Mobile and SIM data - quantifying the risk - 2011


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Mobile and SIM data - quantifying the risk - 2011

  1. 1. Mobile andSIM data –quantifyingthe riskA CPP white paperMarch 2011
  2. 2. Contents 1.1 Foreword 1.2 Background News 1.3 Research methodology 1.4 Key Findings - Over half of used mobile phones and SIM cards contained personal information - Half of second hand mobile phone owners admitted they have found personal information from a previous owner - The vast majority of people (81%) claim to have wiped their mobile or SIM card before selling them - 58 per cent have sold or given away an old mobile phone or SIM card with the average resale price of £47 - Manually wiping the data was the most common method to delete information 1.5 Conclusion 1.6 Safeguarding your mobile data 1.7 Further Information 1.8 About CPP Mobile and SIM data - quantifying the risk March 2011
  3. 3. Introduction 2 1.1 Foreword This report is intended as a reference document to highlight the potential threat of storing sensitive information on mobile handsets and the dangers of uncontrolled disposal of unwanted or used SIM cards and mobile phones. The review is also intended to generate public awareness of the increased risk of using a mobile device as a storage medium and to encourage people to think long and hard about what they as individuals or business employees may be forfeiting in the name of security. The report also highlights a number of potential security vulnerabilities associated with storing sensitive information on a mobile device and recommends ways to avoid being a victim of data loss. The mobile phone has become a technologically advanced device that offers a large host of features above and beyond its traditional use as a communications device. Almost every mobile phone now features some sort of ability to store and record information, or the ability to take either still photographs or capture video. Additionally, the mobile phone may also be equipped with a voice recorder, allowing the user to record sounds and voices. In some cases these features will be used to store sensitive information such as passwords, bank account information and other personal data. With the continued increase of data storage capacity on mobile handsets, there is a reciprocal increase in the threat these devices pose to our identities via the loss of sensitive information through malware or even loss and theft. This situation raised concerns with CPP, who were worried that such information may not be completely or securely removed prior to disposal and therefore present a real and present danger to people’s identities and companies confidential information. Mobile and SIM data - quantifying the risk March 2011
  4. 4. 3 1.2 Background News - “In another sign that attackers continue to target the mobile sector, it has been revealed that more than 50 apps on Google’s Android market were infected with malware. The apps, which had been available on Google’s Android Market, were said to contain rootkit malware ‘DroidDream’, which can take command of a mobile handset and send personal details to the remote server.” (source: eWeek Europe, March 2011) DroidDream - “The Zeus malware specifically targeting the Blackberry OS is currently detected by Trend Micro BBOS_ZITMO.B. Once installed, the Trojan removes can take itself from the list of applications, in order to effectively stay under the radar.” (source:, March 2011) command of - “As many as 8 in 10 web browsers are vulnerable to hackers and criminals because they are not kept up-to-date, researchers have found. The vast a mobile majority of users are not following the basic precaution of installing patches for known security holes, making them a relatively easy prey for identity thieves handset and and other attackers.” (source: Daily Telegraph, February 2011) - Whether you’re travelling with a laptop, netbook, smartphone, iPad or all of thesend personal above, the risks and defences against them are basically the same, according to Joe Nocera, an information security expert and a principle with details to the PricewaterhouseCoopers. “Many of the security concerns that people think about when they think about their personal computers are applicable in theremote server mobile world. As mobile devices become more sophisticated, they lend themselves to the same types of access to e-mail, passwords, and other secure information that PCs have done in the past”. As specific mobile devices become more popular, they become more of a target for hackers. “Five years ago, the vulnerabilities were Microsoft-based and targeting PCs. Apple tended not to be targeted so often”, say Nocera. “But, in the last year and a half or so, we’re seeing a shift. More and more often we’re seeing either Android or iPhone-based vulnerabilities being targeted. We predict that by 2014 you’ll see those types of vulnerabilities being the most targeted as more and more users go to those mobile devices.” (source: ComputerworldUK, March 2011) - Recent research has revealed the global market for mobile internet will continue to grow rapidly, and reach one billion users by 2015 according to the independent analyst house Ovum (source: Visualsoft, February 2011) Mobile and SIM data - quantifying the risk March 2011
