by Linda Geddes (New Scientist)

The pocket spy: Will your smartphone rat you out? – tech – 14 October 2009 – New Scientist.

THERE are certain things you do not want to share with strangers. In my case it was a stream of highly personal text messages from my husband, sent during the early days of our relationship. Etched on my phone’s SIM card – but invisible on my current handset and thus forgotten – here they now are, displayed in all their brazen glory on a stranger’s computer screen.

I’ve just walked into a windowless room on an industrial estate in Tamworth, UK, where three cellphone analysts in blue shirts sit at their terminals, scrutinising the contents of my phone and smirking. “If it’s any consolation, we would have found them even if you had deleted them,” says one.

Worse, it seems embarrassing text messages aren’t the only thing I have to worry about: “Is this a photo of your office?” another asks (the answer is yes). “And did you enjoy your pizza on Monday night? And why did you divert from your normal route to work to visit this address in Camberwell, London, on Saturday?”

I’m at DiskLabs, a company that handles cellphone forensic analysis for UK police forces, but also for private companies and individuals snooping on suspect employees or wayward spouses. Armed with four cellphones, which I have begged, borrowed and bought off friends and strangers, I’m curious to know just how much personal information can be gleaned from our used handsets and SIM cards.

A decade ago, our phones’ memories could just about handle text messages and a contacts book. These days, the latest smartphones incorporate GPS, Wi-Fi connectivity and motion sensors. They automatically download your emails and appointments from your office computer, and come with the ability to track other individuals in your immediate vicinity. And there’s a lot more to come. Among other things, you could be using the next generation of phones to keep tabs on your health, store cash and make small transactions – something that’s already happening in east Asia (see “Future phones”).

Gone phishing

These changes could well be exploited in much the same way that email and the internet can be used to “phish” for personal information such as bank details. Indeed, some phone-related scams are already emerging, including one that uses reprogrammed cellphones to intercept passwords for other people’s online bank accounts. “Mobile phones are becoming a bigger part of our lives,” says Andy Jones, head of information security research at British Telecommunications. “We trust and rely on them more. And as we rely on them more, the potential for fraud has got to increase.”

So just how secure is the data we store on our phones? If we are starting to use them as combined diaries and wallets, what happens if we lose them or they are stolen? And what if we simply trade in our phones for recycling?

According to the UK government’s Design and Technology Alliance Against Crime (DTAAC), 80 per cent of us carry information on our handsets that could be used to commit fraud – and about 16 per cent of us keep our bank details on our phones. I thought my Nokia N96 would hold few surprises, though, since I had only been using it for a few weeks when I submitted it to DiskLabs. Yet their analysts proved me wrong.

Aside from the text messages stored on my SIM card, the most detailed personal information that could be gleaned from my handset came from an application called Sports Tracker. It allows users to measure their athletic performance over time and I had been using it to measure how fast I could cycle to work across London. It records distance travelled, fastest speed at different points along the route, changes in altitude, and roughly how many calories I burn off. But when DiskLabs uploaded this data to their computer and ran it through Google Maps and Street View, they were able to pull up images of the front of my office and my home – with the house number clearly displayed. Sports Tracker also recorded what time I normally leave the house in the morning and when I return from work. “If I wanted more information, then I could just stalk you,” says Neil Buck, a senior analyst at DiskLabs.

I had deliberately chosen to turn Sports Tracker on, and many people might not stop to consider how such programs could be used against them. In February, Google launched Latitude, networking software for smartphones that shares your location with friends. It can be turned off, but campaign group Privacy International is concerned by Latitude’s complex settings and says it is possible the program could broadcast your location to others without your knowledge. “Latitude could be a gift to stalkers, prying employers, jealous partners and obsessive friends,” the organisation warns.


A phone-based calendar could also leave you vulnerable. Police in the UK have already identified burglaries that were committed after the thief stole a phone and then targeted the individual’s home because their calendar said they were away on holiday, says Joe McGeehan, head of Toshiba’s research lab in Europe and leader of DTAAC’s Design Out Crime project, which recently set UK designers the challenge of trying to make cellphones less attractive to people like hackers and identity thieves. “It’s largely opportunistic, but if you’ve got all your personal information on there, like bank details, social security details and credit card information, then you’re really asking for someone to ‘become’ you, or rob you, or invade your corporate life,” McGeehan says.

