Service providers must prioritize mobile security

With smartphone users facing all kinds of security threats, from malware and spam to unscrupulous reporters hacking voicemail accounts, it’s time for service providers to start making security a default option rather than something users must implement themselves.

So says online privacy researcher Christopher Soghoian, a Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University, who writes in an essay that major social networks, email providers, and cellcos “offer products with insecure default settings, needlessly exposing their customers to hacking, identity theft, and government surveillance.”
 
Soghoian points to companies like Verizon, which until recently was the only cellco in the US to require customers to enter a PIN to check voicemail. AT&T implemented a similar policy earlier this month. T-Mobile and Sprint only recommend that customers enable a PIN for voicemail checking.
 
Says Soghoian:
 
Voicemail hacking in the US is shockingly easy. By using free, Web-based services, anyone, regardless of technical skill, can "spoof" caller ID information and break into millions of vulnerable wireless accounts. […]

Shifting security decisions to the user means that the companies can avoid all blame. If only more of the company's subscribers would listen to vague advice regarding the PIN bypass feature, instead of foolishly trading security for convenience, then the problem of voicemail hacking would disappear.
 
Soghoian also says that web-based email providers should enable HTTPS by default to help users avoid having their accounts hacked. Google has been doing it for Gmail since 2010. Microsoft’s Hotmail still makes HTTPS opt-in.
 
To be sure, such default security options only protect against certain kinds of attacks. But without them, says Soghoian, the result is products and services that can be hacked in seconds with idiot-proof, freely available tools.

In possibly related news, a survey released this week by PayPal and City University of Hong Kong reveals that 70% of Hong Kongers use the same password for an average of seven online accounts, and 60% never update their passwords except when required. 67% of them are also interested in using phones as payment devices.