Mobile Phone Services are targeted by hackers and stalkers because they have traditionally presented an easy target. Although mobile networks have improved their processes considerably, very few phone accounts are protected by the necessary security controls to keep their users safe from hacking or identity theft. When the phone is in the hands of young children, security couldn’t be more important.
ParentShield is designed to protect vulnerable users with a safe SIM card and is quite different from any other mobile network as a result. Here we look at the common vulnerabilities that mobile networks can suffer from.
SIM Hijacking, or SIMJacking is a broad term for technology or techniques for taking over the control of a SIM card by a third party. In its most technically-advanced forms, it can be performed by simply sending a specially-crafted SMS message to the phone. This can cause the SIM to perform simple tasks including sending data from the phone back to the bad guy.
Such information can include finding the phone location, user information, call information and even perform tasks on the phone. That’s pretty scary. A modern SIM card is actually a little computer in itself that can run small applications that are capable of doing a number of things – including sending and receiving messages or placing calls.
If you look inside your Mobile Phone you will probably find an Icon to open a “SIM Application Toolkit” that is designed to interface with the SIM and provide a way of generating a user interface with the SIM – with various menus, tools and suchlike.
No SIMJacking on ParentShield
ParentShield’s SIM cards don’t support the SAT ( SIM Application Toolkit ) and all SMS messages – the goto method of invoking such an attack – come to ParentShield phones via our SIM firewall. An example of this can be seen in the Apple iMessage setup SMS messages that ParentShield customers can choose to see. We strip the special control characters from the SMS ‘PDU’ – the encoded SMS message, and allow the message to be seen as if it were a standard message.
Number Jacking is the technique increasingly used to take over someone else’s mobile phone number – usually with a view to obtaining OTP ( One Time Passcodes ) such as those sent to authorise payments or access to websites that use the phone for Two Factor Authentication ( 2FA ).
‘Owning’ or in hacker speak ‘pwning’ someone’s phone number means it’s possible to access the Mose valuable and sensitive information controlled by that person. In many cases people find in a very short space of time that their bank accounts, social media accounts, and whole identity is compromised.
This can be achieved by a simple phone call to many mobile phone companies and, because they generally have very poor security processes, just pretending to be the account holder allows the attacker to close their account, and request a PAC that allows the number to be transferred to a new SIM.
In other cases, an SMS spoofing the number that’s being targeted can be sent to the mobile operator requesting a PAC. Although the PAC will be sent to the correct phone, rather than the attacker’s phone, it’s easy for the perpetrator to call the target and pretend to be the mobile network, either beforehand, or afterwards, or both, and dupe the target into revealing the code.
Domestic Control via NumberJacking
Although it may appear less abusive than identity theft it’s still possible for a partner or ex-partner to move numbers onto ”their network’ or within their actual account with a view to escalating control or power. Controlling someone’s mobile phone – their plan, minutes, texts and data is a powerful control and even wittingly allowing this control to fall into the wrong hands can become a real problem if relationships fall apart – it’s something that ParentShield sees every day.
No Number Jacking on ParentShield
ParentShield blocks all ‘shortcode’ SMS messages of the type used to communicate with the network so the most common variants of this attack will fail before they even start.
ParentShield users are NEVER presumed to have any authority or control in any way – so all the systems in place involve a direct communication with the parents.
While inbound number ports are possible onto the ParentShield network, they are never performed without question. The controls in place are considerably more stringent than with any other network. As a rule inbound Number Porting would only ever be performed on the instruction of a child’s social worker or a suitably-appointed welfare officer.
Phone Hacking or VoiceMail Hacking
Phone Hacking became a household name in the naughties with dozens of celebrities and espionage targets falling prey to unscrupulous, journalists in some cases, accessing voicemail messages. It has been widely practiced ever since the telephone voicemail has been in place, which is just about as long as there have been mobile phones.
Many people aren’t aware that their voicemail is stored totally unencrypted by their mobile phone company and can be accessed by simply using a simple PIN number that most mobile networks set to ‘0000’ by default. This means that anyone who wants to access your stored or current voicemail messages can do so without very much difficulty. Mobile networks have grown to have hundreds of millions of users and simply don’t have the support staff and systems to properly police SIM reset and access queries. Knowing just a little about the target – which you certainly would if it was your child’s or ex-partner’s child’s phone that you were trying to access.
No phone hacking with ParentShield
Voicemail always presumes that the person using the phone has the ability to secure and safely control their own phone and their own voicemail. So ParentShield has completely removed the VoiceMail system from its network. Obviously having no voicemail makes the process of hacking it redundant. In stead ParentShield has become the only network to put in place ‘Network Watch‘ alerts – alerting a user and their parent simultaneously when a phone returns to the network after a period of disconnection, say a flat battery or a trip to a very remote location.
Voicemail also potentially provides a vector for bullying. While it’s possible to block calls from any known, or all unknown callers on any network, this will usually direct the caller to voicemail. A voicemail message might be more emotionally inflamed, with the caller known that they have been blocked, and it’s still possible to leave threats or abusive messages. Not being able to reply even seems to make things even worse. Even repeat silent calls are threatening or worrying for any user.
With ParentShield – a blocked caller is exactly that. The recipient of the blocked call is totally unaware that the blocked call attempt has been made.
New Phone Number for a child
In many cases where any of the situations above have been experienced or attempted, it will be desirable to get a new phone for your child altogether. Moving to ParentShield will generate a new protected mobile number and move the control of the child’s phone to the appointed guardian.
While the child themselves receives a totally-normal mobile phone experience, callers will receive sufficient notice via ‘pre-call’ whispers to know that it’s a special ParentShield service. All our number ranges are designed to be ‘searchable’ via Google so if a parent or guardian suspects that their child’s mobile account has been moved without their knowledge, it’s possible to track the network down.
The mobile network displayed on the phone itself will also allow ParentShield to be identified by an adult if necessary. If you suspect that your child or anyone else is on ParentShield you can call 03301221180 and our security team will be able to advise you how to identify the mobile network and discover whether it is a ParentShield Phone or not.
Better Login Security
ParentShield’s my.engine-mobile.co.uk portal has been designed with the highest security needs in mind. Unlike most mobile networks, ParentShield can offer:
- Two Factor Login Authentication
- Login Alerts – to alert the account holder in case of unauthorised access
- Telephone verification controls
ParentShield has far stricter “KYC” processes than any mainstream mobile network. This allows our support and IT teams to better identify authorised users.
Children – the phone users themselves are NEVER presumed to have any authority to log in or change settings or preferences. This is very different to an adult network where possession of the phone brings you to within about 80% of the required authorisation to assume full control.