05 Aug, 16
05 Aug, 16

Are You As Secure As You Think You Are?

Highlighting the vulnerable SIM card security system, the author opines that encryption of SIM cards can protect users against social engineering and hacks.

By

By Jayanth Varma

For quite some time now, I have been concerned that the SIM card in the mobile phone is becoming the most vulnerable single point of failure in online security. The threat model that I worry about is that somebody steals your mobile, transfers the SIM card to another phone, and goes about quickly resetting the passwords to your email accounts and other sites where you have provided your mobile number as your recovery option. Using these email accounts, the thief then proceeds to reset passwords on various other accounts. This threat model cannot be blocked by having a strong PIN or pattern lock on the phone or by remotely wiping the device. That is because, the thief is using your SIM and not your phone.

[su_pullquote align=”right”]The security issues are made worse by the fact that telecom companies simply do not have the incentives and expertise to perform the authentication that financial entities would do.[/su_pullquote]

If the thief knows enough of your personal details (name, data of birth and other identifying information), then with a little bit of social engineering, he could do a lot of damage during the couple of hours that it would take to block the SIM card. Remember that during this period, he can send text messages and Whatsapp messages in your name to facilitate his social engineering. The security issues are made worse by the fact that telecom companies simply do not have the incentives and expertise to perform the authentication that financial entities would do. There have been reports of smart thieves getting duplicate SIM cards issued on the basis of fake police reports and forged identity documents (see my blog post of three years ago).

A secure SIM card protects the user against social engineering.
A secure SIM card protects the user against social engineering. | Photo Courtesy: Pexels

Modern mobile phones are more secure than the SIM cards that we put inside them. They can be secured not only with PIN and pattern locks but also fingerprint scanner and face recognition software. Moreover, they support encryption and remote wiping. It is true that SIM cards can be locked with a PIN which has to be entered whenever the phone is switched off and on or the SIM is put into a different mobile. But I am not sure how useful this would be if telecom companies are not very careful while providing the PUK code which allows the PIN to be reset.

[su_pullquote]SIM encryption would keep SIM security completely in your hands and not in the hands of a telecom company that has no incentive to protect your SIM.[/su_pullquote]

If we assume that the modern mobile phone can be made reasonable secure, then it should be possible to make SIM cards more secure without the inconvenience of entering a SIM card PIN. In the computer world, for example, it is pretty common (in fact recommended) to do remote (SSH) login using only authentication keys without any user entered passwords. This works with a pair of encryption keys – the public key sits in the target machine and the private key in the source machine. A similar system should be possible with SIM cards as well, with the private key sitting on the mobile and backed up on other devices. Moving the SIM to another phone would not work unless the thief can also transfer the private key. Moreover, you would be required to use the backed up private key to make a request for a SIM replacement. This would keep SIM security completely in your hands and not in the hands of a telecom company that has no incentive to protect your SIM.

This system could be too complex for many users who use a phone only for voice and non critical communications. It could therefore be an opt-in system for those who use online banking and other services a lot and require higher degree of security. Financial services firms should also insist on the higher degree of security for high value transactions.

I am convinced that encryption is our best friend: it protects us against thieves who are adept at social engineering, against greedy corporations who are too careless about our security, and against overreaching governments.The only thing that you are counting on is that hopefully P ? NP.

Jayanth Varma is a professor of finance working at the Indian Institute of Management, Ahmedabad.

This article was originally published on Jayanth Varma’s Blog.

Featured Image Source: Passel

[su_note note_color=”#d2eaf6″]Fresh insights delivered to your phone each morning. Download our Android App today![/su_note]

Stay updated with all the insights.
Navigate news, 1 email day.
Subscribe to Qrius

About Author

what is qrius

Qrius reduces complexity. We explain the most important issues of our time, answering the question: "What does this mean for me?"

Featured articles

1

Before Christ

What Does BCE Mean? Difference between BCE, CE, BC and AD
2

GDP

Revealing the Top 10 GDP Countries of 2024: A Deep Dive into Global Economic Powerhouses
3

Android

The Ultimate Guide to the Best Car Racing Games for Android in 2024
4

cars

Best Family Car in India in 2024: Experience Memorable Journeys with Loved Ones
5

Extreme sports

Hidden Chess Rules: Elevate Your Game with Secret Strategies
6

adventure sports

Cristiano Ronaldo vs Lionel Messi: Why Cristiano Ronaldo Is Better
7

40 Top GK Questions: Boost Your Knowledge Quotient!
8

Why has increased productivity not led to more free time?
9

gita

Gita quotes on karma: Want to live your best life? Laws to live by…
10

Facebook

Facebook and Instagram down: What reason did Meta give?