E-bay phones blog post

In conducting a recent experiment for CPP into personal data left on second hand mobile phones and SIM cards, I’ve revealed just how unaware users are of the amount and nature of personal information left on their old mobile devices – even when they feel their phone has been wiped.

Due to rapid technological advances, smartphones have much more memory and capability to save personal data, increasing the risk of identity fraud to users. This threat will only increase further if people continue to store data, including credentials like usernames and passwords, on their mobile phones.

Over half of the 35 used mobile phones and 50 SIM cards analysed contained personal information on them - 247 individual pieces of data in total. The information recovered included personal and at times, highly sensitive information which, fallen into the wrong hands, could put the previous owner at direct risk of identity fraud.

One thing that was clear from the investigation was that perhaps unsurprisingly - due to their increasingly central role in users’ day to day lives - smartphones hold much more personal information on them about their former owner compared to older mobile phone models. An analysis of one smartphone alone uncovered usernames, passwords, credit card information, videos, company information, photos, email addresses and notes - certainly enough information to start a social engineering attack. For a start, a fraudster would quite easily be able to take ownership and control of the previous owner’s email account, login to online shopping sites they had visited and purchase items fraudulently.

The worrying combination is this: most mobile phones do not allow a user to totally remove all personal content or user data, and the ability to recover deleted data from a mobile is a very simple process that can be undertaken with limited technical knowledge. For the purposes of this experiment, I used SIM card readers and software that can be easily accessed in the public domain.


These results highlight a clear requirement for heightened awareness amongst consumers about the need for digital security on their phones. An effective way for this threat to be reduced is by the use of Two Factor Authentication, meaning the user generates a onetime password on demand. The sooner a commodity based authentication service is available the sooner we are going to minimise the risk.

But until such an authentication is commonplace, what can consumers do to protect themselves from passing on their personal data in their old phones or SIMs? In the first instance, never keep an old SIM card – remove it and destroy it. Also, regardless of whether they intend to sell on their mobile phone, users need to be careful not to store vast amounts of personal information on their devices. The less data that’s on a mobile device in the first place, the easier it will be to wipe and protect the user. Other keys steps to help consumers protect themselves include:

• Restore all factory settings - This is the first step to take to conduct a top level clearance of data on the handset
• Delete any back-ups - Even if data stored on a smartphone, PDA or laptop is securely removed from the mobile device, that’s not to say it won’t exist on a back up elsewhere
• Log out and delete – It’s vital to log out of social network sites accessed on the phone as well as wireless connections, company networks and applications. Once logged out, delete passwords and any wireless connections.
• Various passwords - The use of the same ID/password combination on multiple systems, and storage of them on mobile phones should be avoided. If it is necessary to store these details on a phone, it’s best to try and use a picture reminder of the password.

Remember, if a phone is being sold on to a retailer, it should be wiped and the SIM card destroyed.

If you want more information on how to protect yourself or see how these experiments worked, please visit CPP’s blog