back to article Sensitive data easily swiped from eBayed mobiles

Second-hand mobile phones sold on by their owners often contain extensive personal and sensitive data that leave sellers open to identity theft and other privacy risks. Pre-owned mobile phones and SIM cards purchased on eBay or from shops were checked using readily available equipment to see what personal information was left …


This topic is closed for new posts.
  1. Bristol Dave

    Data stored on SIMs

    I didn't think anything of worth was stored on SIM cards now? AFAIK for the last 6-7 years or so most handsets have stored all user data in internal memory (mainly because the storage on SIM cards was so limited).

  2. The Original Ash

    Phones with memory cards

    Remember folks; Deleted doesn't mean wiped. If you can mount it as mass storage, numerous free tools are available to assist in data recovery.

    Either use a data destruction program (I use Eraser for USB mass storage, DBAN for internal drives) or keep the memory card, or physically destroy it.

    If you can't mount phone memory as mass storage, it'll be more difficult to get your data. Do delete it, though.

    1. Anonymous Coward
      Anonymous Coward

      HDDs on Ebay

      It makes me laugh how many people sell on their old computers on ebay minus the hard disk and then wonder why they get bugger all for them. Recently did some research on the bay when my wife was looking for a used cheap laptop. Laptops of a particular model without HDD were selling for £50-100 while similar items with an HDD and OS were selling for £100-160. Why don't these people just use DBAN or similar?

      1. Anonymous Coward

        and MS gets richer

        whether you use DBAN or buy a new HD, an new OS licence is needed since of course a recovery CD/DVD is seldom provided, and most likely MS will increase even more its licence to computer ratio. Thiefs.

  3. Anonymous Coward
    Anonymous Coward

    Not just ebay...

    I recently purchased an HTC phone from a UK retailer. The box was sealed, and all looked good.

    The phone looked brand new and worked perfectly.

    Being the techie that I am, the first thing I did was install a file manager and start poking about. On the SD card I found some temporary files, thumbnails of websites (used by the browser when bookmarks were viewed in tile mode) and some of the sites were ones I hadn't ever been to. It also included a thumbnail of somebody else's facebook page!

    More digging ensued (still not having to resort of data recovery tools, just browsing directories), and I soon found two receipts in PDF files which had been downloaded as email attachments which included an email address. So I emailed him.

    Turns out my "New" phone had been pre-loved for a few days by someone else who had returned it under the UK distance selling regulations.

    Although I am perfectly happy with the phone and quite happy to keep it, I do feel that if I pay for a new phone I expect a new phone. Car dealer ships sell "demonstrators" at a discount after all.

    I'm sure the distance selling regulation have hugely increased this kind of occurrence, but they would have got away with it if they had a vague clue about the products they were selling.

    Note: Android's "factory reset" / "wipe user data" does not clear the SD card.

    I will be contacting the company concerned very shortly.

    1. Anonymous Coward
      Anonymous Coward

      Why don't you... and shame? If it's true, you've nothing to fear.

      It may also help the El Reg commentards to avoid getting ripped off...

    2. Jimbo 6
      Paris Hilton

      Is there a lawyer in the house ?

      I've searched but been unable to find a legal definition of when a consumer good changes from 'new' to 'used', does anyone know one ? ~ I think AC is being what is known in the retail trade as a 'whinging bastard' : if (for example) I go into a shoe shop, try on a pair of shoes and walk ten steps in them before rejecting them, no-one could reasonably argue with the retailer that those shoes were now 'used' (even though they *had* been used, for about 30 seconds). Is there a definite cutoff point, or is it a legal grey area ?

      Paris, cos she knows about soiled goods.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is there a lawyer in the house

        As the OP A/C, I would indeed be interested to know if there is a lawyer in the house.

        What I'm talking about here is not someone picking up a phone in a shop, having a look at it and putting it back. What I had on the memory card, and confirmed in an email exchange with the original owner, is 6 days of ownership and use. Photos taken (which I recovered from the card) with date stamps confirm this.

        In your analogy the shoes haven't left the store. A more correct analogy would be someone buying the shoes, wearing them for a week, then taking them back. If you discovered this after buying the shoes as new, would you be so happy, or would you "Whing"?

        As for naming the company concerned, I am quite willing to do this once I have finished my discussions with them. As I said, I'm quite happy with the phone, and wouldn't trust them to send me a "real" new one if they offered an exchange - It could just be a more thoroughly reset one! But I believe some sort of compensation should be due... Especially given the leak of enough personal information for me to name and contact the original owner!

      2. Anonymous Coward
        Anonymous Coward


        "I've searched but been unable to find a legal definition of when a consumer good changes from 'new' to 'used',"

        That phone is used. Honest dealers will usually sell that sort of thing as as "returns", "refurbished" or "B Grade". Also under the sale of goods act I'm pretty sure that particular phone was not "as described" if it was clearly described as a new phone.

