Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half of Used Phones Still Contain Personal Info

Posted by samzenpus on from the what-do-we-have-here dept.

jhernik writes "More than half of second-hand mobile phones still contain personal information of the previous owner, posing a risk of identity fraud. A study found 247 pieces of personal data stored on handsets and SIM cards purchased from eBay and second-hand electronics shops. The information ranged from credit card numbers to bank account details, photographs, email address and login details to social networking sites like Facebook and Twitter. According to data security firm CPP, 81 percent of previous owners claim they have wiped personal data from their mobile phones and SIM cards before selling them. However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

51 of 83 comments (clear)

  1. manufactuers and telcos fault again by devboys · · Score: 1, Informative

    Phone manufacturers and telcos are making the wiping much harder than it needs to be. I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in? I dont even mean the usual delete, but actual multiple times overwriting. While it's more important for business users (and why RIM and Microsoft pay more attention to such details), it's something casual people need too. It needs to be on other phones than business ones too. But like it is, you usually get what you pay for - if you pay for professional software companies like Microsoft, you get products that have been though over and made secure. If you get something amateurish, well, that's what you get. The kind of things business users need are the first things forgotten in those devices and software products.

    1. Re:manufactuers and telcos fault again by Ritchie70 · · Score: 3, Insightful

      It would not shock me if Microsoft took security more seriously than Apple.

      Microsoft products are the target of more attacks.

      Microsoft has more business customers.

      I just got a new phone and have no idea if I successfully deleted everything from my old phone. It seems clean, but maybe I should just take it apart into little pieces and be done with it. I usually leave old phones in the donation bin at work, though.

      --
      The preferred solution is to not have a problem.
    2. Re:manufactuers and telcos fault again by devboys · · Score: 1, Troll

      Also remember that the iPhone jailbreaks are actually remote exploits run on a website. iPhones are basically completely rooted just by visiting a website. Great security there, tho Apple users are posting is a "good" thing as it allows them to root their phone.

    3. Re:manufactuers and telcos fault again by Dan541 · · Score: 1

      I burn my old smart phones (literally) it's the only way I can know that the data is really gone.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    4. Re:manufactuers and telcos fault again by alt236_ftw · · Score: 1

      I don't know about the WM7 implementation, but multiple times overwriting is hit and miss on flash media due to the wear levelling algorithm.
      Unless the chip directly supports it, multiple overwrites simply spread the writes on different sectors.

    5. Re:manufactuers and telcos fault again by Anonymous Coward · · Score: 1, Informative

      Yeah, wiping an iPhone is so hard. I mean you've got to go to Settings -> General -> Reset and then tap on "Erase all content and settings".

      Can you believe they made it that hard? It's just terrible!

    6. Re:manufactuers and telcos fault again by DrgnDancer · · Score: 1

      Actually it's trivially easy to wipe an iPhone. Dunno about Android, though I assume they have the same feature, but on an you can set up an iPhone to self wipe after four failed PIN attempts. That's right, if for some reason you can't figure out who to use the large "reset to factory default condition" button in iTunes, you can turn on the PIN function and force it to wipe itself after four failed attempts. But hey, it's a lot easier to bash products you know nothing about than to actually post accurate information.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    7. Re:manufactuers and telcos fault again by Amarantine · · Score: 2

      Yes. Apple makes computers for people who don't understand anything about computers. Microsoft makes computers for professionals.

      Didn't know that Microsoft makes computers. But you are aware that most people who don't understand computers, use Windows, right? "Oh, perhaps the printer didn't hear me. I'll just hit the print button again."

    8. Re:manufactuers and telcos fault again by PsyciatricHelp · · Score: 1

      Why bother spending the time to wipe a stolen device?

    9. Re:manufactuers and telcos fault again by tehcyder · · Score: 1

      Really? Do you not think it would be a bit subtler and more professional if was actually a professional being paid to write that post?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    10. Re:manufactuers and telcos fault again by Chrisq · · Score: 1

      However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

      I usually leave old phones in the donation bin at work, though.

      Where do you work?

      he works at Al Quaida. Plenty of second hand phones, they only get used once

    11. Re:manufactuers and telcos fault again by cayenne8 · · Score: 1
      Actually...I'm kinda surprised, I'd never even ever thought about selling a cell phone after I've used it...is there really a market for this?

      In the past, when my cell phone was off contract, it was usually so beat up, and outdated (2 main reasons I'd want to get a new one) I just usually chunk them in the trash. I kinda assumed most everyone did, I've never seen a used one before.

