The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse. I am talking of course about your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control, and some not.

Just look at some of the recent hacks that have happened to phones. There are bad apps that look benign, apps that claim to protect you from virus infections but are really what are called “fake AV” and harm your phone instead, and even malware that infects application construction tools. I will get to some of the specifics in a moment. If you are in St. Louis on August 3, you can come hear me speak here about this topic.

Part of the problem is that the notion of “bring your own device” has turned into “bring your own trouble” – as corporate users have become more comfortable using their own devices, they can infect or get infected from the corporate network.  And certainly mobile users are less careful and tend to click on email attachments that could infect their phones. But the fault really lies in the opportunity that mobile apps present.

For example, take a look what security researcher Will Strafach has done with this report earlier this year. He demonstrated dozens of iOS apps that were vulnerable to what is called a man-in-the-middle attack. These allow hackers to intercept data as it is being passed from your phone through the Internet to someplace else. At the time, his report grabbed a few headlines, but apparently, that wasn’t enough. In a more recent update, he found that very few of the app creators took the hint — most did nothing. He estimates that 18 million downloaded apps still have this vulnerability. Security is just an afterthought for many app makers.

Another issue is that many users just click on an app and download it to their phones, without any regard to seeing if they have the right app. Few of us do any vetting or research to find out if the app is legit, or if it part of some hacker’s scheme, and to do so really requires a CS degree or a lot of skill. Take the case of the “fake AV” app that infects rather than protects your phone. There are hundreds of them in the Google Play store. FalseGuide is another malware app that has been active since last November and infected more than two million users.

The Judy malware has infected between 8.5 million to 36.5 million users over the past year, hiding inside more than 40 different apps. DressCode initially appeared around April 2016 and since then it has been downloaded hundreds of thousands of times. Both look like ordinary apps that your kids might want to download and play with. Hackers often take legit apps and insert malware and then rename and relist them on the app stores, making matters worse.

Even the WannaCry worm, which was initially Windows-only, has been found in seven apps in the Google Play store and two in Apple’s App Store. Speaking of Apple, the malware XcodeGhost is notable in that it has targeted iOS devices and resulted in 300 malware-infected apps being created, although that malware infected Apple’s desktop development environment rather than the mobile phones directly.

So what can you do? First, make sure your phone has a PIN to lock its use, and if you have a choice of a longer PIN, choose that. There are still at least ten percent of users that don’t lock their phones. Having a PIN also encrypts the data on your phone too.

Next, use encrypted messaging apps to send sensitive information, such as Signal or WhatsApp. Don’t trust SMS texts or ordinary emails for this.

Use a password manager, such as Lastpass, to store all your passwords and share them across your devices, so you don’t have to remember them or write them down.

When you are away from your home or office network, use a VPN to protect your network traffic.

Don’t automatically connect to Wi-Fi hotspots by name: hackers like to fool you into thinking that just because something is named “Starbucks Wi-Fi” it could be from someone else. Apple makes a Configurator app that can be used to further lock down its devices: use it.

Turn off radios that aren’t in use, such as Bluetooth and Wi-Fi.

Don’t do your online banking — or anything else that involves moving money around — when you are away from home.

Don’t let your kids download apps without vetting them first.

Turn on the Verify Apps feature, especially on Android devices, to prevent malicious or questionable apps from being downloaded.

Keep your devices’ operating systems updated, especially Android ones. Hackers often take advantage of phones running older OS’s.

I realize that this is a lot of work. Many of these tasks are inconvenient, and some will break old habits. But ask yourself if you want to spend the time recovering from a breach, and if it is worth it to have your life turned upside down if your phone is targeted.

Most of us know by now that if you spot a random USB thumb drive sitting on the ground, you should ignore it, or better yet, put in the nearest trashcan. This action was an early plot point in the TV series Mr. Robot. I even saw a poster at Checkpoint’s Tel Aviv headquarters when I visited there in January warning employees to dispose of such drives when found on their campus.

But still, human nature gets the better of us sometimes. A recent academic paper shows just how tempting that drive can be for college students at the Universities of Michigan and Illinois. The study found that out of 300 drives that were sprinkled around the various campuses, at least half were retrieved and inserted into computers. In some cases, the drives were inserted within a few minutes of being left.

These drives contained special code that would “phone home” and alert the researchers that they were found, but they could have contained more dangerous malware. Which is the point of this depressing exercise.

What is interesting about the paper was the lengths that the researchers went to understand their target’s motivations and rationale for picking up the drives in the first place. They were asked to complete a survey (paying them $10 to complete, after all, these are college students). Two thirds of them said they took no precautions before connecting them to their computers.

They also tested the time of day, location, and branding of the drive itself to see if these factors made them more or less likely to be retrieved. For branding, the researchers attached a “confidential” sticker, a return address label or keys to see if that made a difference. Interestingly, the return address label actually reduced insertion rates. The researchers also monitored Facebook and Reddit to see if any students posted warnings about the proliferation of drives around campus. Despite several postings and the fact that word spread on these networks quickly during the experiment, the drives were still retrieved.

This isn’t the first, and certainly won’t be the last such study. Several years ago, the Department of Homeland Security found that 60% of folks who found drives planted outside government buildings tried them out, and this percentage increased to 90% when the drives had a logo on them indicating some sort of official use. And last fall, a study commissioned by the trade group CompTIA found that 20% of 200 drives that were sprinkled across five cities were retrieved.

Certainly, there are some drives that are truly evil, such as this drive reported by Gizmodo that will literally cook your motherboard. Or the infamous Rubber Ducky drive used by penetration testers.

Bruce Schneier complained about this meme years ago, and wrote in a blog post:

“The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that it isn’t safe to plug a USB stick into a computer. Quit blaming the victim. They’re just trying to get by.”

Certainly, better and more security education would be a good idea. The college survey found that students perceived the files on the flash drive as being safer because they used .html extensions. Uh, not quite. But there is some hope: a few students were suspicious and actually used a text editor to open these files and connect them to offline computers.