Mobile phones can now store vast amount of information such as contacts, SMS, and e-mails. However, if your mobile phone fell into the wrong hands, your phone could give your identity away.
As the saying goes, "A picture is worth a thousand words"; it definitely is when it comes to mobile phone identity theft. So, if you were to take a photograph outside the front door of your house with a GPS-enabled mobile phone, the geographical location of your house is embedded into the picture. This would help attackers to identify the home address of the mobile phone owner or indeed family members.
It is possible for a user to enable automatic login for their social network account on their smartphone. Therefore, if a phone was stolen with such capabilities, potentially endless amounts of information may be exploited. Other applications, with a potentially harmful side effect, are those which record our movements and location making it possible to plot an individual's latest movements.
"Bluesnarfing" is attacking a user by attempting to exploit Bluetooth vulnerabilities that allow the attacker to gain access to data held on a phone. There are various forms of malware that attempt to steal phone data. Although Bluetooth attacks are currently rare, we should be aware of the vulnerabilities and have Bluetooth activated only when we need it.
An attacker can try to track down contact entries with telling names of "Home" or "Me" that can then be used to start information gathering. I know of people who store personal banking information as a contact under an alias name such as "Lesley" for Lloyds. An informed criminal may be able to apply credit and debit card formulas to this information and identify further banking information. If you think you have been cunning in the hiding of your financial information, think again.
Text messages are often useful in gleaning a wealth of information about the mobile phone owner. For instance, I examined the mobile phone of someone who appeared to have just moved home; the handset contained a draft (saved) text messages saying "New address" which was promptly followed by a full address and a telephone number. There were even gas and electric meter readings recorded on the message.
The information stored in an e-mail box is limitless and is priceless information for an identity theft. As we continue to rely on e-mail access on our mobile phone we are increasingly vulnerable to attack.
Calendars and notes
Some people store meetings and significant events in their calendar, for example "meeting with ABC bank". Again a bold attacker may call the bank and confirm the meeting and try to establish the victim's name. Notes in a mobile phone are in my experience one of the most common areas to store passwords and Pins, giving the attacker an easy step towards card fraud or the unauthorised access of password-protected information
The purpose of this article is not to put you off mobile phones. It is to make you think about what they are and what they mean to you. My advice is that you treat a mobile telephone like anything else you value. Lock it up, keep it secure and if you happen to sell your phone or in a corporate environment it becomes decommissioned - make absolutely sure that the critical resident data is securely erased.
Stuart Clarke is a Forensic Consultant at 7Safe Limited
This was first published in March 2009