11:35 AM
Omer Eiferman
Commentary

Is Your Corporate Data Being Auctioned on eBay?

Researchers purchased 20 used Android phones to see what data they could retrieve using off-the-shelf recovery software. The results were astonishing.

The bring-your-own-device (BYOD) movement has turned enterprise mobile security into a never-ending game of "Whack-a-Mole," and one serious vulnerability has been poking its head out for too long. Antivirus software provider Avast noticed that more than 80,000 used smartphones are listed for sale on eBay every single day. Their researchers decided to purchase 20 used Android phones and see what data they could retrieve using off-the-shelf recovery software.

The results were astonishing. In July, Avast reported that it had recovered more than 40,000 photos, 750 emails and text messages, 250 contact names and email addresses, four previous owners’ identities, and one completed loan application. A thousand of the recovered photos included nudity. The built-in factory reset was clearly insufficient for deleting data. A cyber criminal would have had more than enough information to stalk, blackmail, or impersonate the previous owners.

Now that most people participate in workplace BYOD -- whether their employers permit it or not -- cyber criminals have tens of thousands of opportunities to scrape sensitive corporate data from personal devices sold on marketplaces like eBay. The combination of personal and corporate data could be used to orchestrate large-scale social engineering attacks. This risk calls for IT departments to help employees establish stricter separation between their personal and professional mobile lives. Specifically, a multi-persona approach to BYOD will help keep corporate data off public marketplaces.

Cyber criminal lead generation
Mobile devices are becoming a source of identity theft and corporate data leaks because they have become a "Swiss-Army Knife" for life and business.

Consider the extent of personal and corporate data that can blend on a smartphone. On one hand, we have text messages, emails, photos, videos, and voice memos that live on the phone. On the other hand, we may have multiple apps like Dropbox and Google Drive that allow us to conveniently download or upload information -- sometimes with the intention of getting information onto or off corporate systems.

For instance, we often use smartphones as scanners. Tons of people take pictures of their IDs and passports for applications or scan important documents with apps like Genius Scan. Remote or mobile employees, in particular, often don’t have access to scanning or fax machines and are therefore more likely to use a mobile device for copying, signing, and sending important work-related documents.

A device that blends personal data and corporate information would be a jackpot for cyber criminals targeting enterprises. They might have enough information to create convincing phishing emails or impersonate employees, much like the hackers that hit a French multinational last year and managed to wire company money to multiple offshore bank accounts. For criminals, buying used phones on eBay could become a form of lead generation.

Multi-persona + encryption
Clearly this is not a problem that can be solved with rules and policies. A laundry list of mobile “dos and don’ts” will be summarily ignored by employees. Carrying two devices -- one personal and one professional -- is impractical and expensive for the employer. Many mobile device management (MDM) and enterprise mobility management (EMM) solutions are also detested because employers can lock and wipe devices, blacklist apps, track communications, and geolocate devices. This is why we need to begin dividing mobile devices into multiple personas at the operating system level, the deepest level possible.

We need to combine this multi-persona approach with encryption, the most effective way to protect sensitive data. Even if the factory reset is incomplete and a phone goes on eBay with leftover data, criminals would have a very difficult time accessing encrypted data. However, with a single-persona smartphone (one login), employees would need to encrypt everything on the device to protect anything. Every time they want to check the weather or answer a text, they would have to plug in a long, complicated password. A multi-persona approach, with multiple personal and professional personas, would allow them to apply encryption selectively.

When an employee first purchases a smartphone, he could, for instance, create four personas: one for generic personal use, one for healthcare and finance, one for work, and one for the kid’s games. He could encrypt the healthcare/finance persona and work persona, so no matter where he leaves the device or how well he wipes it before selling, that sensitive data couldn’t be viewed. He could still check text messages with no password or a very short one.
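The selective-encryption argument above, as an added illustration that is not Cellrox's or Avast's code: a simulated flash image in which a "quick" factory reset clears only the file table, a carving routine recovers the plaintext persona, and the work persona stays unreadable because its per-persona key was discarded with the phone. The SHA-256 counter-mode keystream is a standard-library stand-in for the platform's real file encryption, and every persona, key and message value is constructed for the demo.

```python
import hashlib
import os
import re

def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stdlib stand-in for real file encryption."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])

def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

class Flash:
    """Toy NAND image: raw cells plus a file table persona -> (offset, length)."""
    def __init__(self, size: int = 4096):
        self.cells = bytearray(size)
        self.table = {}
        self.next_free = 0

    def write(self, persona: str, data: bytes) -> None:
        off = self.next_free
        self.cells[off:off + len(data)] = data
        self.table[persona] = (off, len(data))
        self.next_free += len(data)

def quick_factory_reset(flash: Flash) -> None:
    """Model a reset that drops the file table but never overwrites the cells."""
    flash.table.clear()

def carve_strings(flash: Flash, min_len: int = 8) -> list:
    """What off-the-shelf recovery tools do: pull printable runs from raw cells."""
    return re.findall(rb"[ -~]{%d,}" % min_len, bytes(flash.cells))

def sell_phone_after_reset() -> list:
    """Two personas, one encrypted; reset, discard the work key, then carve."""
    flash = Flash()
    work_key = os.urandom(32)  # per-persona key, constructed for the demo
    flash.write("personal", b"SMS: pick up milk at 6pm")  # constructed
    flash.write("work", encrypt(work_key, b"Loan application for J. Doe"))  # constructed
    quick_factory_reset(flash)
    del work_key  # crypto-erase: without the key the leftover cells are noise
    return carve_strings(flash)
```

The personal SMS is carved back out of the image intact; the work persona's bytes are still physically there but yield nothing meaningful, which is exactly the property the encrypted-persona design relies on.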

Lifecycle security
The takeaway from the Avast study is clear: In a BYOD environment, corporate data will be exposed long after employees resell, donate, or otherwise discard their smartphones. IT can write out policies, cross its fingers, and hope that employees wipe their data using specialized programs. Or they can use a multi-persona approach to ensure that sensitive data remains encrypted throughout the device lifecycle -- and they can do this without imposing on employee privacy and personal data. Indeed, employees will likely take advantage of multiple personas to protect their identities and organize their personal data.

We don’t need to "take control" of employee devices. We don’t need to stop selling old phones on eBay. We just need BYOD solutions that correspond with the way people actually live and work.

Omer Eiferman is the CEO of Cellrox and former pilot in the Israeli Air Force. He is a graduate of Bar-Ilan University with a degree in Computer Science and Statistics. Prior to Cellrox, Omer served in a variety of marketing, development and product management roles in ...

Comments
pudnhead
User Rank: Apprentice
9/3/2014 | 6:09:44 AM
more than just cell phones
Mobile phones are definitely a major danger to companies. However, all used technology contains company data, unless it is completely erased. For instance, one of the news shows did an investigation of used office copiers. Today, as you know, most copy machines are also scanners. Even though the copiers were being resold and supposedly "wiped" clean, most still contained thousands of scanned documents.
Byurcan
User Rank: Author
9/3/2014 | 8:53:14 AM
Re: more than just cell phones
That's a good point we don't often think of. We usually think of mobile devices as being security concerns, but even something as seemingly innocuous as a copier can also be compromised.
pudnhead
User Rank: Apprentice
9/4/2014 | 6:28:19 AM
Re: more than just cell phones
The news program randomly picked three or four copiers from a company that resells the used machines...there were hundreds of machines in the warehouse. One copier was from a school and it had thousands of worksheets and tests (no big deal). The next copier was from a local government office where they handled property tax payments. There were thousands of tax invoices and canceled checks (big problem). And the third apparently came from a large corporation and was used by the company's HR department. There were thousands of documents that contained personal information, addresses, social security numbers (big problem).
Byurcan
User Rank: Author
9/4/2014 | 9:40:38 AM
Re: more than just cell phones
Thanks for the info, that's definitely something I would not have thought of.
Kelly22
User Rank: Author
9/4/2014 | 3:20:15 PM
Re: more than just cell phones
That's scary to hear and definitely something businesses should take into consideration. There's a lot of attention on the security of mobile devices right now - which is deserved, as shown in this article - but as you point out, security measures should be put in place for all devices that handle sensitive data.
Greg MacSweeney
User Rank: Author
9/3/2014 | 6:29:02 AM
Corporate data
Since corporate data seems to live on mobile devices, even after they are wiped clean, what can companies do? Yes, companies reset phones and clean the data, but some software allows criminals to dig deep into a phone's history.

For a large company managing thousands of mobile devices, what is the solution?
Byurcan
User Rank: Author
9/3/2014 | 8:50:20 AM
Re: Corporate data
Good point, and at this time there doesn't appear to be any quick answer.