  5. 5. 4 1.3 Research Methoodology CPP commissioned research in 2011 to establish how much personal data was accessible on used mobile handsets and SIM cards. The research took two forms: 1. ICM interviewed a random sample of 2,011 adults aged 18+ online between 16 – 18 February 2011. Surveys were conducted across the country and the results were weighted to the profile of all adults. ICM is a member of the British Polling Council and abides by its rules. Further information at 2. A live experiment was also carried out in February 2011. Commissioned by CPP, ethical hacker, Jason Hart, conducted a number of reviews relating to the data contents of re-sold used mobile devices and SIM cards within the United Kingdom with the objective of the review being: - Understand if sensitive information has been left on resold mobile devices - Understand what type of information is stored - To see if information can be recovered from resold mobile device even if the mobile device has been deleted by using software freely available on the internet - Understand what information can be found on used SIM cards - To evaluate whether any information found on a mobile device and or SIM could be used to conduct any form of identity theft against the original owner of the device and or SIM It is important to note that at no point during this experiment was any unauthorised access or sensitive information used against the original owners of the devices or SIM cards. All data found on the mobile phones was deleted – either manually or by using the forensic software to remove and destroy the information. The SIM cards were destroyed. 35 used mobile phones and 50 SIM cards were analysed using the following techniques: - A mobile phone SIM reader (a standard SIM reader that can be purchased from most electric stores) - SIM recovery software - Forensic examination software - mobile forensic software that analysis mobile phones, smartphones and PDAs for data. A total of 35 phones were acquired for the investigation based on the following methods: Method Total Purchased via private seller on ebay 5 Purchased from a number of used mobile business 20 Acquired from people giving away their mobile phones for free 10Mobile and SIM data - quantifying the risk March 2011
  6. 6. 5 In addition to acquiring mobile phones we wanted to understand the level of potential threat of used SIM cards during the investigation. We therefore acquired 50 SIM cards by the following methods: Method Total High street mobile phone stores 30 Aquired from purchase of used mobile phones 10 Requests to general public 10 The following process was used in the conducting of the investigation: - Removal of the SIM (if present) and any media cards - Inserting SIM cards into the SIM reader and extracting any contacts and SMS messages - Inserting media cards into a card reader to extract any information - A manual inspection of the device contents via the user interface - Confirmation if data had been deleted prior to purchase - A logical acquisition of data stored on the handset using forensic examination software In using the above software and hardware we focused the investigation on analysing the data recovered, recording the number of information items and classifying them as personal or business and indicating whether the information could be regarded as sensitive. Each phone and SIM card was examined. In addition, the investigation was primarily focused on the following data categories: - Passwords - Usernames - Bank details - Photos - Notes - Contacts - Credit cards numbers - Video - E-mail addresses - Company information - SMS - E-mailsMobile and SIM data - quantifying the risk March 2011
  7. 7. 6 1.4 Key Findings Over half of used mobile phones and SIM cards contained personal information The investigation revealed a worryingly high number of used mobile phones and SIM cards contain some element of personal information left by previous owners. In a number of cases the data left on the mobile or SIM card was highly sensitive. More worryingly, in some cases, the previous owners had believed that they had deleted the content - but it was still easily and quickly recoverable. In relation to the review of mobile phones and SIM cards, below is a summary of the findings. Data Content Total Findings Passwords 3 Usernames 6 Bank details 2 Photos 14 Notes 7 Contacts 35 Credit card numbers 1 Video 19 Email address 17 Company information 4 SMS 139 From just 35 phones and 50 SIM cards a total of 247 pieces of data personal data was easily recovered, including password and bank details. Of the data recovered, over 75 pieces of information were personal in nature and over 13 were highly sensitive including nudity, pornography, bank account details, passwords and sensitive company information. This latter information was enough to commit both personal and company identity fraud. Data was left on 19 of the 35 mobile phones and 27 of the 50 SIM cards. Separately in supporting consumer research via a random sample of over 2,000 UK adults, when we asked people what information they currently have on their mobile phones, the range of personal information was widespread. Whilst we would expect people to carry names (66%), photos (57%), diary dates (36%) and music (36%), some respondents admitted to carrying social networking log in details (14%), work e-mails (6%), PIN numbers (4%), online banking details (2%) and bank account information (2%).Mobile and SIM data - quantifying the risk March 2011
