Good Samaritans are few and far between when it comes to lost cell phones, according to the conclusions of a social experiment conducted by security firm Symantec. Smart phones are unlikely to be returned by those who find them, but very likely to be perused for sensitive data including photos, social media applications and banking applications.
The Smartphone Honey Stick Project seeded public spaces in various cities with 50 smart phones, each loaded with tempting, albeit fake, personal and corporate data. The phones were equipped with spyware devices so that they could be easily monitored. Only half of those who found the phones made any attempt to contact the phones’ legitimate owners. All but two phones (96%) were accessed by their finder in some way, Symantec found.
The digital bait entered into the phones included personal photos, social media apps, a file labeled ‘passwords,’ human resource salary and case study information, remote admin apps, corporate email, and banking apps or other access to financial information.
That bait proved tempting. Out of all the ‘lost’ phones, 89 percent had personal data accessed, 83 percent had corporate data accessed, and 70 percent had both personal and corporate data accessed. Finders attempted to access banking apps 43 percent of the time and the ‘saved passwords’ file 57 percent of the time.
Ten phones were ‘lost’ in highly trafficked, publicly accessible locations in each of the following cities: Los Angeles, San Francisco, Washington D.C., New York, and Ottawa. New Yorkers were the least likely to return lost phones (30 percent returned them in the study). Their friendly neighbors to the north, in Ottawa, were the most likely to return a lost phone (70 percent of Ottawans returned the lost phone).
Only five percent of the devices were not accessed after being moved from the locations where they were ‘lost.’
Symantec said that consumers should take simple steps, including password-protecting their phone and installing some sort of application that gives them the ability to locate and remotely wipe all data from the device in the event that it becomes lost.
We reached out to Symantec to inquire what, if any, personal data the finders entered into the devices they found, but Symantec told Threatpost via email that they hadn’t monitored that information.
Symantec made an infographic to accompany the study results, which you can find posted on our Tumblr.
Symantec also published a blog that summarizes their findings here.