How Safe Is Your Mobile?

[invisiblebond 7]

You're under attack. With call and SMS spoofing and spam, mobile viruses...even SIM cloning. What's more, these threats don't require rocket science to learn, making most mobile phones out there extremely vulnerable. We give you a detailed report on these threats, along with advice on how to protect yourself against them. Plus we take you through some of the hottest mobility trends

While they started as the wireless version of the good old landline, mobile phone usage today is just not restricted to making calls. They are our music player, camera, video player, Web Browser, all rolled into one. More seriously, they provide access to bank statements, credit cards, are your password valet, and overall a sign of your social identity.

Mobile phones contain GSM and CDMA modems for mobile Net access, act as handheld devices for SFA (Sales force Automation), and so on. Enterprises extensively use mobile communications for business benefit. Just look around to see the many different uses of mobile communication.

Enterprises use mobile devices for doing quick polls and surveys, and not to mention the traditional and push mails that have changed the way mobile executives communicate. Today you have access to unified clients that provide access to IMs, VoIP servers, Skype, etc from a single interface. In short, mobile communication has become the epicenter of our communication today.

And now the flip side

It's good to see so many good things happening in the world of mobility. But did you know that apart from getting so much functionality, how much of your confidential data is exposed to unscrupulous elements? Many people carry their ATM/credit card pin numbers on their mobiles, unencrypted or encrypted. Many people also link their phones with their bank, demat and Insurance accounts. They store crucial contact details, SMSes, chat logs, etc. So, just image if your phone becomes vulnerable and somebody manages to access this data? You wouldn't even want to imagine the impact!

Believe it or not, but with the growing popularity and increase in the number of mobile phones, the number of threats that they're prone to has also increased. What's even more worrying is that these threats are not very difficult to perform. We did a thorough study of these threats and in this story, we will take you through the most common ones that mobile networks are prone to. But don't worry. We won't leave you dangling with nightmarish thoughts in your mind. Besides telling you about the threats, we've talked about ways to combat them towards the end of this article.

SMS Spoofing

All of you would be recieving plenty of promotional SMSes that either don't show the phone number or comewith only a name, but no phone number. These are essentially called anonymous or masked SMSes. By the same technique one can even send SMSes with someone else's number, and the technique is known as SMS spoofing.

Unfortunately, you don't need to be a tech expert to spoof SMSs. Even a novice can do it. There are websites on the Internet (both free and paid) that let you send spoofed SMSes. Besides websites, there are even some software that can do the same. We'll not get into the details of which software and how to do SMS spoofing, because that's not our intent. We just want to highlight the gravity of the threat. For instance, just count the number of times your phone number is used for authentication over the mobile network.

For example, for balance enquiry or for recharging a DTH account, most of the times you would have registered through your phone number and now access the same through an SMS.

If someone spoofs your phone number for sending SMSes, then that person can easily pretend to be you and do all account related enquiries with the spoofed number.

Call spoofing

VoIP is becoming increasingly popular amongst most organizations. The good news is that today you can easily download an Open Source IPPBX from the Internet and configure it as a VoIP gateway on your network and start enjoying the benefits of VoIP. Add a FXO card to that and you can even make local calls with it over IP. While it feels good to have so much power, remember that the same power can also be misused, and one of the methods is called call spoofing. For instance, you could get a call from somebody posing as a representative of your bank and ask you some confidential information. If you're not careful, then you might reveal this information to the caller and become a victim of call spoofing.

There are sites on the Internet which can be used by anybody to do SMS Spoofing.

Call spoofing is similar to SMS spoofing but more difficult to perform. Essentially, a VoIP gateway with a FXO card is used to initiate a call and the VoIP server can be configured to change the caller id to a desired value.

This attack is pretty much similar to forged mails, but the scary part here is that you don't have a spam filter that would let you distinguish a forged call from others. Plus, the level of awareness about mail scams is higher than that of call spoofing. That's why people don't take it seriously and hence the possibility of a successful scam attack is higher.

