The very strange story of an old mobile phone

It is spreading like a small smoldering fire over the internet: criminals pay big money for your old Nokia 1100 mobile phone. They only seem to be interested in Nokia 1100s from 2001 or 2002, and the phones have to be manufactured in Germany (to be more precise: in Bochum). The news was released by the ‘company’ UltraScan on Saturday 18 April 2009, and the original press release can be read on the UltraScan website. All the media coverage on the subject made me think of the following.

The press release states that the criminals use these phones to capture the SMS messages in which online banking systems send TAN codes (one-time passwords used to sign an online banking transaction). But it does not give any proof for these claims.

How would this work? The attacker will need your login credentials for the online banking website and your mobile phone number. Of course, for a lot of people the mobile phone number can be found on the social networks, but then the attacker still needs your credentials. They cannot retrieve your mobile phone number from the online banking website, because (at least at the Dutch ING bank) it is partly obscured and cannot be changed online without a letter being sent to your postal address to confirm the change. The attackers need quite some information from you before they can target you with this kind of attack. Capturing TAN codes is just a small part of the attack in that case.

But let’s assume that the attacker has indeed retrieved your credentials and your mobile phone number, and that he is targeting you. Will your own phone disconnect from the provider’s network during the attack? If so, you would most likely notice your phone being disconnected from the network, which is a nice trigger that something is going on.

The other possibility is that both you and the attacker receive the SMS message at the same time, like some sort of cloned connection. In that case it is a nice warning system when your account is being plundered, because you will receive a TAN SMS at a time when you are most likely not even using the online banking system. If you call the bank as soon as you receive the SMS, the bank should have enough time to get your money back.

I doubt that this attack will work better than the current Man in the Middle and Man in the Browser attacks, which only need a little piece of malware installed on the victim’s PC and don’t require the difficult intelligence phase to collect the credentials and the mobile phone numbers.

Well, if the attack did work, how much would the criminals pay for this phone? The press release quotes the amount of 25.000 euros (around 32.000 dollars), which is quite a lot for a phone, even one with these characteristics. You would need to complete quite a lot of successful transactions to even get your investment back, let alone make some money. What kind of things could you do with 25.000 euros? Well, for starters you could build your own hardware which mimics the hardware of the Nokia 1100. If it is just for stealing SMS messages from other people, it doesn’t matter if the device doesn’t look like a phone. Criminals are smarter than to hunt down old mobiles if they can build the hardware themselves. So why didn’t they build the hardware themselves? Possibly because it needs to be a phone, not some SMS receiver. But why does it need to be a phone?

One of the people leaving a comment on this subject on the Engadget website is Paul Prijs. Paul explains that the phones can be used to send SMS messages to someone else using the same provider, and that the provider then does not keep records of where the SMS has been sent. This is of course highly useful for criminals: they can communicate by SMS without leaving traces. That is worth something, isn’t it? They are not going to walk around with some homemade device for this, so it needs to be the Nokia 1100. That is, of course, until someone finds a way to modify any phone to do this.

I hope UltraScan is wrong, but if they are right we have much worse problems than criminals trying to snoop on our TAN codes. If the story is true, it doesn’t just mean that the attackers can steal TAN codes sent by SMS; it means that the whole SMS system has been broken. Since this is a problem with an old phone, it seems that it cannot be solved from the provider’s side. Or it can, and they just don’t seem to bother to fix it.

In that case, from this day on we cannot trust SMS anymore. All your SMS messages to your loved one, all your SMS messages with passwords, or any SMS you could think of can be read by someone else. But on the other hand, I just looked through my SMS messages and overall they are actually pretty boring; who would want to read those anyway?

On the topic of UltraScan I could probably write another long blog post, which I won’t at this moment. The Dutch-based ‘company’, however, does not have a Dutch Chamber of Commerce registration and therefore is not a real company. Despite the cool flowcharts containing all the different parts of the ‘company’ and the claims of more than 3000 informants on their websites, the only person that ever surfaced to the outside world is Frank Engelsman. You might just think that it is one big one-man show.

I wouldn’t dare to say that Frank Engelsman has great delusions. But people could think that, and you can’t blame them.