Has O2 PUK'd up mobile phone security?

Accessing locked mobile phones has never been easier - which is a good thing, says O2...


O2 is offering users a quick and easy way to unlock mobile phones with a personal unblocking code (PUK) which they can get online simply by typing their mobile number into the O2 website.

The website then generates the PUK code and, while that takes the headache out of dealing with call centres for users desperate to access their mobile after it becomes locked, it has raised some concerns about security as users only have to know the phone number - and it doesn't have to be their own phone.

Security expert Bruce Schneier, posting on his blog, raised concerns that the system could pose a threat. "Now anyone on the internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN - without any authentication whatsoever," he said.

The easiest breach to achieve would be when somebody steals a mobile phone from a person whose number they already know - in an environment such as a school or, more worryingly, an office where converged devices such as an XDA may hold a lot of sensitive corporate data.

Less simple would be when the thief doesn't know the mobile number. However, if they have snatched a coat, handbag or wallet as well, the contents may include an item such as a business card that can betray the mobile phone number.

But a spokesman for O2 told silicon.com this represents a very small security risk, far outweighed by the ease of use which will benefit customers.

The O2 spokesman said: "The vast majority of mobile phones which are stolen are already on, providing a window of opportunity to make calls between the phone being stolen and reported stolen.

"You're only ever asked for a PIN code when the phone is already switched off."

He added that the system is there to help users whose phones are accidentally locked, or in some cases are locked by a friend changing a PIN number as a joke. He said the benefits of such a straightforward system far outweigh "a very small security risk".

Comments


  1. anonymous

    This is ridiculous. Are O2 trying to make life easier for phone thieves? If I forget my PUK I need to ring up and give a password and some other details. I have an O2 contract and will not be renewing it when it expires.

    • 5 July 2006 14:39
  2. Stuart Fawcett

    Great - O2 BlackBerrys with access to company email are also at risk - if my sales guy leaves his BB and business card on site then access to email is also available! O2 cannot seriously think that this is acceptable care of our business information.

    • 5 July 2006 18:33
  3. anonymous

    I know thieves are not that clever, but surely even they can work out that all they need to do to get the number of the phone they have just stolen is make a call.

    Let us hope the other carriers look for other means to save themselves a few quid, since if others adopt this system then surely it can only encourage mobile phone muggings.

    • 6 July 2006 11:02
  4. Mick J

    "Less simple would be when the thief doesn't know the mobile number"

    Surely all they have to do is use the mobile to ring a phone with caller ID?

    • 6 July 2006 11:03
  5. Jamie

    This is a non issue. If your phone is switched on when it is stolen then the thief can run up your phone bill anyway. As soon as your phone is reported stolen the IMEI number is blocked by all networks.

    The networks do this by adding your phone's serial number (IMEI) onto a national blacklist database (Central Equipment Identity Register). Effectively the handset becomes absolutely useless and the thief is in possession of a pretty paper weight!

    The PUK code is an out of date security measure which has been superseded by the CEIR.

    • 6 July 2006 12:37
  6. Nigel Hawthorn

    O2's response is terrible. If someone steals a mobile and doesn't know the number all they need to do is dial another mobile and the number of the stolen one will appear. (Ed note. To be fair to O2, if they need the PIN or PUK code then it is fair to assume the phone is off when they steal it. As such, dialling another number isn't an option.)

    • 6 July 2006 17:49
  7. D Heffernan

    Hi there
    I work for O2 Customer Services Prepay division and I feel that the posts on this site are born more out of naivety and lack of thought than the customer truly understanding the concept of retrieving your PUK Code. I get calls day in day out from people who have blocked their phone and need the PUK Code and when I tell them you can retrieve it from the website they are more than happy to thank me. As stated previously the PIN is only needed when turned off and most people report the phone stolen/lost within minutes where we can bar the handset. So cynical Britain has reared its ugly head again. My advice is get the facts before shouting your mouth off and you will realise O2 are leading the way to enhance the Customer experience.

    • 7 July 2006 10:57
  8. kacsa27

    D Heffernan, I've got the facts. You suggest something like you don't need to lock the car as this is in a safe area.
    Providing the PUK code without authentication means providing the PIN code to anybody who knows your phone number.
    A SIM card can store text messages and phone numbers. It is not your business to decide if they are sensitive or not. The PUK code is a well known security measure which is simply bypassed by O2 without disclosing the risks.
    Your experience is based on customers unaware how vulnerable they are. If you also told them that this way anyone else can reset their PIN, I guess they would react a bit differently.

    • 24 January 2010 20:08