      I supposed with more phones like the iPhone and Android ones that are smartphones, I can see a market for used ones...I guess some people aren't as hard on them as I am (and I'm not as hard on them as some of my friends, mine usually at least last the 2 years of the contract).

      But really, do that many people on there resell their used cell phones...or are they as disposable as I've considered them in the past? Who wants to buy an older, obsolete phone? Is there much of a market for these? Is there really that big of one for the iPhone...since likelly by time you're out of contract on that....the battery is getting weak and you can't change the battery out yourself?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    12. Re:manufactuers and telcos fault again by somersault · · Score: 1

      You might be surprised how cheap some people are! My brother in law would totally buy a used phone.

      Here at work we re-use old handsets sometimes too, or give them to employees if they want to keep them.

      I've thrown one or two out, kept some as spare (then gave it to gf and she lost it, or it was stolen..), and had my last phone stolen (weirdly it was on the day before my new one arrived by post).

      --
      which is totally what she said
    13. Re:manufactuers and telcos fault again by somersault · · Score: 1

      I bet he thinks he's being subtle. He has been getting better sometimes, but now that we know to expect it, it's going to stay pretty obvious. I won't be able to take any new users seriously for a while..

      --
      which is totally what she said
    14. Re:manufactuers and telcos fault again by guruevi · · Score: 2

      Maybe they should do like the iPhone then. Encrypt everything by default and when you're done with it it erases the private key - all data unreadable in under a second. I don't know where GP comes from that Apple can't but Apple is the ONLY device besides the newer Androids and some old BB's that has it and does it reliably/remotely. Many businesses actually choose iPhone over other devices (even Windows) because of the Enterprise features.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    15. Re:manufactuers and telcos fault again by Igarden2 · · Score: 1

      There are many for sale on Ebay. I am presently using one I purchased at a very good price from a merchant there. One must exercise caution to avoid stolen phones.

      --
      Normally I ascribe all life to intelligent design, but in your case I'll make an exception.
    16. Re:manufactuers and telcos fault again by drinkypoo · · Score: 1

      You know, you could disassemble them and just burn the flash chips rather than the whole phone.

      I've never let go of a smartphone yet, I've only had one and it's still here. If I do, though, this is the route I'll go.

      I despise the necessity but it's not my fault. If the SIM had enough storage for more than a number and a partial name then I would have stored all my numbers in it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:manufactuers and telcos fault again by mlts · · Score: 2

      iPhones, especially the iPhone 4, have a decent erase mechanism which allows for a secure method of zeroing it out. When the device is told to erase itself, it just zeroes out the master key and replaces it with another from a cryptographically secure RNG. This is a quick, but secure way of ensuring that the data on the device is rendered inaccessible.

      Just to be safe, if I were packaging an iPhone up for resale, after doing an erase from the Settings menu, I would do a DFU restore of the firmware as well, especially if the device was jailbroken before.

    18. Re:manufactuers and telcos fault again by hsmith · · Score: 1

      Best troll on /. - creates a new account for every MS story. Bravo.

    19. Re:manufactuers and telcos fault again by Lumpy · · Score: 1

      HUH? I can completely wipe a iphone in 12 seconds, android phone even faster. do you even know what you are talking about?

      --
      Do not look at laser with remaining good eye.
    20. Re:manufactuers and telcos fault again by Lumpy · · Score: 1

      I blend them in the blendtech at the office. far better than your burning.

      The great fun is watching the co-workers complain about the taste of their smoothies for the next month after I blended a phone...

      --
      Do not look at laser with remaining good eye.
    21. Re:manufactuers and telcos fault again by Lumpy · · Score: 1

      OMG!!!! you have to do all that!!?!?!?!

      Windows 7 phone wipes it for you at random!

      --
      Do not look at laser with remaining good eye.
    22. Re:manufactuers and telcos fault again by DrgnDancer · · Score: 1

      What evidence do you have the iPhones (or Android phones for that matter) still have accessible data after a wipe? I've not heard this before. Regardless, the article is *not* about "securely" wiping the phone. It's about people foolishly trying to manually wipe a phone and missing stuff. Given that this is the only story you've *ever* commented on, and the fact that you're clearly spining facts, I'm inclined to believe the AC above who accuses you of being an astroturfer.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    23. Re:manufactuers and telcos fault again by tlhIngan · · Score: 1

      I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in?

      iPhones have wipe capability as well - there's a standard option in the settings menu for it. This I think was an option since iOS 3 which added Exchange support (where it also adds remote-wipe capability)

      http://www.tuaw.com/2009/08/23/dont-forget-to-wipe-your-iphones-data/

      And yes, it takes that long because it's doing a full wipe. Which can leave your iPhone in a bad state, too, requiring an iTunes restore (which repartitions, reformats and installs the OS again).

