05 Aug, 16

Are You As Secure As You Think You Are?

Highlighting the vulnerable SIM card security system, the author opines that encryption of SIM cards can protect users against social engineering and hacks.

By Jayanth Varma

For quite some time now, I have been concerned that the SIM card in the mobile phone is becoming the most vulnerable single point of failure in online security. The threat model that I worry about is that somebody steals your mobile, transfers the SIM card to another phone, and goes about quickly resetting the passwords to your email accounts and other sites where you have provided your mobile number as your recovery option. Using these email accounts, the thief then proceeds to reset passwords on various other accounts. This threat model cannot be blocked by having a strong PIN or pattern lock on the phone or by remotely wiping the device. That is because the thief is using your SIM and not your phone.

If the thief knows enough of your personal details (name, date of birth and other identifying information), then with a little bit of social engineering, he could do a lot of damage during the couple of hours that it would take to block the SIM card. Remember that during this period, he can send text messages and WhatsApp messages in your name to facilitate his social engineering. The security issues are made worse by the fact that telecom companies simply do not have the incentives and expertise to perform the authentication that financial entities would do. There have been reports of smart thieves getting duplicate SIM cards issued on the basis of fake police reports and forged identity documents (see my blog post of three years ago).

Modern mobile phones are more secure than the SIM cards that we put inside them. They can be secured not only with PIN and pattern locks but also with fingerprint scanners and face recognition software. Moreover, they support encryption and remote wiping. It is true that SIM cards can be locked with a PIN which has to be entered whenever the phone is switched off and on or the SIM is put into a different mobile. But I am not sure how useful this would be if telecom companies are not very careful while providing the PUK code which allows the PIN to be reset.

If we assume that the modern mobile phone can be made reasonably secure, then it should be possible to make SIM cards more secure without the inconvenience of entering a SIM card PIN. In the computer world, for example, it is pretty common (in fact recommended) to do remote (SSH) login using only authentication keys without any user-entered passwords. This works with a pair of encryption keys: the public key sits in the target machine and the private key in the source machine. A similar system should be possible with SIM cards as well, with the private key sitting on the mobile and backed up on other devices. Moving the SIM to another phone would not work unless the thief can also transfer the private key. Moreover, you would be required to use the backed up private key to make a request for a SIM replacement. This would keep SIM security completely in your hands and not in the hands of a telecom company that has no incentive to protect your SIM.
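A sketch of the scheme proposed above, added here as an illustration and not taken from the original article: the operator keeps only a public key and accepts a network attach or a SIM replacement request only with a signature over a fresh challenge. The article specifies no protocol, so Ed25519, the nonce challenge and the names `Carrier`, `Enroll`, `Challenge`, `Sign` and `Authorize` are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Carrier (hypothetical) stores only the public key, like authorized_keys.
type Carrier struct {
	enrolled ed25519.PublicKey
	pending  map[string]bool // nonces issued, not yet used
}

// Enroll creates the pair on the phone and registers only the public half.
func Enroll() (*Carrier, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Carrier{enrolled: pub, pending: map[string]bool{}}, priv
}

// Challenge issues a fresh nonce so a captured signature cannot be replayed.
func (c *Carrier) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	c.pending[string(n)] = true
	return n
}

// Sign runs on the phone, or on a backup device for a replacement request.
func Sign(priv ed25519.PrivateKey, action string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(action+"\x00"), nonce...))
}

// Authorize needs an outstanding nonce and a valid signature over action, NUL, nonce.
func (c *Carrier) Authorize(action string, nonce, sig []byte) bool {
	ok := c.pending[string(nonce)]
	delete(c.pending, string(nonce)) // single use
	return ok && ed25519.Verify(c.enrolled, append([]byte(action+"\x00"), nonce...), sig)
}

func main() {
	c, priv := Enroll()
	n := c.Challenge()
	fmt.Println("owner attach:", c.Authorize("attach", n, Sign(priv, "attach", n)))
}
```

Because the action name is part of the signed message, a signature captured for `attach` cannot be reused to authorize `replace-sim`, and a SIM moved to a phone holding a different key fails the same check.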

This system could be too complex for many users who use a phone only for voice and non-critical communications. It could therefore be an opt-in system for those who use online banking and other services a lot and require a higher degree of security. Financial services firms should also insist on the higher degree of security for high value transactions.

I am convinced that encryption is our best friend: it protects us against thieves who are adept at social engineering, against greedy corporations who are too careless about our security, and against overreaching governments. The only thing that you are counting on is that hopefully P ≠ NP.


Jayanth Varma is a professor of finance working at the Indian Institute of Management, Ahmedabad.

This article was originally published on Jayanth Varma’s Blog.
