Undoubtedly the mobile phone has over the past few years become a technologically advanced device that offers a large host of features beyond its traditional use as a communications device. Today almost every mobile phone now features some sort of ability to store and record information or the ability to take either photographs or capture video.

Additionally the phone may also be equipped with a voice recorder allowing the user to record sounds and voices. In some cases, these mobile phone features can be used to store sensitive information such as passwords, bank account information, photos and other personal information. With the storage capacity on mobile phones set to increase, so does the ongoing threat of leaving sensitive information on a mobile device.

Whilst the evolution of the mobile handset from a voice only communications tool to a device that can facilitate access to a range of lifestyle choices is exciting, there are concerns regarding the security of this personal data especially when it comes to the loss, theft or legitimate disposal of such items.

This view was echoed by Joe Nocera, an information security expert and a principle with PricewaterhouseCoopers who said: “Many of the security concerns that people think about when they think about their personal computers are applicable in the mobile world. As mobile devices become more sophisticated, they lend themselves to the same types of access to e-mail, passwords, and other secure information that PCs have done in the past[1].”

In order to quantify whether used mobile phones constituted a real risk to their former owner’s identities, CPP commissioned Jason Hart, senior vice president at CRYPTOCard to analyse 35 used mobiles including the latest smartphones to more basic models and 50 SIM cards. The purpose of the experiment was to qualify what type of sensitive information, if any, had been left on resold mobile handsets and SIM cards - even if it had been assumed deleted, and whether the information was enough to steal someone’s identity. It is important to note that at no point during the review was any unauthorised access or sensitive information used against the original owner of the device or SIM. All data found was deleted - either manually or by using the forensic software to remove and destroy the information. The SIM cards were destroyed.

So what did we find?

Using a mobile phone SIM reader, SIM recovery software and forensic examination software that analyses mobile phones including smartphones and PDAs for data, we discovered that a worryingly high number of used mobile phones and SIM cards contain some element of personal information. In a number of cases, the data that was left on the mobile was highly sensitive. More worrying, in some cases, the former owners had intentionally deleted their information, but it was still easily and quickly recoverable.

From 35 mobile phones and 50 SIM cards, 54 per cent of the mobile devices and SIM cards contained personal data and we retrieved a total of 247 pieces of personal data. From all the data recovered, 75 pieces of data were personal in nature and 13 were highly sensitive including nudity, pornography, bank account details, passwords and company sensitive information.

Separate to the experiment, we conducted omnibus research via a random sample of over 2,000 UK adults to understand people’s understanding of mobile data security and if the results were comparable with our data audit findings.

Interestingly and consistent with our analysis, 50% of second hand mobile phone owners said they had found personal information from a previous owner on the mobile device and SIM card purchased second hand. Respondents said phone numbers were the most common form of data left on the handset, but text messages (26%), names (24%) and multi-media were also prominent.

When we asked people what information they stored on their mobile device and whilst we would expect people to store names (66%), photos (57%), diary dates (36%) and music (36%), some respondents admitted to carrying social networking log in details to sites like Facebook and LinkedIn (14%), work e-mails (6%), PIN numbers (4%), online banking details (2%) and bank account information (2%).

More worrying and in direct contrast to our data audit, 81% of people claim to have wiped their mobile device before selling them, with 60% very confident that they had wiped everything from their handset or SIM card. This conflicts with our audit that showed 54 per cent of used devices contained personal data.

Helping to explain this variance, 74 per cent of people claimed to have wiped their mobile phone or SIM manually – a process that security experts acknowledge leaves the data intact and fully retrievable. Using a factory reset on a mobile phone may seem to be the easiest precaution, but factory resets are far from permanent since they only delete the header information and allow the aforementioned software to recover the original data.

So what can we conclude from this investigation?

The experiment shows that mobile phone users are unaware personal data is still obtainable from a device even after the user has consciously deleted content from the handset. Facilitating this is the fact that most mobile phones do not allow a user to absolutely delete all personal content and that the process to recover data from a used mobile is very simple using the correct tools and with limited technical knowledge.

Furthermore it is evident that smartphones today hold far greater information about the user and leave a much larger identity footprint compared to mobile handsets common only a few years ago.

The investigation also showed that getting SIM cards can be a very simple process as they were largely obtained over the counter for free and that certain stores were happy to give away used SIMs with either no concern or no awareness of the potential breach of privacy.

Without doubt the surge of smartphones and their increasingly popularity will present the identity fraudster with increased opportunities to defraud the handset owner and even businesses that may have sensitive information stored on their employees’ devices.

Mark Hack, an information security expert and executive vice president of NCP engineering was quoted recently as saying[2]: “Because today’s devices are so much more powerful and can hold so much more information than ever before, the risks are increasing. Add to that our tendency to carry both personal and business information around with us on the same device, and our mobile devices have never looked so appealing to hackers.”

With recent stories of malware like the DroidDream and the Zeus Trojan increasingly targeting both smartphone apps and handsets, aligned with a vibrant second hand market in mobile phones, consumers will need to ensure that they manage the evolving mobile data risk and don’t let it become an open door to their identity.

[1] ComputerworldUK, March 2011

[2] ComputerworldUK, March 2011