Contents
1.1 Foreword
1.2 Background News
1.3 Research methodology
1.4 Key Findings
- Over half of used mobile phones and SIM cards contained personal information
- Half of second hand mobile phone owners admitted they have found personal
information from a previous owner
- The vast majority of people (81%) claim to have wiped their mobile or SIM card
before selling them
- 58 per cent have sold or given away an old mobile phone or SIM card with the
average resale price of £47
- Manually wiping the data was the most common method to delete information
1.5 Conclusion
1.6 Safeguarding your mobile data
1.7 Further Information
1.8 About CPP
Mobile and SIM data - quantifying the risk March 2011
Introduction
1.1 Foreword
This report is intended as a reference document to highlight the potential threat of storing
sensitive information on mobile handsets and the dangers of uncontrolled disposal of
unwanted or used SIM cards and mobile phones.
The review is also intended to generate public awareness of the increased risk of using a
mobile device as a storage medium and to encourage people to think long and hard about
what they as individuals or business employees may be forfeiting in the name of security.
The report also highlights a number of potential security vulnerabilities associated with
storing sensitive information on a mobile device and recommends ways to avoid being a
victim of data loss.
The mobile phone has become a technologically advanced device that offers a large host
of features above and beyond its traditional use as a communications device. Almost every
mobile phone now features some sort of ability to store and record information, or the
ability to take either still photographs or capture video.
Additionally, the mobile phone may also be equipped with a voice recorder, allowing the
user to record sounds and voices. In some cases these features will be used to store
sensitive information such as passwords, bank account information and other personal
data. With the continued increase of data storage capacity on mobile handsets, there is a
reciprocal increase in the threat these devices pose to our identities via the loss of
sensitive information through malware or even loss and theft.
This situation raised concerns with CPP, who were worried that such information may not
be completely or securely removed prior to disposal and therefore present a real and
present danger to people’s identities and companies’ confidential information.
1.2 Background News
- “In another sign that attackers continue to target the mobile sector, it has been
revealed that more than 50 apps on Google’s Android market were infected
with malware. The apps, which had been available on Google’s Android
Market, were said to contain rootkit malware ‘DroidDream’, which can take
command of a mobile handset and send personal details to the remote server.”
(source: eWeek Europe, March 2011)
- “The Zeus malware specifically targeting the Blackberry OS is currently
detected by Trend Micro BBOS_ZITMO.B. Once installed, the Trojan removes
itself from the list of applications, in order to effectively stay under the radar.”
(source: Finextra.com, March 2011)
- “As many as 8 in 10 web browsers are vulnerable to hackers and criminals
because they are not kept up-to-date, researchers have found. The vast
majority of users are not following the basic precaution of installing patches for
known security holes, making them a relatively easy prey for identity thieves
and other attackers.” (source: Daily Telegraph, February 2011)
- Whether you’re travelling with a laptop, netbook, smartphone, iPad or all of the
above, the risks and defences against them are basically the same, according
to Joe Nocera, an information security expert and a principal with
PricewaterhouseCoopers. “Many of the security concerns that people think
about when they think about their personal computers are applicable in the
mobile world. As mobile devices become more sophisticated, they lend
themselves to the same types of access to e-mail, passwords, and other secure
information that PCs have done in the past”. As specific mobile devices
become more popular, they become more of a target for hackers. “Five years
ago, the vulnerabilities were Microsoft-based and targeting PCs. Apple tended
not to be targeted so often”, says Nocera. “But, in the last year and a half or so,
we’re seeing a shift. More and more often we’re seeing either Android or
iPhone-based vulnerabilities being targeted. We predict that by 2014 you’ll see
those types of vulnerabilities being the most targeted as more and more users
go to those mobile devices.” (source: ComputerworldUK, March 2011)
- Recent research has revealed the global market for mobile internet will
continue to grow rapidly, and reach one billion users by 2015 according to the
independent analyst house Ovum (source: Visualsoft, February 2011)
1.3 Research methodology
CPP commissioned research in 2011 to establish how much personal data was accessible
on used mobile handsets and SIM cards. The research took two forms:
1. ICM interviewed a random sample of 2,011 adults aged 18+ online between 16 – 18
February 2011. Surveys were conducted across the country and the results were
weighted to the profile of all adults. ICM is a member of the British Polling Council and
abides by its rules. Further information at www.icmresearch.co.uk
2. A live experiment was also carried out in February 2011. Commissioned by CPP, ethical
hacker, Jason Hart, conducted a number of reviews relating to the data contents of re-sold
used mobile devices and SIM cards within the United Kingdom with the objective of the
review being:
- Understand if sensitive information has been left on resold mobile devices
- Understand what type of information is stored
- To see if information can be recovered from a resold mobile device, even if the
data on the mobile device has been deleted, by using software freely available
on the internet
- Understand what information can be found on used SIM cards
- To evaluate whether any information found on a mobile device and/or SIM
could be used to conduct any form of identity theft against the original owner
of the device and/or SIM
It is important to note that at no point during this experiment was any unauthorised access
or sensitive information used against the original owners of the devices or SIM cards.
All data found on the mobile phones was deleted – either manually or by using the
forensic software to remove and destroy the information. The SIM cards were destroyed.
35 used mobile phones and 50 SIM cards were analysed using the following techniques:
- A mobile phone SIM reader (a standard SIM reader that can be purchased from
most electric stores)
- SIM recovery software
- Forensic examination software - mobile forensic software that analyses mobile
phones, smartphones and PDAs for data.
A total of 35 phones were acquired for the investigation based on the following methods:
Method                                                          Total
Purchased via private seller on eBay                            5
Purchased from a number of used mobile businesses               20
Acquired from people giving away their mobile phones for free   10
In addition to acquiring mobile phones we wanted to understand the level of potential
threat of used SIM cards during the investigation. We therefore acquired 50 SIM cards by
the following methods:
Method                                                          Total
High street mobile phone stores                                 30
Acquired from purchase of used mobile phones                    10
Requests to general public                                      10
The following process was used in conducting the investigation:
- Removal of the SIM (if present) and any media cards
- Inserting SIM cards into the SIM reader and extracting any contacts and SMS
messages
- Inserting media cards into a card reader to extract any information
- A manual inspection of the device contents via the user interface
- Confirmation if data had been deleted prior to purchase
- A logical acquisition of data stored on the handset using forensic examination
software
In using the above software and hardware we focused the investigation on analysing the
data recovered, recording the number of information items and classifying them as
personal or business and indicating whether the information could be regarded as
sensitive. Each phone and SIM card was examined. In addition, the investigation was
primarily focused on the following data categories:
- Passwords
- Usernames
- Bank details
- Photos
- Notes
- Contacts
- Credit card numbers
- Video
- E-mail addresses
- Company information
- SMS
- E-mails
1.4 Key Findings
Over half of used mobile phones and SIM cards contained personal
information
The investigation revealed a worryingly high number of used mobile phones and SIM cards
contain some element of personal information left by previous owners. In a number of
cases the data left on the mobile or SIM card was highly sensitive. More worryingly, in
some cases, the previous owners had believed that they had deleted the content - but it
was still easily and quickly recoverable.
In relation to the review of mobile phones and SIM cards, below is a summary of the
findings.
Data Content            Total Findings
Passwords               3
Usernames               6
Bank details            2
Photos                  14
Notes                   7
Contacts                35
Credit card numbers     1
Video                   19
Email address           17
Company information     4
SMS                     139
From just 35 phones and 50 SIM cards a total of 247 pieces of personal data were
easily recovered, including passwords and bank details. Of the data recovered, over 75
pieces of information were personal in nature and over 13 were highly sensitive including
nudity, pornography, bank account details, passwords and sensitive company information.
This latter information was enough to commit both personal and company identity fraud.
Data was left on 19 of the 35 mobile phones and 27 of the 50 SIM cards.
Separately in supporting consumer research via a random sample of over 2,000 UK adults,
when we asked people what information they currently have on their mobile phones, the
range of personal information was widespread. Whilst we would expect people to carry
names (66%), photos (57%), diary dates (36%) and music (36%), some respondents
admitted to carrying social networking log in details (14%), work e-mails (6%), PIN
numbers (4%), online banking details (2%) and bank account information (2%).
34% of 18-24 year olds claim to store social networking log in details on their mobile
handsets and six per cent of 25-34 year olds claim to store PIN numbers.
With mobile data usage increasing all the time, the value of products that provide a
complete data back up and remote lock and wipe of all data is clear and would address a
very real consumer requirement.
Half of second hand mobile phone owners have admitted that they have
found personal information from a previous owner
In the supporting consumer research, half of second hand mobile owners have admitted
they found personal information from a previous owner on the mobile and SIM cards that
they have purchased second hand. This is consistent with the results of the live experiment
where 54% of mobile phones and SIM cards contained personal information.
Phone numbers were the most common form of data left on the handset, but text
messages (26%), names (24%) and multi-media (music, videos and photographs) were
also prominent.
Seven per cent of people claimed to have accessed e-mails, three per cent social media
log in details and two per cent bank information.
49 per cent of people who had bought a second hand mobile said they did not find any
personal information. Again, this claimed behaviour is broadly consistent with our analysis
of the used mobile phones and SIM cards whereby 46% of the handsets did not contain
sensitive personal information.
Q: Have you ever found any of the following information from a previous owner on a second
hand mobile phone you bought?
[Chart: percentage of all who have bought a second hand mobile phone or SIM, by
type of information found. Categories: Phone numbers; Names; Bank details; Social
networking log in details; E-mails; Text messages; Security information e.g.
passwords, PIN numbers etc; Multimedia - music, videos, photographs; Other types
of information; No; Don’t know]
The vast majority of people (81%) claim to have wiped their mobile or SIM
card before selling them
Most worryingly 81 per cent of people claim to have wiped their mobiles before selling
them, with 60 per cent confident they wiped everything from their mobile handset or SIM
card.
This conflicts with the experiment that showed over half of mobile handsets and SIM cards
had retrievable personal data.
Men (61%) were marginally more confident than women (58%) that they had deleted all
their personal information. Those aged 35-44 (66%) were more confident than those aged
65+ (48%).
Nine per cent of people who have sold their mobile or SIM cards were not confident they
had wiped their phone or SIM fully.
Q: Thinking about when you sold your SIM or mobile phone, which of the following
describes what you did about wiping (removing all personal information, media files etc)
your SIM or phone?
[Chart: percentage of all who have sold a second hand mobile or SIM card, shown
for Male and Female. Categories: I was advised by the company I sold it to to wipe
my phone or SIM; I was advised by friends or family to wipe my phone or SIM; I am
confident I wiped my phone or SIM fully; I am not confident I wiped my phone or
SIM fully; I did not wipe my phone or SIM; Not applicable; Don’t know]
58 per cent have sold or given away a used mobile phone or SIM card with
the average resale price of £47
When upgrading and disposing of redundant mobile phones and SIM cards, the most
popular method of disposal is to give the phone or SIM to a friend or family member
(30%).
19 per cent claimed to have donated it to a recycling company and nine per cent sold it to
an online shop or via an online auction site like eBay. Seven per cent said they threw it in
the bin and five per cent sold it to a friend or family member. Three per cent said they had
sold it to a second hand shop.
Women were more likely to have given it to a friend or family member or to have donated
it to a recycling company. Men on the other hand, were more likely to dispose of their
mobile phone or SIM card by selling it online or to a friend and family member or
disposing of it in the bin.
Those aged 25-44 were the most likely to sell a mobile handset or SIM card via an online
shop or through an online auction site like eBay.
When we asked people how much they had sold a mobile phone or SIM card for, the mean
price was £46.60. When you consider that over half the mobile phones and SIM cards in
our experiment contained personal information, it would seem that people are
inadvertently selling their personal information for a very low price.
Those aged 25-34 sold their devices for a mean price of £57.26 versus £31.48 for people
aged 65+. The sophistication of the handset will have influenced this higher used retail price.
Q: Have you ever sold or given away an old mobile phone or SIM card in the following ways?
[Chart: percentage of all respondents, shown for Male and Female. Categories:
Gave it to a friend or family member; Donated it to a recycling company; Sold it
to an online shop; Sold it on an online auction website e.g. eBay; Thrown it in
the bin; Sold it to a friend or family member; Sold it to a second hand shop; I
have never given away or sold an old mobile phone; I have never owned a mobile
phone; Other]
Manually wiping the data was the most common method to delete
information
Three quarters (78%) who have wiped their mobile phone or SIM card before selling it on
have relied on manually completing this – a process that security experts acknowledge
leaves the data intact and retrievable. Using a factory reset on a mobile phone may seem
to be the easiest precaution before disposing of the device, but factory resets are far from
permanent, since they only delete the header information to your data and allow software
to recover the original data.
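Why removing only the header information leaves the data behind, shown as an added Python example (it is not part of the CPP report or of the tools used in the experiment). The storage layout, the ToyStore class and the sample records are assumptions constructed for the illustration; real handset file systems are more complex.

```python
# Added illustration. The layout is constructed: an index (the "header
# information") maps record names to fixed-size slots in a raw data area.
SLOT_SIZE = 48
SLOT_COUNT = 8

# Constructed sample records, not data from the report.
SAMPLE = {
    "sms_001": "Meet at 6pm, door code 4821",
    "note_bank": "Sort code 00-00-00 acct 00000000",
    "contact_1": "Alex Example 07700 900123",
}


class ToyStore:
    def __init__(self):
        self.index = {}                                # name -> slot number
        self.raw = bytearray(SLOT_SIZE * SLOT_COUNT)   # zero-filled storage

    def write(self, name, text):
        payload = text.encode("utf-8")
        if len(payload) > SLOT_SIZE:
            raise ValueError("record too large for one slot")
        if name in self.index:
            slot = self.index[name]                    # update in place
        else:
            used = set(self.index.values())
            free = [s for s in range(SLOT_COUNT) if s not in used]
            if not free:
                raise RuntimeError("store is full")
            slot = free[0]
        start = slot * SLOT_SIZE
        self.raw[start:start + SLOT_SIZE] = payload.ljust(SLOT_SIZE, b"\x00")
        self.index[name] = slot

    def visible(self):
        """What the user interface shows: only indexed records."""
        return sorted(self.index)

    def manual_delete(self, name):
        """User deletes one item: the index entry goes, the bytes stay."""
        del self.index[name]

    def factory_reset(self):
        """Reset as the report describes it: header information removed only."""
        self.index.clear()

    def overwrite_erase(self):
        """Erase that overwrites every byte of the data area, then the index."""
        self.raw[:] = bytes(len(self.raw))
        self.index.clear()


def residual_records(store):
    """Pre-disposal check: content in slots the index no longer references."""
    referenced = set(store.index.values())
    found = []
    for slot in range(SLOT_COUNT):
        chunk = bytes(store.raw[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE])
        if slot not in referenced and chunk.strip(b"\x00"):
            found.append(chunk.rstrip(b"\x00").decode("utf-8", "replace"))
    return found


def demo():
    """Return what is still readable after each of the three wiping methods."""
    store = ToyStore()
    for name, text in SAMPLE.items():
        store.write(name, text)
    store.manual_delete("sms_001")
    after_delete = residual_records(store)
    store.factory_reset()
    after_reset = residual_records(store)
    store.overwrite_erase()
    after_overwrite = residual_records(store)
    return after_delete, after_reset, after_overwrite


if __name__ == "__main__":
    labels = ("manual delete", "factory reset", "overwrite erase")
    for label, result in zip(labels, demo()):
        print(f"{label}: {len(result)} record(s) still readable {result}")
```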
38% claimed to have performed a hard reset of the device and 4% used a third party
software application.
Women (82%) were more likely to manually delete information than men (78%), whereas
men are more likely to use third party software or perform a hard reset of the device
– all of which are not absolutely secure methods.
18-24 year olds were the most likely (56%) to perform a hard reset of the mobile phone.
Q: Which ‘wiping’ method have you used?
[Chart: percentage by wiping method, shown for Male and Female. Categories:
Erased all data yourself from the handset manually; Performed a hard reset of the
device; Used a third party software application; Other type of wiping method; Not
applicable - didn’t wipe my phone or SIM; Don’t know]
1.5 Conclusion
This investigation shows that most people are totally unaware of the issues of storing
information on mobile devices. The core issues are as follows:
- The report has confirmed users are unaware that in some cases personal data
is still obtainable from a device after the user has deleted content from the
mobile device
- Most mobile phones do not allow the user to totally delete all personal content
or user data
- The ability to recover deleted data from a mobile is a very simple process using
the correct tools and with limited technical knowledge
- It was very clear from the investigation that smartphones hold far greater
information about the user and leave a much larger footprint compared to older
mobile phones
- The investigation showed getting SIM cards can be a very simple process and
some mobile phone stores were happy to give away used SIM cards with no
concern for the potential breach of privacy
- The surge in smartphones will provide fraudsters with increased opportunities
to defraud the handset owner and organisations that have sensitive information
stored on the handset.
With the increasing penetration and use of smartphones for daily communication and
for m-commerce, with the evolution of near-field communications, there is clearly a
requirement for heightened awareness amongst consumers about the need for digital
security beyond laptops and PCs.
“Because today’s devices are so much more powerful and can hold so much more
information than ever before, the risks are increasing”, says Martin Hack, information
security expert and executive vice president of NCP engineering. “Add to that our
tendency to carry both personal and business information around with us on the same
device, and our mobile devices have never looked so appealing to hackers.” (source:
ComputerworldUK, March 2011).
Whilst there has been no major detrimental impact on consumers to date, we could, one
day, face a major security lapse as criminals increasingly target mobile applications for
data. The Zeus virus that directed victims to a fake website where they were invited to
download an application that then steals their banking details could be a sign of phishing
attacks becoming a huge problem for smartphone users especially when mobile banking
reaches a critical mass. The proliferation of applications for mobile devices makes their
pre-screening increasingly difficult as they are becoming the primary way people access
internet-based services.
Recent research from Ovum predicts the global market for mobile internet will continue to
grow rapidly and reach one billion users by 2015 and just fewer than 17% of this global
population will access the internet exclusively via their mobile handsets.
The provision of products that address the security implications of this transfer of
personal data onto the mobile handset will meet a real consumer need and is more
relevant than ever.
1.6 Safeguarding your mobile data
Danny Harrison is Head of Mobile Data Security at CPP and offers the following advice to
consumers to help protect them from data loss. Danny has over ten years’ experience and is
responsible for CPP’s mobile phone assistance and insurance products that insure against
lost, stolen and damaged handsets, and also assists people in the event of lost data.
Danny is media trained across print and broadcast and is available for media interviews on
the issue of data security.
If you are selling your mobile, follow the steps below to reduce the risk of data transfer:
- Restore all factory settings - this is the first step that you should take as it is the
easiest precaution before disposing of the unit, but factory resets are far from
permanent so follow the steps below to protect your data
- Remove your SIM card and destroy it
- Delete back-ups - even if your smartphone, PDA or laptop data is securely
removed from the mobile device, it can continue to exist on a back up
somewhere else
- Log out and delete - make sure you have logged out of all social networking sites,
emails, wireless connections, company networks and applications. Once you are
logged out make sure you delete the password and connection
- Various passwords - avoid using the same ID/password on multiple systems and
storing them on your mobile phone, if you are going to store them on your phone
use a picture that reminds you of the password
- If you are selling your mobile phone ask for it to be wiped if you don’t know how
to do it yourself
- Don’t store vast amounts of personal information on your mobile phone/SIM
if possible
If you are keeping your mobile, the following tips should help keep your mobile secure:
- Make sure your software is up-to-date – regularly check the manufacturer’s
website for updated software patches or firewall updates
- Leave the phone’s security settings as they are – most of the default browser
settings are secure, so leave them as they are
- Avoid unencrypted public wireless networks – only use encrypted networks
which require an ID or password for access. WPA (Wi-Fi protected access) is the
most secure. Paying to access a Wi-Fi network does not necessarily mean it is
secure
- Use websites beginning with ‘https’ not just ‘http’- it means any information you
enter is encrypted
- Turn off cookies and autofill – if your mobile device automatically enters
passwords and login information into websites that you visit, turn that feature off.
It is convenient, but it is a security threat
- Be careful about what applications you download – be selective which ones you
download. Take time to review some of the comments.
1.7 Further Information
For further information please contact:
Nick Jones
Head of Public Relations
CPPGroup Plc
Holgate Park
York
YO26 4GA
www.cppgroup.plc
Tel: 01904 544 387
E-Mail: nick.jones@cpp.co.uk
1.8 About CPP
Corporate Background Information
The CPPGroup Plc (CPP) is an international marketing services business offering bespoke
customer management solutions to multi-sector business partners designed to enhance
their customer revenue, engagement and loyalty, whilst at the same time reducing cost to
deliver improved profitability.
This is underpinned by the delivery of a portfolio of complementary Life Assistance
products, designed to help our mutual customers cope with the anxieties associated with
the challenges and opportunities of everyday life.
Whether our customers have lost their wallets, been a victim of identity fraud or looking
for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to
enjoy life. Globally, our Life Assistance products and services are designed to simplify the
complexities of everyday living whether these affect personal finances, home, travel,
personal data or future plans. When it really matters, Life Assistance enables people to live
life and worry less.
Established in 1980, CPP has 11 million customers and more than 200 business partners
across Europe, North America and Asia and employs 2,300 employees who handle
millions of sales and service conversations each year.
In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the
previous year.
In March 2010, CPP debuted on the London Stock Exchange (LSE).
What We Do:
CPP provides a range of assistance products and services that allow our business partners
to forge closer relationships with their customers.
We have a solution for many eventualities, including:
- Insuring our customers’ mobile phones against loss, theft and damage
- Protecting the payment cards in our customers’ wallets and purses, should
these be lost or stolen
- Providing assistance and protection if a customer’s keys are lost or stolen
- Providing advice, insurance and assistance to protect customers against the
insidious crime of identity fraud
- Assisting customers with their travel needs be it an emergency (for example
lost passport), or basic translation service
- Monitoring the credit status of our customers
- Provision of packaged services to business partners’ customers
For more information on CPP click on www.cppgroupplc.com
CPP is an award-winning organisation:
- Winner in the European Contact Centre Awards, Large Team of the Year
category, 2010
- Finalist in the European Contact Centre Awards, Best Centre for Customer
Service, Large Contact Centre of the Year categories, 2010
- Finalist in the National Sales Awards, Contact Centre Sales Team of the
Year category, 2010
- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative
of the Year category, 2009
- Finalist in the European Contact Centre Awards, Large Team and Advisor
of the Year categories, 2009
- Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
- Finalists in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category,
2007, 2009 and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250
companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education,
2005 and 2006. Winner in 2007
- Finalist in the National Business Awards, Innovation category, 2005