Less Radiation

There was an interesting feature this week on BBC’s Watchdog programme about mobile phone text message spoofing. Two American researchers demonstrated how they are able to send fake MMS/Text messages that look like they’ve come from your bank to a smartphone.

This is a variation on phishing emails, but now on mobiles. All mobile network operators responded by saying that they weren’t aware of any real world use of this exploit that had so far left a single customer out of pocket – and they’re quite probably right. This seems like an awful lot of effort to go to if you want to get your hands on someones bank details & security passphrases.

I detailed on this site about 16 months ago that Dect cordless phones were now completely insecure. Anyone with a laptop, PCMCIA Com-On-Air Dect card & a decent antenna can record all you household phone calls from anywhere within a 200 metre radius of your home. Lots of older people now do home banking by telephone and over a series of calls you’ll be handing over full pins & security details. Even if you don’t give them to the bank you’ll be reusing them when you’re confirming your identity to insurance, utility & credit card providers – maybe you use that same 4 digit pin code for your home alarm & cashcard. Maybe you’re just paying for stuff with your credit card over the phone. If you live in a block of flats where tenants come and go every 6 months you’d be an easy target.

Ten years ago criminals could use an analogue radio scanner to record all the traffic on the old fashioned cordless home phones, perhaps to a computer for later analysis. They could use a DTFM decoder to figure out which number you’d called, and build up a profile that would leave them knowing you better than your best friend. Well now with the supposedly secure Dect phones they can take this further. Because each Dect phone has its own unique identifier – like the MAC address in your PC or the OUI number in a Bluetooth chip – it’s easy to zone out all the people you don’t want to listen to. Okay, only about half the Dect phones in use are insecure, but which half are you in? It’s not very reassuring is it? We’re nearly all using these Dect cordless phones at home these days.

Anyway, I saw not one article 16 months ago in the UK press or on TV about the Dect threat (although lots appeared in the German media), but now we need to worry about spoof texts. Go figure. If you really care about your health and security use a wired home phone.

As regards unusual text messages from your bank, apply some common sense – if it looks wrong, it’s because it is wrong. Wait until you get home and log onto your account there. Don’t ring numbers or use web links in these messages. Open a new browser window & check your balance from your 3G phone that way.

Pop into the bank and ask them about the real state of your account. If money diasappears from your account by a fraud that’s not your fault they’ll be giving you that money back anyway.

Smartphones are like mini PCs and they can get infected with malware and other nastiness, just like your home PC (for instance it’s now quite common for untrusting partners to secretly install tracking software on their partners smartphones to keep tabs on your whereabouts with GPS accuracy).

BBC Watchdog Story