      I would assume Android devices have a similar feature, though I think it was limited to just a simple clear all data by reformatting the user disk.

      The phones most likely to contain personal information would be the old dumbphones or featurephones which often don't have interfaces to do it other than manually going through and deleting one by one.

    24. Re:manufactuers and telcos fault again by Jeremiah+Cornelius · · Score: 1

      The story is misleading 'tho'.

      There is just as much PD left on 2nd-hand Blackberrys, and I would venture guessing that there is even more CORPORATE data on those...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    25. Re:manufactuers and telcos fault again by dmmiller2k · · Score: 1

      Windows 7 phone wipes it for you at random!

      Not totally random, my friend with one discovered the hard way. It takes a vigorous shake of the phone followed by a wiping motion with screen pressure.

      --

      "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    26. Re:manufactuers and telcos fault again by davester666 · · Score: 1

      And the outside of the phone may have minor scuffing, as if it were thrown twenty or thirty yards and landed on pavement.

      --
      Sleep your way to a whiter smile...date a dentist!
    27. Re:manufactuers and telcos fault again by Em+Adespoton · · Score: 1

      True... if you zero all memory in a solid block, it is effectively gone; no need to rewrite. If you zero only some memory, the wear leveling will kick in, and you might not actually have cleared the bits you meant to clear.

    28. Re:manufactuers and telcos fault again by avandesande · · Score: 1

      Wasn't there a recent article on /. explaining how it was almost impossible to delete the data from flash ram?

      --
      love is just extroverted narcissism
    29. Re:manufactuers and telcos fault again by qubezz · · Score: 1
      Wasn't there a recent article on /. explaining how it was almost impossible to delete the data from flash ram?

      I have proof there wasn't.

      The entire flash storage on these devices is encrypted. The keys used to decrypt the drive on the fly, also stored on flash, can be overwritten quickly. Everything else on the drive looks like random numbers and 0s after the crypto keys are wiped.

      Blackberry also securely wipes all user data if an incorrect unlock password is entered 10 (or fewer; configurable) times. The data leakage problem is mostly non-smart phones, where no mechanism is provided to wipe all the data. Not only contacts, but notes, calendar dates, and other PDA-type personal information can be entered into these phones. One would have to go into every application and manually delete every individual appointment, etc. to resell, and then you just hope you found everything.

  2. Manually? by Anonymous Coward · · Score: 1

    Erasing things manually?

    When I gave my old phone to my mother, I went into setup and selected "factory reset". That's it, phone wiped. I then took out the SIM card, with my contact list, and moved it to my new phone, and put her SIM card into the phone instead.

    That was a Samsung SGH-Z500, but as far as I know, every phone I've had has had a factory reset option. I even used it several times on my old Nokia 9110 company phone, although for other reasons (you'd think that phone was running Windows ME).

    1. Re:Manually? by Anonymous Coward · · Score: 1

      The story is not about a factory reset. It's about secure wiping a phone.

  3. what i do is by FudRucker · · Score: 1

    i bought a cellphone 3 years ago, and i will continue using it until it breaks, then i will smash it with an 8 pound sledge hammer against an anvil until it is a shredded pulp, then i will sweep up the pieces and put it in the trash, good luck trying to get any info off of it after that...

    --
    Politics is Treachery, Religion is Brainwashing
  4. So.... by zach_the_lizard · · Score: 2

    So, anyone got a phone I can have? I promise to whipe it

    --
    SSC
    1. Re:So.... by Lumpy · · Score: 1

      could you promise to spell correctly instead?

      --
      Do not look at laser with remaining good eye.
    2. Re:So.... by zach_the_lizard · · Score: 1

      Thts juhst owt uv tha kwestyun

      --
      SSC
  5. Wiping should not be needed by mmcuh · · Score: 5, Insightful

    The main problem here isn't that people aren't deleting their data, it's that phones don't come with block-level or at least filesystem-level encryption for all data by default. If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

    1. Re:Wiping should not be needed by Anonymous Coward · · Score: 2, Insightful

      If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

      If you make something idiot-proof, the world will make a better idiot.

    2. Re:Wiping should not be needed by Anonymous Coward · · Score: 3, Insightful

      > Encryption is only effective if you require the user to enter a pass phrase every time he needs access.

