Yahoo's Mayer gives phone passcodes a pass

Commentary: Yahoo CEO Marissa Mayer confesses that she doesn't use a passcode to protect her smartphone, which goes to show you how hard it is to get people to take reasonable precautions. But it's also an improper risk for a major corporate leader.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

No gasps were heard wafting up from the audience at TechCrunch Disrupt as Yahoo CEO Marissa Mayer admitted that she doesn't use a passcode to protect her smartphone, but there should have been.

"I don't have a passcode on my phone," she told Michael Arrington of TechCrunch during their on-stage interview on Wednesday in San Francisco.

Maybe that's not news to you, but I was surprised.

She implied that she was too busy to type in the passcode multiple times in a day, and that the new iPhone would be a good solution for her. "Building in some of these smart sensors into the phone is really exciting," she said, referring to the new iPhone 5S's new Touch ID fingerprint sensor.

Mayer is right, at least when it comes to Touch ID and basic security. The presence of the sensor is expected to lower the security barrier for iPhones by making it easier to unlock your phone and pay for apps. Very soon, as people are expected to upgrade their iPhones to the 5S or jump on an iPhone for the first time in the droves that they have in the past, the Touch ID sensor could become the first mobile fingerprint reader in the hands of millions of people.

And by placing the sensor in the hands of millions in such a short time, it has the potential to tear down the wall for biometric sensors of all kinds in mobile devices in the near future as Apple's competitors follow suit.

But unless Mayer uses her smartphone in an atypical manner -- meaning that she doesn't check e-mail on it, bank with it, or access the kind of sensitive personal information and accounts with it that most people do -- she's also copping to a major mistake.

Mobile security expert Jonathan Zdziarski said that it would take him only "five seconds" to "pair with it, load spyware, replace her banking apps with fake software to phish her passwords, sniff her packet data, redirect her APN (Access Point Name) to a proxy, and access all of her content wirelessly for as long as I like including her app data, contacts, SMS, photo reel, and location data, and without her knowledge."

"And all that without a jailbreak," he added.

Zdziarski wasn't the only expert who was shocked. Chris Wysopal, Veracode's chief technology officer and information security expert, said that Mayer's failure to use even a four-digit PIN is a "very bad" policy.

"What if she loses it in a cab? All that Yahoo corporate e-mail and attachments would be exposed to anyone who finds it," Wysopal said. "A four-digit PIN is a reasonable compromise between security and convenience."

We don't have to look further than Mayer's own words to see why she refuses to use even a simple PIN code to protect her phone or tablet.

"I just can't do this passcode thing 15 times a day," Mayer told Arrington.

At TechCrunch Disrupt in San Francisco, Yahoo CEO Marissa Mayer explains why she doesn't like using a passcode on her smartphone and why she's a fan of fingerprint sensors. CNET

Assuming that Mayer uses her phone to keep tabs on critical information as many people do, to answer e-mail, take photos of our families, open work documents, communicate with friends and colleagues, and check on our bank accounts, Mayer's attitude toward security is sadly arrogant.

It's a massive risk for any company that employs a senior executive who refuses to implement basic security protocol. Senior executives, who handle sensitive corporate information at a level to which few others in a given company have access, ought to be subject to at least the same security protocol as their employees 15 steps down the corporate ladder.

It's possible, of course, that Mayer is not using her phone as most of us do. Maybe she only checks her e-mail and opens attachments on her laptop, protected with a two-factor authentication USB key.

"Perhaps she feels the personal slowdown is more costly than it would be if someone stole her phone and got whatever data was on it," said Jeremiah Grossman, chief technical officer at WhiteHat Security. "So, that's the risk tradeoff. Given her role, I'm not sure she is wrong either."

The uneven relationship between security and convenience, often heavily tilted toward security, is one of the most common consumer complaints about how to keep your data and devices secure. The Touch ID could be the beginning of another sea change in the security world, as biometric sensors become the kind of common identity authentication mechanisms that society has hoped and feared will some day replace passwords.

"It doesn't really matter which answer is right," Zdziarski said. "I wouldn't want her in charge of my company's big data decisions."

Eventually, and it looks like much sooner rather than later, Mayer might be right. But for right now, I'll side with Zdziarski: if you're not protecting your phone with even a simple passcode, you're taking an unnecessary risk.