Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Data Storage Privacy IT Technology

It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds (gizmodo.com) 116

A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. From a report: For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII) -- the bread and butter of identity theft. Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you'd imagine. "I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600," he said.

Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.

This discussion has been archived. No new comments can be posted.

It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds

Comments Filter:
  • by IWantMoreSpamPlease ( 571972 ) on Wednesday March 20, 2019 @09:43AM (#58304224) Homepage Journal

    Used to belong to a tax accounting firm.
    Fully functioning. Over 100k tax return forms still on the system.
    *Everything*, was still there. Names, SSNs, tax id records, addresses, everything.

    It's a damn good thing I was honest and DBAN'd that drive immediately.
    I contacted the seller and told him this.
    Never heard back...

    • by Anonymous Coward on Wednesday March 20, 2019 @09:46AM (#58304236)
      I'm going to guess that the seller wasn't all that interested in protecting the clients of the business that he stole that computer from...
    • by ytene ( 4376651 )
      You did the right thing - and credit to you for that... But I sometimes wonder if something like this isn't worth reporting to the FBI. Unless - as someone else has suggested in comments - the device was stolen, then you have to wonder if that tax accounting firm have lax security controls that means they are leaking data all over the place.

      It's the sort of thing that the FBI should want to investigate, given the amount of harm that identity theft can cause - and given the data elements you comment were
      • It's the sort of thing that the FBI should want to investigate, given the amount of harm that identity theft can cause - and given the data elements you comment were on the device when you bought it.

        While it is stupid to leave personal info, especially THIS much on a laptop or other piece of electronic gear to be sold used.....what crime exactly was committed?

        I mean, if there is no crime to be investigated and charged with, then there is no reason to call the FBI or other law enforcement agencies.

        And no

      • Not American, so I don't know about the FBI angle. Being a Britbong however, reporting it sounds like the type of caper that would result in *all* of your computing hardware being confiscated by law enforcement until it's so obsolete as to be unsaleable.

        Not just the items bought second-hand to prove a point, but everything you use. At least this side of the pond, police have a bit of history in being a bit, shall we say, 'indiscriminate' with regard to what they see as evidence-gathering.

        Although I do fee

    • by nehumanuscrede ( 624750 ) on Wednesday March 20, 2019 @10:29AM (#58304460)

      If it was on E-Bay, consider the possibility the laptop was stolen.

      People steal shit like this all the time from desks, vehicles, etc. which is why all of our corporate laptops have full drive encryption.

  • by ytene ( 4376651 ) on Wednesday March 20, 2019 @09:47AM (#58304240)
    Yesterday, BeauHD posted an article related to the fact that California is re-introducing right-to-repair legislation, which, believe it or not, is related to this topic.

    If I can open a slot on the bottom of my laptop and easily replace the internal storage drive (on my PS/3 and PS/4 doing this requires removal of one screw), then I can be 100% certain that I am not leaking data if I sell on my old device. Yes, OK, I still have to buy a new drive and maybe re-install the OS on it, but these are simple enough tasks these days.

    With the advent of devices with integrated storage, often soldered on to motherboards, this becomes impossible. What this now means is that the original manufacturer would have to come up with a way to *guarantee* you that all data on embedded storage had been securely wiped. Otherwise, their failure to do that, coupled with negligent design or negligent security implementations, could result in the loss of your personal data.

    I wonder how many smartphone/tablet/similar device manufacturers would be willing to step up and own that liability in return for being able to prevent you from upgrading or repairing your device. I'm betting not that many.
    • Even if the manufacturer thinks they did a wipe, it might not actually be done. My recommendation is to always use FDE. This way, when the drive is reformatted, there is no way to access the data, especially if the machine uses a TPM, and the TPM is reset.

      I recommend FDE on everything, if possible. This way, making sure a complete zeroing isn't as big an issue.

    • The other fun part is once the integrated battery is toast, you may have no way to even power up the device to wipe it anymore. I guess you could argue that the device at that point is junk and destroy it to keep the data safe, but that would preclude you from selling it/giving it away for parts.

  • by Anonymous Coward

    Expect someone to mass purchase defunct store web sites to get equivalent data.

  • Used Laptops (Score:2, Interesting)

    by Anonymous Coward

    I buy a lot of used laptops from people to refurbish and give to local schools that don't have the money to buy them.