The way to protect yourself against call spoofs is to remember that no bank or financial institute is going to ask you for confidential information over the phone. Even if they do, then you should not give it to them.

Spamming voice and text

This is another common threat. All of us receive unwanted calls and SMSes selling credit cards or free ringtones, etc. Every day I receive about 60% spam SMSes. For calls, this percentage is lower but still hovers around 20 to 30%. These are more of a nuisance than a security threat, just like the spam you get in your mail. But you never know when things will change for the worse. Today, a lot of spam mail that comes also contains viruses and spyware. You might just start getting such malware over SMS in the future. The worst part about this vulnerability is the lack of a good Spam filter for mobiles. There are a couple of anti-spam solutions available, but they have to mostly be configured manually. This means you have to manually create the the blacklisted and white listed phone numbers. However, this is not 100% efficient.

Websites like this are accessible to everyone, meaning it's dangerous to leave Bluetooth enabled on your phone in public.

Spyware

This is the biggest risk being faced by mobile networks today. The mobile spyware industry has evolved tremendously in the last one year and both security agencies and hackers are trying to use it for spying!

Recently we interviewed the CEO of Appin Knowledge Solutions, who talked about possible Spyware threats in mobile communication. When asked why mobiles are so susceptible to spyware attacks he said:

�Spywares are usually based on J2ME, and can be transmitted to a phone through the following ways:

Downloading unauthorized software like games and videos which might have a spyware attached, using GPRS.

Clicking on links received via messages. Through an MMS attachment. Through SMS.

�When a computer is hacked the only way to access it is through Internet; but a phone can be reached by various modes like SMS, call, internet, etc."Rajat Khare - CEO,

Appin Knowledge Solutions�

He further added that �A phone that is infected with a Spyware can be completely controlled and made to perform various functions. These include:

As soon as a call is made from the controller phone to the target phone one can hear all conversations, happening at the place where the mobile is located.

Several functions of the phone can be controlled via just an SMS, such as switching the phone off or on, retrieving data from the phone, ordering the phone to upload data on a web interface, via GPRS, etc.

SIM  cracking software such as this are easily available on the Internet, and can be used to break encryptions in SIM cards to create their copies

All the call logs can be checked through a web interface.

The SMS content can also be monitored using a web interface.All the data stored in the phone can be viewed through a web interface.If the mobile has a GPS, the location of the phone can also be tracked with this spyware.Even audio/video recording can be done, just by sending the command through an SMS.

While a mobile operator would use software such as this to replace your SIM with a fresh one, somebody else could use it to clone your SIM for malicious intent.

As they say, that there's a good and bad side to everything. So Appin has developed one such spyware and plans to provide it to government intelligence and security agencies so that they can use it to track and spy on suspected terrorists and criminals.

Mobile Security Solutions for Tata Users

F-Secure Corporation has partnered with Tata Communications recently. With this partnership Tata Communications will be the first in India to offer its customers an all-in-one mobile security package. The Mobile Security solution enabled by F-Secure includes realtime virus protection, malware protection and an integrated firewall, and enables smartphone users to enjoy the full potential of their devices without the fear of mobile threats. This solution supports all the main mobile platforms running an open operating system, Windows Mobile, Symbian S60 and UIQ. A firewall provides additional security for all mobile devices that access public WiFi networks.

The bad side is of course that there would be many such spyware programs available on the Net, which can perform similar functions. The irony is that there

�are websites selling such software openly and claiming to help the society by providing means to track their flirtatious spouse, spoilt kids, etc.

SIM cloning

It might sound very Hollywood like, but yes it is possible. If you have seen the movies Bourne Supremacy and National Treasure Part 2, then you would be aware of SIM cloning. But there a few differences in reality. While in the movie, the protagonist creates a copy of the phone in less than five minutes, and once done, is able to listen to all calls that are dialed and received through the original phone.

