The Scary Consequences of A Lost Smartphone

If you're one of those people who tend to lose their phone shortly after putting it down, then you'll want to read this. According to a new study, if you lose your smartphone, you have a 50/50 chance of getting it back. But chances are much higher -- nearly 100 percent -- that whoever retrieves it will try to access your private information and apps.

According to a study by Symantec, 96 percent of people who picked up the lost phones tried to access personal or business data on the device. In 45 percent of cases, people tried to access the corporate email client on the device.

"This finding demonstrates the high risks posed by an unmanaged, lost smartphone to sensitive corporate information," according to the report. "It demonstrates the need for proper security policies and device/data management."

Symantec called the study the "Honey Stick Project." In this case the honey on a stick consisted of 50 smartphones that were intentionally left in New York, Los Angeles, Washington, D.C., San Francisco and Ottowa, Canada. The phones were deposited in spots that were easy to see, and where it would be plausible for someone to forget them, including food courts and public restrooms.

None of the phones had security features, like passwords, to block access. Each was loaded with dummy apps and files that contained no real information, but which had names like "Social Networking" and "Corporate Email" that made it easy for the person who found it to understand what each app did. Each phone also was loaded with programs to track what finders did with the devices, and to send that information to the researchers.

Among people who found the phones, 72 percent tried to access photos, 57 percent tried to open a file called "Saved Passwords," and 43 percent tried to open an app called "Online Banking." Most of the apps on the phones were protected by passwords, but the username and password fields were already filled out, so that users could simply press a button to access them. Well over half of the people who discovered the phones, 66 percent, clicked those buttons to try and start the programs. The fact that the finders had to click a button to access the apps indicates that their attempts were likely intentional.

"This might be considered to be an unethical access attempt," according to the study. Also disturbing, only half the people who found the phones ever tried to contact the rightful owner, even though the owner's phone number and email address were prominently listed in the phones' contact lists. "This finding highlights the fact that in many cases, regaining possession of lost device may be a losing battle," according to the study.

If this sends shivers down your spine, here are some tips for how to protect yourself:

--Always protect your phone with a password or a "draw to unlock" pattern.

--Use security software designed specifically for smartphones to lock up programs on your phone. Some of these programs can be used to help locate the phone, or to wipe its memory from remote locations.

--Don't lose your cell phone. This falls under the category of "Well, duh." Nobody loses a smartphone on purpose, obviously. But try to make sure you keep it in you pocket or purse when not in use.

--Companies that issue phones to their employees should make sure to train workers on security, and should secure every phone with passwords.

This article originally appeared on


  1. Having found a cell phone where everything was safely locked, I have to ask: how are you supposed to know who to return it to?

    1. Um …usually the police station in the area where you found the item? People go to the police station to ask about lost property.

      1. Hah, sure they do. Number of times I have lost things: many more than one. Number of times I’ve contacted the police about it: 0.

        I’d imagine the majority of the population is the same way, especially if the lost item isn’t a car.

        1. No doubt about that.  Were not in 1960something Mayberry you know.  It would be a nice gesture though but unfortunately that would probably be the last place I would think of to go.

        2. On handing in a found purse at the police station we were  told that a lot of things were never collected as people assume nobody would hand stuff in, possibly as they wouldn’t themselves.

      2. When I found a smart phone in the back of a cab I immediately looked for “home” or “in case of emergency” (ICE) in their contacts. Not finding them I called the last number they had called, told the person who answered that I found the phone, and asked them to call the person who owns the phone and tell them to call the phone. The next morning I handed the guy back his phone in the lobby of my building.

        Help us all, symantec!

        1. This study proves you are despicable ;-)

          I went through items in a lost wallet in detail looking for a way to track down the owner. I was hoping to return it personally, but none of the phone numbers led anywhere. I took it to the Tokyo police station. It was a bit of a disappointment.

    2. Take out the SIM card to determine the carrier and then report the lost phone to the carrier.

        1. In any case, I bet if you took it to the carrier’s shop they’d be able to look up the owner and return it to them. The CDMA carriers will have silk-screened their logo onto any phone you can use on their network if you can’t identify the carrier any other way.

          edit: commenters below beat me to it :)

    3. All my smartphones (PalmOS and Android) have had the ability to put contact information on the lock screen. Isn’t this a universal feature?

      1. I made a 2D barcode with my contact info and use it as the lock screen on my iPhone.  Although, the number of people who find a smartphone and know how to use the barcode aren’t too high, I’d bet.

        I also don’t have it pass-locked, maybe I should…

      2.  Nope. Not on Android, anyway. There’s no option for it under the default OS, and the only free app I could find for it doesn’t work on 90% of Android phones.

