A modern smartphone knows a lot about its owner – and will know even more in the future. Whether it’s credit cards, health and insurance data, location information, car or apartment keys, airline tickets, or soon even official documents such as driver’s licenses and ID cards: smartphones are already increasingly replacing the collection of plastic cards in our wallets and will probably make them dispensable in the near future. So, what should we as users keep in mind in the future to ensure that no unauthorized persons gain access to the devices and misuse our digital fingerprint?
The smartphone as an archive of important IDs, payment data and documents
For many people, it would be an enormous relief in their everyday lives: Just use your cell phone, and all kinds of data, such as health insurance, digital patient files, or wallets are immediately available. The days when cards could no longer be read because they were kept permanently in the wallet, or were simply forgotten at home, would be over. The smartphone would have all the relevant information and would always be at hand. Usage of a smartphone as an ID document is planned for summer 2021 in Germany. Austria is already one step ahead. Starting from spring, people will be able to carry their driver’s license on their mobile device. The necessary changes to the law were passed by the Council of Ministers in November last year. However, many users are still unaware of the amount of personal data that a smartphone already tracks and stores.
What does a smartphone know about its owner?
- credit cards and payment data
- health and health insurance data
- contact data
- smartphone usage
- location data
- travel and leisure documents (concert tickets, airline tickets, hotel bookings)
- web behavior
- car keys and vehicle information (rental cars, private cars)
- photos and videos
- smart home (apartment keys, heating and lighting controls)
- social media
- insurance policies
- ID card data
The list clearly shows how much information a smartphone tracks and combines. Some of these points may not be so significant when viewed individually. But if an unauthorized person gains access to the device and to the information, they can also gain access to the owner’s entire digital identity and could misuse it for their own purposes.
From this point of view, it is important to secure the mobile device so that third parties are not able to gain access. Biometric authentication via face or fingerprint is standard on most modern smartphones. Nevertheless, the user should not neglect to keep the operating system up to date, otherwise the best prevention will be useless.
Update situation is a weak spot
The proportion of overdue and/or missed updates has improved in recent years, especially for smartphones with Android operating systems. In the past, it happened that some manufacturers did not even provide top models with updates after one year. That is fortunately no longer the case, but there are glaring gaps between Google devices and devices from other vendors. It is still difficult for users to keep track, especially before buying a new device. Vendors often have a large number of models in their portfolio with different update plans: Top models, for example, receive monthly security updates, whereas mid-range devices are only provided with updates once a quarter. Another problem was that numerous manufacturers offered their smartphones with outdated Android versions. In this case, Google changed their policy last year, so that manufacturers’ newly announced smartphones have to run at least Android 10.
Apple’s strategy is different: Older iPhone models are kept up to date for a long time and regularly provided with updates. Users can also transparently see when a device will go into end of life. Apple devices are supplied with the latest iOS versions for about four to five years. For example, even 5 years later the iPhone 6s from 2015 is receiving the update to iOS 14.
Security of access and authentication is crucial
If the smartphone is to replace the analog wallet, IT security on these devices must be top priority. To avoid PIN or password chaos for authentication, biometric authentication is, of course, a convenient alternative. However, the question is whether this protection layer is enough. In Germany, around a quarter of a million cell phones are stolen every year. The statistics show not only how important it is to secure communication, but also to make authentication on these devices tamper-proof.
Many apps that rely on biometrics to log in users require at least Android version 6. Starting from this version, an implementation standard for authentication via fingerprint is included. Google specified several requirements for this in its “Compatibility Definition Document”. However, there have been repeated reports that facial recognition could be faked. Often, a photo was enough to unlock the devices. Why is facial recognition so susceptible to fraud? It is due to the hardware of many smartphones. Secure devices rely on e.g. infrared technology for face scanning and are able to recognize and process three-dimensional facial features.
Prevention is better than aftercare
The Covid-19 pandemic has given digitalization an enormous boost. Administrative procedures that can be completed using a smartphone or computer are not new, but suddenly they are more relevant than ever. It will be crucial to increase trust on the user side here, while at the same time making online services available conveniently and, most of all, securely. Especially when it comes to IT security in authentication, it would be important to develop standards. As long as this standard is not foreseeable, users should look carefully before buying a smartphone. How long will there be security updates for the device? If biometrics methods replace passwords and PINs, a fingerprint scanner is a good choice, especially for Android devices. If facial recognition is also to be included, buyers should take a closer look at the technical equipment beforehand.
Christian Lueg is PR Manager at ESET Deutschland GmbH. He has been working in the IT and especially the IT security industry for almost a decade. With a soft spot for technology, he started as an IT journalist at a computer magazine.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.