StorefrontBacktalk

This is page 2 of:

Sensitive Data On Phones And Tablets Can’t Be Erased, Researchers Say

February 24th, 2011

Unfortunately, that old page hasn’t actually been erased. The sensitive data is still there—just not accessible through the “flash translation layer,” the circuitry that makes flash memory look like a disk drive. There’s no way for a program to kill that data.

But it’s relatively easy for a thief who steals a thumb drive to pry it open, connect the flash memory chips to an under-$1,000 homemade reader and resurrect most of the data—payment card numbers, personal customer information or whatever else is supposed to have been deleted.

If that seems unlikely, remember that thieves have hacked together some very sophisticated hardware to steal payment card data. The UCSD researchers said a copy of their own flash-chip reader “would require only a moderate amount of technical skill to construct.”

Indeed, the researchers said the only way to be sure that data was deleted from a flash-memory device was if the manufacturer specifically designed a “secure delete” function into the drive—and then that function would probably only work reliably if it was erasing all the flash memory in the drive. And that’s not likely to happen for all flash drives any time soon. For the cheapest ones—thumb drives—it may never happen.

What does that mean if you’re going to use iPhones or iPads in your store? Don’t store any sensitive data on the flash-memory “drive” in the mobile device, even temporarily. Apple’s i-devices use regular programming memory that can be securely wiped, so it’s probably safe to hold a payment card number in memory momentarily while a card is being swiped. But storing it on the device’s flash drive? Not safe—even a remote wipe won’t reliably clear that data.

Of course, in practice, the price of an iPhone or iPad actually provides a little bit of security (though only a little). Dismantling the device to sift through the flash-memory chips will almost certainly destroy its resale value. And there’s no guarantee for a thief that there will be anything useful hidden in the mobile device’s memory. It’s a gamble, and maybe—maybe—a thief will go for the quick profit instead of the long-shot.

Still, making sure programmers don’t use flash storage for any unencrypted sensitive data is probably a good practice in any retailer’s IT shop.

But thumb drives? They have no resale value. They’re cheap, easy to disassemble, have no remote-wipe function and are routinely used for carrying unencrypted data. That makes them unsafe for any type of sensitive information—and the perfect target for thieves.

No one in your business should be using thumb drives. And good luck getting rid of them.

Posted in Security/Fraud

Comments are closed.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.