Your sister upgraded last spring and handed you her old Samsung "just in case." You threw it in a drawer. Then your phone cracked, you used it for two weeks, logged into your email, your bank app, your Google account — and then your new phone arrived, so you shoved the backup back in the drawer. It still has your SIM card in it. You haven't thought about it since.
That phone in the drawer is not a paperweight. To the right person, it's a master key.
It's Not About the Phone. It's About the Number.
Most people assume hackers want your device for what's on it — photos, saved passwords, that kind of thing. That's not wrong, but it misses the bigger threat. What's actually valuable is your phone number, and specifically, its role as a trust signal.
Think about the last time you logged into your bank from a new device. It probably sent a text to verify it was really you. That text went to your phone number. Your phone number is your identity for dozens of services that don't know any better way to confirm who you are.
SIM swapping — also called SIM hijacking — is a form of identity theft where attackers deceive or bribe mobile carriers into transferring a victim's phone number to a SIM card they control, giving them the ability to intercept calls, text messages, one-time passcodes, and other multi-factor authentication methods (Bitsight). And if your old SIM card is sitting in that drawer phone, still active, without a PIN lock? They may not even need to call your carrier.
The "Factory Reset" Trap
Here's the counterintuitive part that almost no one talks about: wiping a phone doesn't actually wipe it.
When you tap "Factory Reset," your phone marks that storage space as available — but the data itself often stays physically on the chip until something overwrites it. From a forensic perspective, a factory reset removes user access to data and restores default settings, but residual files can persist in unallocated storage sectors, low-level system partitions, and as recoverable fragments of photos, videos, and documents — especially if storage blocks haven't been reused (Salvation Data).
This isn't theoretical. Researchers investigating modern Android devices running Android 11 and 12 found that user data has reportedly been recovered after a factory reset by applying forensic data recovery techniques (ScienceDirect). The software to do this is commercially available. It's the same tooling used by phone repair shops.
Some of those shops are not trustworthy.
What "Backup Phone" Actually Means to a Thief
You've used that phone as a backup at least once, which means it likely has:
- Login sessions that weren't explicitly signed out
- Cached messages that synced before you logged off
- Your carrier's SIM still seated inside, possibly still active
- Saved Wi-Fi passwords — which can reveal where you live and work
- Fragments of app data that survived the reset
A functional old SIM can expose your contacts and message history, enable impersonation, and make you vulnerable to targeted fraud — and if it doesn't have a SIM PIN enabled, someone who gets hold of it can use it in another device (Saily).
The SIM card is the most dangerous piece people overlook. It's not glued in. It takes three seconds to remove and slip into another phone. No password required.
What You Actually Need to Do
This is the part most articles get soft on. Here's what matters specifically:
Before you give away, sell, or store any old phone:
- Remove the SIM card first. Don't reset, don't sign out — do this before anything else. Cut the SIM with scissors if you're not transferring the number. If the card is still active, call your carrier and deactivate it.
- Enable full-disk encryption before resetting (Android users especially). On Android, go to Settings → Security → Encryption, run it, then factory reset. That way, any residual data left behind is unreadable without the key. iPhones encrypt by default when you have a passcode set.
- Sign out of every account manually before resetting — Google, Apple ID, Samsung account, banking apps, anything. Don't rely on the reset to do this.
- After reset, run a data-overwriting app like iShredder (Android/iOS) or use the "Erase All Content" option on iPhone, which properly destroys the encryption key rather than just clearing the index.
- Never store an active-SIM phone in a drawer. If you want to keep a backup phone, use it with a fresh SIM or no SIM at all.
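The reset, encryption and overwrite steps above, as an added example that is not part of the original article: a toy Python model of phone storage showing what a raw scan finds after a factory reset in each case. The `ToyFlash` class, the `carve` function, the sample note and the key are all constructed for illustration, and the SHAKE-256 keystream is a stand-in for real disk encryption.

```python
import hashlib

BLOCK = 64  # bytes per simulated storage block

class ToyFlash:
    """Simulated phone storage: raw blocks plus an index of live files."""

    def __init__(self, blocks=8, key=None):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}   # file name -> (block number, length)
        self.key = key    # None models a device without encryption

    def _mask(self, block_no, n):
        # Toy keystream (SHAKE-256 of key and block number), a stand-in
        # for the AES-based disk encryption a real phone uses.
        return hashlib.shake_256(self.key + bytes([block_no])).digest(n)

    def write(self, name, data):
        block_no = len(self.index)
        if self.key is not None:
            mask = self._mask(block_no, len(data))
            data = bytes(a ^ b for a, b in zip(data, mask))
        start = block_no * BLOCK
        self.raw[start:start + len(data)] = data
        self.index[name] = (block_no, len(data))

    def factory_reset(self):
        # Drops the index and the key; the blocks themselves are untouched.
        self.index.clear()
        self.key = None

    def overwrite_all(self):
        # A data-overwriting pass: every block is rewritten.
        self.raw[:] = b"\xff" * len(self.raw)

def carve(raw, marker):
    """Scan raw blocks for a marker, ignoring the index, as recovery tools do."""
    found, pos = [], raw.find(marker)
    while pos != -1:
        end = raw.find(b"\x00", pos)
        found.append(bytes(raw[pos:(end if end != -1 else len(raw))]))
        pos = raw.find(marker, pos + 1)
    return found

SAMPLE_KEY = bytes(range(32))  # constructed key for the demo

def residue_after_reset(key=None, overwrite=False):
    """Write a constructed note, factory reset, then scan the raw storage."""
    dev = ToyFlash(key=key)
    dev.write("notes.txt", b"PIN-NOTE: constructed sample 4821")
    dev.factory_reset()
    if overwrite:
        dev.overwrite_all()
    return carve(dev.raw, b"PIN-NOTE:")
```

Calling `residue_after_reset()` returns the note intact, while `residue_after_reset(key=SAMPLE_KEY)` and `residue_after_reset(overwrite=True)` return nothing. On real flash storage, wear leveling means an overwriting pass may not reach every physical block, so discarding the key of an encrypted device is the more dependable of the two.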
The Thing Nobody Mentions About Two-Factor Authentication
Here's the insight that gets buried: SMS-based two-factor authentication — the kind where a code gets texted to you — is the weakest form of 2FA, but it's the default for most banks, email providers, and social platforms.
Threat actors can bypass common security questions by researching personal information shared online, and can also access your mobile account on the provider's website to initiate and authorize a SIM swap using credential stuffing — plugging in stolen usernames and passwords to answer security questions during authentication (Canadian Centre for Cyber Security). The fact that you enabled 2FA doesn't protect you if someone can hijack the number receiving those codes.
The real fix, where your accounts allow it: switch from SMS codes to an authenticator app like Google Authenticator or Authy, or to a hardware key like a YubiKey. These are tied to a physical device you control, not a phone number that can be transferred by a customer service rep who got socially engineered.
The Honest Limitation
Here's what this article can't fix: most people won't do all of this, and some of it is genuinely complicated on older Android phones where encryption isn't automatic. If you have a very old device — anything running Android 6 or earlier — full encryption may not be available or effective, and even an encrypted reset may leave recoverable traces. In that case, the safest option is physical destruction of the storage chip, which is extreme advice that most people reasonably won't take. The risk isn't zero even if you do everything right; it's just significantly lower. Know that going in.
Sources:
- Bitsight: What is SIM Swapping
- Saily: What to Do With an Old SIM Card
- Salvation Data: Factory Reset and Data Security
- Canadian Centre for Cyber Security: Security Considerations for SIMs
- ScienceDirect / Forensic Science International: Assessing Data Remnants in Modern Smartphones After Factory Reset
