A Mutable Log

The SIM card flaw and me

Recent news reports from Forbes and other outlets say that security researcher Karsten Nohl has discovered a flaw in SIM cards that use the older DES encryption standard. I was wondering how the flaw affects me.

I am a prepaid customer

I have been a prepaid customer for a while. I use mobile phones as internet-enabled devices, instead of using their carrier-enabled features. The apps I use are similar to those I use on the PC, such as Skype. Using internet-enabled apps does not mean I am immune to attacks, just that potential vulnerabilities get patched more regularly. Being a prepaid customer limits my exposure to a SIM hack where the attacker is able to use my credit.

I use e-mail

I use e-mail, and you do too. You probably already know that e-mail travels over the Internet in plain text. I avoid sending sensitive data over e-mail. If you are requested to, don’t send more data than the other party needs. If you think sending more data will ensure agility, think twice. Someone can intercept your message and find the extra information useful for social engineering. What is valid for e-mail is also valid for SMS messages and phone calls. Don’t assume they are any more secure than e-mail. If you have to, spread sensitive data across e-mail, SMS, and a phone call.

Security through obscurity

In the past, standards were based on the principle of security through obscurity and on intentionally weak cryptography. This reduced cost and complied with government regulations on the use of strong cryptography. Modern standards implement security by design, based on stronger encryption, public key infrastructure, and dynamic information that makes every transaction unique. SIM cards, and even chip-based payment cards, have a greater say in barring transactions. I favor technology that implements modern standards, and is upgradable or discardable when a vulnerability is found. As luck would have it, SIM cards are discardable.
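The point about "dynamic information that makes every transaction unique" is easiest to see side by side with a static scheme. The following is an added illustration, not code from the post or from any SIM or payment standard: a static-token verifier, which accepts the same credential for every transaction and therefore accepts a captured one again, beside a challenge-response verifier that issues a fresh random nonce per transaction, binds the amount into an HMAC, and consumes each nonce once. The shared key and the transaction amounts are constructed values for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example (assumption: a pre-shared key
# provisioned on the card and known to the verifier; not a real key).
SHARED_KEY = b"example-shared-key-not-a-real-one"


class StaticAuthVerifier:
    """Static-credential scheme: one fixed token authenticates every
    transaction, so anything observed once is valid forever."""

    def __init__(self, key: bytes) -> None:
        self.token = hashlib.sha256(key).digest()

    def verify(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self.token)


class ChallengeResponseVerifier:
    """Nonce-based scheme: the verifier issues a random challenge per
    transaction, the client answers HMAC(key, nonce || amount), and each
    challenge is accepted at most once."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: set[bytes] = set()  # challenges issued, not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, amount: int, response: bytes) -> bool:
        # A nonce that was never issued, or was already consumed, is a replay.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # one-shot regardless of outcome
        expected = hmac.new(self.key, nonce + amount.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes, amount: int) -> bytes:
    """Client side of the challenge-response: bind nonce and amount to the key."""
    return hmac.new(key, nonce + amount.to_bytes(4, "big"), hashlib.sha256).digest()


def demo() -> dict:
    """Run both schemes against a legitimate transaction and a replay of
    the captured messages. Returns the verifier decisions."""
    results = {}

    # Static scheme: an observer who captured the token can reuse it.
    static = StaticAuthVerifier(SHARED_KEY)
    captured_token = hashlib.sha256(SHARED_KEY).digest()
    results["static_legit"] = static.verify(captured_token)
    results["static_replay"] = static.verify(captured_token)

    # Challenge-response: the captured (nonce, response) pair is single-use.
    cr = ChallengeResponseVerifier(SHARED_KEY)
    nonce = cr.challenge()
    amount = 500  # constructed amount in cents
    response = client_respond(SHARED_KEY, nonce, amount)
    results["cr_legit"] = cr.verify(nonce, amount, response)
    results["cr_replay"] = cr.verify(nonce, amount, response)

    # Changing the amount under a fresh challenge also fails, since the
    # amount is bound into the MAC.
    nonce2 = cr.challenge()
    response2 = client_respond(SHARED_KEY, nonce2, amount)
    results["cr_tampered_amount"] = cr.verify(nonce2, 99_999, response2)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The one-shot nonce is what makes each transaction unique: the same captured message that the static verifier happily accepts twice is rejected the second time by the challenge-response verifier, and binding the amount means a replayed response cannot be redirected to a different value either.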