Half of Used Phones Still Contain Personal Info

jhernik writes "More than half of second-hand mobile phones still contain personal information of the previous owner, posing a risk of identity fraud. A study found 247 pieces of personal data stored on handsets and SIM cards purchased from eBay and second-hand electronics shops. The information ranged from credit card numbers to bank account details, photographs, email address and login details to social networking sites like Facebook and Twitter. According to data security firm CPP, 81 percent of previous owners claim they have wiped personal data from their mobile phones and SIM cards before selling them. However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

manufactuers and telcos fault again

[devboys]

Phone manufacturers and telcos are making the wiping much harder than it needs to be. I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in? I dont even mean the usual delete, but actual multiple times overwriting. While it's more important for business users (and why RIM and Microsoft pay more attention to such details)

Re:

[Toe, The]

So you're saying Apple is amateurish and Microsoft is secure? Are you sure you thought that through?

Re:

[PsyciatricHelp]

Why bother spending the time to wipe a stolen device?

Re:

[cayenne8]

Actually...I'm kinda surprised, I'd never even ever thought about selling a cell phone after I've used it...is there really a market for this?

In the past, when my cell phone was off contract, it was usually so beat up, and outdated (2 main reasons I'd want to get a new one) I just usually chunk them in the trash. I kinda assumed most everyone did, I've never seen a used one before.

I supposed with more phones like the iPhone and Android ones that are smartphones, I can see a market for used ones...I guess

Re:

[somersault]

You might be surprised how cheap some people are! My brother in law would totally buy a used phone.

Here at work we re-use old handsets sometimes too, or give them to employees if they want to keep them.

I've thrown one or two out, kept some as spare (then gave it to gf and she lost it, or it was stolen..), and had my last phone stolen (weirdly it was on the day before my new one arrived by post).

Re:

[Igarden2]

There are many for sale on Ebay. I am presently using one I purchased at a very good price from a merchant there. One must exercise caution to avoid stolen phones.

Re:

[Jeremiah Cornelius]

The story is misleading 'tho'.

There is just as much PD left on 2nd-hand Blackberrys, and I would venture guessing that there is even more CORPORATE data on those...

Re:

[Amarantine]

Yes. Apple makes computers for people who don't understand anything about computers. Microsoft makes computers for professionals.

Didn't know that Microsoft makes computers. But you are aware that most people who don't understand computers, use Windows, right? "Oh, perhaps the printer didn't hear me. I'll just hit the print button again."

Re:manufactuers and telcos fault again

[Ritchie70]

It would not shock me if Microsoft took security more seriously than Apple.

Microsoft products are the target of more attacks.

Microsoft has more business customers.

I just got a new phone and have no idea if I successfully deleted everything from my old phone. It seems clean, but maybe I should just take it apart into little pieces and be done with it. I usually leave old phones in the donation bin at work, though.

Re:

[devboys]

Also remember that the iPhone jailbreaks are actually remote exploits run on a website. iPhones are basically completely rooted just by visiting a website. Great security there, tho Apple users are posting is a "good" thing as it allows them to root their phone.

Re:

[Chrisq]

However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

I usually leave old phones in the donation bin at work, though.

Where do you work?

he works at Al Quaida. Plenty of second hand phones, they only get used once

Re:

[davester666]

And the outside of the phone may have minor scuffing, as if it were thrown twenty or thirty yards and landed on pavement.

Re:

[tehcyder]

Really? Do you not think it would be a bit subtler and more professional if was actually a professional being paid to write that post?

Re:

[somersault]

I bet he thinks he's being subtle. He has been getting better sometimes, but now that we know to expect it, it's going to stay pretty obvious. I won't be able to take any new users seriously for a while..

Re:

[Dan541]

I burn my old smart phones (literally) it's the only way I can know that the data is really gone.

Re:

[drinkypoo]

You know, you could disassemble them and just burn the flash chips rather than the whole phone.

I've never let go of a smartphone yet, I've only had one and it's still here. If I do, though, this is the route I'll go.

I despise the necessity but it's not my fault. If the SIM had enough storage for more than a number and a partial name then I would have stored all my numbers in it.

