Brilliant question from an A4A member today about Android’s new feature that allows you to remotely lock or erase data on your Android phone in case it is lost or stolen. This security feature is great for financial advisors because you can lock or erase data on your Android device remotely by logging into your Google account and using Google’s free device manager.
The question that came in today is what happens if your Google account gets hacked and you have enabled the remote-lock/erase feature?
“If anyone hacks my Google/Gmail account, can they reverse the process and lock/erase my HTC?” asks dmorton. “What protections are there for that, if any are needed?”
The answer: If your Google account gets hacked, the hacker can lock you out of your cell phone and/or erase all of your data.
The screenshot above shows the Google account device manager interface, which displays your phone’s location and enables you to erase or lock your phone or tablet if it is ever lost or stolen. (For details, see my post from last week.) To change your lock-screen key, Google device manager asks only for a new password. So a hacker who gains control of your Google account would simply input a new password to lock you out of your phone or wipe it.
I locked my phone just now using the Google device manager to try it out. (I always try to do this stuff before I tell readers to do it, a practice that should be required of all practice management "experts.") Seconds after I used Google's device manager to change my Android phone's lock-screen key, I was indeed locked out of my phone. It worked like a charm. And all that was needed was creating a new Android lockscreen-key using Google's device manager. To be clear, anyone with credentials to your Google account can lock you out of your Android tablet or phone if you enable the new Google-Android security feature released last week.
On the bright side, Google device manager’s remote-lock feature for Android tablets and phones only allows a hacker who gains control of your Google account to erase or lock you out of your phone; it does not give a hacker access to your phone’s data.
As long as you have not synched your Android contacts, pictures, and other data with your Google account, a hacker who takes control of your Google account cannot see your phone contacts, pictures and other data on your phone or tab.
Software companies, Google included, launch features in simple form to gain wide adoption, then slowly add bells and whistles. My guess is Google will fix the weakness highlighted by your question by adding some form of authentication of a phone’s lock-screen password. For example, Google could simply require users to submit their current lock-screen password for their Android before they can change their lock-screen password. This simple security measure would safeguard against hackers disabling your access to your phone or erasing data stored on your tablet after breaking into your Google account.
Until the issue is addressed, prudent advisors who have an Android device can use the new lock-screen feature but must be conscientious about using a strong password and mindful of key-loggers.
Not many advisors are storing client data on Gdrive, Gmail or other Google Apps. So I suspect most advisors don't have client or personal data at risk in their Google account. If you are using Google to run your advisory business, please let us know. If it is prudent, or even possible, to use Google to run an advisory practice, please let me know.
While many advisors use Google as a spare email account, the vast majority of advisors do not use Google for client communications--as a system of record for regulatory purposes--and I do not believe Google is tightly integrated yet with any professional apps for portfolio accounting, financial planning or CRM. Google is cutting-edge technology but advisors are known for prudence. Adopting the newest technology is not characteristic of advisors.
Which makes dmorton's question all the more important.
Because advisors are probably not routinely using Google for sensitive client or personal data, most have probably not thought much about the security aspects of adding this new feature for remotely locking an Android phone or tablet from a Google account. Dmorton's question underscores the need for advisors who use this new Google/Android feature to create a strong password for their Google account and to consider the risk of someone hacking their Google account and locking them out of their Android phone.
One final thought: In the event someone hacks your Google account and erases your Android phone or tablet’s data--and the device has not been stolen or lost--you can take your phone to your service provider and it should be able to get you back into your device. You may even be able to recover any data wiped by the hackers.
Let me know what you think.