BBC Watchdog: Mobile Spoofing

Posted by Tony (What Consumer Founder, Bolton), Apr 7, 2008
Text messages were once just a way for friends to keep in touch. Today, we're as likely to receive a message on our phone from our bank or phone operator and we trust these messages are genuine, because the company names appear in the top of the message.

However, two top security consultants from America have shown Watchdog how flaws in the mobile phone networks mean this trust could be exploited.

Zane Lackey from iSec Partners in New York, and Luis Miras, a security consultant from San Francisco, showed how they can send messages to any phone in the world and make the messages appear to come from any number or name they choose.

The messages can look like they have been sent from a friend's number, or like they come from an official company such as a bank. They look so authentic that the phone treats them as genuine, with no indication that they were sent by someone else. Zane and Luis can also keep their own identity private.

The messages are actually MMS (Multimedia Messaging Service) messages but to most phones they appear as text messages.

Zane and Luis showed Anita how it worked. She had a phone with a real text message which had been sent by a bank confirming an online transaction. They were then able to send a message which appeared to come from exactly the same source and said exactly the same thing.

iPhone handset believed it was genuine
The message was so convincing that the iPhone Anita was using believed it was genuine and listed it directly underneath the real message from that bank.

"There would be no question in my mind that this had come from the bank," said Anita. All phones tested by Zane and Luis can receive these messages.

Flaw lies with mobile networks
The flaw lies with the mobile networks themselves rather than with the phones. Orange was the only UK network which didn't allow their fake messages to go through.

The experiment
We decided to test how easily people would be taken in by such messages. We asked four Watchdog viewers to be filmed for a day as they went about normally using their phones. They each had different handset models and were on different networks.

We told them we were making a film about how much people use their mobiles. What we didn't tell them was that Zane and Luis were waiting round the corner ready to send them a message pretending to be from their bank. Our researchers had already found out the name of their bank during discussions with them beforehand.

The message said the name of their bank in the 'from' section and told them £300 had been transferred from their bank account. It also gave them a telephone number to call in case they had any queries.

During the day each participant received the message. One person chose to ignore it while she was being filmed. Two others were so worried by the message that they checked their bank accounts immediately and realised no money had been debited.

Our final participant did believe the message and called the number we had given. She believed the person at the end of the line was from her bank.

Instead it was a Watchdog researcher pretending to be an employee of that bank. The participant gave her full bank details, including her address and mother's maiden name.

We destroyed the personal information we had been given, and when we told our participants about what we had done they were shocked.

Since our experiment relied on being able to know the phone numbers and bank accounts of our individual participants, Luis explained how a criminal might exploit the flaw if they didn't have that information:

"This is similar to phishing, where you're emailing lots and lots of people, and as long as a certain number respond then you'll be able to get their personal details. So it's a numbers game."

Zane and Luis discovered this flaw last year and presented it to a security conference in Las Vegas in July 2009. At the same time, they informed the organisation which represents the world's mobile phone networks - the GSM Alliance. To date, the flaw has not been fixed.


COMPANY RESPONSES:

GSM Alliance:
"GSMA's Security Group regularly becomes aware of claims of security compromise and communicates these to its network operator members for assessment and consideration. We became aware of this issue [announced by iSEC] last year and we reported our findings to our members at that time. As mobile operators have complex networks with unique characteristics, our members take the findings and decide on how to implement them in their own individual environments.

"We have not been made aware of actual attacks such as this but are confident that operators could quickly identify large scale phishing attacks using MMS spoofing with the variety of existing network monitoring mechanisms that they deploy. The GSMA is not a consumer-facing body and it is not our role to address our members' customers."

Vodafone:
"We are aware of the possibility of message 'spoofing' that ISEC Partners has been able to create with a test group. To date, no customer has reported such an incident to us.

Security and fraud prevention are a priority for all network operators. Our fraud and security team work both independently and in co-operation with other mobile operators to help protect customers from fraudulent activity.

We urge all our customers never to give out their personal details in response to unsolicited messages or emails. If they are in doubt as to the legitimacy of a message, they should not reply to it. More details about phone security can be found at www.getsafeonline.com."


T Mobile:
"We are aware of the possibility of message 'spoofing' that ISEC Partners has been able to create with a test group.

"To date, no customer has reported such an incident to us.

"Security and fraud prevention are a priority for all network operators. Our fraud and security team work both independently and in co-operation with other mobile operators to help protect customers from fraudulent activity.

"We urge all our customers never to give out their personal details in response to unsolicited messages or emails. If they are in doubt as to the legitimacy of a message, they should not reply to it.

"More details about phone security can be found at www.getsafeonline.com."

O2:
"We are aware of the possibility of message 'spoofing' that ISEC Partners has been able to create with a test group. To date, no customer has reported such an incident to us.

"Security and fraud prevention are a priority for all network operators. Our fraud and security team work both independently and in cooperation with other mobile operators to help protect customers from fraudulent activity.

"We urge all our customers never to give out their personal details in response to unsolicited messages or emails. If they are in doubt as to the legitimacy of a message, they should not reply to it. More details about phone security can be found at www.getsafeonline.com."

3:
"We are aware of the possibility of message 'spoofing' that ISEC Partners has been able to create with a test group.

"To date, no customer has reported such an incident to us.

"Security and fraud prevention are a priority for all network operators. Our fraud and security team work both independently and in co-operation with other mobile operators to help protect customers from fraudulent activity.

"We urge all our customers never to give out their personal details in response to unsolicited messages or emails. If they are in doubt as to the legitimacy of a message, they should not reply to it. More details about phone security can be found at www.getsafeonline.com."

Virgin Mobile:
"As a responsible mobile service provider, we take the security of our customers very seriously. Whilst we have not received any customer reports of this issue to date, we are working closely with our network provider T-Mobile to ensure our customers are protected."

Tesco Mobile:
"We are aware of the possibility of message 'spoofing' that ISEC Partners has been able to create with a test group. To date, no customer has reported such an incident to us.

"Security and fraud prevention are a priority for all network operators. Our fraud and security team work both independently and in cooperation with other mobile operators to help protect customers from fraudulent activity.

"We urge all our customers never to give out their personal details in response to unsolicited messages or emails. If they are in doubt as to the legitimacy of a message, they should not reply to it. More details about phone security can be found at www.getsafeonline.com."

Talk Mobile:
"As a virtual network operator, we do not own our own network infrastructure and do not participate in the GSM Alliance. We therefore rely on our network partner Vodafone to provide the actual network security.

Nevertheless, we were very concerned to learn of the security risks highlighted in your report and are working with our partner to tackle this issue as quickly as possible. We recommend that customers consult their banks should they receive any suspicious communications and follow their advice in relation to safeguarding their personal details.

We have informed our Customer Service staff to be aware of this issue and will publish suitable warnings for our customers on our website."
