Now that 46 percent of Americans own smartphones, it should come as little surprise that thieves have developed their own taste for the indispensable devices. According to data released by the FCC earlier this year, between 30 to 40 percent of all robberies in major urban areas now involve stolen cell phones, with areas like New York City and Washington D.C. coming in at the high end of that range. In some instances, cell phone owners have been injured or even killed by thugs after their phones.
While wrestling with the issue of crime remains an age-old struggle, cell phones do present a unique technological twist: They can be “blacklisted” from service when reported stolen, preventing the new owners from using them. Although individual carriers have been deactivating stolen phones for years, unlike several other countries, the United States lacks a centralized system of reporting phones lost or stolen, which can make it complicated for a victim to figure out what to do. Worse, many mobile phone users have no idea stolen phones can be deactivated, effectively giving thieves a free ride on their voice and data plans until they can find a way to cancel their accounts. Even if accounts get canceled, thieves are happy to swap around SIM cards on many phones, meaning the handsets themselves are still valuable commodities.
Given the scale of mobile phone theft, why doesn’t the U.S. have a national blacklist of stolen phones? And what can consumers do to protect themselves – or at least make their devices useless to thieves?
How does a blacklist work?
The basic idea behind a stolen phones blacklist is simple: When a device is reported stolen, its unique identifier gets entered into a mobile providers’ systems. If that device connects to a carrier network, the network recognizes it and refuses service (with an exception for 911 emergency calls).
The reality in the United States is a little more complex, thanks to different mobile technologies in use. Verizon and Sprint’s CMDA networks identify phones based on unique Electronic Serial Number (ESN) or Mobile Equipment Identifier (MEID) numbers. AT&T and T-Mobile’s GSM networks use a 15-digit International Mobile Equipment Identity (IMEI) number that uniquely identifies each device, but account information is tied to a particular SIM card. Up until very recently (more below), AT&T and T-Mobile would disable the SIM cards on stolen devices, effectively taking the phones off their networks. However, since SIM cards are removable and easily swapped, so unscrupulous sellers would just remove the stolen SIM card, perform a factory reset of the phone, and put it up for sale online or in a shop.
The situation is further complicated by devices like the Apple iPhone 5 that have both GSM and CDMA hardware. The Verizon iPhone 5 is available GSM unlocked, which means a stolen Verizon iPhone 5 can be brought online on AT&T’s GSM network – and reporting the theft to Verizon will do nothing to stop that from happening.
Other countries that have implemented blacklists for stolen mobile phones – including Australia and the United Kingdom, as well as other European nations – have based them on IMEI numbers. That approach wouldn’t fly in the U.S., since many Verizon and Sprint devices don’t have IMEIs. However, that’s changing, since all LTE devices have IMEIs. As U.S. carriers push towards LTE, an increasing number of their devices will have IMEIs, and be able to participate in consistent blacklist program.
When will the U.S. have a blacklist?
Despite these technological hurdles, the United States is working towards having a nationwide blacklist of stolen mobile devices, and that database will also interoperate with global stolen device registries.
Back in April, the FCC unveiled a voluntary industry initiative to have a centralized database of stolen phone identifiers up and running within six month. That would have been October of this year, and in the nick of time – October 31 – AT&T and T-Mobile activated a database that blocks stolen mobile devices based on their IMEIs, rather than on SIM cards. The system works across both carriers: A phone reported stolen on T-Mobile can’t get service on AT&T’s network, and vice versa.
That’s a step in the right direction. When will CDMA operators Verizon and Sprint get on board? Right now, the target date is November 2013, although there’s some hope the carriers’ aggressive moves toward LTE may make it happen sooner.
The system used by AT&T and T-Mobile (and, eventually, by Verizon and Sprint as well) interoperates with the GSMA’s IMEI Database, a shared resource of stolen devices currently used by 19 countries (mostly in Europe). That means that devices reported stolen in the United States won’t be able to be brought up on networks in other countries where operators check against the same IMEI database. Case in point: the FCC just announced a new joint cooperation agreement with Mexico on mobile device theft based on use of the GSMA IMEI database.
“The notion here is to dry up demand,” said Brian Josef, Assistant Vice President of Regulatory Affairs for CTIA–The Wireless Association, via telephone. “Combined with broader education efforts, we think that these initiatives will be effective.”
Are blacklists effective?
There is evidence that blacklists of stolen mobile devices are an effective theft deterrent, although blacklists don’t magically make phone theft go away.
