Implications of Insecure Disposal

Improper disposal of old phones can have severe security implications, exposing users to data theft.

Regardless of how you dispose of your old smartphone, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to first make sure that you erase all the sensitive data.

Ned Baltagi, Managing Director, Middle East & Africa at SANS, stated, “Today, mobile devices store far more sensitive data than users realize, often more than their personal computers.”

This information can include where they live, work and the places they visit frequently; contact information for their friends, family and co-workers; messages and chats; web-browsing history; personal photos, cloud storage and email; and even stored passwords and access to highly sensitive services such as online banking. Even a few leaked details can leave users vulnerable to social engineering and phishing attacks, which open the floodgates to even more malicious and damaging attacks such as identity theft and cyber fraud, he continued.

So, how can you effectively safeguard yourself from such threats? SANS Institute recommends a few, relatively easy steps:

Wiping the Device

It is extremely important to keep in mind that simply deleting data is not enough! There are many tools readily available on the internet which can recover this data. Instead, users need to ‘wipe’ their phones, a process that involves not only deleting the stored information but overwriting it, often multiple times, thus rendering it unrecoverable. Of course, this also means users need to properly back up their phone prior to the process.

An easy way to wipe data from a smartphone is to use the phone’s inbuilt ‘factory-reset’ feature. While this works effectively for the iOS and Android operating systems, it isn’t effective for Windows phones. Also, for this to be effective, it’s important to first encrypt the phone before running the factory reset, as this ensures that the data is unreadable once the phone is restored to factory settings.

SIMs and External Memory Cards

In addition to storing data on the device itself, smartphones tend to save some information on the SIM. Unlike the phone’s internal storage, a factory reset does not wipe data from the SIM. Often, when moving from one device to a newer model, users need to purchase a new SIM card because of size differences or the need to change the mobile number. In such scenarios, it is best to physically shred or destroy the old card to prevent it from being reused.

To offer users added flexibility, many smartphones support external memory cards. Over time, these cards accumulate information such as pictures, application data, and other sensitive content. While these cards can be transferred from one device to another, this might not always be possible or desirable: for instance, the new phone may not support an external memory card, or the user might require a card with greater storage. As was the case with the SIM card, users should consider physically destroying unused memory cards rather than leaving them lying about.

In the coming year, the number of cyber threats will no doubt increase. For security professionals, institutions such as SANS raise cyber security awareness and competency by offering professional training courses. As technology integrates more with everyday life, consumers too need to develop such security consciousness.