I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I’m very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.
It seems that the theft of mobile phones is starting to be recognised in other parts of the world than the UK at the moment. A few of the American newspapers are reporting on the announcement that mobile network operators (or carriers as they are known over there) have done a deal with the FCC to block stolen mobile devices. This is all good news and I don’t want to pour cold water over what is going to be generally good for the consumer in the long term.
This never used to happen in the old days
Why has it taken until now?
The concept of a global blacklist (or Central Equipment Identity Register [CEIR]) for mobile devices has been written in stone (well the GSM specs) for a very long time. See this paper from mobile security veteran Charles Brookson from 1994, which talks about the CEIR. Operators have quietly ignored this requirement and very few are connected to it. Even local blacklisting has been an issue over the years, with issues over sharing information with other operators inside single countries. The practical difficulties are always cited as well as cost. Having been involved in a lot of this debate, a lot of the arguments just don’t wash. As an example, using prohibitive cost as a reason not to maintain a blacklist is laughable. Storage cost is ridiculously low, management is minimal and the operators themselves will see direct benefits from not allowing criminals to hook up stolen phones on their networks. The simple answer to network operator blacklisting is: “where there’s a will, there’s a way”.
Identity changing is not the issue it once was
Another argument that has been frequently wheeled out is that criminals will just change the identity (the IMEI number) of the device to side-step the blocking system. The fact is that IMEI number changing has dropped off massively since the turn of the century as more security has been built into devices (through a lot of effort in a number of industry initiatives). My presentation ‘Mobile Phone Theft: An unsolvable problem?’ from 2011 expands on some of this. There is a 42 day breach reporting process run by the GSM Association which nearly all the manufacturers are involved in. It seems as though the manufacturers have played their part, but it could be argued that the network operators haven’t.
What are governments doing?
It could also be argued that governments haven’t really played their part in all of this. Only the UK has really stepped up and addressed the criminals who actually perpetrate these crimes with legislation and through a dedicated Police unit, the National Mobile Phone Crime Unit. What meaningful steps have other countries taken to help their citizens from the blight of mobile phone theft?
Are we addressing the right problem any more?
Apparently the US system is going to take two years to become operational and this is where I have a bit of an issue. Development and deployment could probably happen a lot more quickly than this, given that the standards have already existed for nearly 20 years. My other issue is about whether we’re addressing the right problem anymore? If mobile phones have evolved to the point that they are now more mobile computer than phone, we should look at what will drive a thief. Thieves take phones generally for their inherent value. That is why historically, blocking a phone’s network access has essentially disabled the device and made it valueless. This isn’t the case in 2012. If you block the IMEI number, guess what? Anyone can still use the phone – you can use the WiFi connection to get on the web, you can use WhatsApp and Skype and you’ll still be able to download stuff from app stores. While this still remains the case, mobile phone theft is going to continue to be a problem. In some ecosystems, the vendor is actually in a very strong position (think those companies with fruits in the name) and they have actually provided additional tools to help against theft. What they need to make sure now is that those devices are not ‘re-activated’ after theft.
What can I as a user do to help myself?
- It sounds a bit obvious, but make sure you use your device PIN-lock feature. It can be a pain to use, but it is highly effective in ensuring that whatever is on your device stays on your device. Although thieves generally just care about selling the device on, you still don’t want all your personal data potentially going astray.
- Another piece of sensible advice is to be aware of your surroundings; don’t leave your phone on tables in cafes, be careful where you’re using your phone (in dangerous neighbourhoods etc) and when out and about at night. In big cities, tube and metro exits are commonly targeted as people turn their phones on when they surface.
- And finally, write down your IMEI number – you’ll need this to give to the Police and network operator if your phone ever gets stolen. You can get the number from the back of your handset or by typing in *#06# at the home screen of your phone.
Don’t advertise your phone to thieves
We’re never going to stop people stealing things, but at least in the US and the UK life is being made slightly more difficult for thieves, making things slightly more safe for you.
This week is Carphone Warehouse’s Mobile Security Week. I worked with the guys there to create some advice on security for users which you can find on their site. An extended version is on this page. As part of their research, Carphone Warehouse conducted a survey of over 2000 people which highlighted a lack of awareness amongst users about the importance of protecting personal data. It is interesting that only about 54% of those surveyed think that data on their phone is secure. That is lower than I expected and shows that people are at least concerned about mobile phone security, but maybe aren’t sure what to do. The National Mobile Phone Crime Unit (NMPCU) have done some great work in the past few years behind the scenes to help prevent mobile phone theft and one of those is to create a database of property which you the user can use by registering at the link in the first tip. If your phone turns up, the Police can then easily identify it as yours. A lot of my readers are tech people, but most mobile users aren’t and they don’t necessarily want to be. Probably one of the most important messages I’d like to get across is for people to use their handset PIN lock – if you don’t want people getting access to your personal data, this is a simple way of preventing that.
It’s great to be able to get the message out this week to people to think about mobile security, so have a look at the tips and see if you and your family are safe and secure.
David’s Mobile Security Tips
As phones become more and more sophisticated, mobile security becomes increasingly important for users. Here are some tips on how to keep you safe and secure when using a mobile phone.
Record your phone’s identity number in case it is stolen
The International Mobile Equipment Identity (IMEI) is what identifies your phone to the network and is located on the back of your phone underneath the battery. Another way to get your IMEI number is to type *#06# into your phone keypad to display it. When you get your new phone, it should be also on the side of the box. Keep the box label in a drawer just in case you need it. If your phone is lost, report the IMEI number to your service provider and they can block your phone so it can’t be used to make calls. If it is stolen, you should also give the IMEI number to the Police.
You can also register your phone’s details and IMEI number on the UK National Property Register at: http://www.immobilise.com/. This helps the Police to return lost or stolen property to its correct owner.
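An added example (not from the original post): before you report or register the IMEI you wrote down, check that it was copied correctly. A 15-digit IMEI is an 8-digit type allocation code, a 6-digit serial number and a Luhn check digit, so a mistyped or swapped digit can usually be caught; the function names and the sample number below are constructed for illustration.

```python
import re


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    # Walk right to left, doubling every other digit starting with the
    # rightmost digit of the body; two-digit results are reduced by 9.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> dict:
    """Validate an IMEI as written down by a user and split it into fields.

    Accepts spaces, hyphens, slashes and dots as separators. Raises
    ValueError if the value cannot be a correctly copied IMEI.
    """
    digits = re.sub(r"[\s\-/.]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("IMEI must contain only digits and separators")
    if len(digits) == 16:
        # IMEISV: 14 identity digits plus a 2-digit software version,
        # with no check digit, so only the length can be verified.
        return {"kind": "IMEISV", "tac": digits[:8], "serial": digits[8:14]}
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}")
    expected = luhn_check_digit(digits[:14])
    if int(digits[14]) != expected:
        raise ValueError(f"check digit mismatch: expected {expected}")
    return {"kind": "IMEI", "tac": digits[:8], "serial": digits[8:14]}


if __name__ == "__main__":
    # Constructed sample input: a documentation-style IMEI with separators.
    print(parse_imei("49-015420-323751-8"))
    # Same number with two adjacent digits swapped while copying it down.
    try:
        parse_imei("490154203273518")
    except ValueError as err:
        print("rejected:", err)
```

A number that fails the check should be re-read from the handset or box label rather than submitted, since a wrong IMEI on a report identifies the wrong device.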
Secure access to your device and voicemail
PINs and passwords can be a pain as they put a barrier in the way of things you do repeatedly. These days it can be difficult to remember all your different PINs and passwords or be very tempting to use the same password for everything. Firstly, voicemail. The recent phone hacking scandal in the UK showed how important it is to have a PIN on your voicemail to prevent people listening into your private messages. Ring your operator and make sure you have one set up, or alternatively have the service switched off entirely. Don’t choose obvious PINs e.g. 1111, 1234, dates of birth etc.
Make use of the handset locks to protect your data and messages. With touch-screen phones, these are often gesture based, meaning that a convenient swipe is all that is needed to unlock your phone, whilst still keeping your phone safe.
Learn how to manage your passwords without having to remember lots of complex details. You can do this by using password safes which can store lots and lots of different passwords and generate random ones for you. Make sure these are also backed up in a safe place.
Learn how to remotely lock and wipe your phone if you lose it
Losing your phone or having it stolen does happen and when it does, what do you do to prevent someone getting access to your work or personal data? This is where lock and wipe services come in. Many handsets are now capable of running applications which let you stop someone getting access to your data and, if you’re sure you can’t recover it, delete your data. It is a service that can give you invaluable peace of mind if the worst happens. Some services can even help you locate your lost phone by using the GPS function of the device to work out where it is.
Be very wary of WiFi hotspots
However tempting it may be to connect to free WiFi when you’re out and about, take a moment to consider who is providing that service and why. If they’re charging, who are you giving your credit card details to?
By connecting to an untrusted network, you could potentially allow an attacker to get into your accounts for social networking sites, your email and banking details. In general if you are connected to a public WiFi network, don’t do anything sensitive such as internet banking or making purchases.
Know what you are giving applications permission to do
Always think about what an application is supposed to be doing, where it came from and who made it. Simple internet searches can often verify the validity of an application if you suspect all is not well. Inspect the permissions that an application requests. Does this application really need access to your phonebook? Does it really need to send SMSs? If not, just don’t install it. It should be said that some phone permissions aren’t very well done and can be difficult to understand, so even a legitimate application can give a misleading impression of what it actually does. There are some tools available to help you manage your permissions, for example only giving one application the permission to get to your location.
A common practice amongst hackers is to create a fake copy of a genuine application. This might be free, to entice people to download it. Sadly, the free version is a “Trojan horse” and will do nasty things. Mobile malware is still at a very low level in comparison with the PC world, but is definitely on the rise in 2011 and you should be extremely careful with applications you download. Many hackers see mobiles as an increasingly juicy target because your whole life is stored on there. You are putting yourself at increased risk if you ‘jailbreak’ your device or if you install untrusted applications. Anti-virus applications are now available for those people who want an added level of protection.
Be careful when clicking on web links and scanning 2D barcodes
Don’t be lured into clicking on an unknown link to a web page. A phone’s screen is much smaller and it is often more difficult to see a full link to a website and verify that it is what it says it is. Not only this, but links are often shortened so you can’t actually read the proper website it goes to. If you get messages or posts on Facebook and Twitter with links, stop and think. Do you know the sender? If you do, is this something that they would send you? If you do click, it is often too late once you realise that there is a problem. Don’t react to or reply to spam messages you may get over SMS or Bluetooth.
New technology allows barcode scanner applications to read 2D or Quick Response (QR) codes (kind of like square barcodes). These are often put in newspapers and on advertising boards. Be very careful – do you know and trust the source? Could the poster have been tampered with or be fake? The problem here is that you often can’t verify that the link is genuine or not, because you can’t decipher the barcodes with your own eyes. It could be linking to some very nasty stuff.
Always back up your data
This is something that is always on the to-do list but never quite gets done. Take a little time to think about what would happen if you lost your phone and phone numbers and how it would affect you. Then think about what you can do to mitigate that. There are lots of services and tools out there to help you do this on a regular basis without thinking about it. Choose one you trust, or if you decide to back up your data yourself, make sure you do it regularly and store it in more than one place just in case your backup fails.
Be careful when charging your phone on someone else’s computer or at a charge point
Be extra careful if you desperately need to charge your phone while out and about. A lot of phones combine a data connection with the charger so you could end up having your data stolen without realising it. Who is providing the service? Do you have to hand over your phone to have it charged? Do you really need to connect to your friend’s laptop? At a recent hacking conference, a fake battery charging booth was set up offering free phone charge but then stole the data of the phones connected.
Protect your children whilst surfing
Kids often know more than their parents when it comes to new technology. Whilst a phone can give you peace of mind that your child is safe when out and about, it also has access to lots of functionality and content that you might not want to allow your child access to at home. There are some applications available that can be installed on mobiles to help you manage what your child can access or download. You can get a shop to set these up for you and set a password so that your settings can only be changed by you. There is some great information on protecting your children online in The Carphone Warehouse’s Guide to Mobile Web Safety at: http://www.carphonewarehouse.com/mobilewebsafety and also CEOP’s website: http://www.thinkuknow.co.uk/
Be aware of your surroundings when using your phone
Phones are an attractive target to thieves and whilst they’re with us all the time, they can be snatched or stolen easily. Think about your surroundings when you’re about to use your phone. Do you really want to turn your phone on, just as you walk out of the tube, or can you do it further down the street? If you’re sat in a café or bar, don’t leave your phone on the table. It is a prime target for snatching or a distraction theft. Of course, make sure that any handbags or rucksacks are secured too; trapping a chair leg around a handle is a good way to prevent a bag being stolen.
Are you walking along and browsing such that you haven’t noticed if someone is near you? You are particularly vulnerable if you’re tied up doing something else. Rather than walking home at night on the phone to a loved one, put the phone away so that you’re aware of everything going on around you.