Tuesday, 27 October 2015
When it comes to exposure of personal data, people tend to imagine Vitamin D-deficient cybercriminals flogging bank details hacked from someone’s account.
But every day, people freely trade their most personal information for minimal economic gain on online marketplaces like eBay.
You might think no one would be so foolish, but School of Computer and Security Science Lecturer Patryk Szewczyk disagrees.
For the past five years, he has been buying second-hand memory cards online and using simple digital forensic tools to recover the sellers’ data.
He’s not surprised by anything he finds on the cards anymore.
“I’ve seen everything from resumes to family photos, utility bills, medical certificates, government documents, documents from doctors, referral or recommendation letters, even payslips,” he said.
“We’ve interrogated more than 1000 memory cards over the years and there’s basically nothing we haven’t seen.”
The potential for identity theft from the information stored on the cards is almost limitless, and on more than one occasion Szewczyk has had to hand information to police.
Yet most people don’t get a good price in return for throwing the key to their life away.
He estimates most get a few dollars for the memory cards, once fees and postage have been paid.
The project is part of Szewczyk’s ongoing research into how well the general public handle their personal information.
And the short answer is – not well.
“I think people have a misconception of the erasure capabilities of common operating systems,” he says.
“People assume that if they format a card then that data is gone.” But formatting a memory card or hard drive is like ripping out the contents page of a book, he explains.
While it makes it harder to find something inside, the information is still there.
The software Szewczyk uses reads the whole ‘book’ and uses unique identifying codes to isolate and restore individual files.
These techniques also require no technical expertise.
Dozens of five‑minute YouTube videos can show anyone interested how to recover the data.
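The "contents page" analogy above can be checked before a card leaves your hands. This is an added example, not code from the article or from Szewczyk's research. It uses a constructed toy image (the layout, `INDEX_SIZE` and the function names are assumptions) to show that clearing only the index leaves file signatures in place, while a full overwrite does not.

```python
# Added example: constructed data only; the layout is a toy model, not a real filesystem.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip/docx": b"PK\x03\x04",
}
INDEX_SIZE = 512  # assumed size of the toy "contents page"


def build_card():
    """Return a constructed 8 KiB image: an index block followed by file data."""
    image = bytearray(8192)
    index = b"PAYSLIP.PDF@1024;PHOTO.JPG@4096;"
    image[:len(index)] = index
    pdf = b"%PDF-1.4 constructed payslip body %%EOF"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed photo bytes" + b"\xff\xd9"
    image[1024:1024 + len(pdf)] = pdf
    image[4096:4096 + len(jpg)] = jpg
    return image


def quick_format(image):
    """Clear only the index, as in the article's analogy; file data is untouched."""
    out = bytearray(image)
    out[:INDEX_SIZE] = bytes(INDEX_SIZE)
    return out


def full_overwrite(image):
    """Overwrite every byte of the image with zeros."""
    return bytearray(len(image))


def residual_signatures(image):
    """Return sorted (offset, kind) pairs for every known signature still present."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    card = build_card()
    for label, img in [("quick format", quick_format(card)),
                       ("full overwrite", full_overwrite(card))]:
        print(label, "->", residual_signatures(img) or "no known signatures left")
```

An empty result only means none of the listed signatures appear in the bytes that were read; it does not prove that nothing else remains on the card.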
Szewczyk says most people are unaware of the risks and online vendors should be doing more to protect sellers.
“I don’t think we should be expecting the end user to always be responsible and to make sure their data is erased appropriately,” he says.
“The onus should be placed on the service providers who are allowing people to sell these cards. Having a notification and link to a site showing how to erase data securely is not that hard.”
The only way to be sure personal data on memory cards doesn’t end up in the wrong hands is never to sell them in the first place, says Szewczyk – and for extra protection smash them with a hammer once they are no longer being used.
This article first appeared in EDITH Magazine Issue #4. It is available for download via the EDITH Magazine webpage.