It’s Time to Get Paranoid About Your Phone, Says This Security Expert

The FBI’s Internet Crime Complaint Center received nearly 56,000 reports related to personal data breaches in 2023. When the 2024 report comes out, that statistic will include me.

In April, I clicked on something I shouldn’t have, and presto, my life was turned upside down. The link installed malware on my desktop, allowing the perpetrators to control it from afar. These ghosts in my machine relegated me to watching helplessly as they seized control of my mouse and killed the volume on videos they didn’t much care for — like the one on how to rid your computer of hackers.

But that wasn’t the end of it. From my home computer, these intruders obtained my iCloud ID, which expanded their reach to my iPhone — to the point where they could prevent me from texting or using the internet.

I’ve never felt so vulnerable in my life.

One place I turned to for help was the Identity Theft Resource Center, in San Diego County. This nonprofit provides free, personalized plans to victims of a data breach. They’re used to hearing from Californians like me — among the states, California was No. 1 last year in terms of overall complaints and No. 6 per capita.

“One of the things we have learned over 25 years is that if you have that first indicator of compromise, there are probably more,” said James Lee, the organization’s chief operating officer. “And there are things you need to do to protect yourself.” In May, Lee testified on the topic before a Senate Commerce subcommittee, where he said, “We may, in fact, be at the very beginning of what is a golden age of identity crime.”

His organization now routinely sees victims with financial losses in the six- and seven-figures due largely to crypto and romance scams, in which fraudsters enter into an online relationship with someone for the sole purpose of inveigling money out of them. Probably not coincidentally, the rate of victims who have said in an annual survey conducted by the center that they have considered suicide has increased almost eight-fold, from a steady 2%–3% pre-2020 to 16% in 2023.

I recently spoke to Lee about the specific situation of somebody gaining unauthorized access to your phone, which is not something I thought could happen. Before it did, that is.

This interview has been edited for length and clarity.

Jon Brooks: One thing I realized during this episode: Literally everything is available through people’s phones now. Banking, health info, personal emails, contact info, sending money and buying things. Criminals having unfettered access to all that was truly frightening.

James Lee: Yes, we have to be far more protective of our phones than we are now. The level of paranoia has got to go up. This device is increasingly your lifeline. And we’re getting to the point where you’ve got all your credit cards and all your account access on it. Even your driver’s license and your passport, because we’re rapidly moving to that digital ID realm.

What are the things you should do to protect your phone?

The first thing you do when you get the phone is set up the biometric security and the lock screen. When you’re not using the phone, it will lock, and you have to use your finger or your face to unlock it. You can also unlock it using a PIN.

The second thing is to configure the device so you can turn it off at any time with the Find My applications for either Apple or Android. Those tools allow you to shut down the phone if you do lose it, which would help keep the bad guys from taking advantage of the fact that they now have your device.

And what are the immediate things you should do if your phone is lost, stolen or otherwise compromised?

If you know for a fact that your phone or other device has been taken by a criminal or even if you just leave it in an Uber or something, you can “brick” it — delete everything through the Find My function. Or if you think you have a chance of recovering the phone, you can turn it off through that and report it to your carrier so they can flag it on the network. If someone then attempts to add it to a new or existing account, it will trigger an alert and the phone will be blocked from the network.

Next, you change your passwords. (Preemptively, you might want to note what passwords will be the most important to change if you do lose the phone.) ID thieves are all about scale and speed, and if you throw up a roadblock, they’re going to leave you alone; they’ll just move on rather than try to dig in.

Is subscribing to an antivirus program useful, either for desktops or phones?

On desktops, if it helps you feel safe, yes. But most people don’t need separate antivirus protection because it’s built into their OS, browser and cloud-based software from mainstream software providers. One thing to keep in mind: It’s risky to download third-party software from a website unless it’s from one of the mainstream app markets or from a well-known and secure software company.

Phones and tablets are architecturally different from laptops and desktops and don’t need antivirus software at all.

The key to maintaining safe and secure software today is making sure you’ve configured the auto-update feature on all of your devices. Auto-updates are the reason you no longer need separate antivirus software. Though, you will need to double-check sometimes on certain apps and programs to make sure an update was installed.

Eventually, I got free of the hackers by going to the Apple Store and changing my Apple ID, the one I use to get into iCloud and download apps, etc.

Yes, in the Apple ecosystem, your Apple ID, which is also your iCloud credential, is the keys to the kingdom because it connects all your devices. So if that Apple ID was somewhere on your computer or device in a document online that was compromised, then somebody in this world of identity crime is immediately going to see its value because, with your Apple ID, they can get to anything on any of your devices — they can add, delete, change your configurations, privacy settings, passwords. The fix for all this is exactly what you did: You go to the Apple Store and change your Apple ID. If you lose control of your Google login, that can lead to similar bad outcomes — it’s actually more common to see Google credentials than Apple in ID marketplaces.

As discussed, I foolishly kept all my passwords on one page on Google Docs, which I thought would be safe. But if not in the cloud, where are you supposed to keep your passwords and login info?

That’s a great question, which we get all the time. We do ourselves a disservice in cybersecurity because we forget to update people. So you see a lot of advice that was great 10–15 years ago but not so much today. We used to tell people to never write down your passwords. You know what? It’s perfectly acceptable to write down your passwords. Just keep them somewhere where other people won’t see them.