        You don't strictly need a legal definition of the word used, or indeed pre-owned or second user. They are pretty self explanatory in and of themselves. "Used" - somebody has used it. "Pre-Owned" - somebody else owned it before you. "Second User" - you are the second user of the phone. All of them would be taken to mean second hand and I'm pretty sure a court of law would agree.

  4. Anonymous Coward

    my old data containing devices

    languish at the bottom of a plastic bucket filled with lots of cheap NaCl salt (1kg cost 11 euro cents) and 4 litres of tapwater....for quite a while....magnetic remnance analysis might work on rusty platters or corroded SIMS , but I wouldn't let it near any nice shiny hi-tech analysis gear if I was the forensics team. Oh, and as far as I can tell - there's now't illegal on these devices. I just value what little privacy I have left!

  5. Martin Usher

    Its not just phones

    One of my wife's bridge playing friends got her house broken into recently and in addition to a lot of valuable jewelry she lost her oldish desktop computer.

    This isn't England where anything that isn't screwed down gets stolen on principle (and it its screwed down it just gets unscrewed), this is an upscale part of California where computers are ten a penny, you can't even give them away.

    Then it dawned on us -- the computer's worthless but what's on it is not.

    1. Steve Evans

      Re: Its not just phones

      Errrr, in England laptops aren't stolen on principle. You just have to wait for your local authority to donate one to you.

      This is normally done in a subtle way (to avoid the embarrassment of being identified as "on support") by them leaving said laptop on a bus, train or taxi seat.

  6. J. Cook Silver badge

    The carriers and manufacturers are also partly to blame as well...

    A lot of companies either don't publish the magic key sequence to factory wipe mobiles (Kyocera, I'm glaring at YOU), or the magic service menu key sequence which allows access to the factory reset are held by the carrier that they lived on, and they've been... lacking when people like me ask "how to I wipe this device to remove all the data on it?"

    We had a large box at work *full* of various models of old handsets, and the only ones I can be confident that got wiped were the crackberries that either got nuked from our BES server, or via the magic key sequence that RIM published for those models.I can dig making it somewhat difficult to reset a phone; but don't hide it behind a carrier's protected programming menu.

    As for the SD cards and SIM cards that our phones had? either our users swapped them into their replacement handsets, or they got formatted and reused in house for other phones. The few devices that had SIM cards got those snapped in quarters.

  7. Adze

    Kill it...

    ...with fire!

    A sim doesn't keep much data after its been exposed to the business end of a propane lamp any more than the platters from old hard drives do while glowing cherry red at the bottom of my woodburner or bbq. Do keep the magnets from old drives though, they're great for sticking things to the fridge which you don't want the kids to remove... or cleaning up spilt panel pins.

  8. heyrick Silver badge

    Selling on my Android phone

    Given it cost me about €15 (+contact), when my Defy is no longer useful to me as a phone, it will be retired to a life of playing mp3 and video and to be a rather nifty pocket data sheet library, with wifi for quick emails and web... uh... pretty much what I use it for now! ;-)

    I know I could probably root the thing, write loads of files, reflash a newer Android, blah blah, but the hassle of getting the sdk set up to do all that is more than I'd be likely to make back. Besides, it is a nice display, I don't plan to get rid of it.

    That said, is there a "reset everything" option in Android? A hell of a lot of things are remembered, and work without the micro SD card, like emails, all the login settings, browser "remembered passwords", and with Swype, the learned dictionary is in there too. These days, taking out the SIM and/or memory card won't help much.

  9. heyrick Silver badge

    I don't worry about old SIMs, smartcards, or sensitive CDs

    A second or two in the microwave sorts that problem out. ;-)


    1. Disco-Legend-Zeke

      Never Underestimate...


      ...the determination of the data recovery team. Vis. probing memory dice that had been melted out of their packages by fire, as reported previously in these forums. Burning off** the reflective layer of a cd/dvd may not destroy the dye or intaglio image.

      Shredding, at some specified sieve level is indicated. I recall seeing a commercial eraser that passed a grinding wheel across a spinning CD, grinding off info.

      *Vaccinate your badgers now.

      **It probably would smell bad.

  10. andy gibson

    "reset everything" option in Android

    I think Clockworkmod wipes absolutely everything.

  11. Phil Koenig

    Blackberries seem to have it right

    If you use the built-in "security wipe" option on a modern BB, it will remove everything, if you check all the pertinent boxes and confirm this.

    Not only does it remove things, it securely overwrites them. (Yanno, the way you're supposed to do it.)

    Which is why it isn't a 30-second process. More like a 45-minute one.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019