Re:

[Lumpy]

I blend them in the blendtech at the office. far better than your burning.

The great fun is watching the co-workers complain about the taste of their smoothies for the next month after I blended a phone...

Re:

[alt236_ftw]

I don't know about the WM7 implementation, but multiple times overwriting is hit and miss on flash media due to the wear levelling algorithm.
Unless the chip directly supports it, multiple overwrites simply spread the writes on different sectors.

Re:

[Em Adespoton]

True... if you zero all memory in a solid block, it is effectively gone; no need to rewrite. If you zero only some memory, the wear leveling will kick in, and you might not actually have cleared the bits you meant to clear.

Re:

[Anonymous Coward]

Yeah, wiping an iPhone is so hard. I mean you've got to go to Settings -> General -> Reset and then tap on "Erase all content and settings".

Can you believe they made it that hard? It's just terrible!

Re:

[Lumpy]

OMG!!!! you have to do all that!!?!?!?!

Windows 7 phone wipes it for you at random!

Re:

[dmmiller2k]

Windows 7 phone wipes it for you at random!

Not totally random, my friend with one discovered the hard way. It takes a vigorous shake of the phone followed by a wiping motion with screen pressure.

Re:

[DrgnDancer]

Actually it's trivially easy to wipe an iPhone. Dunno about Android, though I assume they have the same feature, but on an you can set up an iPhone to self wipe after four failed PIN attempts. That's right, if for some reason you can't figure out who to use the large "reset to factory default condition" button in iTunes, you can turn on the PIN function and force it to wipe itself after four failed attempts. But hey, it's a lot easier to bash products you know nothing about than to actually post accurate

Re:

[DrgnDancer]

What evidence do you have the iPhones (or Android phones for that matter) still have accessible data after a wipe? I've not heard this before. Regardless, the article is *not* about "securely" wiping the phone. It's about people foolishly trying to manually wipe a phone and missing stuff. Given that this is the only story you've *ever* commented on, and the fact that you're clearly spining facts, I'm inclined to believe the AC above who accuses you of being an astroturfer.

Re:

[guruevi]

Maybe they should do like the iPhone then. Encrypt everything by default and when you're done with it it erases the private key - all data unreadable in under a second. I don't know where GP comes from that Apple can't but Apple is the ONLY device besides the newer Androids and some old BB's that has it and does it reliably/remotely. Many businesses actually choose iPhone over other devices (even Windows) because of the Enterprise features.

Re:

[mlts]

iPhones, especially the iPhone 4, have a decent erase mechanism which allows for a secure method of zeroing it out. When the device is told to erase itself, it just zeroes out the master key and replaces it with another from a cryptographically secure RNG. This is a quick, but secure way of ensuring that the data on the device is rendered inaccessible.

Just to be safe, if I were packaging an iPhone up for resale, after doing an erase from the Settings menu, I would do a DFU restore of the firmware as well,

Re:

[avandesande]

Wasn't there a recent article on /. explaining how it was almost impossible to delete the data from flash ram?

Re:

[qubezz]

Wasn't there a recent article on /. explaining how it was almost impossible to delete the data from flash ram?

I have proof there wasn't.

The entire flash storage on these devices is encrypted. The keys used to decrypt the drive on the fly, also stored on flash, can be overwritten quickly. Everything else on the drive looks like random numbers and 0s after the crypto keys are wiped.

Blackberry also securely wipes all user data if an incorrect unlock password is entered 10 (or fewer; configurable) times. The

Re:

[hsmith]

Best troll on /. - creates a new account for every MS story. Bravo.

Re:

[Lumpy]

HUH? I can completely wipe a iphone in 12 seconds, android phone even faster. do you even know what you are talking about?

Re:

[tlhIngan]

I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in?

iPhones have wipe capability as well - there's a standard option in the settings menu for it. This I think was an option since iOS 3 which added Exchange support (where it also adds remote-wipe capability)

http://www.tuaw.com/2009/08/23/dont-forget-to-wipe-your-iphone [tuaw.com]

Manually?

[Anonymous Coward]

Erasing things manually?

When I gave my old phone to my mother, I went into setup and selected "factory reset". That's it, phone wiped. I then took out the SIM card, with my contact list, and moved it to my new phone, and put her SIM card into the phone instead.

