The Smartphone Theft Prevention Act has been proposed primarily as a mechanism to reduce the growing theft of smartphones in the US, estimated at $30 billion a year. The hope is that this would also reduce the sometimes violent and deadly theft of these devices; a few cases have been profiled in the media, which serves to raise awareness and support for the bill.
In short, the bill is designed to prohibit the use of stolen devices, which would be rendered worthless to anyone but the owner once reported stolen to the carrier.
The premise of the bill is sound, the desire to reduce violence is both commendable and desirable, and despite carrier reluctance this technology already exists to some degree through current mobile device management solutions. Beyond the obvious benefit of reducing consumer costs associated with replacement devices, there is a potentially huge security implication, as this better positions the cell phone as a form of personal identity.
Using a cell phone as an extension of one’s identity is not a new idea. Near field communication (NFC) permits data exchange and contactless payments, and a variety of one-time password apps are available for most mobile platforms to enable two-factor authentication for banking and secure login. This past January the CTO for TeleSign, Charles McColgan, wrote about the cell phone number becoming more integrally linked to identity – but this is just the first step.
The phone number is just part of what ties a device to a user; depending on the technology used, the SIM, electronic serial number (ESN), mobile equipment identifier (MEID), or International Mobile Station Equipment Identity (IMEI) all serve to associate a device to an account. With a prospective federal law removing much of the risk of tying individuals to their phones, a new day may be dawning for not only personal identity, but for protecting consumers against fraudulent charges.
Today, many financial institutions use consumer buying habits and primary geographical regions to flag accounts for unusual activity and alert customers of potentially fraudulent charges. The primary issue with this technique is that it is often reactive, occurring only after a transaction happens at a far-flung point of sale. While the consumer is protected against the erroneous charge, a vendor or financial institution takes a loss which is ultimately passed along to all consumers through higher costs. This is where a cellular device, with built-in GPS or cell tower triangulation, can come to the forefront of fraud prevention.
Security experts recommend multiple factors of authentication for added protection with banking and other sensitive accounts. This solution is typically comprised of a combination of three authentication categories: something one knows, such as the traditional username and password; something one has, such as a passport, license or phone; and something one is, think fingerprints or a retinal scan. Adding a new category to this group, where a person (and their phone) is located, increases the complexity further and helps break the chain of deception by distant thieves.
Want a possible scenario? An individual associates their phone with their credit card account, and when they make purchases using their card, the company compares the phone’s current location (or its last known location) against the point of sale. So a purchase made in their hometown would be fine, one in a neighboring town an hour later – fine, but the next transaction an hour later from across the country would be denied.
Additionally, if the phone indicates the individual was some distance away from his or her primary address, say 100 miles, a banking app could prompt them with a security question challenge requiring a response, with the correct reply leading to an approved purchase. A text message verification or secondary phone app solution would be beneficial for online transactions as well, limiting the value of credit card data alone. These solutions already exist in some form today, so these scenarios merely extend proven cell phone technology, but with fewer identity risks.
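The two paragraphs above sketch a decision procedure: compare the phone’s last known position with the point of sale, reject purchases that imply impossible travel, and step up to a challenge question when the cardholder is far from home. The following Python is an added example written for this post, not code from the author or from any bank; the 600 mph travel ceiling, the 25-mile tolerance and the city coordinates are constructed assumptions, and only the 100-mile challenge radius comes from the text. It replays the hometown / neighboring town / across-the-country sequence and shows which rule fires at each step.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_MILES = 3958.8
# Assumed policy thresholds (only the 100-mile figure comes from the article).
CHALLENGE_RADIUS_MILES = 100.0   # farther than this from home -> security-question challenge
MAX_TRAVEL_MPH = 600.0           # fastest plausible travel between two points (airline speed)
LOCAL_SLACK_MILES = 25.0         # tolerance for GPS / cell-tower error and metro-area size


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float


@dataclass(frozen=True)
class Event:
    """A timestamped position: a card swipe at a point of sale, or a phone location fix."""
    when: datetime
    where: Location


def distance_miles(a: Location, b: Location) -> float:
    """Great-circle distance between two points (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def reachable(a: Event, b: Event) -> bool:
    """Impossible-travel test: could one person plausibly have been at both events?"""
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    return distance_miles(a.where, b.where) <= LOCAL_SLACK_MILES + MAX_TRAVEL_MPH * hours


def screen(tx: Event, phone: Event, home: Location, prev_tx: Optional[Event] = None) -> str:
    """Decide 'approve', 'challenge' or 'deny' for a card-present transaction.

    tx      - the purchase being authorised (time + point-of-sale location)
    phone   - the account holder's most recent phone location fix
    home    - the cardholder's primary address
    prev_tx - the previous approved purchase on this card, if any
    """
    # Rule 1: the phone's last known position must plausibly coincide with the POS.
    if not reachable(phone, tx):
        return "deny"
    # Rule 2: the card cannot have travelled impossibly fast since the last purchase.
    if prev_tx is not None and not reachable(prev_tx, tx):
        return "deny"
    # Rule 3: legitimate but far from home -> step-up challenge rather than a silent approve.
    if distance_miles(tx.where, home) > CHALLENGE_RADIUS_MILES:
        return "challenge"
    return "approve"


def article_scenario() -> List[str]:
    """Replay the article's example with constructed data: a purchase at home,
    one in a neighboring town an hour later, then one across the country an
    hour after that while the phone is still in the neighboring town."""
    home = Location(30.69, -88.04)        # constructed: Mobile, AL
    nearby = Location(30.42, -87.22)      # constructed: Pensacola, FL (~50 miles away)
    far = Location(34.05, -118.24)        # constructed: Los Angeles, CA
    t0 = datetime(2014, 3, 1, 12, 0)

    purchases = [Event(t0, home),
                 Event(t0 + timedelta(hours=1), nearby),
                 Event(t0 + timedelta(hours=2), far)]
    # Phone fixes: the owner (and phone) went to the neighboring town and stayed there.
    phone_fixes = [Event(t0, home),
                   Event(t0 + timedelta(hours=1), nearby),
                   Event(t0 + timedelta(hours=2), nearby)]

    decisions = []
    prev = None
    for tx, fix in zip(purchases, phone_fixes):
        verdict = screen(tx, fix, home, prev)
        decisions.append(verdict)
        if verdict != "deny":
            prev = tx   # only approved purchases anchor the next velocity check
    return decisions


if __name__ == "__main__":
    print(article_scenario())  # ['approve', 'approve', 'deny']
```

The third purchase is refused by rule 1 (the phone is in Pensacola, not Los Angeles) and would also fail rule 2 on its own, so a thief holding only the card data cannot satisfy the check. A cardholder who genuinely travels, phone in hand, passes rules 1 and 2 and instead receives the 100-mile challenge from rule 3, which is the step-up prompt the text describes.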
Privacy concerns spring to mind of course, but how much additional data would really be mined? Many smart phone users freely share personal data and enable location services on social networking apps, parking helpers, map and navigation apps, and restaurant and services locators. Entrusting a company one currently relies on for financial services with an actual location at the time of a transaction is not all that intrusive. Consumers tell their financial institutions where they shop every time they purchase something; this just ensures it is really the account holder.
If this proposed bill becomes law, the phone could easily morph into the long-promised electronic wallet and improve consumer protection. One long-standing barrier to adoption has been the risk of a lost or stolen device being used to destroy one’s identity. With the proposed smart phone kill-switch mandate, this obstacle may finally be overcome.
About the Author: Brent Hutfless is the IT Director for Austal USA, a defense shipbuilder located in Mobile, AL. Brent has twenty years of progressive experience and leadership in technology and security within service, healthcare, education and training, and manufacturing environments, with a concentration in defense-related industries. He currently holds CISSP and GSLC security certifications, serves on the Gulf Coast Industrial Security Awareness Council board and is the membership chair for the Panama City chapter of (ISC)2. Brent is a contributing writer for several editions of a health informatics textbook, and taught medical informatics and health records topics at the University of West Florida. He can be found on LinkedIn at http://www.linkedin.com/in/hutfless/ and you can follow his ramblings on Twitter under @Ironcars, where he talks about cars, technology, and security issues.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.