Sensitive Data On Phones And Tablets Can’t Be Erased, Researchers Say
Written by Frank HayesMaking sure that deleted data is really gone has never been easy, and it just keeps getting more difficult. On February 16, a group of researchers reported that it’s almost impossible to reliably erase sensitive data from smartphones and thumb drives. In fact, as much as 85 percent of a “deleted” file may still exist in flash memory—even after using techniques that would obliterate data from a conventional hard drive.
That means the most mobile of devices, which are the hardest to physically secure, are also the hardest to keep safe from a data perspective. And at a time when retailers are beginning to hand tablets and smartphones to associates so they can let customers check out anywhere in the store, it raises a serious question: If a thief walks off with that mobile device, just how much sensitive information could the thief get access to? Short answer: A lot, if he’s willing to open up the device, remove the flash memory chips inside and read them directly.
That’s what the researchers from the University of California, San Diego, did. They tested a variety of solid-state drives, including USB thumb drives, by loading them with data, erasing and overwriting the data using various techniques known to work well on conventional magnetic disks, and then opening the devices and checking the chips to see what had survived.
The results are pretty depressing. On thumb drives—which are probably the riskiest place to put sensitive data anyway, because they’re so easily lost or stolen—a file that had been overwritten 10 times was barely gone at all at the chip level: 84.9 percent of the data survived.
Put simply, what works for magnetic hard drives—writing on top of the existing data—doesn’t work on flash drives. There’s simply no safe way to store sensitive data on those drives, because there’s no way to reliably delete them. The only secure way to deal with that data is either to encrypt it or to never store it on the thumb drive or smartphone in the first place.
Here’s the problem: On conventional hard drives, it’s possible to actually overwrite data on exactly the same spot on the magnetic surface. Change those bits magnetically, and the sensitive data is gone.
But flash drives don’t work that way. They can’t write small pieces of data in-place on the drive, even though that’s what appears to be happening. Instead, one entire chunk of flash memory is copied to a different chunk of memory, but with the new data replacing the old. Then the new chunk of memory (technically it’s called a page) is logically swapped in for the old page, which is added to the list of empty space on the drive.
Unfortunately, that old page hasn’t actually been erased.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