    I am appalled at what I find on them.

    One time I got (they were donated) 10 used IBM Thinkpads from a criminal law firm in town. They did absolutely nothing to purge the hard drives of sensitive client information. All of their files were intact, unencrypted, just sitting in My Documents.

    I called them to tell them what they had done and they didn't care one iota. Unbelievable. I could probably

  • Way way back when, I used to refurbish warranty returns for a major computer retailer. Almost no one wiped their drive before returning their machine. (In addition I amassed a nice music and movie collection of discs left in the drives.) We didn't care much, we would just wipe it and carry on.Sounds like nothing has changed. Incidentally the variety of failures we encountered was impressive - dropped in oceans, hit by trucks, burnt through with blowtorches, urinated on, smoked to death, shot, infested, in
  • I want to know where I can get 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones for around $600.

    • And if someone was intent on getting personal details off sold hardware to defraud the previous owners, I am not at all convinced that people who had to pawn their stuff would be a sensible group to target.
      • Oftentimes the person trying to pawn the stuff is likely not the person whose stuff is on the device. Pawn shops do try to check serials and databases to check if something is stolen, but stuff does get through.

    • In Wisconsin, duh.
    • Depending on how old and outdated it is, you can even get paid to take stuff like that.

  • by DontBeAMoran ( 4843879 ) on Wednesday March 20, 2019 @10:02AM (#58304318)

    Always look for crypto-currency wallets/numbers/keys/passwords.

    I once found a used laptop with a dogecoin wallet on it, there was still 15 coins in it!
    Needless to say, I still went to work the next day.

  • by Anonymous Coward

    As someone who has dumpster dived for electronics before, it's amazing the shape people throw away hardware in. They crack a screen and don't think about he data on the system, let alone the fact that the laptop still works. I've found tax records, bank passwords, etc on systems I've come across. I'm always a proponent of DBAN and when I find that stuff I'm quick to wipe the system, but I imagine a lot of people's data gets stolen due to carelessness.

  • If he got them all at pawn shops, then many of them could have been stolen. A lot of stolen goods go to pawn shops. The same is true of flea markets.

  • without a common user solution.

    Pretty much everyone on here knows how to properly wipe a device / drive / whatever.
    This crowd, however, doesn't really represent the common user.

    To be used effectively by those who don't speak IT fluently, the process of wiping / clearing any
    given device needs to be simplified imo.

    After educating these people on WHY they need to wipe a device, make sure they have an
    easy method to make it happen.

    For phones, a built in App wipes the entire phone when the user initiates it. ( T

  • My solution (Score:5, Funny)

    by The Grim Reefer ( 1162755 ) on Wednesday March 20, 2019 @10:42AM (#58304516)

    I typically overwrite all sectors on a HD for a month with random crap, and drill holes in the platters.

    After that it gets spun around inside a 15 Tesla magnet for 2 hours. Then I use thermite to melt it into a pool of slag, grind up the slag into a fine powder and divide that into 5 equal portions.

    I feed one of those portions to my dogs and then set half of their waste on fire and put the other half into the garbage. I use honey to stick another portion to the bird seed I have in a feeder. The third portion I take to a metal recycling place. The fourth portion gets flushed down the toilet. The fifth portion is in a safe deposit box, just in case I need to recover anything.

    If I'm being extra careful, I encrypt the drive with ROT13, twice, before the random writes.

    • I typically overwrite all sectors on a HD for a month with random crap, and drill holes in the platters.

      How well does that work on a small device with a soldered on SSD that just had the screen break and is still under warranty?

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Same, only you do it to the whole device. Return the firth portion under warranty.

  • Secrets? (Score:4, Insightful)

    by TechyImmigrant ( 175943 ) on Wednesday March 20, 2019 @10:46AM (#58304536) Homepage Journal

    >Social Security numbers, dates of birth, credit card information

    None of these things is a secret and should not be used as such.

    • Really? Then provide yours.

      • Really? Then provide yours.

        I will when they make it illegal to use them as authentication tokens.

        • by Trogre ( 513942 )

          So they are de facto secrets.

          • So they are de facto secrets.

            Bullshit.
            Lots of people know my birthdate - It's been entered on numerous forms.
            Lots of people know my SS number - It's been passed around government departments for a long time.
            Lots of people have access to my credit card number - Pretty much every time I use it.