Code cracker

When Buck looked at my colleague’s iPhone, he found two 4-digit numbers stored in his address book under the names “M” and “V”. A search through his text messages revealed a few from Virgin informing him that a new credit card, ending in a specific number, had just been mailed to him. Buck guessed that “M” and “V” were PIN codes for the Virgin credit card and a Mastercard – and he proved to be correct on both counts.

“Out of context, an individual piece of information such as an SMS is almost meaningless,” says Jones. “But when you have a large volume of information – a person’s diary for the year, his emails, the plans he’s building – and you start to put them together, you can make some interesting discoveries.”

In this way the DiskLabs team also identified my colleague’s wife’s name, her passport number and its expiry date, and that she banks with Barclays. Ironically, Barclays had contacted her regarding fraud on her card and she had texted this to her husband. Buck’s team also discovered my colleague’s email address, his Facebook contacts, and their email addresses.

This kind of personal data is valuable and can fetch a high price online. It’s ideal for so-called 419 scams, for instance, in which you receive an email asking for help in exporting cash from a foreign country via your bank account, in exchange for a share of the profits. “What they need to launch a successful 419 scam is personal information,” says Jones.

A growing awareness of identity theft means that many people now destroy or wipe computer hard drives before throwing them away, but the same thing isn’t yet happening with cellphones, says Jones. At the same time, we are recycling ever greater numbers of handsets. According to market analysts ABI Research, by 2012 over 100 million cellphones will be recycled for reuse each year.

As part of a study to find better ways to protect cellphone data, Jones recently acquired 135 cellphones and 26 BlackBerry devices from volunteers, cellphone recycling companies and online auctioneers eBay. Around half of the devices couldn’t be accessed because they were faulty. In our own smartphone experiment, we were unable to retrieve any data from a BlackBerry, or the Samsung E590.

However, Jones’s team found 10 phones that contained enough personal data to identify previous users, and 12 had enough information for their owner’s employer to be identified – even though just three of the phones contained SIM cards.

Of the 26 BlackBerrys, four contained information from which the owner could be identified and seven contained enough to identify the owner’s employer. “The big surprise was the amount we got off the BlackBerry devices, which we had expected to be much more secure,” says Jones. While BlackBerry users have the option of encrypting their data or sending a message to purge data from their phones should it be sold or stolen, many had not done this. “Security is only any good if you turn the damned thing on,” says Jones.


His team managed to trace one BlackBerry back to a senior sales director of a Japanese corporation. They recovered his call history, 249 address book entries, his diary, 90 email addresses and 291 emails. This enabled them to determine the structure of his organisation and responsibilities of individuals working within it; the organisation’s business plans for the next period; its main customers and the state of its relationships with them; travel and accommodation arrangements of the individual; his family details – including children, their occupations and movements, marital status, addresses, domestic arrangements, appointments and addresses for medical and dental care; his bank account numbers and sort codes, and his car registration index. Two further BlackBerrys “contained details of a personal nature about the owner and other individuals that would have caused embarrassment or distress if it had become publicly known”, says Jones.

Although his team used specialist forensic software to retrieve data from the phones, much of it could be obtained directly from the handsets themselves, or by using simple software of the kind that is sold with a phone. “This was not designed to be a sophisticated attack, it used simple techniques that anyone would have access to,” Jones says.

That’s bad news, considering that around 20 million handsets were lost or stolen worldwide in 2008, according to UK data-security specialists Recipero. So how can people go about making their phones more secure? Turning on the security settings is an important first step, says McGeehan, as this may dissuade potential thieves from going to the effort of trying to crack the codes. Then make sure you delete anything you want to keep secret, while bearing in mind that it is often possible to recover it (see “Phone security Q & A”). “I work on the basis that anything I put on there I’ve got to be prepared for people to see,” says McGeehan.

