Teach Your Parents Well: Smartphone Security and Aging Parents

I am of an age where I own Upstairs Ibuprofen and Downstairs Ibuprofen; and where the sharp pang of hearing the music of my youth on a classic rock playlist has settled into a forlorn ache. 

It’s no surprise, then, that as I find myself aging, my loved ones are as well. While novel technology still mostly delights me, it is much harder for my parents’ generation to keep up with, along with everything else. As an IT support professional turned Security Operations Engineer I’m often drafted for most technical problems. Some are thornier than others, but I learn from each engagement.

Recently a new “learning opportunity” appeared: my seventy-five-year-old father left his cellphone in a rideshare. Boy howdy, did we learn! So I took some time to review what we did ahead of time that helped, and what else we should’ve done to prepare for this. Below you’ll find two distinct parts: a narrative outlining the events, and for those only looking for the takeaways, brief concrete lessons learned at the end.

Taken For A Ride

A simple enough scenario: on the way to a doctor appointment, an older person forgets his phone in a popular rideshare. 

The first complication: all his contact phone numbers were… in the phone. Luckily he was able to reach another relative by calling them from his doctor’s office.

The second complication: No one picked up the phone when my father called his own number. But sometimes audacity is the better part of valor, and so I overcame my millennial instincts and dialed his phone number directly. And someone answered! We talked for a few minutes, I promised cash when she brought the phone back, and she took our address and my phone number and promised she’d deliver the phone. 

The day is saved!

Well… the third complication: radio silence ensued. I sat on my hands for a while trying to be patient and let the driver likely pick up a few more rides, but four hours in I called again and it rang. And rang. And rang. And went to voicemail.

By 5 PM, seven hours after our contact, I switched into true Incident Response Mode. It became clear whoever had the phone was not acting in good faith, and it was time to treat the phone as stolen. Dad did not have his rideshare credentials and the company’s support was unresponsive. Further confounding issues: his driver was male, the person I spoke to was female, and identified herself as the owner of the car. And despite it being an iPhone, my father’s Apple credentials were not at hand and it would have taken his phone to sign in and track the device.

But not everything was dismal. So when the person holding onto the phone called the next day – more than twenty-four hours after our last contact – and tried to extort more money for returning the phone, I had the distinct pleasure of letting her know that she missed her opportunity to make cash by doing the right thing, and I wished her well.

Sh…Stuff Happens, Dad

Lost phones are nothing new. It happens to just about every age bracket with varying direct and indirect consequences. In a prior role doing hands-on technical support for Congressional offices, I set up hundreds of phones, and dealt with multiple lost or stolen handsets for legislators and staffers running the country. So when my dad (who consented to this article being written and shared) came to me on a Wednesday morning and admitted he left his phone in a rideshare vehicle, the first things to overcome were his shame and embarrassment. Aging and other conditions will compound these feelings – the depressing frustration of diminished awareness leading to a mistake is an acute and intense emotion.

As with all things in security: the person is uniquely important, and how you engage there will have more lasting consequences than any technical aspect.

Since he lives with me we were not plunged into an emergency situation where he would have no way to contact people. And a few other things went our way as well: last year, we moved his phone under my mobile plan and insured the handset, which meant I could address all this directly without having to ride shotgun for him as he tried to understand and consent to the process. Last but certainly not least: when he got his new phone, we programmed in a passcode, so assuming the thief didn’t have access to Cellebrite gear, the information on the phone was relatively safe.

A primary concern with a stolen device, though, is the ability of a crafty attacker to take over other accounts made possible by information displayed on the lock screen. While unlikely, after discerning the mobile number they could attempt SMS-based resets for vulnerable accounts. Immediately suspending service to the phone mitigated that. We couldn’t initiate a remote wipe with Apple due to unknown credentials, but were able to do so thanks to the mobile carrier. In addition, telco records confirmed no unexpected activity on the phone during the events.

To reiterate: moving my father’s phone under my plan (and my control) enabled the ability to immediately and easily perform the above – all on the telco’s online portal. 

Having mitigated the concerns and confirmed the scope of impact, I circled back to the above and talked about it all with my father.

“I’ve spent less than half an hour dealing with the issue, the phone is insured, and we’ll go out tomorrow morning to set you up on a loaner.” The relief in his face and posture was palpable, and it helped me feel better too.

True to expectations, we moved him to a loaner iPhone I had in reserve the next morning. At that point and with his consent, I did the things I wish I had done previously to make things even easier. Namely, I set up an Apple account for him that I had credentials and access for, set up an Apple Family Plan, shared my iCloud storage plan with him and configured the phone to back up to the cloud, and then shared his location to my phone.

It is worth highlighting the role of consent here: at each step I ensured his understanding and comfort, and we established baseline expectations about under what circumstances I would utilize my access to his account or location. In security as in IT administration, user-admin trust is vitally important, and that doesn’t change when the user in question is your aging father. However, informed consent may not be possible depending on circumstances and capability, and should be the rule but subject to exception.

When USPS delivered the insurance replacement phone the next day, we were ready. Transition from the loaner to the replacement took ten minutes of work, and Pop has been up and running ever since. 

My wise and wizened father forgetting his phone in a rideshare and subsequently having it stolen by a bad actor served to underscore a number of lessons I’ve learned through both IT and security experience. Proper preparation prevented a poor outcome; mutual respect and informed consent support healthy user-admin relationships; and any plan facing operational realities can always be improved. Alongside those principles were new lessons about moving forward in a world not only dizzyingly digital but ever-accelerating in that respect, and what growing older looks like in that context.

Lessons Learned

If you have or share responsibility for aging loved ones that may be facing cognitive decline or other aspects of a world outrunning them, I suggest you sit down with them to talk, gain consent, and do the following. There are some small monetary and moderate privacy tradeoffs here that are important to note but, I believe, are worth it:

  1. Move the user’s mobile phone under your account rather than leaving it under their own.
  2. Ensure the user’s mobile phone is insured – it will cost an extra few dollars a month but bring immense relief if device loss occurs. That relief is more than worth the fee.
  3. Set up the phone with a main user account (iCloud or Google) that you have access to – and make sure you test this access of yours. 
  4. Set the phone to back up to the cloud on a regular basis. While this involves a privacy concern, if phone loss occurs it allows you to restore a temporary or replacement phone to a state the user is familiar with almost immediately. As users age, many are less resilient to interface change, and familiarity is often crucial to operability.
  5. Ensure a passcode lock is set on the phone – even a simple one prevents some data concerns but allows legitimate user access. (Please note guidance on passcode complexity differs according to risk/threat profile of the user and their operating capability. Most adults should have more complex passcodes.)
  6. Again with consent – set the user’s phone to share its location with you, and set clear and reasonable expectations with the user about what specific circumstances will trigger you accessing that information. Just because someone’s older and perhaps having trouble does not necessarily mean they deserve less privacy, but this can sometimes be a difficult discussion to have. 
  7. Ensure the user has several contact numbers in their wallet or another important spot so they can make contact if phone loss occurs.
  8. Remember to approach the situation and the person involved with compassion and empathy.