Tuesday, 10 April 2012

Combating phone theft - US takes a step forward but is it enough?

It seems that the theft of mobile phones is starting to be recognised in other parts of the world than the UK at the moment. A few of the American newspapers are reporting on the announcement that mobile network operators (or carriers as they are known over there) have done a deal with the FCC to block stolen mobile devices. This is all good news and I don't want to pour cold water over what is going to be generally good for the consumer in the long term.

This never used to happen in the old days

Why has it taken until now?

The concept of a global blacklist (or Central Equipment Identity Register [CEIR]) for mobile devices has been written in stone (well the GSM specs) for a very long time. See this paper from mobile security veteran Charles Brookson from 1994, which talks about the CEIR. Operators have quietly ignored this requirement and very few are connected to it. Even local blacklisting has been an issue over the years, with issues over sharing information with other operators inside single countries. The practical difficulties are always cited as well as cost. Having been involved in a lot of this debate, a lot of the arguments just don't wash. As an example, using prohibitive cost as a reason not to maintain a blacklist is laughable. Storage cost is ridiculously low, management is minimal and the operators themselves will see direct benefits from not allowing criminals to hook up stolen phones on their networks. The simple answer to network operator blacklisting is: "where there's a will, there's a way".

Identity changing is not the issue it once was

Another argument that has been frequently wheeled out is that criminals will just change the identity (the IMEI number) of the device to side-step the blocking system. The fact is that IMEI number changing has dropped off massively since the turn of the century as more security has been built into devices (through a lot of effort in a number of industry initiatives). My presentation 'Mobile Phone Theft: An unsolvable problem?' from 2011 expands on some of this. There is a 42 day breach reporting process run by the GSM Association which nearly all the manufacturers are involved in. It seems as though the manufacturers have played their part, but it could be argued that the network operators haven't.

What are governments doing?

It could also be argued that governments haven't really played their part in all of this. Only the UK has really stepped up and addressed the criminals who actually perpetrate these crimes with legislation and through a dedicated Police unit, the National Mobile Phone Crime Unit. What meaningful steps have other countries taken to help their citizens from the blight of mobile phone theft?

Are we addressing the right problem any more?

Apparently the US system is going to take two years to become operational and this is where I have a bit of an issue. Development and deployment could probably happen a lot more quickly than this, given that the standards have already existed for nearly 20 years. My other issue is about whether we're addressing the right problem anymore? If mobile phones have evolved to the point that they are now more mobile computer than phone, we should look at what will drive a thief. Thieves take phones generally for their inherent value. That is why historically, blocking a phone's network access has essentially disabled the device and made it valueless. This isn't the case in 2012. If you block the IMEI number, guess what? Anyone can still use the phone - you can use the WiFi connection to get on the web, you can use WhatsApp and Skype and you'll still be able to download stuff from app stores. While this still remains the case, mobile phone theft is going to continue to be a problem. In some ecosystems, the vendor is actually in a very strong position (think those companies with fruits in the name) and they have actually provided additional tools to help against theft. What they need to make sure now is that those devices are not 're-activated' after theft.

What can I as a user do to help myself?

  • It sounds a bit obvious, but make sure you use your device PIN-lock feature. It can be a pain to use, but it is highly effective in ensuring that whatever is on your device stays on your device. Although thieves generally just care about selling the device on, you still don't want all your personal data potentially going astray.
  • Another piece of sensible advice is to be aware of your surroundings; don't leave your phone on tables in cafes, be careful where you're using your phone (in dangerous neighbourhoods etc) and when out and about at night. In big cities, tube and metro exits are commonly targeted as people turn their phones on when they surface.
  • And finally, write down your IMEI number - you'll need this to give to the Police and network operator if your phone ever gets stolen. You can get the number from the back of your handset or by typing in *#06# at the home screen of your phone.
Don't advertise your phone to thieves

We're never going to stop people stealing things, but at least in the US and the UK life is being made slightly more difficult for thieves making things slightly more safe for you.



1 comment:

  1. I hate to be completely miserable but in all my experiences I have never met anyone who had any help of the police with a stolen phone. It is too often a case of, oh well. A mobile phone in the grand scheme of things may be minor to the police, but to an individual who relies on their phone for technology, data, work, family etc it's an irreplaceable item.

    ReplyDelete