Improperly Disposing Old Mobile Phones Could Leave Users Vulnerable to Data Theft and other Cyber Threats, Warns SANS Institute
January 2017 by SANS INSTITUTE
The Middle East is one of the leading markets for smartphones, and countries such as the UAE and Saudi Arabia boast over 90% smartphone penetration - among the highest in the world. Smartphone manufacturers are well aware of this, and top brands such as Apple and Samsung now have just one-year upgrade cycles on their flagship models.
As a result, many consumers change their phones as often as once a year. This enables them to enjoy the impressive features that the latest models offer, but few give thought to disposing of their old phones in the proper manner. In doing so, they fail to acknowledge the security implications of their actions and thus expose themselves to the threat of data theft.
"Today, mobile devices store far more sensitive data than users realize, often more than their personal computers. This information can include where they live, work and the places they visit frequently; contact information for their friends, family and co-workers; messages and chats; web-browsing history; personal photos, cloud storage and email; and even stored passwords and access to highly sensitive services such as online banking. Even a few leaked details can leave users vulnerable to social engineering and phishing attacks which open the floodgates to even more malicious and damaging attacks such as identity theft and cyber fraud," says Ned Baltagi, Managing Director, Middle East & Africa at SANS.
Luckily, users who are ready to make a conscious effort can effectively safeguard themselves from such threats. SANS Institute recommends a few relatively easy steps, which are as follows:
Wiping the Device
Regardless of how you dispose of your old smartphone, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to first make sure that you erase all the sensitive data.
It is extremely important to keep in mind that simply deleting data is not enough! There are many tools readily available on the internet which can recover this data. Instead, users need to ‘wipe’ their phones, a process that involves not only deleting the stored information but overwriting it, often multiple times, thus rendering it unrecoverable. Of course, this also means users need to properly back up their phone prior to the process.
An easy way to wipe data from a smartphone is to use the phone’s inbuilt ‘factory-reset’ feature. While this works effectively for the iOS and Android operating systems, it isn’t effective for Windows phones. Also, for the reset to be effective, it’s important to encrypt the phone before running the factory reset, as this ensures that the data is unreadable once the phone is restored to factory settings.
SIMs and External Memory Cards
In addition to storing data on the device itself, smartphones tend to save some information on the SIM. Unlike the phone’s internal storage, the SIM is not wiped by a factory reset. Often, when moving from one device to a newer model, users need to purchase a new SIM card because of size differences or the need to change the mobile number. In such scenarios, it is best to physically shred or destroy the old card to prevent it from being reused.
To offer users added flexibility, many smartphones support external memory cards. Over time, these cards accumulate information such as pictures, application data, and other sensitive content. While these cards can be transferred from one device to another, this might not always be possible or desirable. For instance, the new phone may not support an external memory card, or the user might require a card with greater storage. As with the SIM card, users should consider physically destroying unused memory cards rather than leaving them lying about.
In the coming year, the number of cyber threats will no doubt increase. For security professionals, institutions such as SANS raise cyber security awareness and competency by offering professional training courses. As technology integrates more with everyday life, consumers too need to develop such security consciousness.