It turns out that this is quite possible if you're using an Android handset. Any handset which has not had it's dialer updated in the last 3 months is vulnerable to this.
Basically it works off something called USSDs. You know. When you're browsing a web page from your handset, you click a phone number and it calls it for you. It's a special type of URL.
Turns out that whilst the most common instruction is to make a call, it can also be used to show you your IMEI number or do a full factory reset.....
If you've updated to Jelly Bean, or your phone manufacturer / network have released an update for your handset (which you've downloaded and installed), then you should be safe. For everyone else, be aware!
To see if your handset is vulnerable, click this link to see if it displays your IMEI number or not (if it does, that's not good)