Be aware or beware!
While reading some reports about the Assam bombing (2008), I came across an interesting technological surprise. Three men were arrested in connection with the serial blasts, including Nazir Ahmed, a Muslim whose number was used by Islamic Security Force (Indian Mujahideen) to send an SMS claiming the responsibility of the blasts.
Nazir was interrogated and it was discovered that his SIM card was being used simultaneously from two handsets. A new technology – SIM cloning – had emerged and was termed as a ‘technological surprise’ by local police to mask their lack of know-how.
Whether Nazir Ahmed was actually involved in the bombings or not is a separate issue, what really interests me was the technology that came to the forefront after investigation. I decided to visit mobile malls to get a SIM card cloned (for the purpose of writing this article) and to see what people know about SIM cloning. I went to numerous shops and asked the shopkeepers to create a copy of my SIM card so I can operate one number from two different mobile phones simultaneously. I told them that I don’t want to swap my SIM card again and again.
The request was so unusual that it drew the attention of people standing near me. Many shop owners laughed at my request and argued that this technology doesn’t exist anywhere in the world. The customers who were standing at the shops also pitched in, and tried to convince that I was asking for an impossible task.
Not everyone in the mobile mall considered my request stupid, though. A retailer told me that making a copy of a SIM card is an illegal activity and they don’t perform such tasks. When I insisted on being referred to a place or person who could do this for me, I was told, “Such fraudulent activities are performed in Saddar, hackers can do this. But we don’t know anyone, and even if we knew someone we won’t tell you because it is illegal.”
I was advised to drop the idea because the CPLC takes strict action if they get to know about it. I stepped out of the mall smiling at the confidence of people (who were trying to prove me wrong), and feeling proud that there are still some people who refuse to do illegal activities.
For all those who have read this term for the first time, SIM cloning is a process of duplicating your SIM card. It is an illegal activity that can be performed by extracting the secret codes of these cards. SIM cards were considered to be the safest part of mobile phones, but illicit activities like cloning and hacking have left a question mark over their security.
A SIM (Subscriber Identification Module) consists of two secret codes: an IMSI (International Mobile Subscriber Identifier) number, which is usually 15 digits long but can be one or two digits shorter, and a 128-bit Ki value used in authenticating the SIM on a mobile network. These secret codes enable the operator to authenticate the customer and bill her/him.
To clone a SIM card, you need to extract the IMSI number and Ki value first. Any SIM reader or scanner can be used for this purpose. Once you have the code, you can copy it to the blank or programmable SIM card through software. Cloning a SIM card requires sophisticated equipment and software to read and copy the necessary information.
But are these tools available easily in Pakistan? Mirza Burhan Baig, Information Security Executive at Server4Sale LLC says, “The equipment is not readily available in Pakistan, although there are many tools that can be purchased online”. Every user relies on local cellular service providers to keep communication going, so are Pakistani SIM cards easy to hack or clone? He replied, ”I cannot say which cellular network is vulnerable and which is not, but a company with better plans for security, better infrastructure and better policies to avoid a security breach is certainly less vulnerable to such things than others.”
When it comes to SIM card security and encryption issues, no one can address concerns better than the mobile network operator themselves. So I met Ashar Hayat Siddiqui, Regional Technical Head (South) Warid Telecom. According to Siddiqui, Warid SIM cards are imported from international vendors and are based on COMP128v3 (an algorithm that cannot be cracked easily). “I have gathered the data from every city, but no case of cloning or hacking is reported yet.” He took me back to the days of TDMA (Time Division Multiple Access) and explained how cloning started off during the time of TDMA.
Paktel and Instaphone were the leading giants in cellular communication at that time and there was no roaming. People who wanted to call had to dial the city code after ‘03’ and before dialling their desired number; for instance, if someone had to place a call in Lahore they would dial 0342*******. As TDMA phones have no SIM cards, operators have to configure the ESN (Electronic Serial Number) and MDN or CTN (Mobile Directory Number or Cellular Telephone Number) number to allow a call and bill for it.
Some evil minds intercepted ESN/MDN pair and cloned them on another phone to make calls from different cities without paying. This was called phone cloning. But with the arrival of GSM technology (SIM-based phones), things changed. Cellular companies must have a robust system to differentiate a genuine caller from a fake one. If someone is using a cloned SIM card, can he or she be detected by the operator? “Yes, it is technically possible to identify a cloned call through rigorous analysis of CDRs and defining alerts on such simultaneous calls from the same IMSI or MSISDN,” according to Siddiqui.
I contacted CPLC (City Police Liaison Committee), Pakistan Telecommunication Authority (PTA) and other cellular companies to grab the statistics of such cases. But to my great surprise no such case has been registered to date. Does it mean SIM cloning is not done in Pakistan? I simply couldn’t digest this fact!
When I shared this opinion with Ashar Siddiqui, he amazed me with an interesting bit of information. “PTA and all cellular companies invested a huge amount to deploy IMEI system a few years ago. Once the complaint is registered, this system traces the targeted IMEI number when the phone is switched on from another SIM card. It also helps in curbing the sale of snatched phones. But soon after the system was installed, perpetrators found a way out. They started changing the IMEI numbers of these stolen phones and sold them easily in market.” he said. So readers, you must have got the answer why your snatched phone never returns to you. Looking at the astonishment at my face, he smiled and said, “You can expect everrrrything here!”
A perpetrator who clones your SIM card can cause significant damage. He or she can spy on you by keeping a track of your activity, harm your credibility by misusing your card, and use it to make fraudulent calls, illegal money transfers or even conduct terrorist activities.
Burhan Baig explained it with an easy example, “If someone gets the keys of your home, he can do whatever he wants to do. Similarly if anyone gets access to your SIM card, he can make calls or transactions in your name and can involve you in illegal activities. He/ she can also hack your accounts even if the two step verification is active”.
Most people using mobile phones in our country don’t have technical knowledge, so they cannot identify that their SIM has been cloned. When the SIM is cloned or hacked, it starts to react differently. You may receive enormous bills, your SIM card registration may fail sometimes and you may discover that your mobile number is in use when you are not using it. If you come across such situations, simply call your service provider and request for the call record. If you find any suspicious number, ask your network operator to block your SIM card.
“If the owner blocks his/her original SIM card, the duplicate SIM card cannot be operated, because its IMSI and KI value are the same,” says Burhan. The only way to avoid SIM cloning is to take care of your SIM card and never share it with anyone for any reason. According to the PTA, “As per the Customer Service Agreement Form (CSAF), the legal owner of the SIM/telephone subscription is responsible for all actions taken against the subject services. Any misuse may be reported to CMOs along with evidence.”
Keep in mind that SIM cloning is illegal, there can be no legitimate reason to clone a SIM card. If you want to keep a backup of your SIM card, you can put all the important data on the Cloud. There is always a way to avoid illegal activities, try to adopt it and persuade others to do the same!
For the purpose of this article, all major mobile operators were approached, some didn’t respond to calls while others didn’t respond to the questions. Special thanks to Warid Telecom for giving me their time, and PTA for sending a Wikipedia document (I haven’t received such a well-researched document from any authority).