If you happen to have an old Nokia 1100 that was made in a certain factory in Germany lying around the house, you may be able to say “Show me the money!” Well, if you wanted to sell to hackers, that is.
It seems there are claims that the phone can be hacked to allow illegal online banking transfers, which is making the amount some folks are willing to spend for one quite high: up to a little over $32,000 in some underground forums. Yeah... you read that right. All for a phone that ran about a hundred when it was first introduced on the market in 2003.
Nokia says they don’t know why the 1100 is selling for so much now, and maintains their phone isn’t flawed. In an emailed statement, the company said that “We have not identified any phone software problem that would allow alleged use cases.”
The reason it seems to be in such hot demand is that it allegedly can be reprogrammed to use another person’s phone number. “Big deal,” you might say. Actually, this is kind of a big deal.
This allows the phone to also receive that person’s text messages, which then leads to online banking transactions and fraud. This can happen because in some countries, banks send an mTAN (mobile Transaction Authentication Number) to a customer’s mobile phone. This mTAN has to be plugged into a Web-based form to do transactions like... transfer money to another account. The number, which is kind of like a special passcode, can only be used one time.
And the nefarious have become quite good at getting their virtual hands on usernames and logins for online bank accounts. They can do it by email phishing or by simply hacking into computers.
Previously, European banks had issued a list of TANs, and some banks accepted any TAN from that list to complete a transaction. Big shocker when phishers began getting those numbers off of people. Then banks asked for specific TANs (still from the list). Fraud continued. In 2005 they introduced mTANs, which only work for a specific requested transaction and for a short period of time. Because of these restrictions, the bank website is saying the mTAN is useless to a hacker. “The mTAN is valid only for the requested transfer and only for a short period. It thus has no value for a fraudster.”
Unless, of course, that hacker could also get a hold of the mTAN. Which the Nokia 1100 hack is alleged to permit. But, Nokia still insists it knows nothing of an 1100 software problem that would allow call spoofing. Their response is that the phone’s SIM card has security measures separate from the actual phone.
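The mTAN restrictions described above (one use, one specific transfer, a short validity window) can be sketched in code. This is an added Python example, not code from any bank or party named in the article; the class name, the six-digit code, the five-minute lifetime and the account identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class MTanIssuer:
    """Bank-side sketch: one mTAN per pending transfer, single use, short-lived."""

    def __init__(self, ttl_seconds=300, clock=time.time):  # 5 minutes: assumed value
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # source account -> (transfer digest, TAN digest, expiry)

    @staticmethod
    def _digest(*fields):
        return hashlib.sha256("|".join(str(f) for f in fields).encode()).digest()

    def request_transfer(self, src, dst, amount_cents):
        """Register a transfer and return the mTAN that would go out by SMS."""
        tan = f"{secrets.randbelow(10**6):06d}"  # six digits: assumed format
        self.pending[src] = (
            self._digest(src, dst, amount_cents),  # binds the code to this transfer
            self._digest(tan),
            self.clock() + self.ttl,
        )
        return tan

    def confirm(self, src, dst, amount_cents, tan):
        """Check a submitted mTAN; any attempt consumes the pending entry."""
        entry = self.pending.pop(src, None)  # pop enforces one-time use
        if entry is None:
            return "no-pending-transfer"
        transfer_digest, tan_digest, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        if not hmac.compare_digest(transfer_digest, self._digest(src, dst, amount_cents)):
            return "wrong-transfer"
        if not hmac.compare_digest(tan_digest, self._digest(tan)):
            return "bad-tan"
        return "ok"


if __name__ == "__main__":
    bank = MTanIssuer()
    code = bank.request_transfer("ACCT-A", "ACCT-B", 25_000)  # constructed accounts
    print(bank.confirm("ACCT-A", "ACCT-X", 25_000, code))  # payee changed after issue
    print(bank.confirm("ACCT-A", "ACCT-B", 25_000, code))  # code already consumed
```

Every check here assumes the SMS reaches only the customer's own handset, which is the assumption the alleged phone modification would break.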
The company said that it is aware of commercial services that say they can provide caller ID or phone-number spoofing, but says that in those cases the provider acts as a proxy between the recipient and the caller.
However, Sean Sullivan, security advisor with security vendor F-Secure, says differently. He claims it is in fact possible for multiple phones to be running on a provider’s network using the same phone number. He says that the last phone using the network will be the phone that receives the inbound messages.
“So if this particular Nokia 1100 can be modified to spoof the victim’s phone number, it should be possible to become the primary handset—at least long enough to receive the TAN,” Smith said.
It isn’t clear how the technical modifications are being made at this point. But just recently a woman in Finland offered to sell her Bochum-made Nokia to Frank Engelsman of Ultrascan, whose company will examine and test it to see if “the TAN interception can be replicated”.
In the meantime, portablegear.nl wrote about how they put up a fake ad selling the Nokia 1100 on an online marketplace. They had plenty of takers offering to come and pick it up immediately. Although the offer price wasn’t near what it is said to go for on the underground market, they had offers for over $700.
Over 200 million phones were produced in the 1100 family. And the funny part? I actually am one of the people with this phone stuffed in an old junk drawer. But Nokia isn’t talking about how many of those were made in Bochum.