            That means we live in a de-facto vulnerable state. I don't plan to make myself more vulnerable.

        • So you do see how it is a problem that such information is left on sold devices You just pretend not to see it to make a snarky post on /.

          • So you do see how it is a problem that such information is left on sold devices You just pretend not to see it to make a snarky post on /.

            I see that it is the practice of companies and the government using them as authentication tokens that makes it a problem when they are left on devices.

      • Really? Then provide yours.

        Okay. 3. I'm really old.

      • Comment removed based on user account deletion
  • If you're planning on getting something you use back, and are desperate enough to use a pawn shop to get money, you probably aren't thinking, "Hey, I should invest money I don't have right now in backup media so that I can wipe the contents of this machine I'm planning to get back after I get my paycheck next week."

    If you wipe the drive properly, the machine becomes useless to you, even if you get it back.

    Of course, if a thief is pawning it, they probably didn't think to wipe the contents. Heck, they may ha

    • So I guess I'm showing my ignorance, but people sell things to pawn shop intending it to be like a payday loan with collateral of their property?
      • by AvitarX ( 172628 )

        Exactly, usually the interest is far better than a payday loan, but they have the collateral.

        A payday loan (in my area) costs $75.00 for $500.00 0 interest loan with a 2 week payback. They take a bank account for the deposit and pull the $75.00 to renew your loan if you don't pay it back in 2 weeks. Effectively you're paying $1950/year in fees for a $500 until you pay the principal.

        With a pawn shop you use property as collateral, and typically get a loan amounting to 25%-50% of your collateral's thrift/used

  • you do is DBAN and/or replace the drive, and if phone, do wipe. Never use a used laptop or computer or phone due to numerous issues. This would include sensitive documents, passwords, illegal content, viruses, etc.
  • I help refurbish computers for a nonprofit and had one donated a while back. From a cursory look on the hard drive, there was no login password, business and home addresses, SSN and credit card numbers, pictures, scans, detailed financial data and more. I could have totally stolen this user's complete identity so easily if I were a dishonest person. Needless to say. the hard drive underwent DBAN. Even computers I've bought from secondhand stores have had personal info on them. I guess most people think th
  • A person might be concerned about privacy. You, me, most people here wouldn't fit in the other category, but people generally don't care about privacy. Even if they get stung, they'll care about it only until they get their replacement cards and a refund from their credit card company, then it's back to the same lax behaviors.

    Case in point: People who are concerned about their privacy wouldn't tell 20 million anonymous people that they're going on vacation and, by extension, leaving their house gener
  • I would recommend if you're discarding a device, you donate it to a reputable recycler in your area.

    I know in my case, as a recycler, we destroy all data on all devices we receive before repurposing them.

    You should pick a recycler whom is committed to customer privacy and has certifications for data destruction practices.

    Ask your recycler about how they handle data on received devices. Probe deeper if you want, ask to see the procedures taken.

    Not every consumer is savvy enough to properly erase devices. S

  • This is a great use-case for casual device encryption.

    Phone, tablet, desktop PC, on all of these you should consider full device encryption for your storage.

    Once an encrypted device is no longer needed, you can discard it safely without worry if was encrypted all along to begin with.

    This also helps mitigate the consequences of device theft.

  • by Pezbian ( 1641885 ) on Wednesday March 20, 2019 @01:17PM (#58305370)

    Every computer I resell I've started checking for cryptocurrency.

    Back when BTC was going for a couple bucks, college kids would set up miners on school PCs that I would later buy at surplus sales.

    That $5 Core Duo with the massively outdated GPU might be worth its weight in gold.

  • When I get rid of a phone (I typically keep them because AI don't buy contract phones), SIM card pulled, factory reset 3 times. On laptops, I set up the laptop, Network or wifi connections. Then the drive gets mirrored with an SSD, the HDD is shelved with the expiration date of the warranty. If I sell the laptop, the original drive gets put back.
  • I have this box full of old hard drives and cell phones going back 15 years. This is why. I should really do something with it one of these days, but at least I know for certain no one is looking at them.
  • I can't help feeling that Microsoft could significantly improve this situation by including Bitlocker into Windows 10 Home edition.

    They could make it even better if was one of the recommended actions in "Action Center" - meaning that Windows would occasionally nag you to set it up.

I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.

Working...