Mobile sinks are needed in many sensor network applications for efficient data collection, data querying, localized sensor reprogramming, identifying and revoking compromised sensors, and other network maintenance. Employing mobile sinks however raises a new security challenge: if a mobile sink is given too many privileges, it will become very attractive for attack and compromise. Using a compromised mobile sink, an adversary may easily bring down or even take over the sensor network. Thus, security mechanisms that can tolerate mobile sink compromises are essential. In this paper, based on the principle of least privilege, we first propose several efficient schemes to restrict the privilege of a mobile sink without impeding its capability of carrying out any authorized operations for an assigned task. To further reduce the possible damages caused by a compromised mobile sink, we then propose efficient message forwarding schemes for depriving the privilege assigned to a compromised mob...