Mobile Theft Vulnerabilities: A Modern Day Heist
I recently heard about a report on the BBC regarding a string of thefts from Gyms
In these incidents, the thieves steal both the victim's phone (or possibly just their SIM card) and their bank card. The thieves then load the victim's bank's phone app on their own phone and register the victim's bank card with this app. To validate the switch to a new app, the bank sends a code via SMS to the victim's phone. The thieves are in possession of the phone and so they can read the SMS and validate the transfer. Once the card is registered on the thieves' phone they can use the app to get a PIN reminder for the bank card and from there they can use the bank card indiscriminately in shops to buy high value goods which they can later sell for cash.
Why Concealing SMS Messages isn't Enough
AHA! I hear you say! "This is simple to thwart - you should simple configure your phone not to display the contents of SMS messages when the phone is locked." Well, yes, you definitely should do this, but this is not enough. All the thief has to do to bypass your lock screen is simply remove the SIM from your phone and insert it into a different phone. Indeed, in one of the incidents I heard about, the thief did not steal the phone at all, they simply stole the bank card and swapped the SIM with a pre-paid pay-as-you-go SIM. This left the victim with a working phone (albeit with a different phone number). In the time it took victim to work out what was going on, the thieves had already put the real sim in their own phone, registered the banking app and spent thousands of pounds on the card.
The Forgotten Security Measure: The SIM Lock
"So what SHOULD I do?" you ask. There is a technique to prevent this which dates back to the early days of mobile phones but is rarely used today: Welcome back to our old, but faithful, friend the "SIM Lock". The SIM Lock is a 4 digit pin code which, as its name suggests, lives on your SIM, not on your phone. Whenever the SIM is powered up (i.e. when you switch your phone on), the phone will prompt you to provide the SIM PIN. The SIM refuses to operate until the correct PIN is provided and, what's more, the SIM will lock after 3 consecutive failed unlock attempts.
Understanding the Drawbacks of SIM Locks
Before we move on to the process of enabling the SIM Lock, lets just consider the couple of downsides of using the SIM Lock (they're not biggies):
1. Whenever you switch you phone on (that's switch it on or restart it, NOT unlock it), you will need to enter BOTH the SIM Lock AND the Phone lock. If you use a different PIN for your SIM and your phone (more on this later), you'll need to take care to check which one the phone is asking for because if you get confused and enter the phone PIN when it is asking for the SIM PIN you might end up locking your SIM. I don't think this is too much of a hassle - after all, how often do you actually switch your phone off completely?
2. As already mentioned you could accidentally lock your SIM. However the clever folks who invented the SIM PIN have you covered. Every SIM card has a 8 digit Personal Unblocking Key or PUK. The PUK does not change and is unique to your SIM and it can be obtained from your phone network provider before, or after you accidentally lock yourself out. You might be wondering why this isn't called a SIM Unlocking Code - Well, appart from the unfortunate acronym, its not called this because the PUK serves a dual purpose and is also the code you need if you're phone has been locked to a specific network provider. Apparently (according to this article: https://www.uswitch.com/mobiles/guides/how-to-get-your-puk-and-unlock-your-phone/ ) networks have't been able to sell locked phones that are locked to a single network since December 2021. If you're unlucky enough to have a phone that is locked then your network may refuse to give you the PUK until your initial contract term is done. N.B. The PUK should not be confused with the PAC (Porting Authorisation Code) - The PUK unlocks and locked SIM, the PAC is what you need if you want to move your phone number to a different network.
Preparing to Enable SIM Lock
So, you want to enable your SIM lock? There are a couple of potential gotchas here, but we can avoid these with a tiny bit of preparation:
1. First off, get your PUK. You only need to do this once - it won't change (unless you get a new SIM card). You don't have to wait until you've accidentally locked your SIM to get this. Some providers require that you phone customer services to get this, others provide access to it by logging into your account on their web site. In some cases, if you have the original credit-card-sized plastic holder your SIM came in, the PUK might be written on that - in this case it may be labelled either PUK or PUK1
Here are some links to help pages from the big UK network operators:
Vodafone: https://support.vodafone.co.uk/Phones...
GiffGaff: https://community.giffgaff.com/d/...
2. When you first enable your SIM Lock, your phone will ask you to enter the existing SIM PIN. Wait what? Yep - even if the SIM Lock isn't enabled, the SIM still has a PIN code. This will have been set to some default number by your network. The defaults vary from one network to another. This page provides a handy list of default PINs for different UK network providers: https://www.controlf.net/simpin/ . But if you want to be extra sure you should find the official web site from your network here are some examples
GiffGaff: https://www.giffgaff.com/help/...
领英推荐
Enabling SIM Lock
So once you've got your PUK and the default PIN for your SIM you'll need to actually enable the SIM Lock on your phone. Of course, in the process you will want to change the PIN to something that isn't the default. Security nerds will tell you that this should be different to the phone PIN. I don't disagree with this, but I can see this could get confusing and I think its better to enable SIM Lock and use the same PIN as your phone, than it is not enable the SIM Lock at all. So, if you can remember two PIN's then go ahead, but if that's going to confuse you then just use the same PIN for your SIM as for your phone.
You can find instructions for enabling SIM Lock on Apple and Android phones here:
Apple
The apple page oddly doesn't cover changing your SIM PIN, so this page might be more useful
Android
Hiding SMS Content from the Lock Screen
Is there anything else I should do? Definitely. The SIM Lock on its own is next to useless as a defence against the attack outlined above if you don't also configure your phone NOT to display the contents of SMS messages on your lock screen. So here are some links that explain how to do this on Android and Apple phone:
Apple
The apple page wasn't particularly clear to me - this page made more sense:
Android
(see the section titled "Control how notifications show on your phone's lock screen")
Some Lock Screen Messages can be Useful
This is a slight tangent, but one additional thing you might want to add to improve the chances of getting your phone back if you happen to lose it, is to add a message on your lock screen to help anyone finding your phone get it back to you. This is pretty straightforward on Android, but a bit fiddly on iPhone - see the links below for instructions. However, before doing this you should think carefully about message you show. My first thought was to add my wife's phone number, but it occurred to me that if someone stole my phone they might use this number as the basis of some sort of social engineering attack - perhaps calling this number and claiming that some accident had befallen me, attempting to panic my wife into divulging some sort of information. Obviously displaying contact information for an emergency contact when your phone is locked could be useful in an emergency, so this is a personal choice. My own approach is to use a virtual phone number which routes to a voicemail box which is configured to send any voicemails to my email. That way the phone displayed number isn't linked to any of my personal details or accounts, it doesn't reveal anything about where I live, but if someone does find my phone they can call it and leave a pessage which will be emailed to me. Of course, if my phone is lost (or stolen) and someone does leave me a message I'll need to think carefully about how I would respond to this - it probably wouldn't be wise to provide a postal address just in case the person contacting you was a theif trying to purpetrate some sort of identity theft.
Here are some links that will help with adding emergency contacts and deciding what to display on your lock screen...
Adding a custom message to your lock screen with Android
Adding a custom message to your lock screen with iPhone
More details about emergency contacts: