Recycled and stolen mobile phones from the UK are being bought in online auctions for as little as £10 by foreign criminals with fraudulent intent, who want the information left on them by their former owners.
The handsets, which still contain personal data, are being bought with the sole intent of committing fraud with the information, according to a report in online magazine Mobile News.
Ken Garner, Smartphone Security Business Development Manager at security specialist BlackBelt, told the magazine that his company has seen a “huge” increase in activity by gangs selling handsets to fuel fraud. He said that despite efforts by recyclers to remove all data from devices before they are sold on, a certain percentage “slip through the net” and end up being of use to fraudsters.
Recycled handsets are often sold into international markets – typically Singapore, Hong Kong and the Middle East. If they still enable access to or contain copies of emails, banking details, PIN numbers, passwords and photographs, the former owner's address and many other personal details could be exploited for fraud or identity theft.
Mr Garner said: “When UK recyclers send handsets abroad, they become part of a huge supply chain and get lost. Unknowingly, some of those handsets are not wiped in their entirety and slip through the net. That information can be very valuable in the wrong hands.” He continued: “Smartphones are absolutely the target of choice for criminals. They are used for all aspects of a person’s life, and mobile phones are less protected than computers currently. The most valuable ones are the ones that have banking data on them – particularly if it is data that gives access to corporate accounts.”
Criminals are now setting up “legitimate” auction websites to promote and detail the information found on the devices they sell, with prices for the phones typically ranging from £10 to £100. Russian website Spamdot previously sold data taken from servers and PCs, but now focuses on smartphones. Another Russian site, Citadel (aka Fortress), sells malware that enables users to access personal information mined from mobile phones, as well as allowing them to recover 'deleted' information. It also sends a link to a phone number or email which, if opened, provides access to the device they have obtained. Garner, who works closely with the police to gather information on the activity, said the market has shifted towards mobile phones as prices paid for stolen credit card details have fallen.
Mobile phone recyclers Mazuma Mobile and Fonebank say they have not had any problems with data stored on the devices they handle. Charlo Carabott, Managing Director of Mazuma, told Mobile News that his firm ensures all of its handsets are wiped, whether they are faulty or fully functioning, and it works only with “approved partners”. He added that Mazuma has recycled more than 4.5 million handsets since it started trading in 2007 and, as well as its own data-wiping procedures, it provides customers with details on wiping all data themselves.
Fonebank Director Olly Tagg told the publication it has yet to experience issues with data, but he said he believes more needs to be done to ensure the risks are reduced further, with more responsibility placed on network operators, manufacturers and even the Government to help increase awareness of the potential issues which can arise from storing private information on mobile phones. “There needs to be more education,” said Mr Tagg. “It was not really an issue years ago when people’s phones were just used for calling, but now people use their phone like a computer. There needs to be a big move towards ensuring data is removed, but it needs to be a coordinated approach – it is very easy to point the finger at recyclers, but it should be an industry-wide effort.”