      That's not how you would use encryption here.

      You would encrypt most of the desk with a randomly-generated key stored in the unencrypted part.
      When the user of the phone then selects "Delete Everything!", you generate a new key and overwrite
      the old. That really will get rid of the old data.

    3. Re:Wiping should not be needed by owlstead · · Score: 1

      That's maybe a bit funny, but I cannot imagine why it is marked insightful.

  6. mandatory wipe option by mango9 · · Score: 2

    How about a fairly accessible mandatory wipe option being required in new models? Might require SIM to be taken out first. Not too hard surely. Probably easier to do in Europe though ... cell phone companies would need pushing.

  7. The easy way by DigiShaman · · Score: 1

    If your data is stored on chip or CDs, just nuke it. All it takes is a solid 10 seconds in the microwave ~ on high. Of course, I bare no responsibility for any toxic fumes that may be released. You've been warned.

    --
    Life is not for the lazy.
  8. The telcos like to lock down phones and cut out by Joe+The+Dragon · · Score: 1

    The telcos like to lock down phones and cut out apps from the manufacturers

  9. Restore factory settings is not easy by joeflies · · Score: 2

    When you look at most phones (especially the pre-smart phone units), there are not easy ways to wipe it back to factory settings. There's no easy way to check if "wipe factory settings" really deleted the data or just removed pointers to the data. There is no sim to pull. And thus, there's no obvious way for the average consumer to dispose of their personal information other than to destroy the phone itself.

  10. My CAR contains personal info! by Anonymous Coward · · Score: 2, Interesting

    I bought my latest (used) car just over a year ago. It has a bluetooth handsfree system built in.

    Imagine my surprise when I tried to call home one day to find that i was hearing a stranger's voice on the answering machine! Apparently the previous owner programmed her "Home" number into the car itself rather than accessing the address book from her device.

    I still have not figured out how to delete the entry!

    1. Re:My CAR contains personal info! by peragrin · · Score: 1

      RFTM seriously every car manual tells you the steps to do just that.

      This is slashdot you should know it anyways.

      It is also why i never program numbers into the car, I pick up the phone dial whom I want and let the handsfree take over.

      --
      i thought once I was found, but it was only a dream.
    2. Re:My CAR contains personal info! by GodfatherofSoul · · Score: 1

      So, did you ask her out?

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
  11. Lost or stolen by fremsley471 · · Score: 1

    C'mon, the answer is simply 'half of all phones are lost/found or stolen'. That's why the 'owners' don't care.

  12. Who sells their SIM card? by McPierce · · Score: 1

    Why would you sell your SIM card? That's what the buyer needs to get from the carrier in order to activate the phone. If you sell your SIM card then it's not a case of data loss but an ignorant person.

    --
    Darryl L. Pierce "What do you care what people think, Mr. Feynman?"
  13. I Have To Join In by Anonymous Coward · · Score: 2, Insightful

    ...With the chorus of responses above. Every time I get a new phone I have to go through a goddamn voodoo ritual of clicking around on Google for a couple of hours trying to figure out where the phone manufacturer and/or the original carrier of the phone decided to hide, password protect, lock out, or otherwise attempt to obscure the method for doing a "master reset" or full wipe of the phone's data. I think in the USA this problem is compounded by the ubiquity of contract phones -- non-nerds can basically only buy a cell phone from a service provided, tied to that service provider in this country -- and it's common practice for cell carriers to lock out, password, and hide features of their phones in their BS custom firmware (Which also probably locks you out of firmware updates from the manufacturer, at least on basic "dumb" phones. Oh, and it has a thirty-second slideshow animation complete with irritating jingle and the carrier's logo that plays when you power on and off, which can't be silenced or skipped.). Apparently they do this to force users to buy games and ringtones through them at exorbitant cost instead of just hooking up a USB cable and copying some MP3's/Java Apps from their PC, but this causes other problems like tucking the Master Reset option in a damn maintenance menu that's locked with a password that only the cell phone company is supposed to know. And sometimes they do other fun things like disabling Bluetooth file transfer, disabling tethering, disabling local video playback, etc., etc.

    This is a practice that needs to stop. This article is just another example of why.

  14. Wipe The Device! by Lieutenant_Dan · · Score: 2

    Some manufacturers have some key combinations to erase the device. Sometimes the manuals actually the steps required.

    Not affiliated, but these guys have a db of the commands:
    http://www.recellular.com/recycling/data_eraser/default.asp

    --
    Wearing pants should always be optional.