
Essential steps for securing your phone, and what else can be done to foil thieves

As smartphone theft grows, handset owners need to do all they can to secure their devices. Read the steps you can take and find out just what else the industry is, and is not, doing.

Kent German Former senior managing editor / features
Kent was a senior managing editor at CNET News. A veteran of CNET since 2003, he reviewed the first iPhone and worked in both the London and San Francisco offices. When not working, he's planning his next vacation, walking his dog or watching planes land at the airport (yes, really).

It could happen to you any time, or maybe it already has: You're on the bus playing Angry Birds or browsing Facebook on your phone, when someone snatches your handset, sliding out the closing doors and slipping away into the crowd. Or, worse, a thief takes your phone from you at gunpoint. However it happens, there's no recourse. Your phone is gone, and while you always can buy another handset, all your personal information now lives in the hands of a criminal, petty or otherwise.

According to the San Francisco Police Department, more than 50 percent of the robberies that occurred in the city in 2012 involved the theft of a smartphone (the robberies are referred to as "Apple Picking"). That's nothing to discount, and remember that the SFPD only tracks data for crimes that were reported. The fate of your phone after it's stolen could be just about anything. A thief may keep it himself, she may sell it to a friend or an unsuspecting buyer on eBay, or it may have been stolen only for the parts. Other phones may even be smuggled out of the country where they can fetch a premium price in developing markets. For more on that market, check out this comprehensive story from Huffington Post.

That's why if you own a smartphone and bravely brandish it on the street or the train, it's essential that you take every step necessary to protect your data from thieves, and to track and manage your smartphone once it's gone. In this feature, I've described the essential security features available for each smartphone operating system and the major US carriers. Also, read Jessica Dolcourt's smart tips for safe phone use in public. The wireless industry is taking some steps to confront phone theft like the creation of a national phone "blacklist," but that's as far as it's willing to go for now. Some law enforcement agencies, particularly those in San Francisco and New York state, want a "kill switch" that would essentially brick a phone, but carriers and OEMs are balking at that idea. I'll discuss both issues in more detail below.

Before I begin
First, there are a few things that you should know. In the first section, I've divided each operating system into two parts: the basic security features for preventing data theft that come on smartphones running that OS, and the more sophisticated app-based services available for tracking and wiping a device. Note also that I purposely did not include any third-party security apps. Though such titles exist, and many will do the job quite well, my intent is to focus on the default solutions that are either already on a handset, or officially endorsed by an OS provider.

Also, keep in mind that no security feature is completely foolproof. A sophisticated thief with the right equipment may be able to bypass any security measure. What's more, there's always the chance that a thief is stealing your phone just for parts, and has no intention of reusing it. In that case, a password isn't going to stop him from just taking it apart.

iOS

Preventing data theft and casual hacking

Lock code
You can use either a four-digit number (a "simple passcode") or a longer "complex passcode" of case-sensitive letters, numbers, spaces, and characters. And if you prefer, you can activate a feature where entering a passcode incorrectly 10 times will wipe the phone. The iPhone 5S has the same passcode features, with an added Touch ID fingerprint scanner.

Lock screen features
This is important. iOS can give you access to some features without entering your lock code. Though sensitive personal information is not accessible, you can use some functions of Siri, such as placing a voice call or sending a text message, as well as reply to a missed call with a canned text message. Though you might find those shortcuts convenient, your handset will be more secure if you turn them off. Go to Settings > General > Passcode Lock.

Similarly, you'll also need to turn off access to the Control Center and the Notification Center from your lock screen. To get there, go to Settings > Control Center, and Settings > Notification Center.

Tracking and wiping your phone

Find My iPhone
This feature enables you to track, manage, and secure your phone once it's missing. To use it, you'll first need an iCloud account, though you do not need to sync any of your data, like e-mail and contacts, to the cloud. After you're set up, then go to the iCloud page of your iPhone's Settings and slide the Find My iPhone toggle to on.

After you sign into your iCloud account, click on the Find My iPhone option. Screenshot by Kent German/CNET

Once your phone has been stolen, the first step is to sign on to iCloud.com or use the free Find My iPhone app on another iOS device. Once in, you'll be able to find your device on an Apple map, but only if it is connected to a cellular or public Wi-Fi network (both secure and not). If the phone is connected just to a hidden Wi-Fi network (that is, one that does not appear in your handset's list of available networks), you may not be able to track it. Other restrictions also apply, but I'll get to those later.

After locating your phone and clicking on the icon, you can do a number of things. The first is to make the phone play a sound at full volume for 2 minutes (even if it's in silent mode). As this step is more useful if you just happen to lose your phone in your sofa cushions, I'd advise not using it if you're certain that your handset is stolen. It just won't do a lot of good except annoy a thief. You also can erase your handset completely, but this step is rather premature. Instead, first try activating Lost Mode as soon as you can. Not only does it give you more options for controlling your phone, it also adds a stricter level of security.

The online interface for Find My iPhone. Screenshot by Kent German/CNET

Lost Mode
Lost Mode does a couple of things, the first of which is give you more features for controlling your device. To begin, if you haven't yet secured your device with a passcode (and, really, there's no reason why you shouldn't), you'll be able to select a four-digit simple passcode and lock the screen remotely. At the very least, that will prevent all but the most sophisticated thieves from accessing your personal information. Remember, though, that to make your phone as secure as possible, you should have already deactivated lock screen access to the features I mentioned previously.

The next step is to send a custom message to your handset's lock screen that can't be erased. You can write whatever you want, from your name or phone number, to a plea to contact you, to a more colorful message telling thieves what you really think of them. The latter, however, probably isn't the wisest course of action.

Lost Mode also lets you see a history of your phone's location over the last 24 hours with points displayed as pins on the aforementioned map. Finally, if all hope is gone, you can erase your device completely. Once you erase it, you'll lose the ability to track it further, but your lock code and onscreen message will remain.

Comparing Security features by OS

| Feature | iOS | Android | Windows Phone |
| --- | --- | --- | --- |
| Mobile app | Yes | Yes | No |
| Device tracking | Yes | Yes | Yes |
| Remote wipe | Yes | Yes | Yes |
| Remote screen lock | Yes | Yes | Yes |
| Play a sound | Yes | Yes | Yes |
| Onscreen message | Yes | No | Yes |
| Prevent new activations | Yes | No | No |
| Lock code choices | 4-digit PIN or password | 4- to 17-digit PIN, password, pattern, or face unlock | 4- to 16-digit PIN only |
| Features accessible from lock screen | Siri (including placing a call, or sending a text), Notification and Control centers | Missed calls & text messages | None |

Activation Lock
Lost Mode also plays a role in Activation Lock, which is a new feature added in iOS 7. Built after Apple users rightfully complained that Find My iPhone wasn't comprehensive enough, Activation Lock tries to close the loop by preventing a thief from reusing your device after you've accepted that it's gone for good.

Running in the background from the moment you turn on Find My iPhone, Activation Lock pairs your Apple ID and password with the serial number of your handset in Apple's servers. Your ID and password are then required before anyone can turn off Find My iPhone on your handset, attempt to erase any data (that's assuming they aren't stopped by your password), reactivate your phone under a different account, or claim a new phone under your warranty. Activation Lock also remains in place if a thief tries to swap out your SIM card. If you happen to get your phone back and can't remember your password, you can retrieve it by calling Apple support and properly identifying yourself.

Now, the fine print
Don't forget that Find My iPhone only works as long as your device is online through your carrier's cellular network or Wi-Fi. If a thief turns off your phone or manages to activate Airplane Mode, you won't be able to track it. You can send commands to erase the phone, lock it, and add an onscreen message, but those commands won't be carried out until the phone reconnects. There may be a short gap between when a phone comes back online and when your request to erase it comes through, but setting a passcode ahead of time will keep a thief from accessing anything during that period.

The bottom line
Between Find My iPhone and Activation Lock, iOS has the most comprehensive solutions for protecting your phone (iPhones also are the most popular smartphone targets for thieves). As a result, though, you need to spend more time getting everything set up and running. And with so many features accessible from the lock screen by default, there's more responsibility on the user to lock down the phone as tightly as possible.

Android

Preventing data theft and casual hacking

Lock code
You can secure your handset with either a numerical PIN of four to 17 digits, a password of case-sensitive letters, numbers, and characters (but no spaces), or a pattern. If you use the latter, though, remember that a thief may be able to see your unlock pattern by following the finger smudges on your display. That's another reason why it's a good idea to wipe your handset's screen often. Android phones that run Jelly Bean and above also have the face unlock feature. That feature can be a kick, but it's definitely the less secure option. Beyond a lock code, the new HTC One Max has a fingerprint scanner.

Lock screen features
Like with iOS, Android will let you access some features from the lock screen. The list here is smaller -- just your missed calls and a preview of any missed texts -- but you must disable access by going to the Security page of the Settings menu.

Tracking and wiping your phone

Android Device Manager
Similar to Find My iPhone, Android Device Manager lets you control access to your phone if it's stolen. Activate the feature by going to the Google Settings menu and choosing the Android Device Manager option. Then, check the boxes for remotely locating, locking, and resetting your phone.

Locate your phone with Android Device Manager Screenshot by Kent German/CNET

To locate a lost device, you'll first need to sign on to the Android Device Manager site using your Google ID and password. Initially, Google didn't have a corresponding mobile app, but the company added one to Google Play on December 11, 2013. On both the Web site and the app, you'll see a list of all devices connected to your account. Clicking on each device will show you its location on a Google Map. Of course, the device must be connected to a cellular network or a public Wi-Fi or you won't be able to locate it.

Setting up Android's Face Unlock feature Screenshot by Kent German/CNET

The next set of options includes the ability to lock your phone with a new lock code, make it ring for 5 minutes at full volume (even if it's set to silent), and erase your handset completely. Though Android Device Manager does not have an official "Lost Mode," you still can take most of the same preventive measures that you can with iOS, except adding a message to your device's home screen (that option isn't available here). Android does not have its own version of Activation Lock, either, but such features are available through third-party apps.

Now, the fine print
Like with iOS, you won't be able to track a device that is powered down or offline. If you send any commands to the phone during that period, though, they also will be carried out when the handset reconnects. You will not be able to track a device after you wipe it, but you will be able to track it if the thief swaps out the SIM card. Also important: you can't wipe microSD cards remotely, only the phone's internal memory. So be careful what you store on a memory card.

The bottom line
Android delivers the essential protection features in an attractive, easy-to-use interface and it runs circles around its rivals with lock code options. Also, the later addition of the mobile app was a welcome change. On the other hand, the ability to add an onscreen message and a service comparable to Apple's Activation Lock would make Android Device Manager even more useful.

Windows Phone

Preventing data theft and casual hacking

Lock code
Though you can lock your phone only with a four- to 16-digit PIN, Exchange users can add a separate code to access their e-mail. Windows Phone does not make features accessible from the lock screen.

Tracking and wiping your phone

Find My Phone
As this feature is active from the moment you start using your handset, there's no separate setup process. Yet, you can choose to save your handset's location periodically on Microsoft's servers under the Find My Phone option in the Settings menu. Doing so will make it easier to find your device and track its movements. If your device is stolen, sign in to WindowsPhone.com using your Microsoft ID, select your handset from the drop-down menu at the top right of the page, and choose the "Find My Phone" app. Microsoft does not offer a companion Find My Phone mobile app.

Find My Phone has a plainer interface, but it's just as useful. Screenshot by Kent German/CNET

As long as your device has a cellular or public Wi-Fi connection, you'll see a Bing Map with your device's approximate location and three options. They include making it ring (even if it's in silent mode), erasing it completely, and locking it with a PIN. If you choose the latter, you also have the option to make the phone ring as it locks and add a message on the screen. Windows Phone does not have anything directly comparable to Apple's Activation Lock.

Now, the fine print
Here again, you won't be able to track a device that's off or not connected to the network. But, if you send any commands to the phone during that period, they will be carried out when the handset reconnects. Also, if you can't find your device right away, Microsoft's system will keep trying to locate it, which saves you from constantly refreshing the page. And if you wish, Microsoft will send you an e-mail when it pinpoints your device's location. Like with iOS and Android, you won't be able to track a device after you wipe it, but you will be able to track it if the thief swaps out the SIM card.

Find My Phone will send you an e-mail like this when it locates your device. Screenshot by Kent German/CNET

The bottom line
There's no setup process, and Windows Phone deserves praise for offering features that Android lacks (an onscreen message and the automated e-mails). Yet Microsoft needs to give customers a mobile app for Find My Phone and its own version of Activation Lock.

Carriers

All US carriers will suspend service to your phone once you report it as lost or stolen. When you make the report, the unique number that identifies your phone to the carrier (called an IMEI on a GSM phone, and an ESN on a CDMA phone) will be entered in a "blacklist." As a result, the network will reject service (calls and data) to any device if its IMEI or ESN is on the list (it would be able to access Wi-Fi, though). Also, since the IMEI on a GSM phone is independent from the SIM card, swapping the SIM for the same carrier would not make a difference. It's a different story if your handset is unlocked, but I'll get to that later.

Sprint, AT&T, and T-Mobile have partnered with third-party developers like Lookout Mobile Security and Asurion to either load tracking and protection apps directly on the handset, or to make them available for download. The apps are similar to Android Device Manager and Find My iPhone, though you'll need to purchase monthly insurance programs to use them.

Verizon Wireless does things a bit differently by offering its own branded app for controlling a handset once it's gone. Like with Big Red's carrier rivals, you'll need to subscribe to Verizon's Total Mobile Protection insurance program ($10 per month).

Verizon's security app has far more features for Android users. Screenshot by Kent German/CNET

The free app is available for both iOS and Android users (download it from the iOS app store or Google Play), but Android users get far more options. They'll be able to locate their handset on a map, sound an alarm, lock it, or wipe it completely. On the other hand, iOS users can only see their iPhone's last known location. As such, if you have an iPhone and are on Verizon, stick with Find My iPhone. It's free and has more features.

U.S. Cellular has its own app which is part of the carrier's Mobile Data Security Plan ($2.99 per month). Features include remote locate, wipe, and lock, and it's compatible with a long list of devices. MetroPCS' MetroGuard app is comparable, but costs $1 per month.

A national blacklist

As mentioned, individual carrier blacklists only go so far. If a thief unlocks an AT&T phone (or the handset is unlocked to begin with), for example, the IMEI of that device wouldn't be on record with T-Mobile. The CTIA, the wireless industry's lobbying group in Washington, D.C., worked with carriers to set up a nationwide blacklist that went into effect in October 2012, but it was limited to phones that used 3G networks (both CDMA and GSM). Granted, a thief probably won't bother stealing a non-3G phone, but you can't argue that the list was fully comprehensive.
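Added example (not from the original article and not any carrier's code): a simplified Python model of the IMEI-keyed blacklist check described above, showing why a SIM swap on the same carrier changes nothing while an unlocked phone slips past per-carrier lists unless a shared list is consulted. The carrier names, the `Carrier` class, and the sample IMEI values are constructed for illustration; the check-digit rule (Luhn) is the standard one for 15-digit IMEIs and is applied here to catch a mistyped theft report.

```python
# Added example: simplified model of IMEI-keyed blacklists (constructed, not carrier code).

def luhn_check_digit(body14: str) -> str:
    """Return the Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    # Walking right to left, the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def normalize_imei(raw: str) -> str:
    """Strip common separators; raise ValueError on bad length or check digit."""
    cleaned = raw.replace("-", "").replace(" ", "")
    if not (cleaned.isascii() and cleaned.isdigit() and len(cleaned) == 15):
        raise ValueError(f"malformed IMEI: {raw!r}")
    if luhn_check_digit(cleaned[:14]) != cleaned[14]:
        raise ValueError(f"IMEI check digit mismatch: {raw!r}")
    return cleaned


class Carrier:
    """Hypothetical carrier with its own blacklist and an optional shared one."""

    def __init__(self, name, shared_list=None):
        self.name = name
        self.own_list = set()
        self.shared_list = shared_list  # None: only the carrier's own list exists

    def report_stolen(self, imei: str) -> None:
        # Validate first so a typo never blacklists the wrong handset.
        imei = normalize_imei(imei)
        self.own_list.add(imei)
        if self.shared_list is not None:
            self.shared_list.add(imei)

    def attach(self, imei: str, sim_id: str) -> str:
        """Service decision. sim_id is never consulted: the list is keyed on the handset."""
        imei = normalize_imei(imei)
        if imei in self.own_list:
            return "reject: on carrier list"
        if self.shared_list is not None and imei in self.shared_list:
            return "reject: on shared list"
        return "accept"


def run_scenario(shared: bool) -> dict:
    """Report one handset stolen to Carrier A, then try three attach attempts."""
    registry = set() if shared else None
    carrier_a = Carrier("Carrier A", registry)
    carrier_b = Carrier("Carrier B", registry)
    body = "35000000000000"  # constructed 14-digit value, not a real device
    stolen = body + luhn_check_digit(body)
    carrier_a.report_stolen(stolen)
    return {
        "same carrier, original SIM": carrier_a.attach(stolen, sim_id="sim-1"),
        "same carrier, swapped SIM": carrier_a.attach(stolen, sim_id="sim-2"),
        "other carrier, unlocked": carrier_b.attach(stolen, sim_id="sim-3"),
    }


if __name__ == "__main__":
    for shared in (False, True):
        print("shared list" if shared else "per-carrier lists only")
        for case, result in run_scenario(shared).items():
            print(f"  {case}: {result}")
```
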

Fortunately, that list will be expanded to include all LTE devices by November 30, but even then some gaps will remain. First off, it won't include phones that don't have LTE. While that's a fast dwindling group, it doesn't include the iPhone 4, 4S, or the LG Nexus 4, among others. Also, though the CTIA says that 92 percent of US carriers are supporting the list, it won't cover prepaid customers regardless of carrier. Now, that's not a huge number, either, but as the industry moves away from the traditional contract model, the number of prepaid customers will grow.

A more pressing issue, however, is that a US-centric list does nothing to stop phones from being reactivated in other countries. Or as New York Attorney General Eric Schneiderman put it, "This is an international problem that demands an international solution."

The CTIA says that it supports an international list, but it stopped short of recommending a detailed plan for getting there. "We also need more countries and carriers to participate in the database so that when criminals try to sell them internationally, the stolen devices would be blacklisted and would not reactivate," said Jamie Hastings, the CTIA's vice president for external and state affairs, in a statement to CNET.

Is a 'kill switch' the answer?

The CTIA is not, however, signing onto the idea of a "kill switch" that some law enforcement officials support. Though San Francisco District Attorney George Gascón has not advocated for a specific technology or solution, he wants carriers to use a kill switch to remotely deactivate all features of a phone (possibly via a text message) and render it completely useless.

"The solutions we're demanding will eliminate the value of stolen devices on the secondary market," Gascón said in a statement to CNET. "We commonly refer to this technology as a kill switch, since it 'bricks' the central features of the phone, making its value equivalent to that of a paper weight. We know this technology exists."

Essentially, that's pretty much what Apple's Activation Lock already does. But Gascón wants carriers and manufacturers to put it on all phones and be more vocal about encouraging customers to use it.

"The only way thieves will stop robbing people for their devices is if they know there's no payoff," he said. "That's going to require a comprehensive deterrent that renders stolen devices useless."

But that's not how the CTIA or carriers see it. Though the organization would not provide CNET with a spokesperson to talk about the issue, it said via a position paper that a kill switch carries too many risks. For example, because the customer information and the related technology would be shared by multiple parties such as carriers and OS developers, there would be no way to keep it secret. As a result, anyone from terrorists to amateur hackers, to vengeful lovers and employees could steal and misuse the technology. What's more, if a customer happened to recover the device after using the kill switch, he or she wouldn't be able to use it again.

"Where mobile devices are permanently disabled by malicious use of a 'kill switch,' the safety of subscribers may be jeopardized as they will be unable to make emergency calls," the paper said. "Even if technically feasible to develop, a permanent kill switch has very serious risks."

Those are valid risks, but they may not be the whole story. In a CBS News story posted this morning, Gascón said that a kill switch would eat into the revenue that carriers make from customer insurance plans. Also today, the New York Times reported that carriers prevented Samsung from installing kill-switch-like technology in its smartphones.

As an alternative, the CTIA would support the Mobile Device Theft Deterrence Act of 2013 (S.1070). Introduced by Sen. Charles Schumer (D-NY), the legislation would impose a five-year criminal penalty for tampering with the IMEI or ESN of a cell phone. Changing the IMEI or ESN, which would allow a stolen phone to be reused, is a loophole that skilled thieves have begun to exploit.

"We strongly support and need Sen. Schumer's legislation to pass that would impose tough penalties on those who steal devices or modify them illegally since it would help dry up the market for those who traffic in stolen devices," said CTIA's Hastings. As of last May, though, the bill is still in the House Judiciary Committee and has not come up for a vote.

More could be done

If cell phone theft continues to grow, and (heaven forbid) becomes more violent, then perhaps the industry will be open to more solutions like a better blacklist. No industry, though, loves government regulation, so the chances of more happening are slim. The CTIA, in particular, will do what it can to stop anything resembling a kill switch. So, for now, smartphone users need to take care when using their devices in public, and take every available measure for securing and remotely managing their devices. And, if Google and Microsoft can develop comprehensive features like Activation Lock, then that will be even better. Because at least then, your phone may be gone, but you'll have the satisfaction of knowing that anyone else will have a hell of a time trying to use it.