as intact humans (except for Keith Richards, of course), so no reason not to go totally off the circuitry for a few minutes now and then….! Still, there should be solutions for this. I like the remote wipe idea.
i was using it as a camera. it didn’t work as a phone over here
Can’t you change all your passwords on the server end? That’s what I did when I lost my Blackberry. It’s a total PITA but the only way to be sure.
that’s exactly what i will do if someone starts posting into my accounts
I’d do it now, pre-emptively, in case someone gets there first and changes them, thus effectively taking ownership.
Can’t you just change your password on twitter and shozu? I know it would probably be a pain if you are using a lot of different tools but at least you can control the risk without having to wait on the companies involved. That being said, I have a lot of information security and privacy experience and there is no easy solution. The best is being able to remotely wipe the device like you can with lost Blackberries. Perhaps it is a service the mobile phone companies should provide…or maybe a startup:-). What an excellent idea! Do you think there would be a market? Another option is for someone to start a company that works on the same principle as the companies that track all of your credit cards so that if you lose them they can all be disabled immediately. Not as elegant though. Either way the way it stands now you have to put out a bunch of effort or do nothing, accept the risk, and hope nothing happens.- Doug K.
Fred….is that you? Can’t believe I’m the first one to get that out there…
Sorry to hear you lost your phone. You raise a good point and I had an interesting experience in social media breach of security. A week ago I was mugged in Ft Greene for a very crappy phone, but one that received Tweets from friends. The thugs responded twice to incoming tweets and, unbeknownst to them, they were twittering to the whole world on my account with my stolen phone. I blogged about it at: http://hud.tumblr.com. Scroll down to first post for June 20. At first I desperately wanted to erase the tweets, but @alexlines wisely advised otherwise. The detectives were a little confused exactly what Twitter was when I tried describing it to them. I don’t see a good way Twitter could prevent that without impairing UX. I could delete the tweets later of course and also have someone I trust remotely deactivate my account for the device notifications. The far worse scenario is that on the same night at the precinct I met a lady who was mugged while using her iPhone and she was very worried about the easy access to personal information.
At kniham.com we’re trying to solve the problem in this way… to allow login from mobile, the server generates a URL with a one-time token that is stored on the mobile phone for easy access. You can’t change the password from the mobile phone. If the phone is lost, you log in to the website, change your password, reset your mobile token, and the phone won’t be able to connect to kniham.mobi.
Fred, If only Twitter has about one million accounts, what is the chance that the (French!!) guy/girl who “found” your phone is on Twitter? Rather small, I think. If not, it could be a great PR campaign for Mr Bezos… ;) Have fun and enjoy the wine
what happened when you called it?
you can’t call it. i messed up and bought a north american version of the phone that doesn’t work on european networks. i didn’t even realize that they still made phones that don’t roam automatically. my blackberries have always worked perfectly well in europe
i’ll call it
oh, it completely wont function… forgot
Another thing is that social networks (e.g. MySpace, thefacebook, etc.) could offer the possibility of creating a new account and migrating state from your old account (after authentication). This way you could remove your old account and prevent other people from using it…
Sorry for your loss Fred. Third parties should allow you to deauthorize accounts in case something like this happens. I think Flickr has that feature and Twitter should definitely implement it when/if they implement developer keys. Safe travels
Sorry to hear this. I suppose you don’t want to change the Twitter and ShoZu passwords and that is why you want Twibble and ShoZu deactivated. Nevertheless, it would be wise to change them anyhow for, even if the app providers block access to your account, your passwords stay in the device and who knows what one might do with them.
The YouGetItback guys here in Cork, Ireland have built a solution to this problem on phones and laptops. I have their Mobile Superhero app installed on my N95-8GB. If the phone is lost/stolen, they can remotely lock it down and display a “please ring this number to arrange to return the phone to its owner”. It has some very very smart features coming in the near future too.
I’m not sure that your assumption that more mobiles are lost than laptops is true. The issue of lost laptops containing Government data is a very hot one in the UK at the moment. In written answers to a series of questions by Members of Parliament earlier this year, various government departments have admitted to losing over 1,000 laptops and almost 500 mobile phones since 2001. The Ministry of Defence alone has admitted to having lost 96 laptops and 82 mobiles over that period. Now, it may be that civil servants carry disproportionately more laptops than mobiles, or are disproportionately careless, but it’s not intuitive that this would be the case 🙂
Social Identity theft, huh? They may not take out a loan in your name but they could create a personality variant. Given the ubiquity of social networks and the much debated longevity of anything posted on the web (especially those sites without a real delete option) this could be one of the most significant threats of the future. With more and more employers using social networks as a research device to identify character flaws, past indiscretions and questionable views, this could be a whole lot more damaging than a bad credit record. Like Identity Theft, security is only as good as the weakest link in the chain (which these days seems to be major retailers, banks and government departments). Social Identity Theft will suffer the same issues. The credit card companies and banks have found that it’s still better for them to make it easy to take a credit card or get a loan and take the hit on ID theft and bad debt than it is to make loans and credit cards hard to get hold of (thus reducing spending and interest payments). I suspect the social networks will find the same, as the number of entries to Twitter may significantly decline if you have to go through a 5 level security check and give your mother’s maiden name and date of birth for each entry. And a Facebook retina scan may not be a popular option either. Perhaps there’s a gap in the market for an equivalent of Experian or Equifax to develop a centralised “Social Credit Score”, so you can check to see what opinions have been published by you (or someone pretending to be you).
This is a pretty flimsy excuse for whatever outrageously controversial thing you’re planning to say later today 🙂
I hate losing a phone. In the past if you lost your phone, you were really upset because it had all your phone numbers. Today, your life is on that device. Pictures, videos, contact information, access to your social circles, and access to your “voice”. Good luck recovering.
I just heard a talk from a guy who has developed a forensics package for the iPhone. It is stunning how much info you can recover if you obtain someone’s iPhone. Consider that flash-memory file systems go to lots of trouble to allocate new files in empty spaces, rather than overwriting old files, due to the write limitations of flash technology, for example. If you get tired of your iPhone, don’t give it away or sell it; apply a shotgun to it.
I use a PIN to secure my iPhone – similar reasons as earlier posters. However, I find it frustrating to enter my PIN nearly every time I open my phone. It would be much cooler to have one of the following:
- a “gesture” that unlocked the phone – could use my muscle memory to do this, wouldn’t be much more work than the unlocked iPhone swipe, and would be hard for anyone else to replicate
- a “soft lock” system that periodically required the PIN, and shut down access failing to get it. This way you aren’t hampered in regular usage, but know that it wouldn’t stay open for too long out of your hands. (The iPhone kind of does this, but the delay isn’t configurable enough and is too short)
Cooler would be an RFID jewelry piece that synced to the phone and locked it automatically out of range. :-).
That’s one of a thousand reasons why Twitter really needs to finally implement an API-key. (though they’re busy with other more fundamental stuff right now obviously)
REMOTE DATA WIPE - a point in favor of WinMo phones. My AT&T Tilt disappeared in Cambodia, more likely loss than theft. I went to my Exchange account and issued the data wipe command. A couple months later I saw acknowledgment that the command went through (I guess it took that long for someone to find it and get it online). Problem solved.
Hey there Fred, Sorry to hear that you lost your phone, but alas, here at ShoZu we have definitely thought of everything including a way to remotely deactivate your phone :-) Just log in to http://www.shozu.com on your computer, click the “My account” tab at the top, then “Application setup”, then “Deactivate ShoZu on my phone”. ShoZu on your phone does not connect directly with your Facebook, Flickr, blog, etc.; it goes through our server in the middle first, which is what makes all of its functionality possible. So the good thing about all this is that you can step in here in the middle and totally deactivate it as well. You can then use your old account on any other phone you decide to install ShoZu onto, and all of your old settings will sync up with that device. Hope you manage to recover the phone but I fear it might have become a permanent part of the Paris tarmac by now! Let me know if you have any other questions. Best, [email protected] http://shozu.vox.com
It’s interesting that I sent an email to ShoZu support yesterday about 10 minutes after I realized that I had lost the phone and got back an acknowledgement but nothing else since. But my support question was answered by a ShoZu representative on my own blog! I am not sure if that’s good news or bad news, but it’s interesting nonetheless.
hehe we have separate teams who look after email support and the ones who look after blogs, and we both saw this one about the same time 🙂 Thought you and your readers might appreciate an answer on your blog rather than email in case others have the same question. ShoZu will now be completely deactivated and if anybody tries to do an upload it will just throw an error and tell them it’s not activated. Any feeds and sites on ShoZu’s home screen will also vanish. Hope this helps. Best, [email protected]
Thanks so much. I wish I had been able to use your service a bit more
And thanks Mark. I just de-activated my account, making it a lot less likely that someone will be posting to this blog from my lost N95
I alternately use Hahlo and PocketTweets on my phone for Twitter, and it’s been a gripe of mine that Hahlo signs me out once a week and I have to re-enter my information. But I hadn’t thought of it from a theft perspective. It’s probably a good feature in case anyone else ends up with my phone…
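Two of the replies above describe what a working fix looks like: kniham.mobi gives the phone a token that is separate from the password and can be reset from the website, and ShoZu puts a server in the middle that holds the real Flickr/Facebook/blog credentials and can be deactivated per phone. Both are the same design: the device carries a revocable credential of its own, not the account password, so a lost phone is handled by revoking one row on the server rather than by changing passwords on every service. The Python below is an added illustration written for this page, not kniham’s or ShoZu’s code; the `DeviceTokenStore` and `UploadRelay` classes, the token format and the stand-in service credential are all assumptions made for the example.

```python
"""Per-device revocable tokens with a relay server (illustrative, not any vendor's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    """One enrolled phone or laptop. Only a hash of its secret is stored server-side."""
    name: str
    secret_hash: bytes
    enrolled_at: float
    revoked: bool = False


class DeviceTokenStore:
    """Server-side record of which devices may act on one account.

    The phone keeps a token of the form "<device_id>:<secret>" (an assumed
    format). The device_id is a public lookup key; the secret is compared
    against a stored hash, so a leaked server database does not yield usable
    device tokens. The account password never reaches the device.
    """

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def enroll(self, name: str) -> Tuple[str, str]:
        """Register a device; return (device_id, token). The token is shown once."""
        device_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains ':'
        self._devices[device_id] = Device(name, self._hash(secret), time.time())
        return device_id, f"{device_id}:{secret}"

    def authenticate(self, token: str) -> Optional[str]:
        """Return the device_id if the token is valid and not revoked, else None."""
        device_id, sep, secret = token.partition(":")
        if not sep:
            return None
        dev = self._devices.get(device_id)
        if dev is None or dev.revoked:
            return None
        # Constant-time comparison so a secret cannot be recovered byte by byte.
        if not hmac.compare_digest(dev.secret_hash, self._hash(secret)):
            return None
        return device_id

    def revoke(self, device_id: str) -> bool:
        """The targeted fix for one lost phone; other devices keep working."""
        dev = self._devices.get(device_id)
        if dev is None or dev.revoked:
            return False
        dev.revoked = True
        return True

    def revoke_all(self) -> int:
        """The 'change your password' equivalent: cut off every device at once."""
        count = 0
        for dev in self._devices.values():
            if not dev.revoked:
                dev.revoked = True
                count += 1
        return count

    def active_devices(self) -> List[str]:
        return [d.name for d in self._devices.values() if not d.revoked]


class UploadRelay:
    """Server in the middle: holds the real service credentials and accepts
    uploads only from devices with a live token. `service_creds` is a
    constructed stand-in for the downstream Flickr/Facebook/blog secrets."""

    def __init__(self, tokens: DeviceTokenStore, service_creds: Dict[str, str]) -> None:
        self._tokens = tokens
        self._service_creds = service_creds
        self.posted: List[Tuple[str, str, str]] = []  # (device_id, service, payload)

    def upload(self, token: str, service: str, payload: str) -> bool:
        device_id = self._tokens.authenticate(token)
        if device_id is None:
            return False  # a deactivated phone gets an error, nothing is posted
        if service not in self._service_creds:
            return False
        # A real relay would now call the service API using self._service_creds[service];
        # the credential stays on the server and is never sent to the phone.
        self.posted.append((device_id, service, payload))
        return True


if __name__ == "__main__":
    store = DeviceTokenStore()
    n95_id, n95_token = store.enroll("Nokia N95")
    relay = UploadRelay(store, {"flickr": "constructed-flickr-secret"})
    print("upload before revoke:", relay.upload(n95_token, "flickr", "photo.jpg"))
    store.revoke(n95_id)  # what "Deactivate ShoZu on my phone" amounts to
    print("upload after revoke:", relay.upload(n95_token, "flickr", "photo2.jpg"))
```

Run it as a script to see the lost phone's token accepted before revocation and rejected after it. `revoke` is the per-device deactivation the thread asks for; `revoke_all` is the blunt "change every password" fallback several commenters recommend, and in this design it costs one call rather than a round of every service. Storing only a hash of the secret and comparing with `hmac.compare_digest` are the two details worth copying into any real implementation.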
There’s a Singapore startup with a nice solution to this problem. http://www.wavesecure.com
There is a company in Atlanta working on a really cool solution to this problem. Not completely sure if it could help here, but I like what they’re doing: http://www.imhonest.com