As for me, I’ve taken to deleting potentially incriminating messages as soon as they arrive in my inbox – and reproving the sender in return. I have also passed my old handset to my husband for safekeeping. If those brazen messages must fall into someone else’s hands, I’d rather they were the hands of the Don Juan who composed them than a smirking IT geek in a distant windowless room.

To read the rest of this article please go to: New Scientist

With the recent incident highlighted in an article on The Register website regarding the theft of consumer electronics from people’s luggage and their subsequent sale on eBay, once again the use of CheckMEND could have saved a lot of people buying this stuff a lot of hassle. Remember, if it looks too good to be true it probably is; always check what you are buying with CheckMEND.

I have just been watching BBC News and one of their features was ‘Why shopping online could reward’.

The feature really focused on the fact that shoppers who like to spend their money online could also be earning at the same time, and used an example from a woman who would only purchase items once she had sold a few on eBay and made a small profit. Great example of how online shopping can really work well with the current credit crunch. However, I do wish the BBC had highlighted some of the risks involved in online shopping, like CNBC have done.

Yesterday we launched in the US and have already seen some coverage including from the Denver Post and it states we aim to curb the cybercrime of selling suspect second-hand goods. Hopefully there will be more to follow.

Anyway, hopefully the USA launch will be just as successful as the UK. According to the US Census Bureau the population of USA currently stands at 304,381,960 with:
• One birth every 7 seconds
• One death every 13 seconds
• One international migrant (net) every 29 seconds
• Net gain of one person every 10 seconds

Of the global population of internet users, 27% are in the US and, having read a lot of online articles and blogs, e-fencing is proving to be a problem which the US is struggling to control. E-fencing laws have been discussed as being essential to combat organised retail crime. However, CheckMEND should now be an answer to their prayers, so let’s see how it goes.

This is what we do best and we have had plenty of stories from people who didn’t discover CheckMEND in time…

For example, Andrew Gudelajtis, from Mansfield, bought a Vodafone Nokia mobile phone from eBay for his wife. The phone arrived in a sealed box and was sold as being brand new, but after using it for six weeks the mobile phone stopped working.

He decided that he should use CheckMEND to check the IMEI number on its database. The search came back and identified the phone as being stolen or blocked. Unfortunately Andrew was then unable to re-trace the eBay seller and is left with a phone that doesn’t work and at the moment he is pursuing Vodafone to see if they can help – either by unblocking the phone or chasing the seller.

Hopefully he will have some luck at some point, but it is a great example of why you should use ‘CheckMEND before you buy’ or insist on sellers having a CheckMEND report. Or as I mentioned within my last post we should push for eBay to insist all sellers conduct a CheckMEND report!

Any questions – please fire them this way!

E-fencing – it’s an easy way to make fast cash and there are no regulations to stop you. BUT we can change this.

E-fencing is increasing every day, according to CNBC, with the help of faceless online auction sites such as eBay, and we need to really start looking into ways to overcome these issues. Well, CheckMEND already have.

CNBC news in the USA have been really pushing the dangers consumers are facing in order to make e-fencing a more recognized problem.

The US-based National Retail Federation even went as far as to predict health problems caused by e-fencers re-selling stolen beauty products online, listing Cover Girl, Olay and RoC as the most common targets of e-fencing.

New York-based Tiffany & Co has previously filed a lawsuit against eBay, and a host of other major retailers have all tried to persuade eBay and other online auction companies to combat e-fencing, but little has moved forward.

I have noticed a few online discussions by a number of cyber-crime bloggers about who is to blame and whose responsibility it is. One I would like to highlight is Investor Trip’s. They point out the fact that eBay seem to be passing the buck, quoting eBay’s Vice President of Trust & Safety Rob Chesnut: ‘increase theft protection at the retail level. It’s the job of these major retailers to prevent criminals from lifting their products.’

Although eBay is right, I still believe it is also the responsibility of eBay, and other online auction sites, to protect their users. One simple way of doing this is to CHECKMEND IT. From our perspective, asking all sellers to carry out a compulsory CheckMEND check would solve a lot of e-fencing problems.