  8. 8. 7 34% of 18-24 year olds claim to store social networking log in details on their mobile handsets and six per cent of 25-34 year olds PIN numbers. With mobile data usage increasing all the time, the value of products that provide a complete data back up and remote lock and wipe of all data is clear and would address a very real consumer requirement. Half of second hand mobile phone owners have admitted that they have found personal information from a previous owner In the supporting consumer research, half of second hand mobile owners have admitted they found personal information from a previous owner on the mobile and SIM cards that they have purchased second hand. This is consistent with the results of the live experiment where 54% of mobile phones and SIM cards contained personal information. Phone numbers were the most common form of data left on the handset, but text messages (26%), names (24%) and multi-media (music, videos and photographs) were also prominent. Seven per cent of people claimed to have accessed e-mails, three per cent social media log in details and two per cent bank information. 49 per cent of people who had bought a second hand mobile said they did not find any personal information. Again, this claimed behaviour is broadly consistent with our analysis of the used mobile phones and SIM cards whereby 46% of the handsets did not contain sensitive personal information. Q: Have you ever found any of the following information from a previous owner on a second hand mobile phone you bought? 50% 49% 40% 31% 30% 26% 24% 21% 20% 10% 7% 2% 3% 1% 1% 1% 0% All who have bought a second hand mobile phone or SIM Phone numbers Security information e.e. passwords, pin numbers etc Names Multimedia - music, videos, photographs Bank details Other types of information Social networking log in details No E-mails Don’t know Text messagesMobile and SIM data - quantifying the risk March 2011
  9. 9. 8 The vast majority of people (81%) claim to have wiped their mobile or SIM card before selling them Most worryingly 81 per cent of people claim to have wiped their mobiles before selling them, with 60 per cent confident they wiped everything from their mobile handset or SIM card. This conflicts with the experiment that showed over half of mobile handsets and SIM card had retrievable personal data. Men (61%) were marginally more confident than women (58%) that they had deleted all their personal information. Those aged 35-44 (66%) were more confident than those aged 65+ (48%). Nine per cent of people who have sold their mobile or SIM cards were not confident they had wiped their phone or SIM fully. Q: Thinking about when you sold your SIM or mobile phone, which of the following describes what you did about wiping (removing all personal information, media files etc) 81 per cent your SIM or phone? of people 80%claim to have 70% wiped their 60% 61% 58% mobiles 50%before selling 40% them 30% 20% 17% 13% 11% 9% 9% 8% 9% 8% 7% 6% 10% 5% 3% 0% Male Female All who have sold a second hand mobile or SIM card I was advised by the company I sold it to to wipe my phone or SIM I was advised by friends or family to wipe my phone or SIM I am confident I wiped my phone or SIM fully I am not confident I wiped my phone or SIM fully I did not wipe my phone or SIM Not applicable Don’t know Mobile and SIM data - quantifying the risk March 2011
  10. 10. 9 58 per cent have sold or given away a used mobile phone or SIM card with the average resale price of £47 When upgrading and disposing of redundant mobile phones and SIM cards, the most popular method of disposal is to give the phone or SIM to a friend or family member (30%). 19 per cent claimed to have donated it to a recycling company and nine per cent sold it to an online shop or via an online audition site like eBay. Seven per cent said they threw it in the bin and five per cent sold it to a friend or family member. Three per cent said they had sold it to a second hand shop. Women were more likely to have given it to a friend or family member or to have donated it to a recycling company. Men on the other hand, were more likely to dispose of their mobile phone or SIM card by selling it online or to a friend and family member or disposing of it in the bin. Those aged 25-44 were the most likely to sell a mobile handset or SIM card via an online shop or through an online auction site like eBay. When we asked people how much they had sold a mobile phone or SIM card, the mean price was £46.60. When you consider that over half the mobile phones and SIM cards in our experiment contained personal information, it would seem that people are inadvertently selling their personal information for a very low price. Those aged 25-34 sold their devices for a mean price of £57.26 verses £31.48 for people aged 65+. The sophistication of handset will have influenced this higher used retail price. Q: Have you ever sold or given away an old mobile phone or SIM card in the following ways? 40% 37% 35% 35% 32% 30% 28% 25% 21% 20% 17% 15% 10% 9% 9% 10% 8% 8% 7% 6% 4% 4% 5% 3% 3% 3% 3% 1% 0 Male Female All Respondents Gave it to a friend or family member Sold it to a friend or family member Donated it to a recycling company Sold it to a second hand shop Sold it to an online shop I have never given away or sold an old mobile phone Sold it on an online auction website e.g. eBay I have never owned a mobile phone Thrown it in the bin OtherMobile and SIM data - quantifying the risk March 2011
