A vulnerability discovered in the SIM cards used in some smartphones could be exploited by fraudsters to steal consumers' mobile and online bank account information, according to†Security Research Labs in Berlin.
SIM cards are small, removable plastic chips that store information such as the user's phone number, security data and billing information.
SIM cards can also act as gateways to the apps on smartphones, including mobile banking apps, according to the tech blog KnowYourMobile.com.
Security Research Labs founder Karsten Nohl will present the research at the BlackHat Conference later this month in Las Vegas.
"SIM cards are the de facto trust anchor of mobile devices worldwide," the Berlin company said in a blog post. "The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets."
An attacker, Security Research Labs explains, begins by sending an unrecognizable, binary text message usually meant to carry user logs and telephone settings to a victim's phone.
The cellphone then responds by sending back an error message carrying a signature that can be distilled to reveal a 56-bit Data Encryption Standard key. DES is an old encryption standard used by about one in eight phones around the world, the company says.
The cracked key can then allow a criminal to download software onto the SIM card that can, among other tricks, change voicemail numbers and find out exactly where a phone is at any time.
"This allows for remote cloning of possibly millions of SIM cards including their mobile identity as well as payment credentials stored on the card," the researcher explains.
The carrier joint venture Isis uses SIM cards to store its customers' financial information; the digital wallet company has near-complete control over the chips.
And there is at least one scheme in the developing world that stores banking information on cell phone SIM cards, allowing funds transfers to be made from a phone.
Gemalto works with a number of banks around the world, including Redeban Multicolor, Colombia's largest financial network, that deploy mobile apps in its SIM cards.
AT&T, Verizon and T-Mobile all said their phones are not susceptible to this vulnerability because they use a newer form of encryption.
This isn't the first cybercrime experts have noticed an issue with SIM cards.
Last year, Trusteer discovered a Trojan horse variant used to steal international mobile equipment identity numbers (IMEI) from bank account holders. The theft took place when a person tried to log in to their mobile banking application.
In this heist, a criminal then contacted a carrier, reporting the cellphone as stolen and then receiving a new SIM card that would eventually receive all the one-time passwords originally meant for the victim.