Currently, there is an option to carry out a CheckMEND report on eBay but it’s not compulsory. If we can persuade eBay to enforce it, then at least consumers will know they are shopping safely with eBay! Reassurance is all they need.

Anyway, here are some interesting snapshots of the top 10 eBay selling markets last year by rank, published on 14.05.2008 by Harris Interactive:

Los Angeles-Long Beach, California
- 196,089 Los Angeles residents sold 24,051,645 items for a total of $1,396,037,518.
- Best-selling categories for Los Angeles sellers were cell phones and their accessories as well as clothing and accessories.
- Los Angeles sellers were also the most charitable eBay sellers last year, donating the most of any city via eBay Giving Works, eBay’s program that helps people buy and sell for a cause, turning e-commerce into a force for good.

New York
- 158,859 New York City residents sold 12,621,651 items for a total of $1,045,503,913.
- Best-selling categories for New York sellers were jewelry, gems, watches and clothing and accessories.

Chicago
- 172,972 Chicago residents sold 10,229,844 items for a total of $908,708,440.
- Best-selling categories for Chicago sellers included toys and sports memorabilia.

Philadelphia
- 120,900 Philadelphia residents sold 7,069,212 items for a total of $584,383,915.
- Best-selling categories for Philadelphia sellers included collectibles and toys.

Dallas
- 85,484 Dallas residents sold 5,003,292 items for a total of $754,493,210.
- Best-selling categories for Dallas sellers included jewelry, gems and watches, and clothing and accessories.
- Dallas sellers also made more money on sales of cars and trucks than did sellers in any other top-10 U.S. seller market.

Orange County, California
- 75,486 Orange County residents sold 6,945,490 items for a total of $636,654,084.
- Best-selling categories for Orange County sellers were auto parts and cell phones and accessories.

Washington, D.C.
- 112,462 D.C. residents sold 5,024,888 items for a total of $393,720,726.
- Best-selling categories for D.C. sellers included books and toys.

Houston
- 76,450 Houston residents sold 4,297,389 items for a total of $528,872,858.
- Best-selling categories for Houston sellers included health and beauty and collectibles.

Nassau-Suffolk, New York
- 70,714 Nassau-Suffolk residents sold 5,396,880 items for a total of $400,253,200.
- Sports memorabilia and health and beauty were best-selling categories here.

Fort Lauderdale, Florida
- 39,623 Fort Lauderdale residents sold 2,838,954 items for a total of $631,845,063.
- Best-selling categories for Fort Lauderdale sellers included home furnishings and auto parts.

The survey was carried out by Harris Interactive. They also revealed that one in 10 US adults (that’s 11 percent) is currently selling personal household items to generate extra cash, with the majority (59 percent) doing so via online sales or auction sites like eBay. Additionally, 30 percent of all adults say they are likely to sell their personal or household items over the next three months to earn extra cash. Great, but are you sure they are not stolen!!!

So, let’s all jump on the bandwagon and make sure a CheckMEND check is enforced with all sales on eBay.

For those of you who have heard about it, but wondered what CheckMEND is and how it came about I thought I would give you the low down on why and how it all began.

Me, founder of CheckMEND.com

Lost my phone!

In 2000 I lost my phone on the London Underground and went to the lost property office to try to find it. However, I was then faced with the task of providing a serial number, or what we also know as the IMEI number. But in 2000 no one had really heard of what an IMEI number was, let alone knew their own!

Anyway after eventually finding my IMEI number and recovering my phone, I realised that all modern consumer electronic products have a unique serial number and that without them there was little way of distinguishing one item from another. Thus, I formed the idea that there was a need in the market for a pre-loss or theft registration service containing these serial numbers.

Previous career path

My career has always involved providing services to the consumer. Back in 2000, at the age of 40, I sold my chain of restaurants, bars and leisure facilities, with the aim of taking early retirement and relaxing after a very full working life… until the idea for CheckMEND hit me.

