April 21, 2009, 11:38 AM — The mystery why cybercriminals want a discontinued Nokia phone isn't getting any clearer.
Hackers have been offering up to €25,000 (US$32,413) in undergrounds forums for Nokia 1100 phones made in the company's former factory in Bochum, Germany. The phone can allegedly be hacked so as to facilitate illegal online banking transfers, according to the Dutch company Ultrascan Advanced Global Investigations.
Nokia said on Tuesday it is not aware that resale prices for a phone that retailed for less than €100 when it debuted in 2003 have risen so high. Further, Nokia maintains the phone's software isn't flawed.
"We have not identified any phone software problem that would allow alleged use cases," the company said in an e-mailed statement.
The 1100 can apparently be reprogrammed to use someone else's phone number, which would also let the device receive text messages. That capability opens up an opportunity for online banking fraud.
In countries such as Germany, banks send an mTAN (mobile Transaction Authentication Number) to a person's mobile phone that must be entered into a Web-based form in order to, for example, transfer money into another account. A TAN can only be used once, a security feature known as a one-time passcode.
Criminals have proven adept at obtaining peoples' user names and logins for online bank accounts, either through tricking people into visiting look-alike bank Web sites, through clever e-mail messages or simply hacking PCs.
European banks typically issue customers a list of TANs, but phishers tricked people into revealing those. Deutsche Postbank used to accept any TAN from the list to complete a transaction. Then the bank moved to requesting specific TANs from the list. After continuing fraud, it in 2005 decided to expanded the use of mTANs.
"The mTAN is valid only for the requested transfer and only for a short period," according to the bank's Web site. "It thus has no value for a fraudster."
That is, unless the hacker could also receive the mTAN, which Nokia 1100 hack allegedly allows.
Nokia said it doesn't know of an 1100 software problem that would allow call spoofing. The company said that a phone's SIM (Subscriber Identity Module) card -- which holds the device's phone number -- has security mechanisms that are separate from the phone itself.
Nokia said it is aware of commercial services that claim to provide caller identification or phone-number spoofing services, but in those cases the service provider acts as a proxy between the caller and the recipient, Nokia said.
But it is possible to have multiple phones running on a service provider's network that use the same phone number, said Sean Sullivan, a security advisor with the security vendor F-Secure in Finland. Usually, the last phone that used the network will be the one that receives inbound messages, he said.
"So if this particular Nokia 1100 can be modified to spoof the victims phone number, it should be possible to become the primary handset -- at least long enough to receive the TAN," Sullivan said.
Technical details on how the 1100 is being modified are still unknown, said Frank Engelsman of Ultrascan. However, a woman in Finland contacted his company on Monday after seeing a news story and offered to send her Bochum-made Nokia 1100. When it arrives, the phone will be examined and tested to see if the TAN interception can be replicated, Engelsman said.
Meanwhile, a Dutch technology site, portablegear.nl, wrote that it placed a fake advertisement for the particular Nokia 1100 on an online marketplace. People offered as much as €500, offering to immediately come pick up the device.
Nokia produced more than 200 million devices in the 1100 model family. The company said it doesn't disclosure figures such as how many 1100s were made in Bochum.
