A PIN code is not enough to protect you phone, experts warn

Mobile phone theft is a pest that manufacturers try to deal with by means of remote blocking or geolocation systems. Up until now, the devices used to end up being sold in the second-hand market, but a new intention has been detected behind this criminal act: access to the user’s digital identity, with the greater potential for economic damage it entails. In a recent article, The Wall Street Journal brings attention to this growing trend that is taking place in bars and cafés throughout the United States: the thieves keep an eye on their victims until they see them enter their PIN code (sometimes even getting it on video), and then, in a moment of distraction, they steal the phone.

Six digits: A fragile lock, the prelude to the nightmare

The operation is quite simple and profitable, and its success lies in a series of combined vulnerabilities. First, human comfort. It is much easier to unlock a phone by entering a few digits than to do it with several characters that include numbers and symbols. The user’s mind is set at ease by the thought that a biometric system protects their information; however, all mobile phones can be unlocked with a PIN code in case the biometrics fail.

This is where the tricky balance between comfort and safety comes into play. A four-digit pin allows you to quickly unlock the screen and is very easy to remember, especially if it is the same sequence that you use for other things, like ATMs. Humans are practical beings and always try to find the shortest route between two points, and regarding passwords, the brain continues to opt for shortcuts even if we are aware of the risks of not using complex combinations.

A study carried out by researchers from the University of Zhejiang in China showed that the brain has a particular way of behaving when it comes to remembering (or forgetting) passwords: it retained random sequences with no particular importance better than those that the participants were actually trying to memorize. Say a person was trying to remember a new password, 1564, and while walking home they saw a house’s number, 1345; they were more likely to recall the latter.

“A four-digit numerical pin is not very secure against any attacker who knows about ‘brute force’ techniques,” explains José Manuel Ávalos, general manager of cybersecurity firm BeDisruptive, “which consist of trying different combinations of characters until you find the right one.” The expert recommends using “an alphanumeric password with special characters, and make it much longer.”

Make it long and complex, not comfortable

“Once the PIN to unlock the phone is known, not only is there access to the device’s contents, but also to some apps that use this blocking system as an access verification method. Most bank apps, for example,” explains Christian Collado, coordinator of Andro4all.com. In this way, the PIN is the last door through which attackers access all the information of the phone’s owner, including bank accounts (if they are configured on the device).

How paradoxical that the same manufacturer that invests in sophisticated biometric unlocking solutions, allows all this security to be broken by just six digits. “We trust the entire supply chain,” explains cybersecurity expert Adrián Moreno, “from the manufacturer to the store that sells it to us; we trust the designers, the company that writes the software and the antivirus program.”

But it is the user who, ultimately, chooses between convenience and security – possibly taking the latter for granted. “The best is to use biometric methods (fingerprints or facial recognition) to unlock the phone in public places,” recommends Collado. “If this is not possible, use a PIN of six or more digits, or an alphanumeric password with a combination of letters, numbers and symbols.” The ultimate goal is to prevent someone from spying on the activity on the screen and then stealing the device.

When they do get away with it, everything happens very quickly. The criminals access the smartphone’s control panel in a matter of minutes. Then, they change the password of the Google or iCloud account. With this, they prevent it from being recovered from another device, in addition to deactivating the geolocation.

What you can do to protect yourself

Joanna Stern – the writer of the Wall Street Journal piece – interviewed a woman who discovered that her iPhone had been stolen in a New York bar. Three minutes later, she had lost access to her Apple account, and in less than 24 hours $10,000 in investment funds had vanished.

Luckily, being such an obvious method, the solution cannot be simpler: just make it as difficult as possible for them to get the password. In this regard, experts emphatically suggest avoiding simple strings of four or six numbers and making the password as complicated as possible. It is best to make it long, to include special characters and to mix upper and lower case.

By complicating the password, you clearly lose the swiftness and convenience of entering a few-digit pin, but it is a price we have to pay for the sake of security. The experts go even further in their recommendations, urging users to unlink, as far as possible, the mobile unlock code from the access to certain accounts. In this way, the second vulnerability is minimized, preventing access to sensitive apps.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition