Old or broken phones an ID theft concern

Smartphone exchanges, resales and swaps have become a billion-dollar business, but such transactions are raising concerns about the security of consumer data after those devices change hands.

The worldwide market for refurbished phones was 56 million units in 2014, and that number is expected to grow to 120 million units worth $5 billion by 2017, according to research firm Gartner, Inc.

With more consumers opting to resell, recycle or exchange their phones, there is a growing data security issue, according to Jack Gerbs, I.T. security expert and CEO of Quanexus in Centerville.

“The choice is to destroy that phone and get another one, or trust the company and the processes the company has put into place,” said Gerbs, adding that no industry-wide standards exist.

“If the phone doesn’t work, the data is still on there,” he said. “There are tools the bad guys can use to steal your information and that could be used against you.”

Joshua Laymon of Xenia said he is on his second refurbished phone that no longer works. He said he’s been offered another exchange through his carrier, but he’s concerned about the banking, credit card and client information contained on the phone.

“My concern with turning it in is that the information on there is able to be seen by human eyes. It’s a trust thing,” Laymon said. “It’s hard to trust people you don’t know.”

For a working phone, many consumers opt for a factory reset, but that doesn’t always erase everything, according to the University of Cambridge. Researchers studied 20 second-hand smartphones and found that even after a factory reset, more than 80 percent of data — including pictures, emails and texts — was able to be accessed.

The Cell Phone Industry Trade Association (ctia.org) has compiled a list of apps consumers can use to wipe their own phones. It also offers a list of recommendations, including manually overwriting and deleting all passwords and PINs, security setting parameters, apps, pictures, SD memory cards and peripheral device settings.

Those steps, along with a master reset, should erase the data, said Gerbs.

But don’t forget the subscriber identity module, or SIM card.

“Take the SIM card out. A master reset is not going to wipe the SIM card,” Gerbs said. “You have to be responsible to take care and protect your own identity.”

This newspaper contacted Samsung, the maker of Laymon’s smartphone, and it issued this statement:

“Samsung takes consumer privacy and data security very seriously. It is our policy that the data on all phones that are refurbished is wiped completely. In the event that the data cannot be cleared off a phone, for any reason, the phone is safely destroyed.”

Samsung also encourages its customers to enable the ‘Find My Mobile’ feature on their phones in order to actively manage and protect their data.

Laymon said he wants carriers and manufacturers to offer some sort of additional assurance that data is safe.

“It would be nice to have some sort of guarantee, some type of identity theft protection,” he said.

Laymon said isn’t taking any chances; he will keep the non-working phone and destroy it himself.

“I’ll be paying for two phones — 1200 bucks. It’s definitely aggravating.”