STE WILLIAMS

The UK’s Met Police has been putting pressure on mobile device makers to enable screen locks on all new mobile devices, to encourage better security and reduce theft.

According to The Register, senior officers from the Met’s National Mobile Phone Crime Unit (NMPCU) have been meeting with the likes of Apple, Samsung and other major phone producers, as well as government representatives, to persuade them to introduce security by default.

The idea is that if phones come with a screen lock enabled, people will have to take action to disable it if they decide it’s too much of an effort to tap in a PIN each time they use their device, rather than having to take action now to enable it.

Technology is providing new ways to overcome our need for instant access, with fingerprint readers now standard in top-of-the-line models. But even when they can be trusted, these features are likely to be a luxury add-on for some time to come, leaving the majority stuck with PINs and swipe-patterns.

So it’s vital people are made aware that these features are really, really necessary. Phone theft is a major problem, with more and more of us carrying increasingly valuable hardware around with us, often held lightly in one hand while we pay minimal attention to the world around us, making simple snatch-and-grab theft very easy.

The preferred deterrent approach so far has been the introduction of remote-wiping kill switches, and the NMPCU acknowledges a major reduction in iPhone thefts since Apple introduced the Activation Lock system in iOS 7.

But being able to lock or wipe a lost or stolen device only provides limited protection. If the device has no screen lock enabled, all sorts of things can happen in the time between an unwanted person getting their hands on it and the rightful owner getting around to issuing a kill command.

All the personal data on the phone can be accessed, uploaded elsewhere and sold on. Calls can be made to costly premium-rate numbers, and for those who leave their phones logged in to their social media accounts, further harvesting and spamming of contacts is also possible.

Even worse, some shopping and even banking services may be accessible without further confirmation of identity, giving direct access to your cash.

Phone makers have worked on all sorts of tweaks to reduce the intrusiveness of locks, mostly by slowly enabling more and more of the device’s features while still officially locked. This of course has led to all sorts of gaffes, flaws and problems, but these are mostly remedied pretty quickly, and most devices are reasonably secure with the lock in place, with time-dependent functions such as snapping photos and making emergency calls still accessible.

So there’s no excuse for not using a lock, and having it switched on by default when we get a new device seems like a simple way of encouraging more people to do so.

There are of course a few caveats when introducing such a system, such as the temptation to start it off with a standard default passcode shared by everyone with the same model – an obvious security hole when your target audience is defined by its lack of impetus when it comes to protecting themselves.

Phone makers will need to either give each new device a random code, perhaps shown in a secure manner on the packaging, or simply require a passcode selection when the device is first switched on.

For further security, go beyond the basics and use a screen lock code longer than the usual standard of 4 characters, and add extra layers by logging out of anything you’re not using.

In business use, mobile device management solutions should be enforcing strict policies including screen lock requirements, again ideally with at least six-digit PINs.

With a little practice, it’s surprising how natural the unlocking action becomes.

Follow @VirusBtn
Follow @NakedSecurity

Image of locked phone courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RX-5lOE6ZcM/