Security tips to use your phone as your wallet
Telstra security operations specialist Darren Pauli has spent nearly a year with his smartphone replacing a wallet – securely making payments for everyday items and services. There are some guidelines you should keep in mind if you’re considering doing the same.
Apple and Google have invested billions of dollars in information security, with the goal of making their phones harder to hack. The iPhone – with its closed iOS operating system and tight control over which apps can run and how updates are delivered – is the toughest target of all, but Google’s Android platform has come on in leaps and bounds from its anarchic past.
Google had no choice: over 80 percent of all phones sold in the last quarter of 2016 were powered by its Android platform.
Google’s effort means attacks that may have compromised thousands of users in recent years no longer work on updated phones, and it is now much harder and more expensive for attackers to get their malicious apps into official app stores.
Apple and Google, along with Microsoft, have also boosted security investment for services like Google Drive, iCloud, and OneDrive – making those more sensible choices for storing personal data, although there is still much work to be done.
Yet crucially, all of those billions of dollars in investment can be undone if a wallet-free maverick is reckless in their operational security practice.
The security mindset
Think of operational security (or ‘opsec’) as the measure of your security awareness in the world of technology. You win points for knowing how to spot phishing, and for giving a made-up birthday and home address to Facebook and other websites that have no legitimate need for the real ones (your bank and government services are a different matter).
In short, you become more security-savvy the more you think like an attacker and build roadblocks to frustrate your opponent.
In 2018 this is a necessary skill: You cannot force your favourite online chat forum to use better security that’s harder to hack, but you can change your forum password to something unique or disposable. You can keep your real information out of your forum profile.
And doing this means hackers who break into that forum will not be able to use your password to get into your emails, or use your real name, birthdate, and address to help open a bank account.
Bringing it together: a checklist
You cannot force your favourite sites to be more secure, but you can choose sites which are. You can also use tools that boost the security of the data you control while minimising or even reversing inconvenience.
These are some operational security guides I use to protect my data – see below. Many information security experts would use much more severe controls, but the vast majority of people use far weaker ones.
Password manager: Take the complexity out of setting passwords and use a password manager. I have used LastPass for years, enjoying its fluid synchronisation and set-and-forget password management across mobile and laptop browsers. It’s free of charge.
Using password managers and setting your passwords to strong and unique combinations is one of the best security decisions you can make.
Two-factor authentication: Absolutely ensure that you set up two-factor authentication for your important accounts. You will likely need to do this using a workstation web browser, rather than an app, so that you can access the service’s full suite of settings. Where a service offers the choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which an attacker who hijacks your mobile number through a SIM swap can receive in your place.
Lock screen passwords: A lock screen password or PIN of at least six digits is essential. Set your phone up so that it erases the device storage after more incorrect attempts than you would ever make yourself, and be sure to turn on automatic backup for your photos and other personally precious data so that an erase costs you nothing. Fingerprint unlock is an added convenience, but the PIN remains the fallback whenever the fingerprint fails or the phone restarts, so it still needs to be strong.
Lost device tracking: iPhones and Android devices have this built in (Find My iPhone and Find My Device respectively), letting you locate the phone, make it ring even on silent and factory reset it remotely, and many free-of-charge apps offer the same. Some apps will even shoot and email you front-camera photos when wrong lock screen passwords are entered, sound loud alarms, and disable the power button. Those extras need sweeping permissions, so install such an app only from a developer you trust.
Phishing: Learn how to spot phishing. All the best passwords and updated handsets can be undone if you hand your logins to an attacker. Check the domain in the address bar before typing a password; a password manager helps here too, because it will only autofill credentials on the site they were saved for.
Official apps: Install mobile apps only from your phone’s official store. This means Apple’s App Store, or Google Play.
Security settings: Set your lock screen password? Great, now poke around in your security settings. Recent iPhones and Android handsets encrypt their storage automatically once a lock screen is set, but confirm that it is on, and enable any option to require the PIN at start-up.
Can you set an emergency contact or a lock screen message? This will help police and the civic-minded to return your lost phone, but limit the information to a single contact number, and not the lost phone’s own. There are an impressive number of easy and non-intrusive features hidden here on new handsets.
Upgrade: New devices are not just for those who appreciate that ‘new phone feeling’. Manufacturers will only supply critical security operating system updates for a limited amount of time, after which point the phone model is considered end-of-life.
If you are undecided on your next phone model, consider a supported Apple or Google device. Supported iPhones receive updates as soon as they are released.
Apple also supports phone models for a lot longer than most Android manufacturers: the iPhone 5s, first released in 2013, was still receiving iOS updates in 2018.
Google’s Pixel and Nexus lines are known as ‘pure’ Android because they run the operating system without manufacturer tweaks, so they get updates as soon as they are available. Even so, check the published end-of-support date for the model before you buy; Google lists one for each device.
Important accounts: Lock down your important accounts. Your email probably has enough personal information about you in it for an attacker to steal your identity. Consider using a big provider like Google or Microsoft, which invest heavily in security and notify you of suspicious activity.
Mobile antivirus: Do not rush to download mobile antivirus. On iOS, app sandboxing stops one app from inspecting another, so such products can do very little. On Android they can help to block known malicious apps, but Google Play Protect already checks installed apps on the device, and antivirus apps may encourage you to download risky apps you otherwise would not, and may slow your phone.
It is much better to apply good password management, maintain an updated device and operating system, and stick to official app stores.
Apple Pay and Google Pay (formerly Android Pay) are fantastic, pain-free, and security cutting-edge technologies: they replace your real card number with a device-specific token, so a merchant whose terminals or databases are compromised never holds your actual card details. Australia as a whole is said to have some of the best credit card security in the world, and these technologies only build on that.
If you want to ditch your wallet, you should consider some additional security measures too:
Delete: Go through your emails and search for and delete personal information, including in sent mail, and then empty the trash. Look for attachments you may have sent to apply for loans, such as scans of driver’s licences, passports, and so on.
Double-down: With your sensitive data deleted, lock down the single copy you keep of each document, such as your driver’s licence. There are different ways to do this. I use sync.com, which is a great so-called “zero knowledge” service, free of charge for up to 5GB of storage.
I previously stored my driver’s licence in a password-protected zip file with a long, unique password.
Either of these strategies means that if your cloud storage or email account is compromised, your super-sensitive information is still encrypted. For the zip approach that holds only if the tool uses AES encryption rather than the weak legacy ZipCrypto scheme, and bear in mind that the file names inside a zip stay readable without the password, so do not name the file after its contents.
Contactless payment: Do not allow contactless payment when the phone is locked. Built-in Apple Pay and Google Pay do not allow this, but at least one major Australian bank app I encountered offers this as an option – so always check just to make sure.
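As an added example of the ‘Delete’ step above (not code from the original article), the following Python script scans an exported mailbox, such as the .mbox file Google Takeout produces for Gmail, and lists every attachment whose file name suggests an identity document. The keyword list is an assumption you should extend for your own paperwork, and the sample messages, addresses and file names are constructed for the demonstration.

```python
"""Find identity-document attachments in an exported mailbox (.mbox).

Added example, not code from the original article.  The keyword list is an
assumption to extend; the sample messages, addresses and file names are
constructed for the demonstration."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Name fragments that commonly mark an identity document (assumed list; add
# your own, e.g. "medicare", "tax", "mortgage").
SENSITIVE_PATTERNS = [
    r"licen[cs]e", r"passport", r"birth.?cert", r"payslip", r"bank.?statement",
]
_SENSITIVE_RE = re.compile("|".join(SENSITIVE_PATTERNS), re.IGNORECASE)


def looks_sensitive(filename):
    """True if an attachment file name matches one of the patterns."""
    return bool(filename) and _SENSITIVE_RE.search(filename) is not None


def _make_message(sender, subject, body, attachments):
    """Build one message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, data in attachments:
        if filename.lower().endswith(".pdf"):
            maintype, subtype = "application", "pdf"
        else:
            maintype, subtype = "image", "jpeg"
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg


def build_sample_mbox(path):
    """Write a constructed mbox with three messages; one carries ID scans."""
    box = mailbox.mbox(path)
    try:
        box.add(_make_message("me@example.com", "Loan application docs",
                              "Hi, attached as requested.",
                              [("Drivers_Licence_front.jpg", b"\xff\xd8 not a real jpeg"),
                               ("passport-scan.pdf", b"%PDF-1.4 not a real pdf")]))
        box.add(_make_message("friend@example.com", "Holiday pics",
                              "Photos from the weekend.",
                              [("beach.jpg", b"\xff\xd8 not a real jpeg")]))
        box.add(_make_message("hr@example.com", "Welcome aboard",
                              "Your start date is Monday.", []))
        box.flush()
    finally:
        box.close()


def scan_mbox(path):
    """Return [(subject, filename)] for every attachment with a sensitive name.

    Walks all MIME parts so attachments inside forwarded mail are covered
    too; parts with no file name (bodies, multipart containers) are skipped."""
    hits = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            for part in msg.walk():
                filename = part.get_filename()
                if looks_sensitive(filename):
                    hits.append((msg["Subject"], filename))
    finally:
        box.close()
    return hits


def run_demo():
    """Build the sample mailbox in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "All mail Including Spam and Trash.mbox")
        build_sample_mbox(path)
        return scan_mbox(path)


if __name__ == "__main__":
    for subject, name in run_demo():
        print(f"{subject!r}: {name}")
```

Point `scan_mbox` at your own export instead of the constructed sample to get the list of messages to delete; a name match is only a first pass, so also review large image and PDF attachments that carry unhelpful names such as IMG_0412.jpg.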