How secure is your smart phone?

As if you didn't have enough to worry about, two British chaps have demonstrated how a phony Wi-Fi hotspot can intercept data from your smart phone. It's the strangest thing we've seen since Firesheep was declared the "threat of the month."

• How dicey is your credit score?

In a BBC video, Tom Beale of security firm Vigilante Bespoke gathered sensitive information from the iPhone 4 of BBC tech writer Rory Cellan-Jones as the smart phone accessed the Web via a fake Wi-Fi network Vigilante had set up. Then Cellan-Jones logged on to Facebook and it went downhill from there.

"Now that Facebook is connected to people's phone numbers and contact information, the hacker essentially has access to all of this data," Lydia Leavitt wrote at TGDaily about the BBC demonstration.

To drive that point home, Beale used information from Cellan-Jones' Facebook contact list to send a text that appeared to be from the writer's wife, asking for their credit card PIN. (Hopefully Cellan-Jones would be too smart to provide the answer via his phone.)

How worried should you be?

The BBC pointed out that this situation could occur not just with an iPhone but other smart phones as well. But how likely is it that your smart phone (or laptop) will be connecting to a phony Wi-Fi network? Paul Lamkin acknowledged that "tech-savvy Pocket-lint readers like yourself will probably dismiss the BBC video above as scaremongering."

Jeff Cohn, writing at Dead Zones, also expressed some skepticism:

Are smart phones secure on open Wi-Fi networks or are they vulnerable to attacks like PCs and laptops are? As mobile phone users start preferring to offload data to Wi-Fi, will security be the fear factor sales pitch? … I still have yet to hear about one concrete example of a phone user getting hacked while using a smart phone at a hotspot or while offloading data from an application.

However, it's not outside the realm of possibility. SC Magazine reported recently that an experiment by CPP, which sells identity protection services, "showed that more than 200 people unsuspectingly logged on to a fake Wi-Fi network over the course of an hour, putting themselves at risk from fraudsters who could harvest their personal and financial information." (It also found that "almost half of home Wi-Fi networks in the UK can be hacked in less than five seconds.")

 Post continues after video.

What can you learn from this? People don't realize that their smart phones are little computers subject to the same threats as the larger devices.

What can you do to protect yourself?

• Keep the Wi-Fi and Bluetooth functionality turned off when you're not actively using them with a secure network. There are apps for that. "Of course, the downside is that you may find you use up your 3G Internet allowance more quickly every month," Seamour Rathore wrote at Mobile Choices.
• Connect only to networks you know are secure. (Keep in mind that bad guys can name a fake network anything they want.)
• Elinor Mills advised at CNET: "If you are doing something sensitive on your phone, like checking a bank account or making a payment, don't use the free Wi-Fi at a coffee shop or other access point. Use your password-protected Wi-Fi at home or the cellular network to avoid what is called a man-in-the-middle attack in which traffic is intercepted."
• Reader "Valdemar" wrote at Cellan-Jones' blog: "To be perfectly frank, common sense makes this a total nonissue for anyone. Want to check Facebook? Use a browser with HTTPS and VPN, as someone else stated. OH NOES, looks like this killer problem is nipped in the bud."

For more tips about secure Wi-Fi on the go, see this article at Wired, and, for a broader view, check out this mobile security guide.

Meanwhile, Facebook sent this statement to Cellan-Jones:  

Facebook takes the security of people using the platform very seriously. We advise people to be very careful about the information they access or send from an unsecured public wireless network. We're working hard to make Facebook the safest platform online, and are currently investigating how to best roll out more secure login processes, including SSL, that will enable people to use Facebook on unsecured Wi-Fi networks with total peace of mind.

Beale also demonstrated another hack on Cellan-Jones' iPhone. Leavitt explained:

To bypass the first level of security, the onscreen passcode, Beale employed a well-known iPhone hack, which requires typing a certain combination of numbers and a few buttons. It took Beale all of one minute to bypass the passcode and get into the phone. Similar hacks exist for Android and other smart phones.

According to the BBC, "Apple has responded to the way that the latest iPhone is unlocked in this video, by saying that a recent update can be downloaded to prevent this."

More from MSN Money:

• Is your smart phone spying on you?
• 3 dumb ways to buy a smart phone
• Bank fraud? There's an app for that
• 3 ways you can thwart identity thieves
• Is free Wi-Fi killing the coffeehouse?
• The 'friends mugged abroad' scam