    4.  I would identify the carrier and walk over to the nearest store and drop off the phone.  

  2. I hope they let the honey sticks go or rewarded the peeps that returned their sticky phones. 

    My smartphone is equipped with an RFID reader that requires a ring I wear to function. If someone without my ring tries to use it sets off the small C4 charge inside and automatically calls my mom.

    1. That sounded pretty cool, up until the point where you said it calls your Mom. Really, your Mom?

      1. Maybe his mom is really mean and she will come over and kick your ass for messing with her boy’s phone.

        Conversely, maybe she is really hot and she will come over and kick your ass for messing with her boy’s phone.

      2. Maybe he is 15 years old, still living at home, and light years ahead of you in terms of technology.

    2.  It sets off a small C4 charge and THEN calls your mom?  Maybe a better idea would be for it to call your mom and then set off a larger C4 charge.

  3. “96 percent of people who picked up the lost phones tried to access personal or business data on the device. In 45 percent of cases, people tried to access the corporate email client on the device.”

    Well, obviously. First thing I’d do would be to try to find their email so I can use it to help return their phone (assuming there’s no lost and found area where the phone was left). What else am I going to do, call them?

    “72 percent tried to access photos, 57 percent tried to open a file called “Saved Passwords,” and 43 percent tried to open an app called “Online Banking.”

    Oh. Okay, never mind, people are scum who don’t deserve the benefit of a doubt after all.

    1. One might be tempted to open a file called “Saved Passwords” in order to leave a helpful message like “Yer doin it all wrong, bro”, then, because that is very good advice, pay themselves a dollar or two from the persons bank account, and finally as an act of good faith, to open the photo album so as to leave a penis pic as a reminder of their careless blunder.

      Have faith.

    2.  Hey! Returning the phone is only neighborly. But if you don’t also check for boobies, you’re just not doing it right.

    3. This part of the “report” really tickles me – they don’t think it might have affected the results that this “honey stick” had an app named “Online Banking?” If I opened up smartphone with apps named so descriptively, I’d be incredibly curious too. What happens when you open up “Social Networking, The App” ???

    1. That page says the software is in beta, unavailable, and advises “Do not use this is situations where security or stability are critical.” I hope you sleep well with one eye open, darlin’.

          1. and in case you can’t, here’s some reading for you…

            First is a technical explanation of the Boot Loader and how whispercore (WhisperYAFFS) encrypts the data partition at boot time.


            Some background on YAFFS


            and some source code for you…


            Second, an overview of AES (the encryption scheme)


            and a theoretical “brute force” analysis.


            (apply to DES, but still a good read)

            Third, an analyses of the only plausible attack method, Evil Maid, and how it relates to the Boot Loader and Whispercore. (note the vonerabilty only apples to the old model Nexus phone)


            and yes, it would appear that Whisper System has taken the links offline after the Twitter buyout, however if you want it, it can be found. 

            I don’t trust anything unless I can see the source for myself… ;)

  4. Oh holy crap.  This is so scary.  But, also sad:  that’s how we are, generally, to each other’s stuff?  

    1. Remember, these are the people who picked up the phones.  Many more honest people might have left them there, hoping the person would return for them.

      1. So, it’s safe to leave the house again, post-Symantec’s study?  

        Also, what of this dilemma:  leave it there (because I am honest) and hope that the owner returns… but what if the next person who comes along is not the owner and is less “honest” than me?  And, because I didn’t act, that person shops online or peeks at corporate data or calls Italy for hours.  :(

        Now I want to go back in the house and lock all of the doors.

    2. That’s how we are, generally, to anonymous strangers’ stuff.  I have lost valuable items more than once at my workplace and every time had them returned to me intact and unopened.

  5. It’s “Ottawa, Canada.” It’s the capital city of the big country immediately to your north.

  6. Just as a perspective reminder, I’ve had:
    –  2 credit card incidents due to physical accessing of the card number
    –  1 bank account incident due to physical theft of snail mail
    –  3 losses of cash and valuables due to physical home break-ins and car theft

    It was always ugly.  Before we did everything online, we barely even had passwords to protect things.

    1. True, same here.  I am this close {} to switching to single-use credit cards instead of my debit card due to various incidents.  And in VT, I used to say, “oh there’s no crime here.”  Bah, people are a bunch of freaks, taking anything not locked down.  Neighbors have had stuff stolen and I am nervous about my computer equipment.

    2. Right. I switch up my critical passwords regularly, and am even paranoid about being shoulder-surfed by store security cameras if I check my bank balance in public… and I had someone break into my apartment through my bedroom window to steal petty cash from my dresser.

    3. Bingo. With basic security measures in place online transactions are more secure than regular ol’ Mayberry transactions. Now, if only I can keep Target from knowing whether or not I am pregnant . . .  

