T 5.94 Misuse of cards

Loss and theft of mobile phones are everyday occurrences. In addition to loss of the phone itself, this can result in further financial loss. If an unauthorised person gains possession of a SIM card (e.g. because he finds it or steals it), he can make calls at the expense of the genuine cardholder as long as he knows the PIN or can guess it easily.

Data such as telephone directories or short messages which are stored on the mobile phone or SIM card may well be of a confidential nature. Loss of the mobile phone or card may then mean disclosure of this stored information.

There have been instances in the past where the cryptographic security mechanisms of the SIM cards provided by some network providers have proved too weak. This meant it was possible to make copies of these network providers' SIM cards. However, to do this, the adversary must have the original card. He also needs the PIN or, alternatively, the requirement to enter the PIN must be deactivated in order that the IMSI can be read.

Such an attack can easily be prevented and detected by private users. However, where a number of different people have access to the same mobile phone it is possible for such an attack to be carried out and only noticed long after the event. For example, this affects mobile phones from a pool or companies which hire out mobile phones.