77

A stranger walks up to you on the street. They say they lost their phone and need to make a phone call (has happened to me twice, and maybe to you). What's the worst a phone call could do?

Let's assume they don't run, don't plug any devices into the phone, they just dial a number and do whatever, and hang up.

Anders
Andy Ray
  • 22
    For what it's worth, if a stranger needed to borrow my phone, I'd dial the number myself and put it on speaker. This would reduce the chance of them running off, and also prevent most of the scams and schemes listed below, yet still allow me to be a good Samaritan to someone with a genuine need. – aslum Dec 21 '12 at 16:11
  • 3
    It wouldn't prevent the premium rate dial scheme if there was someone there to answer. – Andy Ray Dec 24 '12 at 20:57
  • @DelvarWorld: Hopefully, you would notice that it's a premium number. – SLaks Dec 24 '12 at 21:38
  • 2
    Turn off your app that is tracking their ankle bracelet... – Neil McGuigan Oct 07 '15 at 22:06
  • 2
    @NeilMcGuigan Or increase the fresh time from minutely to 24 hours... – jimp Nov 12 '15 at 20:48
  • @aslum I let them use my powerbank instead. I would not let them use my phone in any way. –  Oct 06 '16 at 18:36
  • 4
    If I were you I'd at least use [screen pinning](https://support.google.com/nexus/answer/6118421?hl=en), which is available since Android 5, so the other person can't access anything else than the dialer. – rugk Oct 07 '16 at 14:51
  • I think I have had someone I let borrow my phone steal credit card information I have copied to my note pad. So, there's one real thing that can happen. – Jeremy Conley May 27 '17 at 06:18

11 Answers

74

A few scams I've seen making the rounds:

  • Use it to dial a premium rate number owned by the group. In the UK, 09xx numbers can cost up to £1.50 per minute, and most 09xx providers charge around 33%, so a five minute call syphons £5 into the group's hands. If you're a good social engineer, you might only have a 10 minute gap between calls as you wander around a busy high-street, so that's £15 an hour (tax free!) - almost triple minimum wage.
  • Use it to send premium rate texts. The regulations on there are tighter, but if you can get a premium rate SMS number set up, you can charge up to £10 per text. A scammer would typically see between £5 and £7 of that, after the provider takes a cut. It's also possible to set up a recurring cost, where the provider sends you messages every day and charges you up to £2.50 for each one. By law the service provider must automatically cancel it if they send a text saying STOP, but every extra message you send gains you money.
  • Set up an app in the app store, then buy it on people's phones. This can be very expensive for the victim, since apps can be priced very high - some up to £80. In-app purchases also work. This is precisely why you should be prompted for your password on every app purchase and in-app purchase, but not all phones do so!
  • Install a malicious app, such as the mobile Zeus trojan. This can then be used to steal banking credentials and email accounts. This seems to be gaining popularity on Android phones.
Polynomial
  • 7
    Bullet point #1: I have found my true calling. – Thomas Dec 21 '12 at 10:15
  • 1
    +1 for the first two points, as the OP assumes that they "dial a number and do whatever, and hang up". I know whatever is broad, but I'm assuming that is akin to talk to or listen to the call, and not Install arbitrary software. – Joshua Drake Dec 21 '12 at 19:27
  • 1
    For scenario #1 - which seems like the best answer, btw, is there any chance the phone owner can dispute / have these charges refunded? Do you have any links concerning this scam? – Andy Ray Dec 22 '12 at 00:36
  • 2
    When I ran into some bad charges on my PAYG phone, it was very difficult to dispute them. It may be easier on contract, but I don't know. It's a YMMV thing. As far as links go, I don't have any atm (I'm using my tablet right now) but I can try to dig some up later. – Polynomial Dec 22 '12 at 12:25
  • 2
    @Thomas no pun intended ;) – saloalv Jan 02 '15 at 14:18
33

They could dial their own number to get yours (assuming your number isn't private.)

I think I just invented a new, somewhat forceful and creepy, pick-up move.

Toby
31

They could use it to send the detonation signal to that nuclear weapon they've secreted in a warehouse in Manhattan. That's pretty much the worst-case scenario.

Mike Scott
9

Some mobile networks in the world allow users to transfer prepaid balances from one account to another. Alternatively, they might send some sort of incriminating SMS from your phone which may cause you issues with law enforcement officers.

Rory Alsop
Akshay Joshi
6

While detonating a bomb or EMP would be the most harmful, I think the following scenarios are much more likely to happen.

If you have a smartphone, it's very likely you have some kind of weather widget on the homescreen which tells the attacker what your hometown is. Also, I have yet to see a smartphone without a news widget, which again, tells the attacker what kind of person you are. Are you following finance news? Sport? IT? The very same thing can be done by just looking at your installed apps. Do you have any games? Which ones? Do you have any kind of booking apps? Does this kind of app keep any sort of history? Well, in short, within just a few seconds an attacker can make a pretty reliable profile of you. Do you have any kind of notebook app? What have you written in it?

The second threat is... Well, most likely you just gave him full access to all of your e-mail accounts and with a few presses on the screen, he could forward all of your mails to his account.

The last thing which I can remember are pranks. While this doesn't sound like anything dangerous, it can be really unpleasant. The attacker could send an SMS to a random contact of the opposite sex - "Hey, I'm thinking about you...". Just imagine if this random contact is your wife's friend (now, the scenario of detonating a nuclear weapon is not so scary, is it?). Or an even more explicit message to a contact saved as your family member (e.g. Mother). He could also update your Facebook status, leave a message on Twitter or upload some of your private photos to a public service.

Andalur
StupidOne
  • “[…] he could forward all of your mails to his account” - wtf? Within 10 or fewer seconds? – slayer Sep 19 '18 at 08:57
6

They could dial a USSD to get supplemental information about you or your device. Some USSD codes have been documented to have the capability of doing a factory reset on your phone. Source

KDEx
6

With a USB rubber on Android the PIN password could be hacked (brute forced) http://hakshop.myshopify.com/products/usb-rubber-ducky

They could then create a backup of your device, they could analyse already created backups, they could download all of your saved data, media etc and use this to further penetrate other areas of interest.

https://santoku-linux.com

They could run the phone through a smartphone pentest framework, and infect it for botnet purposes.

http://georgiaweidman.com/wordpress/

They could hawk it for cash

http://www.cashamerica.com/

On a side note, if you're lucky they could:

  1. correct any duplicate contacts you have
  2. organize your mobile media
  3. finish posting your Facebook post you left open
  4. beat that hard level on Angry Birds for you
  5. Call your most called numbers to return your phone
  6. Call the carrier to report it lost/stolen
  7. etc
Oscalation
4

With some phones it is possible to call system commands or even to lock the SIM card, just by visiting a prepared website. There was an article some time ago on Heise security about this problem.

martinstoeckli
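A check that a dialer or link handler could run before acting on a number, covering the USSD codes raised in the two answers above and the UK 09xx premium-rate numbers from the top answer. This is an added example, not code from any poster; the function names and sample numbers are constructed, and the 09 prefix rule is the UK one the page mentions.

```python
import re
from urllib.parse import unquote

# Visual separators people type into phone numbers.
SEPARATORS = re.compile(r"[\s\-().]")


def classify_dial_string(raw: str) -> str:
    """Return 'ussd', 'premium-uk', 'invalid' or 'ordinary' for a dial string or tel: link."""
    # Percent-decode first: "%2A" and "%23" hide "*" and "#" inside a link.
    # urlparse() is avoided on purpose, it would treat "#" as a fragment and drop it.
    s = unquote(raw.strip())
    if s.lower().startswith("tel:"):
        s = s[4:]
    s = SEPARATORS.sub("", s)
    # Any star or hash means a USSD/MMI code, not a plain call: never auto-dial.
    if "*" in s or "#" in s:
        return "ussd"
    # Fail closed on pauses, letters, empty input and anything else unexpected.
    if not re.fullmatch(r"\+?\d+", s):
        return "invalid"
    # Normalise UK international forms (+44, 0044, optional trunk 0) to national.
    if s.startswith("+44"):
        s = "0" + s[3:].lstrip("0")
    elif s.startswith("0044"):
        s = "0" + s[4:].lstrip("0")
    if s.startswith("09"):
        return "premium-uk"
    return "ordinary"


def needs_confirmation(raw: str) -> bool:
    """True when the user should see the number and confirm before it is dialled."""
    return classify_dial_string(raw) != "ordinary"


# Constructed samples; the numbers are from ranges reserved for fiction.
SAMPLES = [
    "tel:+442079460000",     # ordinary landline
    "tel:%2A%2306%23",       # percent-encoded *#06# (shows the IMEI)
    "*123#",                 # generic USSD request
    "tel:+44 909 879 0123",  # premium rate written internationally
    "02079460000,,1",        # pause characters: rejected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} {classify_dial_string(sample)}")
```
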
3

Rule 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Graham Hill
  • 1
    But access _is_ restricted. From the question: "Let's assume they don't run, don't plug any devices into the phone, they just dial a number and do whatever, and hang up." That implies access is supervised by the device owner. The bad guy is only allowed to do whatever they can get away with without the device owner noticing. No popping open the device casing with a screwdriver, removing the sim card, or plugging the device into a computer. Probably wouldn't even be able to get away with viewing the device owner's contacts, at least not for long. That's hardly "unrestricted physical access". – Ajedi32 Nov 30 '16 at 17:01
2

Did not see these: adding another sync account, forwarding your calls, automated pin code retrieval (boostmobile), calling drug dealers, making threats over your phone.

user73042
1

Not very likely to most people here but they could detonate an IED on the other side of the world. A phone can do a lot of harm.

Phil
  • 7
    I highly doubt a terrorist would borrow someone else's phone, leaving their DNA and fingerprints all over the device, and have a member of the public see their face. Especially when you can buy a cheap pay-as-you-go phone, top it up with cash, use it once, then throw it in a river. – Polynomial Dec 21 '12 at 10:20
  • 1
    You are right. It is highly doubtable. – Phil Dec 21 '12 at 12:58
  • 2
    @DanNeely - because providing the very same answer as already posted shouldn't be encouraged. While Mike's answer is not likely to happen and it's more of a joke, it still has a point. – StupidOne Dec 21 '12 at 20:36