A Tiered Security System for Mobile Devices
We have designed a tiered security system for mobile devices where each security tier holds user-defined security triggers and actions. It has a friendly interface that allows users to easily define and configure the different circumstances and actio…
Authors: Scott Bardsley, Theodosios Thomas, R. Paul Morris
Scott Bardsley, Theodosios Thomas, R. Paul Morris
Scenera Research Labs, Cary, NC 27518

Abstract

We have designed a tiered security system for mobile devices where each security tier holds user-defined security triggers and actions. It has a friendly interface that allows users to easily define and configure the different circumstances and actions they need according to context. The system can be set up and activated from any browser or directly on the mobile device itself. When the security system is operated from a Web site or server, its configuration can be readily shared across multiple devices. When operated directly from the mobile device, no server is needed for activation. Many different types of security circumstances and actions can be set up and employed from its tiers. Security circumstances can range from temporary misplacement of a mobile device at home to malicious theft in a hostile region. Security actions can range from ringing a simple alarm to automatically erasing, overwriting, and re-erasing drives.

People and organizations are more likely to provide their computer systems and devices with advanced security systems after they’ve been infected, lost, or stolen, than before. A 1981 study on human judgment and decision-making showed that when people chose between a definite positive result and a stronger but less certain positive result, they chose the definite positive result even though the overall risk was exactly the same for the two choices. But when people chose between a definite negative result and a stronger, but less certain negative result, they chose the less certain negative result even though the two options had the same overall risk [1]. For example, if a dozen people are given the choice between definitely receiving $250 and a 50 percent chance of receiving $500, they choose the definite $250.
But when given the choice between definitely losing $250 and a 50 percent chance of losing $500, they opt for the 50 percent risk of losing the larger amount. The overall risk is the same for both options, but the choice people make differs depending on whether the outcome is positive or negative.

This phenomenon of consumer behavior, called the Prospect Theory, is well known to computer security marketing groups. It explains why governments, corporations, and individuals do not invest more heavily in protecting their computer systems and devices. News media regularly circulate information about the tens of millions of cell phones and laptops that are lost and stolen and millions of identity thefts that are performed every year, but they do not convince users and organizations to adequately protect their software and hardware. While most may have some protection, they are often not upgraded regularly, not used, or not used properly.

Worldwide expansion in the use of mobile devices has expanded the problems caused by inadequate security. Continuous advancements in the functionality of mobile devices such as smart phones, PDAs, and laptop computers, and the communication between them have given hackers new territory to develop their expertise [2], and it is expected that smart phones soon will require the same level of attention to security as desktop computers [3]. Additionally, as mobile devices become smaller and their memory, their functionality, and the ease of communication between them grows, the number of people using their devices while traveling and telecommuting will continue to increase. This makes the devices and the data they hold more valuable, while at the same time they become more prone to accidental loss and more accessible to intentional theft.

The poor usability of the security tools that are available for many mobile devices has been found to make their protection an even bigger problem. Most mobile device security systems are difficult to set up and use and the users of the devices typically are their own system administrators. Consequently, mobile devices that belong to the typical user are less likely to be adequately secured, if at all [4]. As long as the use and value of mobile devices grow, the need for more sophisticated, easier-to-use security tools will also grow.

To help address these concerns, we designed a security system that helps make it easier for people to protect their mobile computing devices. It is easy to set up and allows users to apply different types of security to different circumstances. It is a tiered protection system where users associate the different types of security with the types of situations in which they are needed. For example, if a user misplaces her laptop at home, she can find it by activating its alarm or using a GPS tracker. If a user accidentally leaves his cell phone in friends’ offices and nobody answers it when he calls, he can trigger it to display a text message that tells them where to reach him when they find it. If a person’s PDA is stolen and it holds highly confidential data, it can be triggered to encrypt or erase its memory. The tiered system can be activated from a network or automatically by the device itself, ensuring the protection of mobile devices under the widest range of circumstances.

Security Tools

The principal categories of computer security are data confidentiality, integrity, and availability (also known as “CIA”). The most common tools for each of those categories, plus the authentication category, are described here.

Confidentiality

Data confidentiality refers to limiting data access to specifically authorized people, or to preventing access to data by unauthorized people. It is what is typically thought of as data security, and it incorporates tools that provide confidentiality and prevent unauthorized people from reading sensitive information, such as personal data, credit card and payment information, corporate data, and passwords. Theft of confidential data can cause long-term damage to individuals and organizations that is difficult to resolve.

Today, one of the most common and most serious threats to confidential data is identity theft. In 2007, 8.1 million identity thefts were reported in the U.S., costing Americans $45 billion. In 2006, there were 8.4 million identity thefts in the U.S., costing $51 billion [5]. While not all identity thefts are related to mobile devices, a substantial number are. The top ten information leaks from mobile devices, occurring May 2006 to January 2007, resulted in well over 50 million identity theft victims, with a potential cost of over $49 billion [6]. American identity theft has dropped slightly each year as more security measures are put into action. But as these numbers clearly show, much more is needed. The continuing development and implementation of security tools is imperative.

Many types of security tools are implemented to protect data confidentiality. The most common one is also the oldest: the user name and password. As most of us know, its success depends on creating complicated passwords and changing them frequently. Most of us also know that difficult-to-guess passwords are also difficult to remember. Writing them down is counter-productive, and changing them frequently makes them more difficult to conjure and recall.
And if a mobile device is logged onto a network or account when the device is lost or stolen, even the most complicated user name and password are useless until the login session expires. Lastly, even successful passwords operate on the theory of “security through obscurity,” which has been proven time and again to be weak [7] because any password can be broken using the hacking technology that exists today. For these reasons and more, using passwords alone is an inadequate way to secure confidentiality.

Data encryption also protects confidentiality. Encryption of files and drives is an effective way to protect data that is viewed, copied, or stolen from being read; however, it can slow the normal performance of devices because encrypted data must be unencrypted and encrypted as it is read and written. More importantly, all forms of cryptography are ultimately breakable, so to prevent access to information on an encrypted drive or from an encrypted file requires the user to enter an elaborate key. And a key is, essentially, just another password. Encryption is adequate protection under certain circumstances, and when using it, the most advanced rules governing password protection must be adhered to.

The most definite form of confidentiality protection is data erasure. Erasing tools are used by people and organizations that are the most determined about preventing unauthorized access to their software and data. Data erasure tools can be valuable in protecting information on lost or stolen cell phones, PDAs, or laptops as long as data backup mechanisms are in place. Network-based security monitoring centers that erase data on mobile devices provide no option for backup or recovery before data is erased. And when mobile devices are outside network range, are powered off, or are in any way prohibited from network access, network-based security systems cannot function until access is restored.
Because there may be no way to know when that will occur, it is better to have security operations that can be invoked and carried out automatically by the mobile device itself.

Erasing data may be a valuable action to take under the most formidable circumstances, but it is overkill if it turns out that a device is temporarily misplaced. It is better and more efficient to have a context-based security system with a broad range of security mechanisms that can be implemented according to the severity of the circumstances.

Integrity

Data integrity refers to protecting the consistency and accuracy of the data and the content of software, ensuring that neither is modified without authorization. Integrity doesn’t mean that the information cannot be accessed; it only means that it is protected from being modified. So, tools that protect data confidentiality do not necessarily protect integrity. Nothing may happen if your data is seen by unauthorized people. But if your data is altered by anyone, regardless of whether the person is authorized or unauthorized, the problems that may ensue are vast.

For instance, some of the most valuable data integrity tools are those designed specifically to protect and audit a device’s configuration files. Classic examples of loss of configuration file integrity are the all too common man-in-the-middle attacks that have taken place in cyber cafés and on secure Web sites, such as banking and payment sites. In one form of these attacks, a user accesses a Web site not knowing that an intruder has intercepted his site request and replaced it with a proxy. From there, the intruder can record every keystroke the user enters, including passwords and personal information. This type of attack is caused by making changes to the network connection configuration file on the user’s device.
Protecting the integrity of the configuration files prevents the device from being taken over by man-in-the-middle attacks.

Antivirus programs and firewalls are probably the most common tools for protecting data integrity, as they protect from damage caused by viruses, Trojans, worms, and other types of malware and intrusion. A less common but valuable tool in protecting integrity is the reporting of device use to a network-based security manager. These tools work by recording the phone calls placed or received on a mobile phone, the Web sites visited, and any e-mails and text messages sent or received, then reporting that information to a central site. They protect integrity by providing information about whether or not tampering occurred and, if it did, where it originated and what happened.

Availability

Data availability refers to how accessible the device and its data and resources are. Availability is important because having inaccessible data and resources is nearly the same as having no data or resources at all. Tools that protect data availability provide protection to the device’s hardware and functionality. This includes protection from hardware loss, technical malfunction, and damage. Damage can range from something as simple as accidentally dropping a laptop on a hard floor or leaving a cell phone outside during a rainstorm to something as insidious as intentionally destroying or erasing a mobile phone, laptop, or PDA.

The availability of physical devices is protected using theft-prevention tools, alarms, and automated tracking tools. Hardware alone can be protected using anything that prevents physical damage, such as cases and surge protectors. However, the information stored on mobile devices is typically more valuable than the devices themselves, so data is more rigorously protected than hardware.
Data availability is most reliably secured using backup mechanisms, and frequent, automated backup is its most dependable form.

Authentication

A less prevalent, but increasingly important category of data security is authentication. It refers to the validation that the people you are dealing with are who they say they are. While integrity makes sure that data has not changed, authentication does not mind if the data changes as long as it is accurate. Authentication is critical in payment transactions on the Internet. When an online purchase is made, the items purchased, the shipping address, and the credit card number may be different from those of previous orders by the same user, but with authentication they are correct for the user’s current order and the user is the correct person. Passwords and PINs, fingerprints and retinal patterns, and different types of images and watermarks are commonly used in authentication. Authentication typically needs a person included in its security loop.

As more types and larger amounts of data are stored on mobile devices, the more valuable they will continue to become and the more prevalent it will be to use increasingly sophisticated security protection systems on mobile phones, PDAs, and laptops. Finding a security system that can protect confidentiality, integrity, availability, and authentication was what we had in mind when we designed the tiered security system. It required a system that could handle a variety of security actions that could be triggered by different means under different circumstances.

Design and Configuration

Circumstances and Actions

Our tiered security system stores a hierarchy of security actions that prevent the unauthorized use of mobile devices, protect their data, assure their data availability, and ensure their user authentication.
Each tier can hold a variety of user-defined security actions that trigger events to occur under user-specified circumstances. The tiered system has a user-friendly graphical user interface (GUI) that makes it easy for users to define and configure the actions and circumstances they want and need. It can be set up to invoke a variety of security actions under a wide range of circumstances. Programmable actions can range from ringing an alarm to deleting, overwriting, and re-deleting drives, with many levels in between. Circumstances may range from temporarily misplacing the device at home to malicious theft in a hostile country. Examples of tiered circumstances and actions are listed in the table below.

Table 1. Examples of types of data security available on mobile devices. Any type of security tool installed on the mobile device can be set up and activated using the tiered security system.

| Type of Security | Security Description |
| --- | --- |
| Availability | Activate a ringer to help the owner find the device. |
| Availability | Automatically send a text message to the device with instructions to call a number or send an email or text message. |
| Availability | Activate GPS tracking, base station triangulation, or other tracking mechanism. |
| Availability | Automatically place a call from a security manager and play a recorded message to the device. |
| Authentication and Confidentiality | Activate password-only and digital signature user access. |
| Availability | Force outgoing calls to a service number. |
| Availability and Confidentiality | Deactivate functions, such as phone call placement, data viewing, email sending, or Internet browsing. |
| Integrity | Record and report device use to a security manager, such as calls placed, calls received, Web sites visited, emails sent or received, text messages sent or received. |
| Confidentiality | Partition sensitive data from non-sensitive data and move it to secure storage. |
| Confidentiality | Encrypt sensitive data. |
| Confidentiality | Delete sensitive data. |
| Confidentiality | Overwrite deleted data in corresponding clusters. |
| Confidentiality | Re-delete clusters of data a set number of times to be sure that no data can be recovered. |

The security levels, triggering events, and actions are defined and configured by an authorized user. The triggers that can be used and the actions that can be taken depend on the device and the operations that are available on it. Examples of triggering events include:

- Entering a user name and password.
- Calling the device from a telephone.
- Sending an email to the device.
- Sending a text message to the device.
- Invoking actions when acknowledgment is not received from the user or the device.
- Activating security on a specific date or at a certain time of day.
- Activating security upon receipt of sensitive data.

Server-based Tiered Security

Our tiered security system is a software program that is stored on the mobile device and downloadable electrical triggers that can be stored on the device or on a server. Network server installation allows the settings to be downloaded to many mobile devices and across many platforms when needed. As shown in Figure 1, some parts of the server-based tiered security system are implemented on the mobile phone, PDA, or laptop being protected, and others are implemented on a Security Manager that resides on the server.

Figure 1. Configuration of the network-based tiered security system for mobile devices. Configuration can be implemented from a central source and downloaded to all mobile devices on the system.

The Security Manager allows security configuration, where specific security action instructions and triggering events are defined and associated with a range of security levels. The security instructions, triggering events, the mappings between them, and the security levels are stored in a security database that can be accessed by many users when needed.
The Security Manager’s network interface is a TCP/IP protocol stack and the configuration interface is a standard, browser-based user interface. The Security Manager also includes tools to handle user- and group-specific needs, as shown in Figure 1. They include:

- A client handler for accessing user-specific account information. The client handler manages logon information, account numbers, and sensitive information for bank, credit card, cell phone, Internet, and other accounts, and stores this information in its own database.
- A policy manager for determining whether or not the security level associated with the device is consistent with the security policies of the organization that the user belongs to, such as corporate or agency policies.
- A message handler for coordinating the communication between the secured mobile device and the Security Manager.

Each secured device has a Security Agent that transfers the security levels and their corresponding security actions from the Security Manager to the mobile phone, PDA, or laptop. When their security measures are set and transferred, each mobile device on the system receives security instructions from the Security Manager plus the current security level setting. The specific setting can also be set locally on the device that is being secured. Once the mobile device is activated, its Security Agent reads its security level, actions, and triggering events and determines whether or not there is a context associated with the current security level. If a triggering event is detected, the Security Agent implements the corresponding action to protect the device.

Device-based Tiered Security

In 2002, 30 percent of laptops with network-based security that were reported stolen were not recovered because they were never connected to the Internet [8].
Wireless networking and tracking devices have helped alleviate some of that problem, but wireless mobile devices still can be easily moved to buildings or areas that are outside network connection or tracking range. Therefore, we designed the system so that the Security Manager, its database, and its tiered security actions and levels can be installed on the mobile device itself. It is designed so that its configuration interface can be either a remote browser or the device’s native user interface. The device-based system is illustrated in Figure 2.

Figure 2. Configuration of the mobile device-based tiered security system. The Security Manager, database, tiered security functions, and user interface reside on the device instead of the network. No network is needed to set up or activate the many levels of security.

The Security Manager is configured so that it periodically asks the user for some type of security acknowledgement, such as a password or digital signature. If the Security Manager receives no response within a preset time interval, the tiered security system is automatically triggered.

Hybrid Tiered Security

A hybrid arrangement that includes both a server-based Security Manager and a device-based Security Manager provides the convenience of network-based tiered security with the added security of device-based tiered security. In this hybrid arrangement, the system operates as described in the network-based tiered security arrangement but can switch to operate as described in the device-based tiered security arrangement when the device loses connectivity with the server-based Security Manager. For example, the device can monitor connectivity with the server-based Security Manager through periodic requests for responses or through the receipt of unrequested signals pushed from the server.
In either case, once a loss of connectivity is detected, the device-based Security Manager assumes control and begins to periodically ask the user for some type of security acknowledgement as described above. Control reverts back to the server-based Security Manager once connectivity is restored. The security configurations are preferably synchronized between the server and device so that the control transition between the two is seamless. This approach provides the user with the added security of device-based tiered security should connectivity with the server be lost, but avoids the annoyance of requiring repeated security acknowledgements from the user (i.e., even when connectivity is available).

Security Levels

When deciding what security actions to take and configuring the tiers of security, it is best to first clarify what must be protected and what of value may be lost. The different circumstances under which the device may be lost should also be listed. Once the lists are formed, they should be arranged along progressive security postures that will be used by the mobile device, similar to the levels of defense readiness condition (DEFCON), which we use as a guide in setting the activation and readiness levels for security of devices. Table 1 shows the general definitions of the five DEFCON levels and their protocol definitions. The standard security protocol is DEFCON 5; from there, the levels descend in increasingly severe situations. DEFCON 1 represents the expectation of actual data or device compromise.

Table 1. The defense readiness condition (DEFCON) levels and their corresponding protocol definitions. We used these progressive security postures to define and set the levels in the tiered security system.

| Security Level | Protocol |
| --- | --- |
| DEFCON 5 | Designates normal device readiness. |
| DEFCON 4 | Normal, increased intelligence and the heightening of security measures. The device might restrict specific communication vectors. |
| DEFCON 3 | An increase to force readiness above normal. The device may start prompting for actions that it would normally let pass without additional authorization. |
| DEFCON 2 | A further increase in force readiness, just below maximum readiness. The device is now known to be in the hands of unauthorized personnel. The data and system are intact, but the device is non-operational. It prompts the unauthorized user to return the device. |
| DEFCON 1 | Maximum readiness. It has been decided that the device is not recoverable, so the data and device are rendered useless. |

Table 2 shows an example of tiered security levels on a mobile device and the corresponding actions to be taken by the user and the Security Manager, both on and off a network. As shown, Security Levels may have more than one action and the Security Manager can be configured to automatically proceed to the next security level after a set period of time.

Table 2. An example of tiered security levels, the triggers that activate each level, and the actions taken by the Security Manager at each level. All security levels, their triggers, the lengths of time spent at each level, and the actions at each level are configured by an authorized user of the mobile device.

| Security Level | Trigger to Next Level | Action to be Taken |
| --- | --- | --- |
| DEFCON 5 | Normal state of readiness | |
| DEFCON 4 | Network-based security: A phone call to the device or its network activates the Security Manager. Device-based security: No response from the authorized user for two hours activates the internal Security Manager. | Activate a ringer or alarm at one-minute intervals. Send a text message to the device, asking the reader to call a preset phone number. Activate password-only access. Send a text message with instructions on what to do with the device. Automatically place a call to the device and play a recorded message. |
| DEFCON 3 | Device at Level 4 for one hour. | Record and report device use to the Security Manager. Force outgoing calls to one service number. Force URL entries to one Web site or Web page. Encrypt specific sensitive information. |
| DEFCON 2 | Device at Level 3 for two hours. | Disable use of the device. Delete specific sensitive information from the device. |
| DEFCON 1 | Network-based security: A phone call activates Level 1. Device-based security: Automatically activated when the device is at Level 2 for four hours. | Delete all information from the device drives. Overwrite all device drives. Re-delete all device drives. |

Actions that are performed on data can be handled in different ways. For instance, when certain files or data are designated “sensitive,” the Security Manager can partition them from the non-sensitive files and treat them separately. Further, when the rightful owner sends the Security Agent a list of files via the Web or an email, it can notify the Security Manager to perform different actions on those files.

Future Developments

Security Expansion and Upgrades

Rapid increases in the number of mobile telephones in use and advances in their functional complexity have led most of the mobile device security research that has been developed over the last few years. Because mobile phones are so small, so casually handled, and so widely used by so many people, many more of them are lost or stolen than the typical laptop or PDA. Because of this, new technologies are being designed to increase their security. Biometric tools are being developed to enhance system security, such as user authentication by retinal pattern or fingerprint. Face recognition software has been developed for cell phones with cameras so that unauthorized users cannot use a misplaced or stolen phone at all (Ijiri et al. 2006).
As biometric technologies improve and they become more affordable, they will become more common as cell phones continue their evolution to miniature mobile computers. With their evolution will come the wonderful software benefits and frustrating malware pitfalls of personal computers. Our research into the security of mobile devices turned up dozens of publications on the development of tools that protect mobile devices from malware, which is a fast-growing need for everyone as mobile phones advance.

Smart phones, like laptops and PDAs, are being developed for long term ownership these days, increasing their life expectancies from many months to many years. As a result, they are being designed to expand beyond the mobile device or its local network so they can be continuously upgraded by downloads from computers and the Internet. While this offers mobile phones new software, it also exposes them to the endless infections that we have all dealt with on our laptops and home computers for so many years. As a result, proactive software tools, rather than the widespread reactive ones, are being developed to protect mobile devices from infection [7, 9].

Broadly upgradable smart phones will need more protection than telephones ever have before, and our tiered security system is flexible enough to help transmit and install the many types of continuously upgradable security software that are currently being developed. Biometric security software can be added to our tiered security system and implemented by it, and our system’s networking capabilities can be expanded to include the regularly scheduled downloading of and scanning by virus protection and detection software. We designed the tiered system so that it can, and will, evolve with mobile computing devices as they advance into the future.

Acknowledgments

The authors would like to thank Julie Tomlinson for her writing and editing.

References

1. A. Tversky and D. Kahneman, “The Framing of Decisions and the Psychology of Choice,” Science, vol. 211, no. 4481, 1981, pp. 453-458.
2. A. Bose and K. G. Shin, “Proactive Security for Mobile Messaging Networks,” Proc. 5th ACM Workshop on Wireless Security, ACM, 2006, pp. 95-104.
3. B. Prince, “The Security Threat in Your Pocket,” eWeek, 7 March 2008; http://www.eweek.com/c/a/Security/The-Security-Threat-in-Your-Pocket.
4. B. J. Halpert, “Authentication Interface Evaluation and Design for Mobile Devices,” Proc. 2nd Ann. Conf. on Information Security Curriculum Development, ACM, 2005, pp. 112-117.
5. E. Mitchell, “Old-school ID Thievery,” The Philadelphia Inquirer, 25 May 2008.
6. A. Dolya, “Mobile Device Security 2007,” InfoWatch, 23 May 2007; http://www.infowatch.com/threats?chapter=162971949&id=207784708.
7. H. Berghel, “Faith-based Security,” Communications of the ACM, vol. 51, no. 4, 2008, pp. 13-17.
8. D. Pogue, “State of the Art; Making Sure A Laptop Won’t Stray,” New York Times, 14 March 2002.
9. Y. Ijiri, M. Sakuragi, and S. Lao, “Security Management for Mobile Devices by Face Recognition,” Proc. 7th Int’l Conf. on Mobile Data Management, IEEE Computer Society, 2006, pp. 49.

Keywords: C.2.8.d J.9 K.6.5.e K.6.m.b
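
The device-based escalation of Table 2 and the hybrid hand-over from the Hybrid Tiered Security section, written out as a simulation. This is an added example, not the authors' implementation: the class layout and action labels are made up here, and it assumes that a valid acknowledgement returns the device to DEFCON 5, that DEFCON 1 cannot be reversed, and that the dwell clock starts when server connectivity is lost.

```python
from dataclasses import dataclass, field

# Levels, dwell times and actions follow Table 2 (device-based triggers).
# Each entry is (minutes spent at this level before the next one is
# activated, actions run on entering this level). Action names are labels
# made up for this example; nothing is executed on a real device.
TIERS = {
    5: (120, []),
    4: (60, ["ring_alarm_every_minute", "text_call_preset_number",
             "password_only_access", "text_return_instructions",
             "call_and_play_recording"]),
    3: (120, ["report_device_use", "force_calls_to_service_number",
              "force_urls_to_one_site", "encrypt_sensitive_data"]),
    2: (240, ["disable_device", "delete_sensitive_data"]),
    1: (None, ["delete_all_drives", "overwrite_all_drives",
               "redelete_all_drives"]),
}


@dataclass
class SecurityAgent:
    level: int = 5
    level_since: int = 0            # minute the current level was entered
    server_reachable: bool = True   # hybrid mode: server-based manager in control
    history: list = field(default_factory=list)     # (minute, new level)
    dispatched: list = field(default_factory=list)  # (minute, action label)

    def set_connectivity(self, now, reachable):
        """Hand control between the server-based and device-based manager."""
        if self.server_reachable and not reachable:
            # Device-based manager assumes control; its clock starts now
            # (assumption of this example).
            self.level_since = now
        elif reachable and not self.server_reachable:
            self.tick(now)  # settle anything that came due while offline
        self.server_reachable = reachable

    def tick(self, now):
        """Advance the tiers to minute `now`; return the actions newly fired."""
        fired = []
        if self.server_reachable:
            return fired  # server-based manager decides; no local timers
        while self.level > 1:
            dwell = TIERS[self.level][0]
            if now - self.level_since < dwell:
                break
            # Stamp the transition at the minute it came due, so a device
            # that was suspended for hours still walks every tier in order.
            self.level_since += dwell
            self.level -= 1
            self.history.append((self.level_since, self.level))
            for action in TIERS[self.level][1]:
                self.dispatched.append((self.level_since, action))
                fired.append(action)
        return fired

    def acknowledge(self, now, credential_ok):
        """Handle a response to the periodic acknowledgement prompt."""
        self.tick(now)  # a late answer must not skip tiers already due
        if not credential_ok or self.level == 1:
            return False  # bad credential, or device already wiped
        self.level, self.level_since = 5, now
        self.history.append((now, 5))
        return True


def demo():
    """Connectivity lost at minute 0, no acknowledgement for ten hours."""
    agent = SecurityAgent()
    agent.set_connectivity(0, False)
    agent.tick(600)
    return agent.history
```

With the Table 2 timings, a device that loses its server at minute 0 and never receives an acknowledgement reaches DEFCON 4 at minute 120, DEFCON 3 at 180, DEFCON 2 at 300 and DEFCON 1 at 540, even if the agent only gets to run once at minute 600.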