Thanks to Brian Krebs, this week I learned that this scenario exists:
Imagine, if you will an identity thief caught in the act by law enforcement. As part of the evidence collection, they find a mobile device with a whole bunch of stolen credit cards, driver’s licenses, and other data that was in the process of being used by said thief, to steal the identities of dozens of people.
That evidence sits in the property room until such a time as the law says it’s safe for the law enforcement agency to get rid of it, at which time the device is put up for auction.
You would think that before auctioning off these devices with illegally-gotten and dangerous information on them, the various agencies would have wiped them clean, no?
According to the University of Maryland, you’d be completely wrong.
Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients.
One phone had full credit files for eight different people on it. On another device they found a screenshot including 11 stolen credit cards that were apparently purchased from an online carding shop. On yet another, the former owner had apparently been active in a Telegram group chat that sold tutorials on how to run identity theft scams.
The most interesting phone from the batches they bought at auction was one with a sticky note attached that included the device’s PIN and the notation “Gry Keyed,” no doubt a reference to the Graykey software that is often used by law enforcement agencies to brute-force a mobile device PIN.
Not only did they not wipe that phone, they didn’t even bother to remove the sticky note with the PIN from the back of it. That’s just the kind of laziness that causes many people to not trust law enforcement, isn’t it?
Follow these topics: Security