In reality, however, you can't clone all SIM cards. Second, if the card has been clonedss, it still takes a huge amount of time. No one can clone a SIM card in five minutes. It takes a couple of hours on a standard dual core machine to clone a SIM card.

sMoreover, after cloning the SIM card it is impossible to hear the conversation of the original phone from the cloned phone. However, what can easily be done is to make calls and send SMSes using the number of the original phone, and it would be billed to the original SIM. Second, if let's say a call or SMS is made to the original number, it could be received either by the cloned or the original phone, depending on which one responds to the operator's signal first.

So, let's say, the original phone is off or it is out of reach, all calls will go to the cloned phone. Even if both phones are on, the one that responds first to the tower signal will receive the call.

SIM cloning is also not too difficult to do. Anybody even remotely familiar with a little bit of programming can easily do it. Of course, we're not about to get

�into a tutorial of SIM cloning here. But we'd just like to add that SIM cloning means copying the SIM's identification number to another SIM card so that the operator treats both as one. Every SIM has an encryption key that needs to be cracked. Thankfully, the newer SIMs have strong encryption keys, making them more difficult to crack. It's the older 16k and some 32k SIMs that have weaker encryptions which can easily be cracked. So if your mobile phone has a SIM card that is older than June 2005, then chances are it can be cloned very easily.s

Our advice is to get it replaced immediately. Most service providers do it free of cost.

Other hot trends

Besides threats to mobile security, there are some very good trends taking shape in mobility and mobile communication as well. The number of mobile phones

�has exceeded 250 million this year. The cost of mobile phones has dropped significantly, from the 3-4K range to 1.5-2K range.

Protection against Mobile Fraud

We talked about so many threats that mobile phones face today. Now let's talk about protection. Following is a list of some Dos and Don'ts:

Dos:

1. If you are using a SIM card which is more than one and a half years old, then get it replaced immediately. This service is generally free of cost and all you have to do is to contact your service provider.

2. If your mobile phone was left unattended for some time (at least 4 hours or more) at a location where someone else could have accessed it, then keep an eye on your mobile bill. If you observe a discrepancy, then get the SIM blocked and have a new one issued from your operator.

3. Install a good antivirus on your mobile phone.

4. SMS is not a clean medium to communicate confidential data. But if you still want to, then use encryption software such as SMSProtector, Fortress SMS, etc.

5. Keep a close eye on your bill. If you see some discrepancy, immediately get your mobile phone and SIM card checked by an expert. Your phone could have a spyware.

6. If you are feeling your phone's response time is very high, again take it to an expert. Your phone might have a spyware.

Don'ts

1. If your phone doesn't have an encrypted password valet, then don't save PIN numbers and passwords on it.

2. Don't leave your phone unattended for long.

3. Don't connect your phone or its memory card to a PC which doesn't have an updated antivirus installed.

4. Don't click on MMS or SMS links if you don't know or trust the sender. Even if you trust the sender, it's always good to call him back and check if he has actually sent the link or not.

5. Don't accept any SMS with an attachment unless it is from your service provider and you have requested for the same.

6. Never pass on sensitive information, such as bank account or credit card details over the phone, if you get a call from a bank or credit card agency. They're not supposed to ask you for this information over the phone

Another hot emerging trend is that of SMSes. They're being used for some really fancy applications. Besides being used for generating business in TV shows, one application is multi-lingual SMSes, and there are companies like Geneva Software offering these �same. Geneva allows you to send SMSes to anybody in multiple Indian languages. What's more, these SMSes can be sent to even ordinary cellphones because the application converts them into a graphics image. This simple solution can have as powerful impact, as it can be sent to people who're not English literate. The govt. for instance can use this functionality to convey a message to the common public, most of which is non-english speaking and carries ordinary cellphones.

