Thursday, November 18, 2010, by Chris Porter

Identity theft and my mobile: Should I worry?

Identity theft is not just about the unlawful use of identity cards. It can be described as the usage of someone else's identity or any identifying attribute without the necessary consent or lawful authority from the rightful owner, with the specific intent to carry out unlawful or malicious activities. This definition draws a lot from the Identity Theft and Assumption Deterrence Act of 1998 (US Federal Trade Commission).

A number of identity theft methods exist. Some are more popular than others, such as the infamous e-mail from a willful investor who trusts you more than anyone else in the world, while others are less known and potentially more dangerous.

To start off, we will have a look at a surprising shortcoming within the mobile phone GSM infrastructure. Have you ever heard about SMS spoofing? Similar to e-mail spoofing, one can send an SMS message with altered header information, largely affecting the human component of security through the inherent trust we have in our phone contacts, especially when it comes to family and friends.

Looking at the weak points in GSM, especially with the added 'flexibility' provided by online SMS centres, I decided to carry out a simple attack. Assume this simple scenario: Aldo and Berta work together at the same company. Aldo trusts Berta but he has no trust in me (the attacker). I managed to obtain their number using a concoction of data from their social profiles and through freely available online directory services. The objective of my attack was to obtain some sensitive information, the building's entry code, out of Aldo. This will never happen given the fact that Aldo does not know me! So I must exploit the established trust he has in Berta in order to do that. Can I steal Berta's identity for a while in order to accomplish my mission?

Using an openly available online service I created a new text message addressed to Aldo, but modified the sender identifier so that it appears as if the message is being sent by Berta rather than by myself. So in practice, and at face value, Aldo's mobile device will indicate that a new text message from Berta has arrived! The message instructed Aldo to send the building's entry pass-code to my number (supposedly Berta's impatient brother). Not surprisingly, a few seconds after the message was sent, I got the code from Aldo! Neat!

You can imagine Aldo's reaction when I tried to explain that in fact it was I that sent the message. Disbelief, confusion and shame are just a few feelings that came up! The message cost me €2.36, but cheaper alternatives do exist!

This method of theft can be classified under pretexting: getting someone's personal and potentially identifying information under false pretenses. Given trust obtained from a stolen identity, the type and amount of information which can be obtained is limitless, and in turn, the list of actions that can be carried out with such information is endless.

Let's say you decided to send your e-ID number together with your password to someone you trust (for some imaginable reason). There are two major risks. Firstly, SMS data is not encrypted, so it can either be seen by employees on the mobile operator's premises or, even worse although more difficult, intercepted anywhere in between your phone and the SMS Centre. Secondly, if you're answering an SMS requesting such details, you may be unknowingly fooled into sending sensitive information to a third person with malicious intent (recall Aldo's story).

Can SMS be trusted? No. SMS is not secure, and privacy cannot be guaranteed (this should not be confused with encrypted push e-mail provided by most operators here in Malta). This is why we do not see a lot of SMS-based commercial services, such as payments.

Any technical solution? Yes.
End-to-end security: encrypted SMS can be used for high-sensitivity texting. We found that it is possible to implement a hardware-based SIM extension with cryptographic capabilities in order to ensure integrity, confidentiality and non-repudiation in SMS messages. This is particularly useful in high-risk industries.

Any quick solutions? Be cautious. It won't hurt to call the person requesting the information to confirm such a request. Secondly, and more importantly, try to keep personal information as personal as possible, always!

More approaches on the issue of stealing identities using unconventional means will be examined in the coming weeks.

Any comments and queries may be directed to chris.porter@um.edu.mt.

Mr Porter is an assistant lecturer in the Department of Computer Information Systems in the Faculty of ICT at the University of Malta.