Original URL: http://www.theregister.co.uk/2006/04/20/poor_mobile_security/

Lax approach to mobile security

People, not technology, to blame

By Rob Bamforth

Posted in Security, 20th April 2006 11:09 GMT

Street-wise? When you're out in public places, there are certain things to do for reasons of personal safety and security, especially in unfamiliar locations. Look before crossing the road. Keep your money and credit cards hidden from view. Destroy credit card chits with copies of signatures to keep them out of the wrong hands. Avoid the large gang of drunken tearaways at midnight, and so on.

But technology does strange things to people's view of security, and expectations alter dramatically. Take PINs on credit and debit cards, for instance. Keying in a secret four-digit code is not automatically more secure than openly writing a complex but only vaguely repeatable line of scrawl (did anyone ever really check them anyway?), and it is certainly not very secure when the secret code is shared. The technology does not make things more secure, but the process, and the way the PIN is kept closed and private, can.

When money is lost from an account, consumers immediately assume a bank error and rarely believe it is their fault, whereas banks act as if they only ever lose money through fraud. There are instances when the extreme views at either end are correct, but most often the truth will lie somewhere in the middle. Partly, security is the responsibility of the banks or issuing authorities and the way they deal with the retailer, and partly it is down to the individual card holder - a shared responsibility.

Keypads and screens have to be large enough to use and see, and that makes them easier for others to see as well. So the right thing to do as a minimum is destroy the PIN confirmation letter upon arrival, not write the PIN down on a piece of paper that others might see, and shield the keypad from view during use.

Move from personal security and one's own valuables to those entrusted to employees by their employers, and the view of responsibility is still shared, but the reality shifts somewhat. This is particularly true of the attitudes of users of various types of mobile devices. According to a recent Quocirca survey of over 2000 IT professionals, almost three quarters think there is a shared responsibility for keeping a mobile device safe and secure, yet the attitude of users is characterised as "irresponsible" by almost half of those in IT management who responded to the survey.

What has led to this perception, and have mobile users always been irresponsible?

At one time business users would cup a hand to their mouth as they spoke potentially sensitive information into a mobile phone in a public place. There were even aftermarket products to shield the mouth area from view. Today, not only are conversations conducted in the most crowded areas, but sensitive information can be overheard on almost any train or city centre bus. Personal information might be regarded as non-confidential and shared this way, but commercial information should be better protected.

The picture is no better with a mobile computer. As screen brightness has improved, and viewing angles widened, not only does the user get a better view, but so does anyone else around. It probably isn't a huge problem for much of the information, but most businesses would still prefer it not to be shared. When we researched mobile security issues just under a year ago, two thirds of IT professionals rated data falling into the wrong hands by theft or loss of a device as the most important mobile security issue.

Snooping is only one way some information may be lost or accidentally disclosed, but it is indicative of a casual approach from the mobile user, which spills out into how they then look after the device as well as the data on it.

In some respects, the smart handheld devices - PDAs, BlackBerries and so on - are more discreet. Private messages can be sent as emails rather than bellowed within earshot of passers-by, the screen can be angled away from prying eyes to keep sensitive information private, and with suitable device management software the device can be remotely backed up, wiped of data and completely disabled.

Here too, however, the technology is not the issue; it is the people and processes. Smaller devices seem to be easier to mislay than larger ones, and according to our research too many companies leave smart handheld security in the hands of the user, or treat it as less important than that of laptops. The potential privacy gains are eroded by a lax approach.

A change in attitude is needed, and this has to come from the top. Mobile security needs to be spelled out in policies and supported by appropriate technologies, but ultimately it is everyone's responsibility to behave securely and professionally to protect business assets.

Are your mobile phones and PDAs protected by a PIN? Is it the same one as your credit card? Oh dear.

Copyright © 2006, IT-Analysis.com

Rob Bamforth is a principal analyst working with Quocirca Ltd, focusing on the areas of service provision and mobility.