The average person now has somewhere around a hundred different account passwords and logins to keep track of. That’s impossible for all but the rarest of individuals to remember. So, all of the browsers today have a password manager and password creation tool built in, where they have the ability to create a unique password and keep track of it. For most people, that’s fine. The browsers are some of the most secure software that exists. For people who need a little more protection or want a little more peace of mind, they can download a password manager.

These tools will also prevent you from having the same password on every account. People who try to avoid the issue of remembering all those passwords get in trouble with that: The bad guys know if they get one of our passwords, the chances are it’ll work on our other accounts. It’s very important that people pay attention to the issue of not reusing passwords. A lot of massive company data breaches are the result of somebody’s password being compromised.

Some victims of people infiltrating their phone or computer have reported there were no attempts to steal from their financial accounts, which was also the case in my incident.

The perpetrators are not really interested in your money; they’re interested in attacks they can automate or scale. Attacking individual by individual and taking their money out of their bank account or running up their credit cards would also increase the likelihood of getting caught. What they do depends on their ultimate motivation. If it’s purely financial, most likely, they’re harvesting your personal information to turn around and impersonate you by trying to open up a bank account where maybe they’re going to hide the money they’re stealing from other places. Or they’ll impersonate you to try to get a government benefit like unemployment or to get a credit card. These are things they can convert to cash quickly then move on to the next target. You won’t find out about it for months or years.

And now there’s also the element of nation-states collecting information purely for intelligence purposes and to test-drive the tools they have. In some of the largest data breaches the last few years, the information has never appeared in an identity marketplace. We know those were nation-state attacks, and we know they were done for the purpose of gathering information about where people travel and if they could be co-opted or used to gather information for espionage or intelligence. There are also countries who are very skilled at using these techniques to gather information about businesses for the purpose of gaining competitive advantages. So, the kinds of attack you and others have experienced could very well be executed by nation-states.

Recently, I was at two different phone stores where I heard customers who failed these intricate tests about their personal information, which their cell providers were requiring in order for them to regain access to their accounts. These people just couldn’t remember what sounded like fairly obscure details about their past financial transactions or long-ago residences. Has digital security gotten too complex for the average consumer?

Actually, yes. That’s a general trend that’s frustrating and, in many cases, harmful. But it’s a direct result of the sheer volume of data breaches we’ve had over the years. The way we authenticate people by and large is by providing information, but that information has been compromised year after year after year. So it makes it very easy for the bad guys to impersonate someone and makes it difficult for the person who is the real individual to say, “Hey, that’s not me. I’m me.” This is probably most evident in wireless telecom because that tends to be one of the first places identity criminals go to take advantage of a stolen personality or to create what we call a synthetic identity. That’s where they might steal my Social Security number, your name and a third person’s address. Then, because of the way a business may verify you, it will allow that account to be opened, and the bad guys will actually pay the bill because the longer that identity is used without a problem, the more legitimate it becomes. Then they open other accounts, and eventually, they get to the point where that synthetic identity that’s taking advantage of three different people’s information becomes a real identity in the system we set up for our economy to function.

What do people frequently get wrong about protecting their cybersecurity?

Probably the most common misconception is “It will never happen to me.” Or “I don’t have anything a criminal would want.” The reality is everyone is at risk. Even if you are not the direct target, your information can be used any number of ways to commit an identity crime, from applying for government benefits to infiltrating a company or having their driver’s license information stolen in a data breach and then converted to a physical license with the criminal’s photo and description but the address and license number of the rightful owner. Driver’s licenses have become very valuable since the pandemic. In the last two years, because that credential is so good, entire state driver’s license databases have been stolen. We tend to view taking care of our cyber security as the responsibility of somebody else. The company will take care of me; the phone manufacturer will take care of me; the phone carrier will take care of me. My bank will take care of me. That’s all true to an extent. But we also have personal responsibility to make sure we’ve configured that phone correctly, that we keep our software updated. You know, we have to get much more comfortable in being active participants in our own protection than we have been historically. And that’s a culture change, which is tough.

Can you talk about the growing importance of what the industry calls “passkeys” — not passwords — when people log in to their accounts?

We’re entering this transition from passwords to passkeys, which is a device-based protection. Passkeys replace passwords with a token on your actual device. You’ll never see it, and you’ll have no access to it. How it works is once you open your phone or tablet or laptop, you authenticate yourself with a biometric like your face or your finger or maybe it’s a PIN code. Then, you can access accounts and services without further authentication.

So that means we have to be far more protective of our phones than we are today. If someone accesses your phone and all you have are passkeys, they can access everything you have if the phone isn’t locked.

So why, then, is the industry moving toward passkeys?

Because with a passkey, you cannot self-compromise, getting tricked into telling somebody your password as part of a phishing or social engineering attack. And because on the receiving end, there is no database sitting there with credentials. So somebody cannot break into the company, access the database and steal your login and password. Logging in becomes a much more secure transaction, and that will eliminate a lot of identity crime and data breaches. Google has already moved to this on all of its services. Uber uses it, too. But it’s going to take years to be fully implemented.

So, if I understand you right, using passkeys is a safer way to access your apps because there is no password that can be stolen. But it’s a double-edged sword because if somebody gains access to your phone, they could have the same easy no-password access to your data that you have.

Correct. Passwords and credentials are one of the first things the bad guys want because they have more value than even a Social Security number. In an identity marketplace, buyers get your Social Security number free, but your Gmail account may cost $60.

But while very effective in keeping remote thieves away from your data and accounts, passkeys make it very important that you use the security tools built into your phone or other device to keep criminals out.
