The concept behind pawn shops is relatively old-fashioned. In recent years, however, a new danger has entered the picture: identity theft.
Pawn shops give out small, short-term loans using a borrower’s item of value as collateral. The shop holds onto the item for a set period of time and, if the loan isn’t repaid, takes possession of the item and sells it to recoup the loss. Historically, the worst thing that could happen to someone who doesn’t repay the loan is losing a cherished gold watch passed down for generations. Not anymore.
According to Jordan Birnholtz, co-founder of the Detroit-based startup PawnGuru, many of the personal computers being sold by pawn shops across the country still contain bits and pieces of personal information left behind by their previous owners. That data could expose people who rely on pawn shops to make ends meet—like some of the 30 million un-banked and under-banked Americans—to having their privacy invaded and their identities stolen.
Birnholtz started PawnGuru in 2014 as a way to improve the pawn industry for customers. “What we found was that pawn shops were this very uncompetitive market,” he said. “We went door-to-door [to different pawn shops] in Detroit with eight or nine different items, and we found that the average price variance on any one of those items was 300 to 400 percent. A ring would be $100 somewhere and then $400 elsewhere.”
For a lot of the people utilizing pawn shops, the ability to comparison shop between different locations is prohibitively onerous. They’ll simply go to the one store that’s most geographically convenient and either accept or reject the price they get. Birnholtz wanted to add a layer of transparency into the process.
“[PawnGuru lets] people post a request to sell or buy an item online, so all the pawn shops will get back to them ahead of time,” he explained. “I’ve actually seen situations where people say at the shop, ‘Are you sure about this offer because I’m going to go pay for bus fare because I don’t have a car.’ We let people figure out where the best deal is ahead of time. We try to give them a little more information, which is leverage in a pretty difficult situation.”
The site has signed up about 2,000 pawn shops so far—roughly one in every six pawn shops in the United States.
Despite the growth of his business, something bothered Birnholtz. Before launching PawnGuru, he worked at a cybersecurity-focused venture capital firm, which got him thinking about the serious digital privacy risks affecting every computer user. He noticed that laptops were one of the most common items being sold at the pawn shops that signed up for PawnGuru.
“I started to think to myself, what are the odds those drives are being wiped correctly? The pawn shops are wiping the drives, they’re earnestly trying to protect the customers—I honestly don’t think it’s malicious at all, but what are the odds those drives are actually being wiped clean of the previous users’ data?” he said. “It turns out the odds are not very good.”
Birnholtz recruited college friends from around the country to purchase laptops at pawn shops and then send them his way. He also snagged a few from shops near his home. Birnholtz ended up with 30 in all, usually for a couple hundred dollars each. He then used a free piece of software, PhotoRec, to recover the data that had been deleted from the devices.
In 65 percent of cases, Birnholtz was able to determine the identities of the previous owners of the laptops he purchased. He found some 1,400 personal documents, 300 corporate work invoices, the blueprints and schematics for factories of a “big three” automaker and one of its suppliers, and around 1,800 photographs.
While he never encountered anyone’s full credit card or bank account number, Birnholtz found a lot of bank statements containing the last four digits of Social Security and bank account numbers. He even found one set of screengrabs of text messages between family members exchanging the personal information they needed to log into a bank account. All of that information could be used by identity thieves to prey on innocent pawn customers.
Many of the photos Birnholtz found were, unsurprisingly, explicit in nature. “There was this guy who pretty clearly had a hetero-normative family, but all of his porn was incredibly queer,” he recalled. “This isn’t a major risk vector for financial information in the way the other stuff I described is, but you could out somebody based on the findings of our laptop search.”
“You’re not just getting information about the previous owners,” he continued. “You’re also getting information about people who are connected to the previous owners. If you’re just getting info on a single person, the return on investment on this might not be so good. But you have decent odds on getting information on people or on businesses that that person is affiliated with.”
Emmett Murphy, public relations director for the National Pawnbrokers Association, noted that, while about 85 percent of the customers who utilize pawn shops for loans repay the balance and ultimately get their item back, it’s standard policy for most pawn shops to wipe all tech devices clean as soon as they take them in.
“When a pawnbroker takes that item in, it is an emerging practice to make sure that they have all of the information that they need to take ownership of that item—even though the pawnbroker is likely to be giving that iPhone or iPad back to the person in 30 days, there is the chance that they won’t,” Murphy said. “So they need to be able to have ownership of it.”
Returning a device to its factory settings as soon as it is transferred into the pawn shop’s possession makes the resale process easier. It also serves as a check: deleting all of the data on a laptop or smartphone often requires entering the previous owner’s password. If someone brings in a device to which they don’t have the password, it’s a red flag that the device might be stolen.
“It’s in the best interest to make sure all of their information that is from that device is backed up somewhere, and they should know that likely the requirement for the loan or sale is that it’s unlocked and reset back to a factory default,” Murphy explained.
For people thinking of pawning a laptop or other electronic device, Bruce Snell, the cybersecurity and privacy director at Intel Security, provided a list of precautionary measures for keeping personal data safe. First, he suggested doing a full backup of all your data—music, movies, photos, contacts, etc.—before handing over your device.
Snell also advised decoupling your device from online accounts. “While it would seem logical that wiping a hard drive would essentially make it a new gadget, there’s a fair number of programs and services lurking deep on your device that may cause hiccups later,” he said. “Before you pass on a device, make sure you have logged out of every service you use and de-authorize that device to be associated with each account—this includes messaging accounts like Skype and iMessage; storage and backup programs like Dropbox; media and streaming services like iTunes; games, productivity software and especially security software.”
For those who want to take extra precautions, Snell suggested logging out of all your accounts on that device after changing your password. “While it may require you to log in again on your other devices,” he said, “it will make sure someone isn’t using your account on your old system.”
For pawnbrokers, Murphy noted, wiping the data can pose a challenge because deleting data from a device is, in effect, an arms race between the person doing the wiping and the person attempting to recover the information that has been wiped. Simply dragging all the files in the hard drive to the trash and clicking the “empty” button may be sufficient to keep that information inaccessible to someone with little technical skill, but it’s not going to deter the NSA—or anyone who downloads an app like PhotoRec, for that matter.
“If you’re going to erase a hard drive, it might, to the consumer and to an untrained pawn broker—it might look like that item has been wiped. But people do understand there are multiple levels of information that’s on a hard drive that may still be there,” Murphy said. “We encourage pawnbrokers to make sure that they have some system in place to wipe these devices clean.”
In Birnholtz’s estimation, most of the pawn shop owners he encountered during his computer-buying escapades were doing factory resets, but a sizable minority were just deleting the files—neither of which is sufficient to consistently outmatch the free recovery software he found online.
Birnholtz suggests pawn shops invest in a product similar to WiebeTech’s eRazer, a stand-alone hardware device that connects to a computer and wipes the hard drive more completely than many software-only solutions. Birnholtz is working with the shops listed on PawnGuru to convince them to purchase the eRazer or another comparable device. If a shop sends PawnGuru proof of purchase, the site plans on adding a badge next to their listing—a sign to people considering pawning their device at the shop that it’s safe for them to do so.
For actually wiping a device’s drive clean—which pawn customers would ideally do before handing it over to a pawn shop—there are a bunch of solid options like KillDisk and Darik’s Boot and Nuke.
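The gap between deleting files and overwriting them, described above, can be checked before a device is handed over. The following is an added example, not code from the article or from any tool it names: it scans a raw disk image for non-zero sectors and common file headers. The 8-sector toy disk, its one-entry file table and the sample document are constructed for illustration, and real filesystems are laid out differently.

```python
import io

SECTOR = 512
# File headers ("magic bytes") that signature-based recovery keys on.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-",
              "zip/docx": b"PK\x03\x04", "png": b"\x89PNG\r\n\x1a\n"}

def scan_image(stream, sector=SECTOR):
    """Return (non-zero sector count, [(offset, kind), ...]) for a raw image."""
    nonzero, hits, offset = 0, [], 0
    while block := stream.read(sector):
        if any(block):                      # any byte other than 0x00
            nonzero += 1
        for kind, magic in SIGNATURES.items():
            if block.startswith(magic):     # assumes files begin on a sector boundary
                hits.append((offset, kind))
        offset += len(block)
    return nonzero, hits

def build_image():
    """Constructed 8-sector toy disk: sector 0 is a one-entry file table."""
    img = bytearray(SECTOR * 8)
    img[0:16] = b"statement.pdf\x00\x00\x02"   # name + start sector (toy layout)
    doc = b"%PDF-1.4 constructed sample, acct ending 0000"
    img[2 * SECTOR:2 * SECTOR + len(doc)] = doc
    return img

def quick_delete(img):
    """Deleting a file / emptying the trash: drop the table entry, keep the data."""
    img[0:16] = bytes(16)

def zero_fill(img):
    """Single-pass overwrite of every addressable sector."""
    img[:] = bytes(len(img))

def demo():
    img = build_image()
    results = {"as sold": scan_image(io.BytesIO(img))}
    quick_delete(img)
    results["after delete"] = scan_image(io.BytesIO(img))
    zero_fill(img)
    results["after zero fill"] = scan_image(io.BytesIO(img))
    return results

if __name__ == "__main__":
    for stage, (nonzero, hits) in demo().items():
        print(f"{stage:16} non-zero sectors={nonzero} signatures={hits}")
```

After the delete step the file table is empty but the document's header is still found at offset 1024; only the zero fill brings both counts to nothing. A clean read-back of this kind covers addressable sectors only, not blocks an SSD has remapped internally.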
Without these precautions, both across the pawn industry and by people using their devices as a way to get some quick and necessary cash, pawn shop laptops will likely remain a steal when it comes to people’s digital privacy.