  7. I don’t know about this… If you find a wallet do you look to see how much cash is in there? Do you look at the cards? I know I do.. and then after thoroughly looking through it I take it to the first police station I find and hand it in as I found it. I accept that I may be the exception not the rule, but I don’t think there’s anything wrong with found-object voyeurism.

    The bottom line here is NEVER SAVE PASSWORDS – EVER. You can find my phone. You can find out who my bank is. You can find which sites I’ve browsed. You can’t do anything with that information because I’m not stupid enough to save user names or passwords. Don’t be lazy… how hard is it to remember your important U/P combinations (banking/email)? As a web & graphics guy I have an ungodly number of passwords. I also have a terrible memory. Just make sure your email has a strong password and you can endlessly reset the ones you forget.

    It’s also quite funny that anyone is foolish enough to think that an app named “Saved Passwords” or “Corporate Email” would actually be what it is named. Do you label your apps that way?

    1. It is really fake looking. The social networking apps on my phone are called “Facebook”, “twitter” and such. The saved password app is called “1Password”, mail is called, well, “Mail”, and if you open it, you see two accounts named “personal” and “[name of my employer]”.

      This setup looks like it’s straight out of a 1980s sitcom where people shop at “Grocery” for “Beer” (Both labelled exactly like that).

      I wonder if this fakeness causes people to be more curious than they would be otherwise. Also, I’d imagine most people who do snoop justify it by telling themselves they’re nit going to do anything unscrupulous with the info. You might think it’d be fun to see how much money’s in a random stranger’s bank account without intending to steal it.

      1. This setup looks like it’s straight out of a 1980s sitcom where people shop at “Grocery” for “Beer” (Both labelled exactly like that).

        I believe you’re thinking of Repo Man :)

  8. The names for these apps would make me highly suspicious. “Corporate Email”? Gimme a break!  Curiosity would compel me to open up all the apps to get to the bottom of this.

  9. The article does not state how high a percentage of the bait phones were picked up only to be THROWN TO THE GROOOUND!

  10. Geez, you’d think a boinger would know better. The study was commissioned by a firm looking to cash in on exactly this kind of fear, and get people to pay for cloud back-up services and whatever else. There are enough weasel words in the description of the outcome that it’s probably the case as soon as someone tried to see if they could figure out whose phone it was, it counted as “attempting to access personal and/or corporate data”. I found an agenda in Heathrow airport several years ago, with no name in it, and it was written in Finnish, a language I knew nothing of. I didn’t hand it in to Heathrow security where it would have disappeared in a huge box, I took it across the Atlantic with me and through a friend of a friend we managed to contact someone on the address list in the back, who was able to guess whose agenda it was based on the travel dates. A couple of weeks later it was back in the owner’s hands. But I first had to “access personal data” in the agenda!

    1.  Good for you. I found a German passport once and turned it into the nearest police station… and almost immediately realized that I’d made a mistake, as the cop made it very clear that they would make it no priority at all to get it back into the hands of its no-doubt frantic owner. I should have called the nearest German consulate or simply mailed it in.

      1.  I lost my passport once and the police got it back pretty smartly.  I had handed it personally to a visa-getting travel agency, who gave it to a courier to take to the relevant embassy in London, who put it on the front seat of his car, but his dog got out, and in the confusion my passport and paperwork fell out into the gutter.

        Within about an hour and a half of handing over my passport the police rang me at work to say someone had found it and handed it in, and I was able to collect it and go back round to the travel agent and inform them of the situation before their own courier – who hadn’t noticed the loss till he got to London, obviously – told them.

  11. Corporate Blackberry. I don’t own a cell phone. Since it’s a Blackberry it’s encrypted, and if it’s lost it gets remote wiped.

  12. I won’t buy a smartphone because I am way to scatterbrained and would lose it for sure.  They are nice though. 

  13. Leave it to Symantec to come up with such an alarmist study.

    Its a big leap from opening a file named “saved passwords” to actually trying to steal something.  Its an even bigger leap from looking at a few photos to something like identify theft. The real test would have been to set up some bank account, and see if anyone tried or succeeded in withdrawing money from it. Or set up a gmail account, and see if anyone did something obnoxious like log in and change the password.

    But alas, all they’ve managed to measure is the curiosity of the people who find the phones. The only meaningful statistic is that about half the people returned the phones, which of course they frame as some horribly low proportion. Personally, I think its great that fully half the people who find a $200+ device try to return it to the owner.

  14. I am shocketh as no man has ever been shocketh before!
    A study by Symantec, using fake apps prolly named “About me” and “Discover my Bank Acct” or sth similar found out that people found out everything about me and discovered my bank acct”

    I don’t want to live on this planet anymore!

  15. My wife left hers in a Kohls dressing room (she assumes).  It was found along the curb of some side street in some neighborhood we’re never in.  The jogger sent my wife an email from her one email address.  

