Smart phone security: Beware the Swisha Splash Boys

If you are a federal employee in the D.C. area, there is a good chance you take the Metro. If you are like many people on the Metro, you probably have some type of smart device with you, often reading from it while in transit in or out of the city. In other cities with subways, the scenario is pretty much the same.

I always take note when I am on the Metro of the ratio of paper media to electronic devices in use. I am a member of the media, and the media is a changing world. A great place to survey that changing world is while people are in transit – it is a captive audience trying to stay productive or stave off boredom between work and home. There is still a healthy dose of books and newspapers, but the electronic world is equally prevalent on the Metro these days.

There is also a fairly good chance that you purchased your smart device (smart phone, iPad, tablet or e-reader) with the intention of being able to use it for both work and play. The buzz-phrase for this is “the consumerization of IT,” and just about every CIO in the federal government or private enterprise is dealing with employees demanding that their shiny new devices be able to work within the enterprise infrastructure.

Mobile security professionals often ask “What if your phone is lost, stolen or somehow your data is breached via hack or leak?” There is a small army of developers and companies working on mobile security solutions. That is all very well and good from an outsider or employee theoretical perspective. Most employees, unlike their respective IT departments, do not think about security until it actually becomes an issue or they do something terribly wrong.

Then, some young man with "freakishly large lips" grabs your smart phone out of your hands while you are on the Metro and jumps out the door as the train comes to a stop.

It happens in D.C. A lot. According to a report from local news website TBD.com, it happens every single day.

This is what keeps the security guy in your IT department up at night.

TBD reports that police arrested a young man caught jumping fare at a Metro station and then learned that he was in possession of an iPhone stolen from a coffee shop near Metro Center earlier that day. The young man worked in conjunction with other young men who called themselves the Swisha Splash Boys -- a cool name for some bad guys. The report says that there is a good chance that these phones are being wiped clean, provided a new SIM card and resold.

My question: What if they are not?

What if these would-be snatchers actually knew what secrets you were keeping on your phone and the value that information could have on the market? What if you had the personal address and home line of the secretary of your agency on your phone? That is valuable information. The kid who stole your phone may not know that, but the person he sells it to next might. It is a short jump from trafficking in stolen hardware to trafficking in stolen data.

Next thing you know, you are the central figure in a whole new Veterans Affairs Department 2006 lost-laptop type of incident. That cost the VA $20 million. Or maybe you're involved in some type of WikiLeak. Or worse.

The lesson, of course, is not just to secure your phone, nor is it to be careful when you are sticking your device in the air in front of you on the train to read the New York Times. It is to be cognizant of the information that you retain on your person, be it your briefcase, backpack or, in the case of these Metro bandits, your smart phone.