Mobile phones can now store vast amounts of information
such as contacts, SMS, and e-mails. However, if your mobile phone
fell into the wrong hands, it could give your identity
away.
Pictures
As the saying goes, "A picture
is worth a thousand words"; it definitely is when it comes to
mobile phone identity theft. So, if you were to take a photograph
outside the front door of your house with a GPS-enabled mobile
phone, the geographical location of your house is embedded into the
picture. This would help attackers to identify the home address of
the mobile phone owner or indeed family members.
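A defensive check for the geotag described above, as an added example that is not part of the original article: it detects the EXIF GPS pointer (tag 0x8825) in a JPEG header and removes the Exif segment before the photo is shared. The function names and the sample image bytes are constructed for illustration, and the code assumes a well-formed JPEG header.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before start-of-scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # compressed image data follows; no metadata past here
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def has_gps(jpeg):
    """True if an Exif segment's IFD0 holds a GPS pointer (struct.error if truncated)."""
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            order = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
            (ifd0,) = struct.unpack(order + "I", tiff[4:8])
            (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
            for off in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12):  # 12-byte entries
                if struct.unpack(order + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                    return True
    return False

def strip_exif(jpeg):
    """Return the JPEG bytes with every Exif APP1 segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed sample: SOI, Exif APP1 whose IFD0 has a GPS pointer, SOS, EOI."""
    entry = struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)  # LONG, count 1, offset 26
    body = b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, 1) + entry + b"\x00" * 6
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xda\x00\x02\xff\xd9"
```

Stripping the whole Exif segment also removes other metadata such as camera model and timestamps, which is usually acceptable for a photo that is about to be shared.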
Applications
It is possible for a user to
enable automatic login for their social network account on their
smartphone. Therefore, if a phone with automatic login enabled
were stolen, a potentially endless amount of information could be
exploited. Other applications with a potentially harmful side
effect are those which record our movements and location, making it
possible to plot an individual's latest movements.
Bluetooth
"Bluesnarfing" is an attack on a user that attempts to exploit
Bluetooth vulnerabilities that allow the attacker to gain access to
data held on a phone. There are various forms of malware that
attempt to steal phone data. Although Bluetooth attacks are
currently rare, we should be aware of the vulnerabilities and have
Bluetooth activated only when we need it.
Contacts list
An attacker can try to track
down contact entries with telling names of "Home" or "Me" that can
then be used to start information gathering. I know of people who
store personal banking information as a contact under an alias name
such as "Lesley" for Lloyds. An informed criminal may be able to
apply credit and debit card formulas to this information and
identify further banking information. If you think you have been
cunning in the hiding of your financial information, think
again.
Text messages
Text messages are often
useful in gleaning a wealth of information about the mobile phone
owner. For instance, I examined the mobile phone of someone who
appeared to have just moved home; the handset contained a draft
(saved) text message saying "New address" which was promptly
followed by a full address and a telephone number. There were even
gas and electric meter readings recorded on the message.
E-mails
The information stored in an
e-mail box is limitless and is priceless information for an
identity thief. As we continue to rely on e-mail access on our
mobile phones, we are increasingly vulnerable to attack.
Calendars and notes
Some people store
meetings and significant events in their calendar, for example
"meeting with ABC bank". Again, a bold attacker may call the bank
and confirm the meeting and try to establish the victim's name.
Notes in a mobile phone are, in my experience, one of the most common
areas to store passwords and PINs, giving the attacker an easy step
towards card fraud or the unauthorised access of password-protected
information.
The purpose of this article is not to put you off mobile phones.
It is to make you think about what they are and what they mean to
you. My advice is that you treat a mobile telephone like anything
else you value. Lock it up and keep it secure, and if you happen to
sell your phone, or in a corporate environment it is
decommissioned, make absolutely sure that the critical resident
data is securely erased.
Stuart Clarke is a Forensic Consultant at 7Safe
Limited