Half of Used Phones Still Contain Personal Info

jhernik writes "More than half of second-hand mobile phones still contain personal information of the previous owner, posing a risk of identity fraud. A study found 247 pieces of personal data stored on handsets and SIM cards purchased from eBay and second-hand electronics shops. The information ranged from credit card numbers to bank account details, photographs, email address and login details to social networking sites like Facebook and Twitter. According to data security firm CPP, 81 percent of previous owners claim they have wiped personal data from their mobile phones and SIM cards before selling them. However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

Re:manufactuers and telcos fault again

[Ritchie70]

It would not shock me if Microsoft took security more seriously than Apple.

Microsoft products are the target of more attacks.

Microsoft has more business customers.

I just got a new phone and have no idea if I successfully deleted everything from my old phone. It seems clean, but maybe I should just take it apart into little pieces and be done with it. I usually leave old phones in the donation bin at work, though.

Wiping should not be needed

[mmcuh]

The main problem here isn't that people aren't deleting their data, it's that phones don't come with block-level or at least filesystem-level encryption for all data by default. If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

Re:Wiping should not be needed

If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

If you make something idiot-proof, the world will make a better idiot.

Re:Wiping should not be needed

> Encryption is only effective if you require the user to enter a pass phrase every time he needs access.

That's not how you would use encryption here.

You would encrypt most of the desk with a randomly-generated key stored in the unencrypted part.
When the user of the phone then selects "Delete Everything!", you generate a new key and overwrite
the old. That really will get rid of the old data.

I Have To Join In

...With the chorus of responses above. Every time I get a new phone I have to go through a goddamn voodoo ritual of clicking around on Google for a couple of hours trying to figure out where the phone manufacturer and/or the original carrier of the phone decided to hide, password protect, lock out, or otherwise attempt to obscure the method for doing a "master reset" or full wipe of the phone's data. I think in the USA this problem is compounded by the ubiquity of contract phones -- non-nerds can basically only buy a cell phone from a service provided, tied to that service provider in this country -- and it's common practice for cell carriers to lock out, password, and hide features of their phones in their BS custom firmware (Which also probably locks you out of firmware updates from the manufacturer, at least on basic "dumb" phones. Oh, and it has a thirty-second slideshow animation complete with irritating jingle and the carrier's logo that plays when you power on and off, which can't be silenced or skipped.). Apparently they do this to force users to buy games and ringtones through them at exorbitant cost instead of just hooking up a USB cable and copying some MP3's/Java Apps from their PC, but this causes other problems like tucking the Master Reset option in a damn maintenance menu that's locked with a password that only the cell phone company is supposed to know. And sometimes they do other fun things like disabling Bluetooth file transfer, disabling tethering, disabling local video playback, etc., etc.

This is a practice that needs to stop. This article is just another example of why.