Fortifying Phones From Attackers
AT&T Hires Ph.Ds for Security Lab; Verizon Wireless Teams With Start-Up on Data-Security App
By SPENCER E. ANTE DECEMBER 22, 2010
As consumers and companies embrace smartphones to do more of their computing, the wireless industry is taking its first steps to beef up security on mobile devices.
Carriers are deploying new services and cutting deals with start-ups to help protect people from malicious attacks and misuse of their personal data stored on a smartphone. Meanwhile, handset makers and chip firms are taking steps to fortify their hardware as the number of attacks on mobile devices grows larger and more sophisticated.
Yea, right. The wireless companies really want to protect their customers... I have a Verizon phone that has been spam free for years, until a month ago. An obvious spam message (phishing, actually) showed up and I went to a Verizon store to complain. The clerk duly sent a "stop" message and said all was OK. At the end of the month I was charged for the spam message and the "stop" message. The good lad did show me how to block text messages from certain numbers, however.
A second obvious spam message was received a couple of weeks later. I tried to block it, but it came from a "list" that didn't have a 10 digit phone number, so it could not be blocked. It cost me two more text message charges. I complained to the store, but they didn't have any solution, except to send another text to stop the spam (and get charged for it).
So, it appears that wireless providers have a great source of revenue from spam, thus they don't want to stop it. My contract calls for per message charges. I don't mind the occasional note from my kids or a picture of my grandkids and paying the freight, but to have to pay for spam and a message to "try" to stop it is a load of stuff out of the south end of a north bound bull.
Wireless providers are really not interested in stopping illegal activity if they profit from it. If spam is OK, then personal info is clearly at risk.
My first cellphone required you to key in a number before it would place calls. This was to prevent accidental dials (it had an exposed keyboard). The number, though, was fixed (something like 1234). A great security feature would be to require a user to key in a PIN before "starting a session" on the phone except for receiving a call. My current phone has a PIN lock feature, but you have to go in and unlock, then relock the phone when you're done. It's a pain. It seems that it'd be real simple to have a user configurable PIN and a user configurable timeout. You could receive calls, but not make calls without starting the session with the PIN.
Do any phones have such a feature? It seems that it would largely limit the market for stolen cellphones.
My Samsung Captivate (aka Galaxy S) has two options. One is a SIM card lock. Upon bootup it requires a code to unlock the SIM (note: this is not the same as a carrier lock on the SIM). The second is a screensaver type password that can be a 4-digit code or a pattern. I ended up disabling both because they were annoying.
The SIM card lock on the surface seems to be the most secure. But since I carrier unlocked my phone all a thief would have to do is pop in a new SIM. I believe my existing SIM would continue to be locked, I never tested that. This would prevent my bill from being run up, but I would still be out a phone and my data.
The second option was simply annoying and the fingerprint smear patterns on my screen probably gave away or at least narrowed down the PIN/pattern. And I have to think a determined thief could easily circumvent this.
At the time of theft a thief isn't necessarily going to know if a given phone has a security feature or not. He's going to take it and figure it out later. For this reason I loaded Lookout which allows me to locate my phone and if needed, disable and wipe it.
On Sun, 26 Dec 2010 12:13:10 -0800, firstname.lastname@example.org wrote: ......
That was a standard feature on an old Ericsson GSM handset I had years ago (auto-lock after dialling but still be able to answer), I would imagine that you just have to hunt around to find a model/brand that still does something similar.
Pretty much all smartphones do this. Blackberry, iPhone, Droids, etc.
Phones with full keyboards even let you use passwords, not just a PIN. Blackberries reset and wipe their memory after 10 failed password attempts. However, the phone is not locked. It is simply in the same state it was when new. Your data is protected but the phone can be activated. I doubt a carrier won't activate a blank phone - after all, an activation means money.
I thought all modern phones had this feature, largely to protect personal information such as address/phone books, or to avoid someone using all your minutes.
My Blackberry 9700 has an optional (user-settable) phone password. You set a timeout and the phone automatically locks after that timeout: 1, 2, 5, 10, 15, 20, 30, 60 minutes (infinite is not a choice, but you can enable and disable the password without changing it). I'm not sure how long the password can be but
The problem is that, well the second problem is that... the cellular carriers have e-mail and other gateways to their systems, letting people, including spammers, send messages out at no cost to themselves.
(The first problem is the charge-for-each SMS that's the default with most carriers).
Typically the address to use is [phonenumber]-at-[modified-cellco-name]. For a made up example, you'd send an e-mail to: 5555555555[at]celco.example.com
Which, natch, means that a spammer will send to: 5555551000, 5555551001, ... 5555559999 [at] the domain...
My own cellular provider gives me a choice of either leaving the account open to e-mail/SMS of this sort, or to shut it off completely. They offer a semi-solution where I can replace my "phone number" in that gateway, so to speak, with an alternate name. So instead of 5555555555, I'd have five-five [at] (the domain).
The problem is that... while it would work for an e-mail correspondent, it makes things ugly for someone on another cellphone who has my number and wants to send a msg.
I've tried really, really, hard to get the cellco to offer what should be a simple solution set, namely:
a: leave the account wide open
b: only accept messages that originate from a valid other cellphone provider's network
c: only accept messages from their own subscribers.
They claim to not understand what I'm saying....
(While I don't routinely use SMS/e-mail, I'd like the option of receiving such messages on those periodic occasions where it would be useful).
happens to be T-Mobile. Don't know if other carriers have a similar choice.
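As an added example (not part of the original post, and not any carrier's code), this is how a gateway operator could flag the sequential-number sweep described above from its own mail log. The domain is the post's made-up celco.example.com; the log entries, sender names and the `min_run` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

GATEWAY_DOMAIN = "celco.example.com"  # made-up domain from the post
# Only all-digit local parts are enumerable; an alias such as "five-five" is not.
NUMERIC_RCPT = re.compile(r"^(\d{10})@" + re.escape(GATEWAY_DOMAIN) + r"$")

# Constructed gateway log: (envelope sender, recipient) pairs.
LOG = [("bulk@spam.example", f"555555{n}@{GATEWAY_DOMAIN}") for n in range(1000, 1008)]
LOG += [
    ("mom@mail.example", f"5555555555@{GATEWAY_DOMAIN}"),
    ("mom@mail.example", f"5555551234@{GATEWAY_DOMAIN}"),
    ("friend@mail.example", f"five-five@{GATEWAY_DOMAIN}"),  # alias address
]


def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    ordered = sorted(set(numbers))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def sweeping_senders(log, min_run=5):
    """Map each sender to its longest consecutive-number run, if >= min_run."""
    by_sender = defaultdict(list)
    for sender, rcpt in log:
        match = NUMERIC_RCPT.match(rcpt.lower())
        if match:  # alias recipients never match, so they cannot be swept
            by_sender[sender].append(int(match.group(1)))
    flagged = {}
    for sender, numbers in by_sender.items():
        run = longest_run(numbers)
        if run >= min_run:
            flagged[sender] = run
    return flagged


if __name__ == "__main__":
    for sender, run in sweeping_senders(LOG).items():
        print(f"{sender}: {run} consecutive numbers addressed")
```

Ordinary correspondents address a handful of unrelated numbers, so only the sender walking the number block is flagged.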
Note that even though this option is listed on the web page, lots of customers have complained it doesn't work. Oh, and the TM won't fix it.
I haven't set it up myself so can't vouch one way or another.
Quite so: T-Mobile's EmailFilters.aspx page has been broken, for me, for the T-Mo CC reps who've tried it thinking it might be working again, and for others complaining about it in the T-Mo Forums, since June, 2009 (!) -- and quite possibly even a bit longer. ETtR? Don't even ask :-) .