IT Baseline Protection Manual

S 4.114 Use of the security mechanisms provided on mobile phones

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Users

Mobile phones and related services offered can be protected at various points by means of PINs and passwords. The facilities offered include the following:

Access to the SIM card

The SIM card can be protected against unauthorised access with a four- to eight-digit PIN. The subscriber identifies himself to the card using this PIN. If an unauthorised person gains possession of a SIM card, he cannot use it without also knowing the PIN. To prevent misuse of the SIM card, it is therefore essential that the option on the phone requiring entry of this PIN is activated so that once the mobile phone is switched on the PIN has to be entered. The PIN should not be kept with the mobile phone or SIM card.

Usually new mobile phones come with this PIN entry requirement disabled and a PIN is preconfigured. It is essential that the first time the phone is used the PIN is changed and activated. The PIN selected must not be a trivial number or a number that is easy to guess (e.g. 1111, date of birth etc.).

After three failed attempts at entering the PIN, the SIM card is blocked. To lift this block, an eight-digit unblock code must be entered. This is frequently referred to as the PUK (PIN Unblocking Key) or Super PIN. After ten entries of an incorrect PUK, the card is invalidated. This unblock code normally comes in a PIN notification letter together with the SIM card. It should be kept with the utmost care and protected against unauthorised access. Under no circumstances should the PUK be kept together with the mobile phone.

As well as the PIN, there is also a PIN2, an additional secret number which can be used to protect access to certain functions on the SIM card. It is often used to protect configuration changes on the SIM card that the user himself is not permitted to make, for example restrictions on use of the phone. For example, there might be a corporate telephone directory which can only be modified after entry of PIN2. PIN2 has its own unblock code (PUK2).
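The PIN/PUK behaviour described above (three wrong PINs block the card, an eight-digit PUK unblocks it, ten wrong PUKs invalidate it) as a small model, together with a check that rejects the trivial PINs the text warns against. This is an added illustration, not code from the manual; the class and function names, the `birth_date` parameter and the lockout states are assumptions made for the example.

```python
import re
from datetime import date

PIN_ATTEMPTS = 3   # wrong PINs before the SIM is blocked
PUK_ATTEMPTS = 10  # wrong PUKs before the SIM is invalidated

def is_trivial_pin(pin: str, birth_date=None) -> bool:
    """True for PINs a guesser tries first: wrong length, one repeated digit,
    ascending/descending runs, or any part of an ISO date of birth (1980-03-15)."""
    if not re.fullmatch(r"\d{4,8}", pin):
        return True                          # SIM PINs are four to eight digits
    if len(set(pin)) == 1 or pin in "0123456789" * 2 or pin in "9876543210" * 2:
        return True                          # e.g. 1111, 1234, 4321, 8901
    if birth_date is not None:
        forms = ("%Y%m%d", "%d%m%Y", "%d%m%y", "%y%m%d")
        if any(pin in date.fromisoformat(birth_date).strftime(f) for f in forms):
            return True                      # e.g. 1503 or 150380 for 15 March 1980
    return False

class SimCard:
    """States (assumed names): locked (PIN needed) -> ready; blocked (PUK needed); invalid."""
    def __init__(self, pin: str, puk: str):
        if is_trivial_pin(pin) or not re.fullmatch(r"\d{8}", puk):
            raise ValueError("PIN must be non-trivial and the PUK eight digits")
        self._pin, self._puk = pin, puk
        self.pin_left, self.puk_left = PIN_ATTEMPTS, PUK_ATTEMPTS
        self.state = "locked"                # what the phone asks for at switch-on

    def enter_pin(self, candidate: str) -> str:
        if self.state == "locked":
            if candidate == self._pin:
                self.pin_left, self.state = PIN_ATTEMPTS, "ready"
            else:
                self.pin_left -= 1
                if self.pin_left == 0:
                    self.state = "blocked"   # third failure blocks the card
        return self.state

    def enter_puk(self, candidate: str, new_pin: str) -> str:
        if self.state == "blocked":
            if candidate != self._puk:
                self.puk_left -= 1
                if self.puk_left == 0:
                    self.state = "invalid"   # tenth failure invalidates the card
            elif is_trivial_pin(new_pin):
                raise ValueError("replacement PIN is trivial")
            else:
                self._pin, self.state, self.pin_left = new_pin, "ready", PIN_ATTEMPTS
        return self.state
```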

Access to the mobile phone

In addition, there is generally also a security code for the mobile phone (device PIN) which is used to protect access to certain functions. Once again, this code should be changed to a user-defined value at the earliest opportunity. It should be written down and protected against unauthorised access. However, the device PIN does not have to be entered every time the mobile phone is switched on. For example, this PIN can be used to prevent the mobile phone being used with a different SIM card (anti-theft protection).

Access to mailbox

The network provider can set up a mailbox for every subscriber which amongst other functions serves as an answerphone. As the mailbox can be interrogated from anywhere and also from any terminal device, it must be protected against unauthorised access with a PIN. When the mailbox is first set up, the network provider issues a predefined PIN. It is important that this is changed immediately.

Other passwords

As well as the various personal identification numbers listed above, there may be additional passwords for various types of use. For example, a password will be required to access the user data held by the network provider. Thus, a password may be required when the user rings the hotline to query a bill. Services which incur additional charges, such as retrieval of information or getting the network provider to perform certain configurations, are generally protected through additional passwords. Like all other passwords, these should be chosen carefully and kept securely.

As a general rule, all PINs and passwords should be handled with care (see also S 2.11 Provisions governing the use of passwords).

There are many different security mechanisms available with mobile phones. Which of these are available and how they can be activated depends on the particular mobile phone used, the SIM card and the selected network provider. Therefore the network provider's operating instructions and security instructions should be evaluated carefully. Where company phones are used, it is recommended that the most important security mechanisms are preconfigured and also documented in a well laid out leaflet.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: October 2000