Experts warn: the PIN is not enough to protect the mobile

Mobile phone theft has become a scourge that manufacturers try to deal with using remote blocking or geolocation systems.

The terminals, to date, had only one destination: the second-hand market, where they ended up being sold on buying and selling portals.

However, a new intention has been detected after the theft of terminals: access to digital identity, and with it, much greater economic damage.

The

picks up on this growing trend in bars and cafes in the United States: the victim is watched, observed (and in some cases, recorded) as they enter the password on the screen, and in an oversight, the device is stolen .

Six digits: a fragile lock, the prelude to the nightmare

The operation for thieves is very simple and profitable, and its success lies in a series of chained vulnerabilities.

The first of these, human comfort: it is much easier to unlock the mobile by entering a few figures, than to do it with several characters that include numbers and symbols.

The user's conscience rests easy thinking that it is a biometric system that protects their information —in the event that the device has it—, but all mobile phones are unlocked with a code in case the biometrics fail.

And this is where the difficult balance between comfort and safety comes into play.

A four-digit pin allows you to quickly unlock the screen, and of course, it is very easy to remember.

Especially if it is the same sequence that is used in ATMs, access code to the portal... Human beings are eminently practical and always try to find the shortest path between two points.

In the case of passwords, even knowing the risks that exist when complex combinations are not used, the brain continues to opt for shortcuts, ignoring this risk exposure.

In fact, a study carried out by researchers from the Chinese University of Zhejiang showed that the brain behaves capriciously when it comes to remembering (or forgetting) passwords: it more easily stored in memory those sequences that it did not know about. he had taken a special interest in remembering.

That is, if one, for example, made an effort to remember a new password (let's say 1564) and, walking back home, looked askance at a portal number (for example, 1345), it would be easier for He will remember the second before the first.

“The use of a 4-digit numerical pin is not very secure against any attacker who knows about the use of “brute force” techniques”, explains José María Ávalos, general director of BeDisruptive, “which consists of trying different combinations of characters until find the right one."

This expert recommends “an alphanumeric password with characters and much longer”.

The password does not have to be comfortable, but long and complex

“Once the PIN used to unlock the mobile is known, not only is there access to the content of the device, but also to that of some applications that use this blocking system as an access verification method.

Most bank apps, for example”, explains Christian Collado, Andro4all coordinator.

In this way, the popular pin is the last door through which attackers access all the information of the owner of the mobile, including bank accounts (if he has them configured on the mobile).

It is paradoxical that the same manufacturer that invests in sophisticated biometric unlocking solutions, allows all this security to be broken by just six digits.

“We trust the entire supply chain,” explains Adrián Moreno, a cybersecurity expert, “from the manufacturer to the company that sells it to us;

We trust the designers, the company that writes the

, and the antivirus program.”

But it is the user who, ultimately, chooses between convenience and security, possibly assuming the latter.

"The ideal is to use biometric methods —fingerprint reader or facial recognition— to unlock the mobile in public places," recommends Collado, "if this is not possible, have a PIN of 6 or more digits configured, or a password alphanumeric combination of letters, numbers and symbols.

The ultimate goal is to prevent someone from spying on the activity on the screen and proceeding to steal the device.

Once the latter is perpetrated, everything happens very quickly.

Criminals access the mobile control panel in a matter of minutes and change the password of the Google account (if it is an Android), or iCloud (if it is an iPhone). With what objective?

To prevent it from being recovered from another device, on the one hand, and on the other, to deactivate its geolocation.

What to do to protect yourself

Joanna Stern, author of the report in the

, points out that her interviewee discovered that her iPhone had been stolen in a bar in New York;

After just 3 minutes, she lost access to her Apple account and in less than 24 hours, she saw $10,000 of investment funds in her possession vanish.

The good news is that since it's such an obvious method, the solution is just as simple: make it as difficult as possible for them to copy the password.

In this regard, experts propose to urgently avoid simple strings of numbers (four or six characters) and instead make the password as complicated as possible.

Ideally, it's best to make it long and include special characters and mix case.

Obviously, by complicating the password, you lose the agility and mnemonic of entering a few-digit pin, but it is a toll that must be paid for the sake of security.

The experts go even further in their recommendations: they urge to unlink, as far as possible, the mobile unlock code with access to certain accounts.

In this way, the second vulnerability would be minimized: allowing access to accounts with compromised content using the same password that protects the screen.

You can follow