Buyers Scour eBay For Data-Rich Hard Drives

Welcome Guest. | Log In| Register | Membership Benefits

January 30, 2006 (2:40 PM EST)

By Gregg Keizer , TechWeb Technology News

Buyers on eBay troll the online auction site for used drives in the hope that the platters haven't been wiped clean and contain valuable data, including credit card numbers, a researcher said Monday.

Simson Garfinkel, a postdoctoral fellow at the Harvard's Center for Research on Computation and Society, has been buying used hard drives on eBay since 2001, then analyzing the data he finds on some of the devices.

Of the 236 drives Garfinkel bought, 7 contained more than 300 recoverable credit card numbers; one from had more than 11,000 unique account numbers that he could retrieve.

That's because only 19 percent of drives he acquired had been wiped clean. The majority of previous owners had either not touched the drives or had only run the DOS commands FDISK and FORMAT, which actually leave data on the drive so users with simple diagnostic tools can read the information.

Some eBay buyers are sniffing for such drives. "I think that many drives sell for more than their market value," on eBay, Garfinkel said in an e-mail interview with TechWeb. The only explanation: they're playing the possibilities, and expect there's data on some of the drives they buy.

Garfinkel even tracked down the original owners of the 7 credit card-packed drives, using basic detective work such as analyzing the most common e-mail addresses on the platter and/or reviewing intact Word documents for clues.

The drive with 11,609 unique credit card numbers came from a medical center, which had also disposed of another drive with 81 additional numbers that Garfinkel purchased. Other drives came from an ATM (with 827 unique numbers), a supermarket (1,356 numbers), and an auto dealerships (498 numbers).

By Garfinkel's calculations, about 1,000 used drives are sold daily on eBay. Using his findings -- 3 percent of the drives he purchased contained more than 300 recoverable credit card numbers -- about 30 of those devices have confidential financial information.

Try TechWeb's RSS Feed!
(Note: The feed delivers stories from TechWeb.com only, not the entire TechWeb Network.)

SECURITY WHITE PAPERS AND REPORTS

Configuration Audit and Control for Virtualized Environments
Find out how to maintain the same level of stability and security across both virtual and physical environments, using the same software and approach.

CIGNA Finds Good Therapy: Builds a More Efficient Risk Management, Streamlined Compliance, and System Security Program
To bolster the vulnerability management portion of its overall risk management program, CIGNA selected QualysGuard, thus enabling the company to streamline control of its entire vulnerability management lifecycle: asset discovery, vulnerability assessments, track security fixes, and meet federal, state, and internal policy regulations.

Best Practices for Windows Vista Planning, Migration, and Ongoing Management
It is vital to ensure PC system and data security during migration to Windows Vista. This white paper highlights considerations that must be addressed over the entire migration process.

Auditing: What You Need to Know
All companies must go through a formal auditing process to ensure they're meeting various compliance demands. In theory, this exercise will help them understand where their security holes are and how to make appropriate improvements. But how do companies ensure their auditors understand specific IT security issues and requirements? We find out.