What SIM Card Vulnerability Means For Payments

The battle for our privacy and security may soon take a turn for the worse.

This was the implication of a New York Times story that indicated that 750 million mobile phones could be vulnerable to attack as a result of new research led by a German cryptographer.

In the piece, the newspaper spoke to Karsten Nohl, a German mobile security expert who said he has uncovered how to obtain the digital keys of mobile SIM cards. The discovery allowed him to spy on calls, make purchases through mobile payment systems and send viruses via text message, all from his personal computer.

“We can remotely install software on a handset that operates completely independently from your phone,” Nohl told the Times. “We can spy on you. We know your encryption keys for calls. We can read your SMS [messages]. More than just spying, we can steal data from the SIM card, your mobile identity and charge to your account.”  

Introduced in the early 1990s, SIM cards were long thought to be unhackable. As such, the announcement has captivated the technology community, as the results could have widespread implications in the mobile phone, payments and security industries.

But who is the man behind the report, and what do his findings mean for mobile phone users around the globe?

Who Is Karsten Nohl?

A 32-year-old, German-born cryptographer, Karsten Nohl graduated from the University of Virginia in 2008, and went on to found Berlin-based Security Research Lab. Nohl became well-known in security circles in 2009, when a software tool he published replicated keys used to encrypt mobile phone conversations. The industry adopted higher standards for its encryption methods following the publication, the Times said.

Nohl plans to present his new findings, which were the culmination of three years of research, at the Black Hat security conference on July 31. The conference runs from July 27 through August 1.

What Does Nohl’s Discovery Mean For Users?

In the interview, Nohl indicated that he was able to gain access to SIM cards due to a flaw in the system’s encryption method exhibited on roughly 25 percent of cell phones. Nohl said his team tested more than 1,000 SIM cards over a two-year period as part of the study.

The Times indicated that the damage from the discovery will likely be mitigated, as it exploited an outdated technology. D.E.S. encryption, the newspaper said, is used on about 3 billion cellphones. However, most operators have switched to Triple D.E.S. encryption, a stronger method for safeguarding SIM card information.

Before releasing the findings, Nohl submitted his work to the GSM Association, which represents the mobile payment industry. A spokesperson for the organization said that it has considered the study, and will be looking to provide guidance to network operators and SIM vendors that may have been impacted.

However, Forbes indicated that some areas in the developing world may be impacted more than others. It suggested consumers in Africa, where SIM-card payments are commonplace, could face the biggest threat. The GSM Association has estimated that there are upwards of 735 million SIM cards in use in Africa.

For more on the developing story, read Nohl’s interview with The New York Times.