Burner phones in 2021: increasingly cumbersome but still worth it
Not just for spies or criminals: our thoughts on recent attempts to secure private communications "infrastructure", aka burner phones
Burner phones, also known as “toss” phones, have a slightly negative connotation, and are usually associated with criminal or espionage activity. Put simply, a burner or toss phone (used interchangeably) is a device that cannot be readily traced back to you. Indeed, they are used extensively during intelligence operations or by criminals (for good reason), but mustn’t be feared or stigmatized. You, too, may benefit from anonymous communications in order to maintain personal or familial safety, privacy, and security at some point. We cover them in our digital security guide if you haven’t read it yet.
Quick disclaimer: Burner devices ideally mask device ownership through anonymity, presuming the device was acquired properly. While it exceeds the scope of this article, we must note that such devices are not intended to maintain anonymity indefinitely or perfectly, and still can be tracked and exploited when countering an adversary with technical know-how and unlimited resources (more on that for another time). For our purposes, though, let’s focus on the basics.
Yes, burner phones are still a thing
Lest we neglect to highlight the importance and continued relevance of the issue of anonymous communications, let’s examine recent events: An example of burner phones (almost but not quite surprisingly) appearing in current events would be the recent attempts by the Chinese-influenced Hong Kong government to require personal identification and registration when purchasing a SIM card—a dangerous step on the continuum of invasive government surveillance attempts to prevent, track, and monitor democracy activists and protestors opposed to heavy-handed police brutality occurring on the island. Hong Kongers wish to protest the government, and rely on anonymous and secure communications in order to organize and mobilize. Require phone users to register their SIM card, and the network of organizers can be exploited, manipulated, and ultimately degraded.
But back to more local matters: As we at SMU frequently require secure, private, and occasionally anonymous communications in order to ensure the safety and security of our clients and work, we conducted some basic tests to assess the ease with which we could obtain a few burner devices. Unfortunately, options are growing more difficult to access and the barrier to entry is steadily increasing. But all hope is not lost, for some solid (and classic go-to) options remain.
While the classic option of purchasing an old Tracfone device and popping a fresh SIM card in it certainly remains viable, we wanted to spruce up our attempt by tackling the behemoth of Amazon and its widely available inventory of communications options. Bold, but worth an attempt.
Our valiant but futile burner phone attempt
With some cash on hand, we traveled to a nearby convenience store and purchased an Amazon gift card. In theory, we’d be able to use that gift card to purchase a number of SIM cards from popular Pay-As-You-Go (i.e. no contract) U.S. vendors such as Mint Mobile, have the SIM cards delivered to an Amazon locker not near our residence using a covert (not real persona) account, pop one into a non-attributable (i.e. not tied to us) mobile phone, and we’d be golden. The process may or may not be outlined in greater detail here (no affiliation but addresses some good nuance).
Not to build to an anticlimactic result, but our attempt failed quite miserably. Not only did we lose about 25% of this gift card’s value (sad) on our attempt, but Amazon immediately flagged and locked our covert account for making the purchase, and demanded documentation in the form of a receipt or some form of address verification letter (i.e. a billing statement or utilities bill) attributing account ownership to us. 24 hours later and our account remains locked with no end in sight.
So what went wrong?
First, let’s establish our intent here: We care about burner devices because they provide security, privacy, and safety through (reasonable) anonymity. That’s the extent of our desired end-state: a safe and secure means through which to communicate. If you can’t identify your opponent, you can’t target them.
We share all these things here because shared information is a shared reality. Learn from these lessons here in order to avoid repeating them yourself when the need for private and anonymous communications arises in your own circumstances. Is this embarrassing for us? Not at all: We need to know, understand, and stay current on what works and what doesn’t—the nature of technology and security is that both change and evolve constantly. We ourselves need to stay current on the latest tactics, techniques, and procedures, so this was a great enhancement of our knowledge.
Our observations:
Covert accounts must have some “life” and established history associated with them — this means you must exercise foresight if attempting an online purchase. With online access comes greater flexibility, reach, and scale for your activities. But it comes at the cost of having to have already established infrastructure through which to conduct these activities. Most service providers (here in this instance referring to marketplaces such as Amazon, Google, etc.) now monitor the amount of time an account has been in existence prior to the start of any activity. In our case, the covert account was created only a short while before attempting a purchase, which no doubt tripped a red flag for Amazon’s security team, resulting in the account being flagged and the purchase placed (seemingly indefinitely) on hold. Is there a set amount of time you must wait before attempting an active action? That depends on the service provider. What’s more, if a red flag is raised, we have to be prepared to provide supporting documentation for our covert account, making it more difficult to feign an identity or purport the account to be real. We informed Amazon we did not, in fact, have a receipt and refused to provide a utilities bill with “our” name on it, so we’re still waiting.
Amazon does not like VPNs — Amazon isn’t alone here. Many other providers (looking at you, Google and Facebook) log, monitor, and track where accounts are accessed from, employing browser fingerprinting and other online tracking tools to monitor the difference between where someone says they are and from where they access the service in question. If my account is ostensibly in Illinois but I’m routing my traffic through a VPN and appearing in California, Facebook will detect the anomaly and potentially flag the account, or worse—place it on a security hold till an actual Facebook employee investigates the matter (which again requires greater fidelity and attempts to verify your actual identity). What’s more, other services monitor and automatically block or flag internet traffic coming from known VPN providers, and won’t even allow you to access the target website. So what’s the workaround? Disable your VPN. But don’t do so when at home or work or another typically frequented location—this requires you travel away from those usual places where you have an established pattern of life. Only then is it “safe” and secure to disable your VPN—but don’t plan to return to this location any time soon, lest you establish an identifiable (and thus exploitable) pattern through the exposure of your IP address and other identifying details.
Amazon’s (and others’) “Know Your Customer” (KYC) systems and processes are evolving — With the advent and rise of technology such as artificial intelligence and machine learning, systems can use computers to conduct activities that would typically require significantly more human capital. That means it’s only growing more difficult to conduct anonymous activities online, as systems and service providers adapt their security policies to reflect known tactics used to bypass traditional security methods. The lifespan of a covert account and its relationship to any “operational” activity such as an anonymous purchase is one prime example. Despite its size, Amazon does not have the manpower to monitor the vast quantity of transactions occurring in its marketplace. Thus, machine learning techniques are employed to automate the monitoring process until certain conditions are met. And as we experienced, the amount of time an account has been in existence prior to a purchase is apparently one of those conditions warranting additional action. Once the account is flagged, it then passes to a human reviewer, who is far more difficult to convince. And while that may sound nefarious on our part, it simply means we are afforded less privacy.
Some SIM card/phone service vendors limit the number of SIM cards available per customer — We were saddened but unsurprised to learn that Amazon limits the number of SIM cards we could purchase through Mint Mobile, likely because they logically figure most people can’t use more than one or two SIM cards at one time anyway. The narrow scope of traditional SIM card usage aside, this puts a damper on any attempts to establish and build a large communications network quickly. Whereas a handful of SIM cards may be useful for a small family, this procurement technique would fail to support a team or group of teams in need of anonymous and secure communications during a crisis event.
Online purchasing options are becoming less viable and mainstream as KYC laws and regulations grow stricter — As security processes evolve to counter known tactics that bypass existing controls, we must turn to more traditional offline methods to procure our anonymous communications. This isn’t a bad thing in and of itself but does increase the time and resource requirements for anyone wishing to rapidly establish an anonymous communications network for the purposes of privacy, security, and safety. Indeed, the cost of security is truly convenience. Whereas we were afforded some measure of convenience and flexibility online, we must turn to more analog methods of obtaining devices and SIM cards for our network—meaning we now require time, fuel, transportation, must work within store operating hours, and other such restrictions to plan, travel, and obtain what we need. This cannot be done terribly quickly, which implies that we exercise foresight in our planning and requirements development—a potentially difficult endeavor.
There is still hope
Thankfully, our “analog” procurement options still exist, they just may not be as convenient as we’d like them to be. While we grow old waiting for Amazon to release the hold on our covert account, we can travel 30 minutes to the nearest Target or Best Buy, and still complete our anonymous Mint Mobile SIM card purchase using cash—they even may accept Amazon gift cards as an option, according to the Amazon partner details webpage. Just ensure you conduct enough research ahead of time to know the store hours, find a store you don’t intend to re-visit (or visit frequently), and can work the trip into your daily routine without highlighting your intentions to potentially interested adversarial parties.
While our purchase isn’t as convenient as placing an order to a nearby Amazon locker with a few clicks, we’re relieved the option remains available at all. While initiatives requiring SIM card registrations like that of Hong Kong may be a ways off on the horizon, knowledge of or the ability to conduct an anonymous burner phone purchase is necessary for anyone requiring safe, secure, and private communications. With communications comes the ability to organize, mobilize, connect, and coordinate—critical functions for any family or business experiencing a crisis or emergency event. The steps covered above apply overseas as well, with a few local nuances. Learn your local environment today and explore how to successfully establish an anonymous communications network.