Ten dangerous claims about smart phone security

Our columnist sees Barack Obama with that BlackBerry and shudders

1 2 3 4 5 Page 3
Page 3 of 5

5. E-mails and messages are secure from prying eyes.

Whoever controls your smart phone application server has access to your data. While smart phone service providers and software packages all provide a modicum of access control, administrators with root access can always get at your information if they want.

While your corporate IT department might not be spying on marketing on behalf of finance, Obama might want to take note that congressional IT organizations that serve both Democratic and Republican senators have had several incidents involving e-mail disclosures to other parties. In the midst of the Mark Foley scandal, it was interesting to note a person described in the media as a "Democratic operative" was able to retrieve and forward messages sent months earlier from a Republican representative's smart phone.

Know where messages and other data reside when sent from a smart phone. If service is provided by a neutral vendor, make sure you have a service-level agreement that considers whether your data may be commingled with other businesses -- possibly your competitors -- on the same systems. Those with specific competitive concerns ought to run their own systems using their own administrative staff. Obama would do well to use a device controlled by the Democratic National Committee or his own campaign, rather than one managed by Senate IT staff and easily influenced pages.

6. Using a mobile phone constitutes out-of-band communication.

A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?). This worked because the desk phone was isolated from the network and system resources to which you were being given access.

Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers? Of course not. Possession of the number means little if anything anymore, especially since most phones will allow answering of an incoming call even when locked. 

IT help desks should cross callbacks off the list of acceptable methods of identity verification for anything to do with mobile devices or remote access. The new BlackBerry Smart Card Reader is a viable option for those who need to authenticate using something they possess, and while similar options lag a little on other platforms, they are available.

1 2 3 4 5 Page 3
Page 3 of 5
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon