Updated at 1:26 p.m. ET Friday
If Jeff Bezos can't keep his phone safe, how can the rest of us hope to?
Sure, Bezos, Amazon's CEO and the owner of The Washington Post, is smart and presumably has good security people helping him, says Matthew Green, a computer science professor at Johns Hopkins University. But, Green says, "the bad thing about being Jeff Bezos is that there are a lot of people with huge amounts of money who want to hack you."
Still, a targeted hack like the one the Saudis allegedly used against Bezos to get troves of information off his phone — which involved a video file allegedly sent by Crown Prince Mohammed bin Salman to Bezos over WhatsApp — is costly and hard to pull off, says Green, an expert on cryptography and cybersecurity.
Green says that if you're not very wealthy and not a celebrity, a politician or a top executive, "you probably are not a target." At least for that type of attack.
That's the good news. The not-so-good news: Research shows that more general-purpose malware aimed at phones that the rest of us use is also on the rise.
So here's what you need to know to reduce your chances of getting hacked.
1. Don't "jailbreak" your phone and install dubious apps
There is a whole netherworld of questionable apps that exists outside the supported app stores run by Apple, Google and Amazon.
Many people "jailbreak," or alter, their phones so they can install apps from outside the mainstream app stores — apps that look like games or promise to let you watch a big Hollywood blockbuster before it's officially released. But "that dramatically increases your risk for installing malicious apps," says Tim Erlin, a cybersecurity expert at Tripwire.
Overall, phones are getting much harder for hackers to break into, Green says. He says even if your phone is compromised in some way by malicious code, that doesn't mean the hackers can open all your apps, look inside them and get your bank account numbers, emails with your tax returns for your accountant or whatever else.
"Every single app you have runs in what's called a sandbox. Basically, it's isolated from all the other apps on the phone," Green says. "So even if there's a bug in one app ... that could lead to something bad — some malware being installed that affects that app. But generally speaking, it won't spread throughout your phone."
So that's a crucial protection to make hacks much more difficult. But if you jailbreak your phone, you're throwing aside that digital security and leaving yourself much more vulnerable.
Green notes that if your phone is four or five years old, you also don't have some of these important newer protections and are more at risk.
2. Install all operating system updates
Hackers and the phone manufacturers are in an ongoing race. The hackers find vulnerabilities, and then fixes are included in the software updates for your phone.
Social media and messaging companies are in this race against the hackers too. Facebook, which owns WhatsApp, warned about and fixed a video file vulnerability last year, but it's unclear whether it was the same one that allowed Bezos' iPhone to be hacked in 2018. Where you play a role in all this is by installing the latest updates to your phone and the apps installed on it.
"Keeping your phone updated is an important step in keeping it secure as well," Erlin says. "It's important to install those updates when they're available."
This is where having an old phone can be a problem. "It's a choice you can make: If you don't want to move to a newer phone, you want to accept that risk. Lots of people do, but it does put you at greater risk, because you're no longer receiving security updates," Erlin says.
3. Beware of questionable attachments and links
In traditional phishing attempts, you might get an email on your computer asking you to click on a link or download a file that contains malware. But for hackers targeting phones, the threat might not be in an email.
"If you think about the apps that you use most commonly, maybe it's Facebook, maybe it's Instagram, maybe it's some other app where you have the capability to send and receive messages," Erlin says. "An example would be that in Instagram, you receive a link. Maybe it's not a file — maybe it's a link from someone you know or you follow that says, 'Here, I made this for you.' "
Just like with email phishing accounts, Erlin says, watch out for vague and general-sounding messages asking you to open a file or click on a link. Even if the message comes from someone you know, the person's account may have been compromised. "And so you click on that link and it compromises your phone," Erlin says.
Be careful about being tricked into giving away passwords or other sensitive personal or financial information. Erlin remembers a couple of years ago, an attacker was trying to get people to enter their credentials for their bank account so the hackers could steal them.
Erlin adds: "And they had compromised the phone in such a way that they replaced the phone number for the bank account with a phone number that they controlled, so that when you tried to call your bank to say, 'Hey, I can't get into my bank account,' you ended up with a person who was associated with this attack. That's a fairly sophisticated type of operation, but it was possible at that time."
4. Protect yourself from SIM-swap attacks. Don't use your cellphone as a way to verify identity
SIM-swap scams are some of the scariest phone hacks. They're more difficult and time intensive to pull off. So they're not that common, but they are on the rise.
Samy Tarazi, a criminal investigator with the Santa Clara County District Attorney's Office in California, works on a regional task force on the problem. He says he knows of about 4,000 cases nationally, "but there are more than that."
With a SIM swap, fraudsters take control of a victim's phone number. Tarazi says there are multiple ways they can do this. They might trick the phone company and claim they lost their phone and need to transfer the number. Sometimes it's an inside job where they bribe a phone company employee.
Once they get that number transferred over to a phone that the hackers control, Tarazi says, often "that phone number is linked to all of the victim's online accounts — their bank accounts."
Those accounts use the cellphone number to verify a customer's identity when the customer wants to do something like change a password. A bank might send you a text message with a temporary code that you then use to change your account's password.
So without knowing any of your actual passwords, a hacker can take control of an email account and then have control of both your phone number and your email. "From there, he can reset passwords to any other service — banks, cryptocurrency ... social media," Tarazi says. People have lost large sums of money this way, he says.
But Tarazi says there is a way to protect yourself: "We highly recommend that people not use their cellphone number as a form of verification of identity." Instead, he says, you should tell financial institutions and other services that you use that you want to use a password and some other form of two-step verification.
Tarazi says some companies may allow you to use a special authenticator app for this. Or he says you could use security questions that you know the answer to. But he says you should make up fictional answers if the security questions can be researched and figured out by others.
5. Be careful about public Wi-Fi when traveling abroad
This is actually an area where phones are getting more secure. Green says if you're running a relatively new phone with the most updated operating system, you don't have to worry that much about whether plugging into a public charging station or connecting to a public Wi-Fi network is going to let hackers break into your phone.
"There's still always a chance that somebody could look at the traffic going over the network. You should worry about that," Green says. "But really, hacking into your phone is getting much, much harder."
But Tarazi says you do want to be more careful when traveling abroad. He says many people want to use Wi-Fi to avoid roaming charges, and that's OK.
But, he says, be careful if you try to use a public network and it prompts you to do something suspicious. "Sometimes it's download this app and then use it to log in," Tarazi says. "If it ever requires you to download something, definitely do not do that."
Even with the improved security for smartphones, often you don't realize you've been hacked until it's too late. And if somebody opens a credit card in your name or steals money from an account, you also don't know how they got your personal information — from your phone, stealing your mail or the Equifax breach or some other massive hack of a corporation.
If the address book on your phone is compromised, an attacker would be able to email spam with malicious links to all your contacts. If one of those contacts clicks on the link and then does some online banking, "that lets the hackers steal credentials for their bank account and then they have access to that bank account," Erlin says.
Tarazi of the Santa Clara DA's office says that with so many ways to have your personal financial information stolen, it's a good idea to call the three major credit bureaus and tell them to put a freeze on your credit report. That makes it much harder for identity thieves to open a new bank account or credit card using your name.
LULU GARCIA-NAVARRO, HOST:
This week, we learned that Amazon founder Jeff Bezos allegedly had his phone hacked by the crown prince of Saudi Arabia. Malicious code was supposedly hidden inside a message sent to Bezos from the prince's WhatsApp account. Now, we should say we don't yet know for sure how Bezos' phone got hacked. And Saudi Arabia denies it. But all of this got us thinking, if Jeff Bezos can't keep his phone safe, can the rest of us? We're joined now by NPR's Chris Arnold to answer that question. Hi.
CHRIS ARNOLD, BYLINE: Hey, Lulu.
GARCIA-NAVARRO: All right. You and I presumably don't have security as good as Jeff Bezos. What can we do?
ARNOLD: Right. There are good things, I'm sure, about being Jeff Bezos.
ARNOLD: A bad thing about being Jeff Bezos, though, is that people with a lot of money and resources are trying to hack his phone. But the good news is the rest of us - we probably do not have to worry about a super sophisticated, expensive, targeted hack.
GARCIA-NAVARRO: Something tells me there's some not-so-good news for us who are not Jeff Bezos world.
ARNOLD: Yeah. The hackers are using more generic, low-cost malware against us. The good thing about that, though, is that, even if some of that gets into your phone, phone security is getting better. And it's very unlikely that that's going to let the hackers, like, open up all your apps and, like - ooh. Here, I'll open the banking app and get the account number - all this stuff. And here's why. I talked to Matthew Green, a computer science professor at Johns Hopkins.
MATTHEW GREEN: Every single app you have runs in what's called a sandbox. Basically, it's isolated from all the other apps on the phone. So even if there's a bug in one app - yes, it's possible that that could lead to something bad, some malware being installed that affects that app. But generally speaking, it won't spread throughout your phone. And so that's kind of the protection that phones have added to make these hacks much more difficult.
GARCIA-NAVARRO: So that sandbox sounds good, right? But don't hackers always find some new vulnerability that they're going to exploit?
ARNOLD: Yeah. That's always possible. And here's also a big and important safety tip from Green, so you don't make that too easy for them. He says some people do what's called jailbreaking their phones. And you could do that to, like, install games that you can't get at the regular App Store. And if you jailbreak your phone, a lot of these good protections disappear. And so it's, like, you're taking off your digital armor and leaving yourself wide open to attack.
GARCIA-NAVARRO: So do not jailbreak your phone is what you're saying here.
ARNOLD: Don't do it.
GARCIA-NAVARRO: Don't do it.
ARNOLD: Don't jailbreak your phone.
GARCIA-NAVARRO: (Laughter). All right. Let's talk about this thing called SIM swapping. It sounds scary. What is that?
ARNOLD: All right. The short version of that is the bad guys trick the phone company to transfer your phone number from your phone to a phone that they have. And then once they get that, they can get your passwords reset by getting that little six-digit thing - gets zapped to their phone. And then they're like, oh, here we go. Reset the password. And pretty soon, they're in all your bank accounts and everything. They steal a lot of money. We spoke to Samy Tarazi. He's an investigator with the Santa Clara County District Attorney's Office. Here's what he said.
GREEN: So we highly recommend that people not use their cellphone number as a form of verification of identity. And then there's alternative two-factor authentication methods that are free.
ARNOLD: Or you can use the security questions. But this is interesting. He says make up fictional answers that you'll remember so that people can't research the answers to those questions. Well, the bottom line in all this is, you know, whether it's a phone hack or something else, our personal data can get stolen in all kinds of ways. We have to be vigilant. And Tarazi says, look. You put a credit freeze to block anybody from opening new credit cards, new accounts in your name. That's always a good idea.
GARCIA-NAVARRO: Indeed. All right. That's NPR's Chris Arnold breaking it down. Thank you so much.
ARNOLD: You're welcome.
(SOUNDBITE OF KELIS SONG, "TRILOGY") Transcript provided by NPR, Copyright NPR.