It could also be used to make public announcements, such as an early warning system about a disaster. So for instance, if (God forbid), a Tsunami is about to hit the Indian shores, then multi-lingual SMSes can be sent to the people who're likely to be affected by it. It would be the fastest means of reaching out to masses. Likewise, GPS is another hot trend in mobile communication. Today it comes in-built with many high-end mobile phones. A lot of companies have started offering GPS maps. Nokia for instance, offers maps of over 100 countries, and for eight Indian cities. These maps contain details of 75k+ Kms of road, 10k+ restaurants and hotels, 10k+ bank ATMs, 5k+ schools and colleges, 3k+ petrol pumps, 3k+ places of worship, 2k+ hospitals and medical shops, etc. Plus, even ordinary phones today with a GPRS connection can have location information thanks to Google Maps, which uses GSM towers to identify your location on a map

[raccoon 53]

Very intresting post... thanks!

[@mitJ@in 256]

Very useful information.

"1. If you are using a SIM card which is more than one and a half years old, then get it replaced immediately. This service is generally free of cost and all you have to do is to contact your service provider."

But None of Operator give Duplicate Sim/Ruim Card at free of cost. Reliance charges Rs.99 for same. Other operators also charged aroung Rs.100 to Rs. 200.

[Honest 836]

But None of Operator give Duplicate Sim/Ruim Card at free of cost. Reliance charges Rs.99 for same.

^^^

My dear friend, desn't Reliance charging Rs.15/- for a duplicate Ruim ?

Regards.

[drmadhu 87]

In ahmedabad none of webworld sell blank card and webworld says no blank card and near shop of webworld reliance dealer go for black marketing of this ruim card and dealer sell it for 200 Rs and this black marketing with support of webworld?

So for this metter where can we complain about this?

Edited July 7, 2008 by vijaymalhotra_2007

[@mitJ@in 256]

My dear friend, desn't Reliance charging Rs.15/- for a duplicate Ruim ?

Regards.

Kindly Call Customer Care at *333 and Confirm.

[@mitJ@in 256]

In ahmedabad none of webworld sell blank card and webworld says no blank card and near shop of webworld reliance dealer go for black marketing of this ruim card and dealer sell it for 200 Rs and this black marketing with support of webworld?

So for this metter where can we complain about this?

Mark an E-mail at CustomerCare@relianceada.com or Serviceassurancecell@relianceada.com.

Or you may call *333, But E-mail option is better.

[Honest 836]

Kindly Call Customer Care at *333 and Confirm.

^^^

I called the Customer Care many times about the same, but CC of Reliance always confirms that the Duplicate / Blank Ruim charges are Rs.15/- only.

Regards.

[Honest 836]

In ahmedabad none of webworld sell blank card and webworld says no blank card and near shop of webworld reliance dealer go for black marketing of this ruim card and dealer sell it for 200 Rs and this black marketing with support of webworld?

So for this metter where can we complain about this?

@Vijay

My dear friend, yes these people are definetely BLACK MARKETING the Ruims. But Reliance can't help against these private resellers. So, their's no need to send them an Email for those who are not authorised to sell Reliance products.

Obviously you can definetely shoot a mail if the same has been done to you by Web World or Web World Express / Reliance Mobile Store.

Regards.

[raccoon 53]

Well, none of the pvt. shops would be able to sell them at those rates of the WebWorlds and Express outlets sell them at the official price of Rs. 15 !!! So the blame goes right back to RCom!

[@mitJ@in 256]

^^^

I called the Customer Care many times about the same, but CC of Reliance always confirms that the Duplicate / Blank Ruim charges are Rs.15/- only.

Regards.

Please check.

[Honest 836]

^^^

OK, that means, the new unprovisioned Ruim is available at Rs.15/- and duplicate Ruims issued by the company as the substitutue for damaged Ruims will be charged at Rs.100/-.

But each and every time these stupid CC people tells the same thing.

God knows what is going to be the future of Reliance CC.

Regards.