Thursday, November 18, 2010, by Chris Porter
Identity theft and my mobile: Should I worry?
Identity theft is not just about the unlawful use of identity cards. It can be described as the usage of someone
else’s identity or any identifying attribute without the necessary consent or lawful authority from the rightful owner,
with the specific intent to carry out unlawful or malicious activities. This definition draws a lot from the Identity
Theft and Assumption Deterrence Act of 1998 (US Federal Trade Commission).
A number of identity theft methods do exist, some are more popular than others, such as the infamous e-mail
from a willful investor who trusts you more than anyone else in the world, but others are less known, and
potentially, more dangerous.
To start off, we will have a look at a surprising shortcoming within the mobile phone GSM infrastructure. Have
you ever heard about SMS spoofing? Similar to e-mail spoofing, one can send an SMS message with altered
header information, largely affecting the human component of security through the inherent trust we have in our
phone contacts, especially when it comes to family and friends. Looking at the weak-points in GSM, especially
with the added ‘flexibility’ provided by online SMS centres, I decided to carry out a simple attack:
Assume this simple scenario: Aldo and Berta work together at the same company. Aldo trusts Berta but he has
no trust in me (the attacker). I managed to obtain their number using a concoction of data from their social
profiles and through freely available online directory services. The objective of my attack was to obtain some
sensitive information, the building’s entry code, out of Aldo. This will never happen given the fact that Aldo does
not know me! So I must exploit the established trust he has in Berta in order to do that. Can I steal Berta’s identity
for a while in order to accomplish my mission?
Using an openly available online service I created a new text message addressed to Aldo, but modified the
sender identifier so that it appears as if the message is being sent by Berta rather than by myself. So in practice,
and at face value, Aldo’s mobile device will indicate that a new text message from Berta has arrived! The
message instructed Aldo to send the building’s entry pass-code to my number (supposedly Berta’s inpatient
brother). Not surprisingly, after a few seconds from when the message was sent, I got the code from Aldo! Neat!
You can imagine Aldo’s reaction when I tried to explain that in fact it was I that sent the message. Disbelief,
confusion and shame are just a few feelings that came up! The message cost me €2.36, but cheaper alternatives
do exist! This method of theft can be classified under pretexting; getting someone’s personal and potentially
identifying information under false pretenses. Given trust obtained from a stolen identity, the type and amount of
information which can be obtained is limitless, and in turn, the list of actions that can be carried out with such
information is endless.
Let’s say, you decided to send your e-ID number together with your password to someone you trust (for some
imaginable reason). There are two major risks. Firstly, SMS data is not encrypted, so it can either be seen by
employees on the mobile operator’s premises, or even worse although more difficult, intercepted anywhere in
between your phone and the SMS Centre. Secondly, if you’re answering to an SMS requesting such details, you
may be unknowingly fooled into sending sensitive information to a third person with malicious intents (recall
Aldo’s story).
Can SMS be trusted? No. SMS is not secure, and privacy cannot be guaranteed (this should not be confused
with encrypted push-e-mail provided by most operators here in Malta). This is why we do not see a lot of SMSbased commercial services, such as payments.
Any technical solution? Yes. End-to-end security; encrypted SMS can be used for high sensitivity texting. We
found that it is possible to implement a hardware-based SIM extension with cryptographic capabilities in order to
ensure integrity, confidentiality and non-repudiation in SMS messages. This is particularly useful in high-risk
industries.
Any quick solutions? Be cautious. It won’t harm to call the person requesting the information to confirm such
request. Secondly and more importantly, try to keep personal information as personal as possible, always!
More approaches on the issue of stealing identities using unconventional means will be examined in the coming
weeks. Any comments and queries may be directed to chris.porter@um.edu.mt.
Mr Porter is an assistant lecturer in the Department of Computer Information Systems in the Faculty of ICT at the
University of Malta.