IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 5.94 Misuse of cards
Loss and theft of mobile phones are everyday occurrences. In addition to loss
of the phone itself, this can result in further financial loss. If an unauthorised
person gains possession of a SIM card (e.g. because he finds it or steals it), he
can make calls at the expense of the genuine cardholder as long as he knows
the PIN or can guess it easily.
Data such as telephone directories or short messages which are stored on the
mobile phone or SIM card may well be of a confidential nature. Loss of the
mobile phone or card may then mean disclosure of this stored information.
There have been instances in the past where the cryptographic security
mechanisms of the SIM cards provided by some network providers have
proved too weak. This meant it was possible to make copies of these network
providers’ SIM cards. However, to do this, the adversary must have the
original card. He also needs the PIN or, alternatively, the requirement to enter
the PIN must be deactivated in order that the IMSI can be read.
Such an attack can easily be prevented and detected by private users.
However, where a number of different people have access to the same mobile
phone it is possible for such an attack to be carried out and only noticed long
after the event. For example, this affects mobile phones from a pool or
companies which hire out mobile phones.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000