    And if you find a cellphone and want to get it back to the owner, call “hubby”, “mom”, “dad”, “sis” or something like that from the contact list.   Done.

    I suspect boingers are 1000x more likely to do the right than than the average person.  We do it right,

    1.  Unfortunately Android still doesn’t display nicknames in the contact list, though there is a field for them, unless you put the nickname in the regular name field (which you don’t typically do on a smartphone because a smartphone contact is more than just a name and phone number).

      Not that it would actually be difficult to figure out who to call if you can access the call log, which is right there if you bring up the phone app.

      Unless the phone is password protected, of course, which is certainly a dilemma :)

  16. Maybe I’m in the minority, but I’ve found and returned 4 lost phones over the last few years, and the way I returned them was by thumbing through the persons contact list and calling the last few people they’ve called. If you discover a stray phone, and have the intention to get it back to the person, this seems like a legit thing to do.

    5 years ago, I attended my first SxSw Interactive. The first night I was in Austin, I dropped my week old Blackberry in a bar, and didn’t realize it until sometime later. (At the time Blackberry’s were expensive and semi-desirable!) A bartender found the phone, texted the last few people I sent texts to, one of whom happened to be in Austin with me. The next morning the bartender met me at an iHop and returned the phone to me. I showed up with a case of Sammy Smiths, and paid for his and his girlfriend’s breakfast. I would never have gotten the phone back if he didn’t poke around in my messages.

    Maybe 50% of the world are phone thieving shits, but the other 50% are phone returning Johnsons.

      1.  i was wondering the same thing. according to google, it’s either beer or a video editor/lawyer in california.

        if it’s beer, then emily dickinson gave the bartender that returned the phone a case of beer. isn’t it ironic?

    1.  I found a Blackberry on a wooded path in Cheddar Gorge once, placed so nicely it looked like an ad shot or maybe a “honey stick”. Anyway, though unsure how to operate Blackberrys I found the call history bit and called (from my landline, the phone itself did not call) some recent contact, who then contacted either the genuine owner or another friend masquerading as one (“some idiot in Cheddar has a free Blackberry!”) and gave me an address and I sent it off.

      Didn’t get any thanks, though, apart from smug satisfaction. Or when I found a plastic bag with airline tickets and other trip paperwork in a taxi late one night in London. I found a contact number and personally took the bag to central London and handed it in at the person’s office.

      Those were both valuable items. Last year I found a notebook and map on the steps of a London double-decker bus, obviously dropped by someone who had recently got off. No actual address of owner so I snooped through the book looking for possible contacts – it was a sort of journal and notes of phone numbers of shops and theatre box offices and whatnot. Eventually I found a possible name, got in touch with her, who was a friend of a friend of the owner, and eventually I got a message with an address in Canada. I sent the items off and got a small book of paintings by a Canadian artist in return as thanks.

  17. I’ve left my smartphone on the bus a few times.  Each time someone picked it up, called the number listed as “home,” which is my landline, and left a message along the lines of “I’ve got your phone and I gave it to the driver, who says it will be at the bus station.”

    I don’t actually want to password-protect my phone, because I really like the idea of getting it back if I leave it somewhere.  :)

    My mother left hers at a pub once, and the bartender called me – the most recent number dialed.  I promptly called my father, told him to snag mom when she got home and tell her to go back to the pub.  I live 3000 miles away from them, and they live a mile from the pub, so I found it quite amusing.  :)

  18. Seriously? Ottowa?  Comments later and you still haven’t changed it?  Typical American journalism there.  It’s “Ottawa, Ontario, Canada”.  Like saying “Wasingtun, United States of America”.  Our one province is bigger than your entire country!

  19. i found a blackberry in a walmart parking lot about a year ago.  it didn’t have ICE numbers in the contact list but the person had several credit cards tucked behind the silicon sleeve with her name on it so i called the last number dialed, asked if they knew so and so, told them to tell her where to find the phone, dropped it in a ziploc bag with her name on it and returned it to closest verizon (logo on the phone) location.

  20. Even worse, I had my iPad stollen and they added stations and likes to my Pandora! Still recovering from that trying to impress the Pandora robots how cool I am with my music taste. 

  21. I was recently amazed by the number of people who seem to dwell at the “finders – keepers”  level of morality with regards to stuff like this.  When the guy who “found” an iPhone 4 prototype in a bar and then sold it got arrested, I couldn’t believe the number of people in various forums thinking it was totally OK for the guy to sell it.  (He made only the lamest attempt to return it first).  It was easily 20-1 in favor of the guy, with the 1 usually being an Apple fanboy.

  22. Just install PREY should your stuff get stolen you can lock it  up.

Comments are closed.