Published June 26, 2012
Thinking about selling or donating an old smartphone? Robert Siciliano, a Boston-based identity theft expert for the McAfee security company, has this piece of advice: Proceed with caution.
Siciliano says he recently purchased dozens of used laptops, tablets, and smartphones off Craigslist. The sellers thought they had removed all of their personal data, but Siciliano says many of the devices -- especially the smartphones -- still contained a lot of private information.
"The data was relatively easy to access," says Siciliano. "Anyone with average computer skills and the right software, which is often free or available for just a few dollars online, can retrieve personal data from smartphones, even if the previous owner has taken many of the manufacturer-recommended steps to clearing their data from the device."
If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.
"It's important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information," says Messing, who's with the Olender Feldman firm in Union, N.J.
That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and browser history. Increasingly, many phones also contain everything you'd have in your wallet -- and more -- as more consumers are using mobile banking and payment apps.
If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.
"Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information," says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could multiply very quickly.
So far, there haven't been many reported incidents of identity theft using data pulled from discarded smartphones. But it's a problem that Messing worries might grow as smartphone usage rises. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.
Donating an old phone to an established charity or trading it in to a brand-name store may seem safer than selling it to a stranger via eBay or Craigslist. But either way, do you really know where it will wind up? Messing cautions consumers to focus on wiping their phones clean of data and not put too much trust in a charity or buyer.
The steps for clearing out a smartphone vary by manufacturer. Andrea Eldridge, CEO and co-founder of Nerds On Call, a computer and electronics repair service based in Redding, Calif., says there are a couple of things you want to keep in mind no matter which model you have.
"Before selling or donating your old smartphone, remove the SIM card and any expansion memory cards, which are common on some devices," she says.
While removing memory cards will clear some data, Siciliano says it's critical that you also do a factory reset to restore the phone to its original condition.
"Each type of device is a little different, but if you Google the term 'factory reset,' along with the name of your phone, you'll find instructions on how to wipe it clean," he says. The process usually takes no more than a few minutes.
But that still may not be enough to protect against identity theft, at least not for some smartphone users.
When Siciliano looked at the used and supposedly purged smartphones he bought as part of his test, he discovered that phones using Google's Android operating system in particular still contained personal data, including names, home addresses, security passwords and email login information, even though the owners claimed they had followed the factory-reset procedure.
The non-Android smartphones he bought, including BlackBerrys and Apple iPhones, did appear to have all personal data deleted when owners performed a factory reset and removed the cards that store sensitive information.
"If I had an Android phone, I just wouldn't sell or donate it," Siciliano says. "It's just not worth the risk. If I was going to recycle it, I'd take a hammer to the device first."
Google did not respond to multiple messages seeking comment.
In 2011, AccessData, a digital forensics firm based in Lindon, Utah, conducted an experiment similar to Siciliano's and discovered personal data left on a number of smartphones that had been wiped by their owners and then sold on sites including eBay and Craigslist.
While the security risks may vary somewhat between platforms, Messing says any owner needs to be vigilant about securing an unwanted smartphone because the potential threat from identity theft is growing.
"We expect cyber criminals to increase their efforts to exploit mobile devices as the opportunity for profit will only increase as smartphones become increasingly powerful and relied upon," he says.