The United Kingdom began blacklisting in 2003. In addition to coordinating with the GMSA IMEI Database, the UK also set up a voluntary Immobilizer service where consumers can set up an account and register their devices’ IMEIs. If a device is stolen, they can log into their account and report the theft. The information is quickly made available to UK network operators (so the phone can’t be brought back online with any provider) as well as to police, insurers, and recyclers.
“Whilst mobile phone theft will always occur,” said Jack Wraith, Chair of the UK’s Mobile Industry Crime Action Forum (MICAF) via email, “the processes that are in place here in the United Kingdom have gone a long way to ensure that the incidence of theft have been mitigated and have provided the user of mobile phones the ability to have an impact on the aftermath of a theft or loss.”
That said, IMEI blacklists aren’t 100 percent effective. For one thing, they can be circumvented by shifting stolen phones to countries and carriers that don’t participate in the GSMA IMEI Database – two prime candidates there are China and Russia. There’s still good money for smartphone thieves to nab phones in the U.S., UK, and other participating markets and ship them off where they can be used with impunity.
Blacklists also rely on consumers to proactively report thefts. Australia launched its blacklisting program back in 2004, yet statistics show that there has been a 25 percent decline in the number of blocking requests it has received since then, despite substantial growth in number of Australian mobile users during the same period.
Furthermore, IMEI’s aren’t immutable. With the right software and expertise, most phones can be reprogrammed with new IMEIs to evade carrier lockouts. It’s more complicated than swapping a SIM card, but usually no more difficult than jailbreaking. Back in 2002, a British Telecom spokesperson indicated 10 percent of IMEI’s on its network were duplicates. In emerging markets like Pakistan and Kenya, duplicate IMEIs are apparently very common today: Pakistan’s MORE Magazine reports more than 3 million phones in that country are operating on faked IMEIs.
What to do before your phone is stolen
Having your phone stolen doesn’t just mean you’re out the cost of a phone, it means your contacts, calendars, email, Web history, social networking information, and even mobile payment capabilities are in danger. You aren’t just trying to protect your phone: you’re trying to protect your digital life.
Here are some things you can do to protect yourself in case your phone is stolen:
- Record your ESN/MEID and/or IMEI number in a safe place. Most smartphones can display their identifiers in their settings or about screens. Most devices with IMEI numbers have them printed on their packaging and inside their battery compartments. Having these number available will help you quickly deactivate the phone if it’s stolen.
- Though not foolproof, set a PIN or security lock for your phone so it can’t be accessed without entering a combination. Don’t set it to something easy like your birthday or “1234.”
- Back up your phone’s data, whether to a cloud-based service (like Apple’s iCloud) or to a personal computer. If your device is stolen, you can easily restore the most recent data to a new device.
- Consider a tracker or security service for your mobile phone, such as Apple’s Find My iPhone, services from mobile carriers or security software developers. These can help trace your device, if stolen, but by no means guarantee you’ll get it back.
- Consider a remote wipe service for your device. In the event your phone is stolen, you can remotely delete all apps, media, and data from it to prevent misuse or identity theft. On Android, this means using a third-party app (usually, anyway). Apple’s iCloud service also offers remote wipe capabilities.
- Above all, be careful how you use and store your phone: Stay aware of your surroundings while texting or using the device, never leave your phone unattended in a vehicle or public place, and even be careful displaying headsets and earbuds in public. Nothing says “possible iPhone here” like white earbuds.
What to do if your phone is stolen
If your phone is stolen, here’s what to do:
Contact security or authorities
If you’re at an event or venue, contact any on-site security immediately; they may be able to help, or it’s possible the phone has been turned in to lost and found. Otherwise, contact local law enforcement as soon as possible to report the phone as stolen.
Contact your carrier
Contact your carrier as quickly as possible to report the phone lost or stolen: this may help you from being liable for fraudulent voice and data charges. (It’s not uncommon for phones to be stolen and quickly used to make international calls.) If you have the phone’s ESN/MEID or IMEI, that will help carriers shut down the phone quickly.
Try remote location
If you’ve installed remote tracking software, you can try using it to see if your phone can be found using GPS and location services. Sometimes phones really are picked up by venue security, good Samaritans, and folks with no ill intentions who will happily return phones to their owners. (Apple’s Find my iPhone feature can even let phone finders call the owner.)
If you’re pretty sure your phone is gone, triggering a remote wipe can be the only way to protect your data. Many thieves don’t care about your data anyway – they just want the device – but many will be happy to look for addresses, birthdays, credit card numbers, banking information, and anything else that can be used to commit identity theft. Remote wiping won’t get your your phone back, but can help keep your private information secure. And you can restore your data to a new device because you’ve been saving it regularly using a syncing service or backup utility. Right?