A quarter of smartphone owners don’t lock their devices because they don’t believe they have any data worth protecting. Even more refrain from doing it because they feel like it’s too much of a hassle.
That’s at least according to a new study carried out by six researchers, four from the University of California Berkeley and two from Google, that examines how many device owners choose to leave their phones locked versus unlocked – and why.
Authors behind the paper, “Are You Ready to Lock? Understanding User Motivations for Smartphone Locking Behaviors,” (.PDF) are set to discuss their research in a session at the ACM Conference on Computer and Communications Security in Scottsdale, Ariz. on Wednesday.
For the study the researchers sat 28 smartphone owners down to ask them questions about if and how they lock their phones.
While the researchers found users exercising a great deal of rational behavior – 70 percent of smartphone owners who locked their devices locked them as soon as they got them – they also discovered that many users fail to make the connection between security and privacy. Many users suffer a lapse in judgement when it comes to realizing how much sensitive information they store on the phone and the ramifications of if their phones were stolen.
Users who had implemented protection, PIN codes and patterns, to unlock their phones did so for logical reasons. Participants were worried about their privacy and locked their devices to prevent either friends or family from snooping.
Many of those who chose not to lock their phones simply lacked the desire to do so in the first place.
“The most common explanation was lack of motivation: they simply had not gotten around to setting it up, but were not averse to it,” the report states.
The researchers carried out an additional online experiment to try to quantify the risks those people were exposing themselves to and revealed that 35 percent of those users were leaving sensitive information, birth dates and even social security numbers, out for anyone who could access to the devices.
For the experiment – which was based on the fact that all 28 of the original interviewees always left the email on their smartphones logged in – the researchers asked 1000 participants to search through their email for personal information.
“While many of the interview participants who did not lock their devices had fewer applications installed, and therefore potentially less sensitive information, every participant’s smartphone still had access to email, which did not require additional authentication,” the researchers wrote, “Thus, it is possible that these email accounts might be a fruitful target for an attacker.”
At least in this situation, fruitful they were.
Three quarters of respondents were able to find their home addresses in their emails while almost half of the users were able to find their birth dates. To illustrate the dangers further, 20 percent were able to find their social security numbers, 26 percent their bank account numbers, 30 percent their email passwords and 16 percent their credit card numbers.
All of the users that participated in the experiment acknowledged that they used email on their phones, but the few realized how successful email accounts can be as an attack vector.
The researchers go on to point out that some passwords for bank accounts like Wells Fargo, Chase and Fidelity can be reset with a combination of some of those sensitive pieces of information while passwords for some banks, like Bank of America, can simply be reset via email.
Perhaps the more startling fact is that only six of the 28 participants the researchers sat down with in the initial study were concerned about the financial implications of a stolen phone. Five of them were concerned with a stranger accessing their banking information while only three were troubled with the idea of a criminal making charges on apps they installed like Amazon and Uber.
When all is said and done the researchers claim that while locking one’s phone may be beneficial for some, it doesn’t have to be an all-out stipulation. The paper acknowledges prior research that’s shown users spend on average an hour each month unlocking their phone – and ultimately the value of the resources may not be equal to the amount of time spent to protect them.
“Locking one’s device may not be a one-size-fits-all security practice…” the paper states, “while many users are likely to benefit from the practice, this may not be universal. Instead, systems need to be designed to accommodate some amount of nuance with regard to security policies, weighing user needs with risks.”
