Karsten Nohl, Security Researcher Hacks SIM Cards with SMS

Forbes reported earlier in the week that Karsten Nohl, a German researcher, has managed to hack the encryption found on about a quarter of all SIM cards.

Breaking the encryption allows Nohl to install custom software onto a breached SIM, which could potentially send stealth text messages, redirect calls the user is making to a different phone number, or authorize pre-installed apps such as Visa using the phone number.

This is a highly advanced form of phone number spoofing – which isn’t new.

The main vulnerabilities fall into 3 categories:

1. Using the SIM as an authorization method for the user's phone number

2. Directing calls and text messages without the user's knowledge or permission

3. Confidence fraud: directing others to act, such as opening a phishing web page.

Whether you call this fraud SIM Spoofing, Phone Number Spoofing or Identity theft, it is actually most similar to Account Takeover Fraud.

4 Considerations to Combat Account Takeover Fraud of SIM Cards

1. Remove the burden of trust from the user

Having their SIM card taken over is similar to having their email account broken into or their phone stolen. Consider your solution in this light.

2. Don’t rely on a single device as a security countermeasure

Would two-factor authentication by text message be as secure as an email, telephone call or app when authorizing financial movements?

When a call is being redirected to a premium rate number, how will you notify the customer so they can decide whether they should proceed?

3. Have you considered the user's normal behaviour (behaviour analytics) in your risk-based authentication?

Moving money by SMS is much more common in Africa than in areas where internet access is faster and more stable.

That said, who uses premium rate phone numbers the most? Some users will call premium rate booking lines all the time, some will never stray from the same 10 phone numbers.

We’ve all had the calls from our banks about suspicious activity. Now that more app ecosystems have credit cards attached, all providers, particularly telcos, should be adopting behavior analytics systems to drive powerful risk-based authentication.

4. Do you have adaptive security?

Suppose you’ve discovered the premium rate telephone numbers that hacked SIMs are being directed to call or text. How are you going to protect your customers going forward?

Banning a known bad phone number is very similar to how websites used blacklists to block spammers: it is just a game of cat and mouse, so you need to think further ahead.

Have you considered the behaviors behind the crime? What patterns do the frauds exhibit? Are the original OTA text messages that originate the fraud coming from a certain origin, at a certain time? Is there a trend in the SIM card identifiers or mobile phone number ranges that are affected?
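To make the behaviour analytics and pattern questions from points 3 and 4 concrete, here is an added example (not code from the original article or from any vendor) of the defender-side logic: it builds a per-subscriber baseline from past call/SMS records, scores each new event against that baseline (unfamiliar peer, premium-rate destination, a subscriber who never uses premium-rate numbers), maps the score to an adaptive response, and separately groups OTA SMS by origin/hour and by IMSI prefix to surface campaign-like clustering. All phone numbers, IMSIs, the premium-rate prefix and the thresholds are constructed placeholders and assumptions, not values from the page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: this prefix stands in for a premium-rate number range.
PREMIUM_PREFIXES = ("+4490",)


@dataclass
class Baseline:
    top_numbers: set      # the subscriber's usual peers
    premium_share: float  # fraction of past events that went to premium-rate numbers


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def build_baselines(history, top_n=10):
    """Summarise each subscriber's normal behaviour from past call/SMS events."""
    by_sub = defaultdict(list)
    for ev in history:
        by_sub[ev["msisdn"]].append(ev["peer"])
    baselines = {}
    for msisdn, peers in by_sub.items():
        top = {n for n, _ in Counter(peers).most_common(top_n)}
        share = sum(is_premium(p) for p in peers) / len(peers)
        baselines[msisdn] = Baseline(top, share)
    return baselines


def risk_score(event, baseline):
    """Score one new call/SMS against the subscriber's baseline (0 = normal)."""
    score, reasons = 0, []
    if event["peer"] not in baseline.top_numbers:
        score += 1
        reasons.append("peer not among usual numbers")
    if is_premium(event["peer"]):
        score += 1
        reasons.append("premium-rate destination")
        if baseline.premium_share < 0.05:  # assumed threshold
            score += 1
            reasons.append("subscriber normally never uses premium-rate numbers")
    return score, reasons


def decide(score):
    """Adaptive response: confirm out of band instead of silently blocking."""
    if score >= 3:
        return "step-up"  # hold the event and confirm via another channel
    if score == 2:
        return "notify"   # let it proceed but alert the customer
    return "allow"


def evaluate(history, new_events):
    """Return {(msisdn, peer): (decision, reasons)} for each new event."""
    baselines = build_baselines(history)
    out = {}
    for ev in new_events:
        b = baselines.get(ev["msisdn"], Baseline(set(), 0.0))  # unknown user: empty baseline
        score, reasons = risk_score(ev, b)
        out[(ev["msisdn"], ev["peer"])] = (decide(score), reasons)
    return out


def ota_clusters(ota_events, min_count=3):
    """Group OTA SMS by (origin, hour) and by IMSI prefix to spot campaign-like clustering."""
    by_origin_hour = Counter((e["origin"], e["hour"]) for e in ota_events)
    by_imsi_prefix = Counter(e["target_imsi"][:10] for e in ota_events)
    return ({k: v for k, v in by_origin_hour.items() if v >= min_count},
            {k: v for k, v in by_imsi_prefix.items() if v >= min_count})


# Constructed sample records (not real subscribers or traffic).
HISTORY = (
    [{"msisdn": "+447700900001", "peer": "+447700900100"}] * 5
    + [{"msisdn": "+447700900001", "peer": "+447700900101"}] * 3
    + [{"msisdn": "+447700900002", "peer": "+447700900200"}] * 6
    + [{"msisdn": "+447700900002", "peer": "+449012345678"}] * 4
)
NEW_EVENTS = [
    {"msisdn": "+447700900001", "peer": "+449012345678"},  # never premium before -> step-up
    {"msisdn": "+447700900002", "peer": "+449012345678"},  # their usual premium line -> allow
    {"msisdn": "+447700900001", "peer": "+447700900100"},  # routine call -> allow
    {"msisdn": "+447700900002", "peer": "+449099999999"},  # new premium number -> notify
]
OTA_SMS = [
    {"origin": "+15550009999", "hour": 3, "target_imsi": "234100000100001"},
    {"origin": "+15550009999", "hour": 3, "target_imsi": "234100000100002"},
    {"origin": "+15550009999", "hour": 3, "target_imsi": "234100000100003"},
    {"origin": "+15550001111", "hour": 14, "target_imsi": "234150000200004"},
]

if __name__ == "__main__":
    for key, (action, why) in evaluate(HISTORY, NEW_EVENTS).items():
        print(key, action, why)
    print(ota_clusters(OTA_SMS))
```

The point of the three-tier decision is that a subscriber who has never touched a premium-rate number gets an out-of-band confirmation rather than a silent block, while a subscriber whose baseline already includes that line is left alone; the OTA clustering shows the same origin hitting adjacent IMSIs in one hour, which is the kind of trend the questions above ask about and which a static number blacklist would never reveal.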


The technology already exists in the financial fraud and web fraud detection spaces. What is changing is that the ‘eco-systems’ of apps often use device identifiers such as SIM cards, IMEIs and phone numbers as a way of authenticating the user. As these get tied more closely to bank accounts and credit cards, the need for behavior piercing technology has never been higher.