  11. 11. 10 Manually wiping the data was the most common method to delete information Three quarters (78%) who have wiped their mobile phone or SIM card before selling it on have relied on manually completing this – a process that security experts acknowledge leaves the data intact and retrievable. Using a factory reset on a mobile phone may seem to be the easiest precaution before disposing of the device, but factory resets are far from permanent, since they only delete the header information to your data and allow software to recover the original data. 38% claimed to have performed a hard reset of the device and 4% used a third party software application. Women (82%) were more likely to manually delete information than men (78%), whereas Factory more men are more likely to use third party software or perform a hard reset of the device – all of which are not absolutely secure methods. resets are 18-24 year olds were the most likely (56%) to perform a hard reset of the mobile phone. far from Q: Which ‘wiping’ method have you used?permanent, since they 100% only delete 80% 82% the header 74%information 60%to your data 42% 40% 34% 20% 7% 3% 1% 1% 1% 1% 3% 0% 0% Male Female Wiping Method Erased all data yourself from the handset manually Performed a hard reset of the device Used a third party software application Other type of wiping method Not applicable - didn’t wipe my phone or sim Don’t know Mobile and SIM data - quantifying the risk March 2011
  12. 12. 11 1.5 Conclusion This investigation shows that that most people are totally unaware of the issues of storing information on mobile devices. The core issues are as follows: - The report has confirmed users are unaware that in some cases personal data is still obtainable from a devices after the user has deleted content from the mobile device - Most mobile phones do not allow the user to totally delete all personal content or user data - The ability to recover deleted data from a mobile is a very simple process using the correct tools and with limited technical knowledgeThe surge in - It was very clear from the investigation that smartphones hold far greater information about the user and leave a much larger footprint compared to older mobile phones smart - The investigation showed getting SIM cards can be a very simple process and phones will some mobile phone stores were happy to give away used SIM cards with no concern for the potential breach of privacy provide - The surge in smartphones will provide fraudsters with increased opportunities to defraud the handset owner and organisations that have sensitive information fraudsters stored on the handset. With the increasing penetration and use of smartphones for daily communication and with m-commerce with the evolution of near-field-communications, there is clearly a requirement for heightened awareness amongst consumers about the need for digital increased security beyond laptops and PCs. “Because today’s devices are so much more powerful and can hold so much moreopportunities information than ever before, the risks are increasing”, says Martin Hack, information security expert and executive vice president of NCP engineering. “Add to that our to defraud tendency to carry both personal and business information around with us on the same device, and our mobile devices have never looked so appealing to hackers.” (source: the handset ComputerworldUK, March 2011). Whilst there has been no major detrimental impact on consumers to date, we could, one owner day, face a major security lapse as criminals increasingly target mobile applications for data. The Zeus virus that directed victims to a fake website where they were invited to download an application that then steals their banking details could be a sign of phishing attacks becoming a huge problem for smartphone users especially when mobile banking reaches a critical mass. The proliferation of applications for mobile devices makes their pre-screening increasingly difficult as they are becoming the primary way people access internet-based services. Recent research from Ovum predicts the global market for mobile internet will continue to grow rapidly and reach one billion users by 2015 and just fewer than 17% of this global population will access the internet exclusively via their mobile handsets. The provision of products that address the security implications of this transfer of personal data onto the mobile handset will meet a real consumer need and are more relevant than ever. Mobile and SIM data - quantifying the risk March 2011
  13. 13. 12 1.6 Safeguarding your mobile data Danny Harrison is Head of Mobile Data Security at CPP and offers the following advice to consumers to help protect them from data loss. Danny has over ten years’ experience and is responsible for CPP’s mobile phone assistance and insurance products that insure against lost, stolen and damaged handsets, and also assists people in the event of lost data. Danny is media trained across print and broadcast and is available for media interviews on the issue of data security. If you are selling your mobile follow the below steps to reduce the risk of data transfer: - Restore all factory settings - this is the first step that you should take as it is the easiest precaution before disposing of the unit, but factory resets are far from permanent so follow the steps below to protect your data - Remove your SIM card and destroy it - Delete back-ups - even if your smartphone, PDA or laptop data is securely removed from the