Five security steps you need to take now on your phone

Much of the data on your phone is more valuable than the device itself should it get stolen

'Shoulder surfing' is one tactic used by thieves to target phone users. Photograph: iStock

How secure are your devices? Our phones typically look after many of our day-to-day needs, from email and messaging to shopping and banking. But phone thefts in some places are rising, and it is not the value of the phone that is at stake: it is the data it contains. That is far more valuable than the device itself.

Here are five steps you need to take to try to protect yourself.

Protect your pin

We are all conditioned to protect our pins from prying eyes at cash machines or when we are paying at a till. But how many times have you used your phone’s security code without a thought about who could be watching?

“Shoulder surfing” is one tactic used by thieves to target phone users. The unsuspecting victim unlocks their phone with their security code, unaware that someone is watching nearby. They are later targeted, the phone taken and, with the phone and the code in the thieves' possession, it can be unlocked and the data accessed.

James O’Sullivan, founder of mobile security app Nuke From Orbit, fell victim to this on a night out in Dublin. Shortly after paying for a drink at the bar, he realised his phone was missing. Since he had used facial recognition on his phone rather than his pin when buying his drinks, he wasn’t overly concerned that his data could be accessed.

It was only later that he realised his phone had been compromised, probably through someone spotting his pin code as he used it throughout the night when facial recognition was not working for him.

It spurred him to create Nuke From Orbit, which offers a way to cut off access to bank cards and financial apps and to create new passwords for critical services in the event of your phone being stolen.

The service is set to be launched later this year and is operating a waiting list for users in advance of its official opening.

In the meantime you should be wary of using your phone’s pin or unlock pattern in public, and make sure no one is looking over your shoulder when you do.

If you reuse that pin elsewhere on your device, you may be in more trouble than you think, as it opens up access to other apps in your phone. Which brings us to…

Go unique

Whether it is your password or security code, make sure you aren’t reusing log-in data. For passwords to online accounts, you should create unique passwords for each one and store them in a password manager that has a strong, unique password protecting it.

For apps on your phone that require you to provide a numerical code to log in, ensure it is not the same as your main phone’s security code.

That means if one password or pin is compromised somehow, it won’t give whoever has gained access to your account a free pass to all the rest of your private services.

The problem is that human beings aren’t random, and what we think is a secure, random password is a little less random than we think. This is one job where technology definitely trumps the human touch. Password managers can help you to create unique security credentials for each account and, even more importantly, they will remember them for you and autofill them into services as they are needed, provided you have already entered the strong master password or used biometrics – facial or thumb recognition – to unlock the manager.

There are password managers built into Apple devices – the Passwords app – and Google’s Android system – the Password Manager feature – so you can get going without having to download any additional software or put your hand in your pocket.

If you want an independent service, though, there are some great free options. Open-source password manager Bitwarden, for example, will allow you to save an unlimited number of passwords to your account, and it can be accessed across mobile and desktop platforms without a subscription.

The core functions – securing apps, websites and accounts with passwords or passkeys – are free, although a premium subscription opens up more advanced features for the princely sum of $10 a year.

Proton Pass is another free option, one that comes with the added benefit of access to the free tier of Proton’s other services – Proton VPN, Mail, Calendar and Drive. You get unlimited log-ins and notes, up to 10 email aliases to hide your email address, and it can share your details with one other user.

Enable two-factor authentication on everything that supports it. Photograph: iStock

Two-factor authentication

Strong passwords are great but if you want to keep people out of your personal data, two-factor authentication provides another layer of protection. Two-factor authentication requires not only your passcode but a one-time code or authentication from a trusted device before you can log in.

The most secure method of two-factor authentication is generally considered to be a hardware key that plugs into your device. However, more common methods are authenticator apps, such as Microsoft Authenticator or Google Authenticator, which generate a new secure code regularly, or SMS authentication, which will send you a code via text message.

Authenticator apps are generally more secure as they are harder to intercept but, as with text messages, it means you have to have your phone on you to get the code. Make sure your authenticator app is locked with a strong passcode or facial recognition to keep prying eyes out.

Enable two-factor authentication on everything that supports it, whether it is email or your social-media accounts.

The data that can be harvested from your social media is significant when it comes to identity theft – everything from your birthday to the names of close family members, where you grew up or your first pet could be contained in posts on those pages – in fact, the answers to a lot of the usual security questions.

Lock apps and data

You can add yet another layer of protection to the most sensitive apps on your mobile device by locking them down and requiring a facial scan or passcode to enable access.

Apple allows you to lock any app from the Home screen by long-pressing on the app and choosing Require Face ID from the pop-up menu. It can also be unlocked with your passcode, so keep that protected too.

Android phones allow you to create a secure folder that keeps apps you choose hidden away. Their data will not be visible on the phone unless the secure folder is unlocked. It could be referred to as a secure folder (HMD) or private space (Pixel phones).

Pixel phones, for example, allow you to create a separate Google Account for use in the Private Space, so you can download applications into the secure folder and put a new security code on it, distinct from your device code. HMD’s devices create a secure folder you access with a gesture on the screen, and a separate security code.

If you keep scans of passports or other ID on your phone, make sure to lock them away in a hidden folder on your phone that is password protected with either your face scan or a unique pin.

Those photographs, useful as they may be to have at your fingertips, could give a malicious user the last piece of the puzzle they need to set up bank accounts and other fraudulent activities in your name.

Audit access

Who has access to your accounts? What apps have been authorised to use your data? It is a good idea to regularly review the permissions you have granted to some of your most sensitive applications, and revoke access to anything you either don’t recognise or don’t need.

In Google, this information can be found under Google Account > Security; scroll down to connections to third-party apps and services. On Apple devices, go to Settings > Apple Account > Sign in with Apple.
