S 4.114 Use of the security mechanisms provided on mobile phones
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
Mobile phones and services offered in connection with mobile phones can be secured by PINs or passwords at various levels. This includes:
Access to the SIM card
The SIM card can be protected against unauthorised access by a four- to eight-digit PIN. The subscriber uses this PIN to authenticate him/herself to the card. If an unauthorised person gets hold of the SIM card, he/she cannot activate it without knowing the PIN. To prevent any misuse of the SIM card, it is absolutely necessary to enable this PIN prompt so that the PIN must be entered each time the mobile phone is switched on. The PIN should not be kept together with the mobile phone and/or the SIM card.
At the time of delivery, the PIN prompt is usually disabled and a PIN is preset. When the mobile phone is used for the first time, the PIN should in any case be changed and the prompt activated. When doing so, no trivial or easily guessable PIN should be selected (1111, date of birth, etc.).
Note: The keys of a mobile phone keypad usually carry letters as well as digits. This can be used to choose a memorable word instead of a bare PIN; such a word is easier to remember but must still not be too simple. Example: "TWOMAN" corresponds to the PIN "896626".
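The following Python snippet is an added example, not part of this safeguard's text: it reproduces the keypad mapping used in the note above (assuming the standard ITU E.161 letter layout, 2=ABC ... 9=WXYZ) and applies a simple check that rejects the trivial PINs the previous paragraph warns against. The pattern rules and the optional date-of-birth comparison are my own interpretation of "easily guessable"; the sample date is constructed.

```python
# Added example (not from the BSI safeguard text): keypad mnemonic -> PIN,
# plus a strength check for the trivial PINs the text warns against.

# Standard ITU E.161 keypad layout (assumed; matches most handsets).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def word_to_pin(word: str) -> str:
    """Map a mnemonic such as "TWOMAN" to its keypad digits ("896626").
    Digits in the word are passed through; other characters are rejected."""
    digits = []
    for ch in word.upper():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character {ch!r} has no keypad digit")
    return "".join(digits)


def pin_weaknesses(pin: str, birthdate_digits: str = "") -> list:
    """Return the reasons a candidate SIM PIN counts as trivial or easily
    guessed. An empty list means none of these checks fired.
    birthdate_digits is an optional date of birth as a digit string
    (e.g. DDMMYYYY); this comparison is an assumption of this example."""
    problems = []
    if not pin.isdigit():
        return ["PIN must consist of digits only"]
    if not 4 <= len(pin) <= 8:
        problems.append("length must be 4 to 8 digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical (e.g. 1111)")
    else:
        # Repeated short pattern such as 1212 or 123123.
        for period in range(2, len(pin) // 2 + 1):
            if len(pin) % period == 0 and pin == pin[:period] * (len(pin) // period):
                problems.append(f"repeated pattern of {period} digit(s)")
                break
    # Ascending or descending runs such as 1234 or 4321.
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("sequential digits")
    if birthdate_digits and pin in birthdate_digits:
        problems.append("derived from date of birth")
    return problems


if __name__ == "__main__":
    pin = word_to_pin("TWOMAN")
    print(pin, pin_weaknesses(pin))                 # 896626 []
    print(pin_weaknesses("1111"))                   # identical digits
    print(pin_weaknesses("1985", "24081985"))       # constructed birth date
```

The mnemonic trick only helps if the resulting digit string would also pass the check: a word like "AAAA" maps to 2222 and is rejected just like any other repeated digit.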
The SIM card is blocked after an incorrect PIN has been entered three times. To unblock the SIM card, an eight-digit unlock code must be entered. This code is often referred to as the PUK (PIN Unblocking Key) or Super-PIN. If the wrong PUK is entered ten times, the card is rendered permanently unusable. The unlock code is normally delivered in a PIN letter together with the SIM card. It should be stored extremely carefully and protected against unauthorised access. Under no circumstances must the PUK be stored together with the mobile phone.
In addition to the PIN, the PIN2 is a second PIN that controls access to certain functions of the SIM card. It is often used for configuration changes to the SIM card that cannot be performed by the user him/herself, e.g. usage restrictions. For example, it may also protect a corporate telephone book that can only be modified after the PIN2 has been entered. The PIN2 has its own separate unlock code (PUK2).
Access to the mobile phone
Furthermore, there is generally a security code for the mobile phone itself (device PIN) that controls access to certain functions. This code should also be changed to an individually selected value as quickly as possible. It should be written down and protected against unauthorised access. The device PIN does not have to be entered every time the mobile phone is switched on. It can be used, for example, to prevent the mobile phone from being used with a different SIM card (anti-theft protection).
Voice mail access
The network operator can set up a voice mailbox for every subscriber, which serves as an answering machine, amongst other things. Since the voice mail can be retrieved from anywhere and from any terminal device, it must be protected against unauthorised access using a PIN. During initial configuration, the network operator assigns a preset PIN. This PIN should in any case be changed immediately.
Additional passwords
Along with the various PINs mentioned above, there may be additional passwords for different types of use. This is the case, for example, when accessing user data held by the network operator. Under some circumstances a password must be given when calling the hotline with a billing-related question. Fee-based services, such as the retrieval of information or the performance of certain configuration changes by the network operator, are often protected by additional passwords. These should be selected carefully and stored securely, just like any other password.
In general, all PINs and passwords should be handled carefully (see also S 2.11 Provisions governing the use of passwords).
Note: Recently, attackers have repeatedly tried to obtain the PIN or PUK of mobile phone users by telephone, impersonating employees of a network operator and claiming there was a technical fault. PINs should never be disclosed over the telephone!
Mobile phones provide a large number of different security mechanisms. Which mechanisms are present, and how they are enabled, depends on the mobile phone used, the SIM card, and the selected network operator. The operating instructions and the security instructions of the network operator should therefore be read thoroughly. For corporate telephones, it is advisable both to pre-configure the most important security mechanisms and to document them on a clearly structured leaflet.
Review questions:
- Have the required security mechanisms for using mobile phones been selected and pre-configured on the devices?
- Were the users informed of the security mechanisms required for the use of mobile phones?