My iPhone is the least valuable thing I carry. But I didn’t realise that until my iPhone was stolen (pick-pocketed in Barcelona).
The thief didn’t get my keys, passport or wallet. If he had taken any of those items then I would have been unable to start my car, unable to leave Spain, or unable to pay my hotel bill.
Instead, he stole my iPhone4, which basically meant I couldn’t call, email or tweet. Within three days of the theft I was using a replacement iPhone5 (free upgrade from O2), and all my family photos & apps were restored from an iTunes back-up.
What surprised me, and what I learnt from this experience, is that when I became a victim of smartphone crime I cared about the following things, in order of priority:
My wallet, passport and car keys are more important than being able to communicate with people or check mail. Being financially independent and being able to move freely are my fundamental basic needs.
Risk of password change on critical apps: I didn’t like the idea of anyone being able to use my phone to change my passwords on email or social networks. This is the fear of loss of control.
Risk of abuse: I didn’t like the idea of someone else sending out emails or tweets from my phone in my name. This is not a critical problem. Its more a risk of social embarrassment.
I didn’t like the idea of strangers looking at family photos & videos without my permission. Which is funny, because that’s practically the definition of Instagram and Facebook.
30 minutes after the crime I called O2 to cancel the account and order a replacement using my wife’s phone, and wiped the content of the iPhone4 remotely using the “Findmyphone” app on our iPad.
The next day I reset all passwords on all relevant services; signed out of every parallel session and disconnected all ‘apps’ that I’d previously granted access to services like Facebook, Twitter and Gmail.
I also swore I would always PIN protect my phone, from this point onwards, forever.
This experience has left me thinking seriously about two things:
I don’t know how I feel about initiatives like “mobile wallet” or “using my phone to open my car” or “using my phone to start my central heating” or “passbook” anymore.
I don’t know how my Mum is going to be able to do what I did if her phone is ever stolen. My mother is a metaphor for everyone else out there who doesn’t run a mobile consultancy and doesn’t have a PhD in Computer Science.
As the mobile phone takes on an increased role and responsibility in our lives then it follows that the phone becomes a bigger liability.
The liability exists on two levels. Firstly, we risk becoming severely incapacitated through the loss of the phone and, secondly, we risk becoming a victim of serious crimes carried out when someone accesses your phone.
Broadly speaking I like a good back-up plan. I like to leave my car keys and passport and a spare credit card in the hotel safe when I go out. That means if I do run into trouble then I’m not completely vulnerable.
New phone features like Passbook and Mobile Wallet give me more options for more back-up plans. Suddenly I can have multiple ways for paying for stuff: cash or card or by phone. Or multiple ways for travelling: boarding cards or electronic boarding cards.
There’s an argument that increasing the capability of a mobile phone is a good risk mitigation strategy against incapacitation.
But as the phone increases in importance and function there needs to be a corresponding and parallel set of mitigations against the second liability: the risk of becoming a victim of “phone crime”.
Preventing unauthorised “mobile approvals” are now critical areas of research and development. On a recent visit to Orange Labs in Caen, France, I was given a demo of a new “secure authorisation” system which was tied to the SIM card in my phone.
With this technology I would be able to authorise third party payments, transactions, or access to my personal data simply by tapping in a 4 digit PIN when prompted. The idea being that I would only have to remember this “one master PIN” to authorise transactions from multiple vendors.
It’s a good plan in theory. But in reality the SIM-PIN becomes yet another PIN I have to remember.
At this point in time I carry in my head six PINS: my phone; my credit and debit cards; my (multiple) online banking accounts. I just don’t know how many more PINs I will be able to remember.
The issue here is that the more security gates I have to pass through to use a high-value function on my phone then the less likely I am to find that experience “easy and simple”. If its not easy and simple then I’m not going to use it.
If I’m not going to use it then I don’t want the liability or risk of having it on my phone so that potentially someone else could hack it.
I’d like to see a phone authentication system developed which didn’t rely on my memory but which does uniquely identify me as the authorised user of the mobile-mini-computer in my jacket pocket.
Perhaps this means biometric identification. Or perhaps it means the creation of a physically separate “private key chip” hidden elsewhere: as a ring or a button.
Alternatively, perhaps the phone should go back to being a phone and nothing more. A cheap, small, unattractive, lump in my jacket. It won’t start my car or tell Google where I am in the world.
It won’t take photos of my family or tell me about special offers in stores. It won’t tell me what planet I’m looking at or buy me a coffee. Nor will it deliver bad-news emails when I’m on holiday. It would be a mono-function device that if I misplace it then, well, it just doesn’t matter.