mobile device, it can continue to exist on a back up somewhere else - Log out and delete - make sure you have logged out of all social networking sites, emails, wireless connections, company networks and applications. Once you are logged out make sure you delete the password and connection - Various passwords - avoid using the same ID/password on multiple systems and storing them on your mobile phone, if you are going to store them on your phone use a picture that reminds you of the password - If you are selling your mobile phone ask for it to be wiped if you don’t know how to do it yourself - Don’t store vast amounts of personal information on your mobile phone/SIM if possible If you are keeping your mobile, the following tips should help keep your mobile secure: - Make sure your software is up-to-date – regularly check the manufacturer’s website for updated software patches or firewall updates - Leave the phones security setting as they are – most of the default browser settings are secure, so leave them as they are - Avoid unencrypted public wireless networks – only use encrypted networks which require an ID or password for access. WPA (Wi-Fi protected access) is the most secure. Paying to access a Wi-Fi network does not necessarily mean it is secure - Use websites beginning with ‘https’ not just ‘http’- it means any information you enter is encrypted - Turn off cookies and autofill – if your mobile device automatically enters passwords and login information into websites that you visit, turn that feature off. It is convenient, but it is a security threat - Be careful about what applications you download – be selective which ones you download. Take time to review some of the comments.Mobile and SIM data - quantifying the risk March 2011
  14. 14. 13 1.7 Further Information For further information please contact: Nick Jones Head of Public Relations CPPGroup Plc Holgate Park York YO26 4GA www.cppgroup.plc Tel: 01904 544 387 E-Mail: and SIM data - quantifying the risk March 2011
  15. 15. 14CPP is an award-winning organisation:- Winner in the European Contact Centre Awards, Large Team of the Year category, 2010- Finalist in the European Contact Centre Awards, Best Centre for Customer Service, Large Contact Centre of the Year categories, 2010- Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 1.8 About CPP 2009 Corporate Background Information- Finalist in the European Contact Centre Awards, The CPPGroup Plc (CPP) is an international marketing services business offering bespoke Large Team and Advisor customer management solutions to multi-sector business partners designed to enhance of the Year categories, their customer revenue, engagement and loyalty, whilst at the same time reducing cost to 2009 deliver improved profitability.- Named in the Sunday This is underpinned by the delivery of a portfolio of complementary Life Assistance Times 2008 PricewaterhouseCoopers products, designed to help our mutual customers cope with the anxieties associated with Profit Track 100 the challenges and opportunities of everyday life.- Finalists in the National Whether our customers have lost their wallets, been a victim of identity fraud or looking Business Awards, 3i for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to Growth Strategy enjoy life. Globally, our Life Assistance products and services are designed to simplify the category, 2008 complexities of everyday living whether these affect personal finances, home, travel,- Finalist in the National personal data or future plans. When it really matters, Life Assistance enables people to live Business Awards, life and worry less. Business of the Year category, 2007, 2009 Established in 1980, CPP has 11 million customers and more than 200 business partners and Highly Commended across Europe, North America and Asia and employs 2,300 employees who handle in 2008 millions of sales and service conversations each year.- Named in the Sunday In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the Times 2006, 2007, 2008 previous year. and 2009 HSBC Top Track 250 companies In March 2010, CPP debuted on the London Stock Exchange (LSE).- Regional winner of the National Training What We Do: Awards, 2007 CPP provides a range of assistance products and services that allow our business partners- Winner of the BITC to forge closer relationships with their customers. Health, Work and Well-Being Award, 2007 We have a solution for many eventualities, including:- Highly Commended in - Insuring our customers’ mobile phones against loss, theft and damage the UK National Customer Service - Protecting the payment cards in our customers’ wallets and purses, should Awards, 2006 these be lost or stolen- Winner of the Tamworth - Providing assistance and protection if a customer’s keys are lost or stolen Community Involvement Award, 2006. Finalist in - Providing advice, insurance and assistance to protect customers against the 2008 insidious crime of identity fraud- Highly Commended in - Assisting customers with their travel needs be it an emergency (for example The Press Best Link lost passport), or basic translation service Between Business and Education, 2005 and - Monitoring the credit status of our customers 2006. Winner in 2007 - Provision of packaged services to business partners’ customers- Finalist in the National Business Awards, Innovation category, For more information on CPP click on 2005 Mobile and SIM data - quantifying the risk March 2011