Sunday, October 5, 2008

Older technology becomes an identity-theft nightmare


It seems that identity thieves are reaping a rich harvest from older electronic equipment dumped by consumers. A report from Australia says:

Mobile phones are changed nearly as often as underwear these days, so it's not unusual that older handsets are passed on to friends or sent for recycling. But what about all the personal information they contain? Did you erase the memory before passing on your last mobile?

Last week, secret MI6 documents were discovered on a memory card that was in a camera sold on eBay for $38. While you wouldn't imagine the likes of James Bond making such a gaffe, it highlights how easily sensitive information is leaked in the digital age. Think of all the personal stuff your mobile contains: photos, text conversations, contacts and documents, not to mention business-related data. All of it can be out there for the taking if you hadn't bothered to delete it before moving on to your new phone.

Now that we're in the era of the smart phone with increasing capabilities, we'll be putting more of ourselves into our portable companions. As our lead story shows, in London alone about 69,000 mobiles and PDAs are left in taxis every six months, so the problem will only grow unless phone makers and providers make it easy to securely wipe a phone before it is handed on.


There are lots of computers, hard disks and other items offered for sale every day, through classified advertisements, on eBay, and through other avenues. I'm willing to bet that most of them haven't been stripped of all their old files, and identity thieves will be able to learn a lot from them. For example, many people don't realize that the Windows operating system retains a list of passwords to your favorite Web sites (unless you tell it not to, and make sure to delete your browsing history). If you log into your bank's Web site to check your accounts, it's fairly likely that your login details have been preserved in your Windows files. Someone who knows how to access them can get at that information without difficulty.

Simply deleting the files isn't any protection. The file system on Windows computers (and many others) doesn't physically wipe the data when you delete a file: it simply marks that space as available for new data to be stored, leaving intact what's actually written to the disk. Only when a new file overwrites that space (or an erase program specifically overwrites it with nonsense characters) will the data become unreadable.
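The behaviour described above, as an added example that is not part of the original post: a toy model of a disk, showing that an ordinary delete leaves the bytes on the medium until the space is reused or deliberately overwritten. The `ToyDisk` class, file names and sample data are constructed for illustration, and the model assumes an overwrite lands on the same physical blocks, which flash storage with wear levelling does not guarantee.

```python
import os

BLOCK = 16  # bytes per block in this toy model (constructed value)

class ToyDisk:
    """Minimal disk model: raw blocks plus a table mapping names to blocks."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)  # what is physically on the medium
        self.table = {}                       # filename -> list of block numbers
        self.free = list(range(blocks))       # blocks available for new data

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)       # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.table[name] = used

    def delete(self, name):
        """Ordinary delete: forget the name and mark the blocks reusable."""
        self.free = self.table.pop(name) + self.free

    def wipe(self, name):
        """Overwrite every block with random bytes, then delete."""
        for b in self.table[name]:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def residue(self, needle):
        """True if the bytes are still present anywhere on the raw medium."""
        return needle in bytes(self.raw)

def demo():
    secret = b"bank login: alice / hunter2"      # constructed sample data
    d = ToyDisk()
    d.write("passwords.txt", secret)
    d.delete("passwords.txt")
    after_delete = d.residue(secret)             # name is gone, bytes are not
    d.write("holiday.jpg", b"x" * len(secret))   # new file reuses freed blocks
    after_reuse = d.residue(secret)
    d2 = ToyDisk()
    d2.write("passwords.txt", secret)
    d2.wipe("passwords.txt")
    return after_delete, after_reuse, d2.residue(secret)

if __name__ == "__main__":
    print(demo())
```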

Personally, with the rise in chip-based memory that retains its data even when the battery goes dead, I no longer trust any device with memory to be fully 'wipe-able'. I therefore physically destroy such devices, rather than recycle them. For a computer, I'll take out the hard disk, open it up, and destroy the magnetic platters inside. For a mobile phone, I'll take out the circuit board and physically strip the chips off the board, breaking off their 'legs' so that they can't be re-mounted. It may be a bit excessive, but at least I know no-one will be reading any of my data from those devices!

Of course, you can have this done professionally:





Or with mechanical assistance:





There's always the fun option, too . . .







Peter

2 comments:

phlegmfatale said...

there should be a Terminator episode where common, drab computers reassemble themselves from those impossibly teeny bits. Loved the shreddy thing. WOOHOO!

Anonymous said...

These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of “IT Wars” - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book – BEFORE you suffer a breach.