That was a Samsung SGH-Z500, but as far as I know, every phone I've had has had a factory reset option. I even used it several times on my old Nokia 9110 company phone, although for other reasons (you'd think that phone was running Windows ME).

Re:

[Anonymous Coward]

The story is not about a factory reset. It's about secure wiping a phone.

what i do is

[FudRucker]

i bought a cellphone 3 years ago, and i will continue using it until it breaks, then i will smash it with an 8 pound sledge hammer against an anvil until it is a shredded pulp, then i will sweep up the pieces and put it in the trash, good luck trying to get any info off of it after that...

So....

[zach_the_lizard]

So, anyone got a phone I can have? I promise to whipe it

Re:

[Lumpy]

could you promise to spell correctly instead?

Re:

[zach_the_lizard]

Thts juhst owt uv tha kwestyun

Wiping should not be needed

[mmcuh]

The main problem here isn't that people aren't deleting their data, it's that phones don't come with block-level or at least filesystem-level encryption for all data by default. If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

Re:

[Anonymous Coward]

If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

If you make something idiot-proof, the world will make a better idiot.

Re:

[owlstead]

That's maybe a bit funny, but I cannot imagine why it is marked insightful.

Re:

[Anonymous Coward]

> Encryption is only effective if you require the user to enter a pass phrase every time he needs access.

That's not how you would use encryption here.

You would encrypt most of the desk with a randomly-generated key stored in the unencrypted part.
When the user of the phone then selects "Delete Everything!", you generate a new key and overwrite
the old. That really will get rid of the old data.

mandatory wipe option

[mango9]

How about a fairly accessible mandatory wipe option being required in new models? Might require SIM to be taken out first. Not too hard surely. Probably easier to do in Europe though ... cell phone companies would need pushing.

Re:

[account_deleted]

Comment removed based on user account deletion

The telcos like to lock down phones and cut out

[Joe The Dragon]

The telcos like to lock down phones and cut out apps from the manufacturers

Restore factory settings is not easy

[joeflies]

When you look at most phones (especially the pre-smart phone units), there are not easy ways to wipe it back to factory settings. There's no easy way to check if "wipe factory settings" really deleted the data or just removed pointers to the data. There is no sim to pull. And thus, there's no obvious way for the average consumer to dispose of their personal information other than to destroy the phone itself.

My CAR contains personal info!

[Anonymous Coward]

I bought my latest (used) car just over a year ago. It has a bluetooth handsfree system built in.

Imagine my surprise when I tried to call home one day to find that i was hearing a stranger's voice on the answering machine! Apparently the previous owner programmed her "Home" number into the car itself rather than accessing the address book from her device.

I still have not figured out how to delete the entry!

Re:

[peragrin]

RFTM seriously every car manual tells you the steps to do just that.

This is slashdot you should know it anyways.

It is also why i never program numbers into the car, I pick up the phone dial whom I want and let the handsfree take over.

Re:

[GodfatherofSoul]

So, did you ask her out?

Lost or stolen

[fremsley471]

C'mon, the answer is simply 'half of all phones are lost/found or stolen'. That's why the 'owners' don't care.

Who sells their SIM card?

[McPierce]

Why would you sell your SIM card? That's what the buyer needs to get from the carrier in order to activate the phone. If you sell your SIM card then it's not a case of data loss but an ignorant person.

I Have To Join In

[Anonymous Coward]

...With the chorus of responses above. Every time I get a new phone I have to go through a goddamn voodoo ritual of clicking around on Google for a couple of hours trying to figure out where the phone manufacturer and/or the original carrier of the phone decided to hide, password protect, lock out, or otherwise attempt to obscure the method for doing a "master reset" or full wipe of the phone's data. I think in the USA this problem is compounded by the ubiquity of contract phones -- non-nerds can basically

Wipe The Device!

[Lieutenant_Dan]

Some manufacturers have some key combinations to erase the device. Sometimes the manuals actually the steps required.

Not affiliated, but these guys have a db of the commands:
http://www.recellular.com/recycling/data_eraser/default.asp [recellular.com]