Fraudsters mining data left on recycled and stolen UK mobiles


Criminals buying up unwiped phones for as little as £10 in web auctions, security firm BlackBelt says

Recycled and stolen handsets from the UK still containing their former owners’ personal data are being sold on to foreign criminals looking to commit fraud with the information.

This is according to Ken Garner, smartphone security business development manager at security software firm BlackBelt, who told Mobile News his company has seen a “huge” increase in activity by gangs selling handsets to fuel fraud.

Garner said despite efforts by recyclers to remove all data from devices before they are sold on, a certain percentage “slip through the net” and end up in the wrong hands still containing sensitive data.

Recycled handsets are often sold into international markets – typically Singapore, Hong Kong and the Middle East – Garner told Mobile News.

Information that fraudsters are particularly keen to mine includes access to or copies of emails, banking details, PIN numbers, passwords and photographs that can identify where the handset’s former owner lives and what they have in their home.

Garner said: “When UK recyclers send handsets abroad, they become part of a huge supply chain and get lost. Unknowingly, some of those handsets are not wiped in their entirety and slip through the net. That information can be very valuable in the wrong hands.”

Online auctions

He continued: “Smartphones are absolutely the target of choice for criminals. They are used for all aspects of a person’s life, and mobile phones are less protected than computers currently.

“The most valuable ones are the ones that have banking data on them – particularly if it is data that gives access to corporate accounts.”

Gangs have even set up “legal” auction websites to promote and detail the information found on the devices they sell, with prices for the phones typically ranging from £10 to £100.

These include Russian website Spamdot, which previously sold data taken from servers and PCs, but which has now turned its attention to smartphones.

Another Russian site, Citadel, which is also known as Fortress, sells malware that enables users to access personal information mined from mobile phones, as well as allowing them to recover deleted information.

It also sends a link to a phone number or email which, if opened, provides access to the device they have obtained.

Market shift

Garner, who works closely with the police to gather information on the activity, said the market has shifted towards mobile phones as prices paid for stolen credit card details have fallen.

Garner said: “These sites originally sold stolen credit card information, but there is now a whole new underground economy selling software that is understood to hack into both mobile phones and computers.

“We know there is a huge increase in the amount of activity on these sites. The prices for stolen credit card information have lowered, as it is so common. It is more profitable to do it with phones.

“These phones are stolen in the UK or were sent abroad for recycling but not wiped properly. The sites selling the data are traditionally located abroad.”

Two of the leading mobile phone recyclers in the UK, Mazuma Mobile and Fonebank, said they have not had any problems with data stored on the devices they handle.

Mazuma MD Charlo Carabott told Mobile News the firm ensures all of its handsets are wiped, whether they are faulty or fully functioning, and it only works with “approved partners”.

Carabott claimed Mazuma has recycled more than 4.5 million handsets to date since it started trading in 2007 and that, as well as running its own data-wiping procedures, it provides customers with details on wiping all data themselves.

Carabott said: “To date, we have had no issues with data whatsoever. No one has a complete system, and operating systems are being launched all the time, but we have a number of stages where the devices are wiped and checked.”

Fonebank director Olly Tagg told Mobile News it has yet to experience issues with data, but he said he believes more needs to be done to ensure the risks are reduced further.

Tagg said more responsibility should be placed on network operators, manufacturers and even the Government to help increase awareness of the potential issues which can arise from storing private information on mobile phones.

“There needs to be more education,” Tagg said. “It was not really an issue years ago when people’s phones were just used for calling, but now people use their phone like a computer.

“There needs to be a big move towards ensuring data is removed, but it needs to be a coordinated approach – it is very easy to point the finger at recyclers, but it should be an industry-wide effort.”

Mobile News contacted UK recyclers Envirofone, Redeem, Mobile Phone Xchange, RPC Recycle, Fone Hub, Simply Drop and Money4mymobile, all of whom declined to comment.