While it is easy to intercept information from mobile phones used on analog networks, it is much harder to do so on such digital networks as the North American Personal Communication Services (PCS) and the European Global System for Mobile (GSM) telecommunications. This is so because the signals are encrypted, making them much more difficult to intercept without expensive equipment and a higher degree of technical expertise.
Although signal encryption during airtime is a standard feature of GSM networks, a network operator can choose not to implement it. In this case, when a handset is turned on to access the host base station for services, the subscriber is vulnerable to the same eavesdropping attacks as with analog systems.
GSM signal encryption is done via a programmable smart card—the Subscriber Identification Module (SIM), which slips into a slot built into the handset. Each customer has a personal smart card holding personal details (short codes, frequently called numbers, etc.) as well as an international mobile subscriber identity (IMSI)—equivalent to Mobile Identification Number (MIN) for analog systems—and an authentication key on the microprocessor.
Plugging the smart card into another phone will allow that phone to be used as if it were the customer’s own. This is convenient in that the subscriber needs only to carry the SIM while traveling and plug it into a rental phone at the destination location where the difference in frequency would preclude use of the owner’s phone. However, it is still possible for a technically savvy fraudster to access a microprocessor’s firmware for identification details and to reprogram them into other SIM cards.
Counterfeiting SIM cards for GSM phones can be accomplished by programming computer chips using a laptop computer and other peripheral equipment. Although cloning fraud is possible, the technical expertise required is such that fewer people will be able to engage in this activity. And the nature of the process is such that it cannot be done on a massive scale cost-effectively.
While cloning may have hit a higher technological barrier on GSM and PCS networks, other types of fraud, such as technical fraud in international roaming markets and subscription fraud, are on the rise. With GSM networks, there is little protection from the theft of authentication keys.
In fact, the use of mobile communications services by a growing subscriber base across an expanding network of roaming partners has created opportunities to defraud the digital networks to a degree not envisioned by participants in the early design phases of the technology. The weak link in GSM networks is the challenge-and-response technique incorporated into the authentication process, which allows the SIM to verify its IMSI by demonstrating knowledge of the authentication algorithm and of the unique subscriber key, referred to as the Ki.
The home system sends a random challenge to the handset, and only that handset can encrypt the challenge using both the algorithm and the Ki resident within the SIM assigned to that subscriber. Using the stored algorithm, the SIM generates the correct response back to the home system. In this scenario, the single point of failure is the authentication center in the home system.
Authentication should prevent fraudulent access to the wireless service, and the authentication center itself can be secured against internal and external theft of the IMSI and Ki sets. However, even this solution has its share of problems.
For example, when high call volumes and nonsignaling traffic threaten to overburden the system—as when subscribers roam to international locations, where the potential for intersystem bottlenecks is greatest—network administrators can reconfigure their systems to reuse the results of previous authentications, or to bypass the authentication process entirely, in order to reduce the traffic back to the home system.
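The challenge-and-response exchange described above, together with the reuse of earlier authentication results just mentioned, as an added Python simulation that is not part of the original text: the home authentication centre and the SIM are the only holders of Ki, the visited network compares the SIM's response with the expected one, and reusing a cached (RAND, SRES) pair lets a device that merely observed that pair pass where a fresh challenge would reject it. The real A3 algorithm is operator-specific and is stood in for by truncated HMAC-SHA256; the IMSI and Ki are constructed values.

```python
import hashlib
import hmac
import os

# Constructed subscriber record as the home authentication centre (AuC) holds it;
# IMSI and the 128-bit Ki are made-up. A3 is stood in for by HMAC-SHA256 (assumption).
IMSI = "001010123456789"
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")

def a3_stub(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 128-bit RAND -> 32-bit SRES under Ki."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Sim:
    """The subscriber's smart card: answers challenges, never exposes Ki."""
    def __init__(self, ki: bytes) -> None:
        self._ki = ki
    def respond(self, rand: bytes) -> bytes:
        return a3_stub(self._ki, rand)

class AuC:
    """Home authentication centre: the only holder of Ki besides the SIM."""
    def __init__(self, subscribers: dict) -> None:
        self._subscribers = subscribers
    def triplet(self, imsi: str) -> tuple:
        rand = os.urandom(16)  # fresh challenge and the response the genuine SIM must give
        return rand, a3_stub(self._subscribers[imsi], rand)

def authenticate(auc: AuC, handset, imsi: str, cached=None) -> tuple:
    """Visited network checks a handset; `cached` reuses an old (RAND, SRES) pair instead of a fresh AuC triplet."""
    rand, expected = cached if cached is not None else auc.triplet(imsi)
    return hmac.compare_digest(handset.respond(rand), expected), (rand, expected)

class ReplayOnly:
    """Device that knows one previously observed (RAND, SRES) pair and no Ki."""
    def __init__(self, pair: tuple) -> None:
        self._rand, self._sres = pair
    def respond(self, rand: bytes) -> bytes:
        return self._sres if rand == self._rand else bytes(4)

def reuse_defeats_auth(reuse_previous: bool) -> bool:
    """True when a device without Ki is accepted under the given reuse policy."""
    auc = AuC({IMSI: KI})
    ok, pair = authenticate(auc, Sim(KI), IMSI)  # genuine SIM, fresh challenge
    assert ok, "genuine SIM must always pass"
    accepted, _ = authenticate(auc, ReplayOnly(pair), IMSI, cached=pair if reuse_previous else None)
    return accepted
```

Under the fresh-challenge policy the observed pair is useless because the AuC issues a new RAND each time; under the reuse policy the same pair is accepted again, which is the exposure the text attributes to reconfiguring the network to reuse earlier results.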
As traffic increases, network administrators come under increasing pressure to alter or dispense with authentication out of the need to keep congestion down, customers happy, and revenues up. Unfortunately, tampering with authentication creates opportunities for fraud, which also can result in customer churn and lost revenues. The solution is to increase network capacity, which also costs money and can lead to customer churn if prices are increased.