I decided to start up a company called Recipero (Latin meaning to retain or recover), with a view to building a company that provided a range of products and services based on the accumulation, organisation and analysis of information relating to personal property ownership, associated criminality, fraud and illegal trading.

The simple pre-loss registration database:

The starting point was with a simple pre-loss registration database, but it quickly became apparent that there was value in the analysis of the data and potential to provide HPI-type data for consumer electronics. This was reinforced at the time with the explosion of online auction sites and the willingness of people to buy and sell second-hand goods online, all at the same time as the huge increase in the theft of mobile phones and other mobile devices such as laptops, iPods and the like.

The next three years were spent populating the MEND data warehouse and building partnerships across the mobile industry, with the likes of Carphone Warehouse and mobile phone networks. The police forces were also a vital partner for me.

Eventually, the system grew and now contains billions of pieces of discrete information and is accessed over a million times a month by the mobile phone industry, all UK Police forces, major insurers, the second-hand trade, recyclers and the public.

CheckMEND.com was launched in 2006 and the CheckMEND database is now used extensively by the second-hand trade and the public. The most common use of CheckMEND by the general public is when they are buying or selling items from online auction sites like eBay.

Taking it international:

I can now safely say the company is well established and we are starting to focus on business outside the UK. 2008 will see two new launches for CheckMEND.com. One in the US, which the Recipero and CheckMEND teams are extremely excited about, with the U.S. being the largest market for consumer electronics. Not only that, we have already begun the process of launching in Asia too.

Obviously the road to where we are today didn’t all run as smoothly as suggested above; many a challenge was faced and problem overcome, but this is the CheckMEND story… so far…

Have a look at the YouTube video: http://www.youtube.com/watch?v=6zcm9VFNvuQ

Following our last post on £5 billion stolen goods for sale online, it seems that online auction sites are taking the heat, but as Identity Resolution Daily points out, if they reduce what is termed e-fencing – selling stolen goods online – they will lose most of their revenue.

However, if these auction sites ignore the statistics and continue to allow themselves to be marketplaces for selling ‘stolen goods’, they will soon become high-profile case studies for us. Beware – you will get caught.

There has been much discussion within the mobile tech community on whether CheckMEND is a good deal, which our very own bat phone cleared up:

Hi, just to let you know CheckMEND ‘trade’ account is such only because that’s who they think would be interested in it. In fact the VAT number and co number are optional at registration and the only thing ‘trade’ about it is a minimum £25 worth of checks purchased at registration. At the moment though you get 50 checks for this so paying only £0.50 instead of £2.99 for your first fifty checks and only £1 per check after that.

Of course reselling checks is against the terms and all your certificates will have the account holder’s details on, so giving them away becomes awkward too, but if you may check several phones in future (the credits never expire) it’s a good deal.

Declaration: I work for the parent company but this isn’t an advert, I just want to put right the misunderstanding about trade accounts. I’ll pass on the confusion and perhaps the web guys will modify the website.

We have some hard hitting facts for you, collated from our CheckMEND database.

Mobile Phone stats from CheckMEND

  • Of the £5bn of stolen goods for sale online, it is estimated that £2.6bn can be attributed to mobile phones
  • Of all the checks carried out on CheckMEND over the last 18 months, 67% were made on mobile phones, which equates to 6,700,000 checks made through CheckMEND to check the IMEI number of a mobile phone
  • Out of every town in the UK, you are most likely to be sold a stolen mobile phone in Leicester

CheckMEND has identified 3,522 stolen handsets in the last 23 days, that’s 153 a day, and these checks indicate that the places you are most likely to be offered a stolen phone, in order of likelihood, are:

Leicestershire

Greater London – Finsbury Park, North London – 600 policemen arrested 70 people!

Birmingham

Manchester

Cambridge

The Nokia N95 is the most checked phone as it is at the top end of the price range for second-hand phones, so watch out N95 users…

Please remember to protect your mobile phone and register your belongings free with Immobilise (www.immobilise.com).

After you register your property as stolen, your information will be fed to our CheckMEND database and we can stop all e-fencing criminals from re-selling your property.