T 5.97 Unauthorised transfer of data over mobile phones
Mobile phones provide the means whereby data from one IT system, e.g. a PC or notebook, can be transported to another without a cable connection having to be established between the two devices.
Information can then be surreptitiously retrieved and transmitted in a place where IT systems can be accessed openly. If a mobile phone is connected to a modem or has an in-built modem, information held on a computer can be transmitted wirelessly to virtually anywhere in the world.
This type of unauthorised data transfer can be performed either with a mobile phone that has been specially brought along for the purpose or even using an internal mobile phone. In this way, large quantities of data can be passed to the outside world unnoticed. New technologies make the transmission of large quantities of data over mobile phones increasingly attractive. With GSM the maximum data transfer rate is currently 14.4 kbit/s. Recent protocols achieve significantly higher transfer rates. GPRS, for example, allows a transfer rate of 53.6 kbit/s and UMTS a transfer rate of 384 kbit/s.
Nor is it always possible to check afterwards whether such a data transmission has occurred, as the network provider's record of the call data may already have been deleted.
Examples:
- An employee of a company is called out of a meeting with an external person in order to answer an important phone call. The external person uses the short time she is unattended to connect the PC installed in the meeting room to her GSM modem. She then initiates a data transfer to a connection of her choice.
- Where remote access services are used over mobile phone networks, the Calling Line Identification Presentation (CLIP) mechanism is often used as an authentication feature. If the mobile phone is stolen or lost, the authentication procedure will no longer function properly. Although normally a PIN has to be entered when a mobile phone is switched on, most people leave their phones switched on. If the telephone is already switched on when it is stolen, then theoretically it can be used immediately by a third party. If the battery is recharged in time, the point at which the phone cuts out due to lack of power can be deferred, and with it the need to enter the PIN when the phone is switched on again.