The BBC reports that customers of TalkTalk, the UK telco, are being cheated by “an industrial-scale” organized criminal outfit in India. The story was researched by freelance investigative journalist Geoff White who interviewed three people who said they worked for the criminal enterprise. Each gave a credible and consistent story about how they duped TalkTalk customers. This is the scam in outline:
- Gangsters employ up to 60 staff who work in shifts in call centers in two Indian cities.
- The call center staff phone TalkTalk customers, pretending to be from TalkTalk. They follow scripts that closely resemble real TalkTalk scripts.
- The goal of the conversation is to persuade the victims to install malware.
- Once the malware is installed, a separate team within the criminal enterprise uses it to gain access to the victim’s online bank accounts.
White states that the stories given by the Indian whistleblowers match the details of crimes suffered by TalkTalk customers. There have been plenty of victims. In this Guardian story, TalkTalk customer Barry Tucker had GBP6,300 (USD7,700) stolen from his bank account, whilst this story in the Redditch Standard tells us how another TalkTalk customer was conned out of GBP1,700 (USD2,100).
Lawyers are working for a group of victims who seek compensation for considerable losses. Inevitably a lot of finger-pointing is now going on as businesses and regulators seek to deflect blame. The banks say they cannot be held responsible if customers give out passwords or allow their devices to be infected with malware (and that seems like a reasonable point to me). TalkTalk customer data was clearly stolen, but the telco says they worked hard to protect customers from the consequences. The actual breach may have been the fault of Wipro employees, after TalkTalk outsourced some of its call center operations to Wipro’s Kolkata office. Three Wipro employees were arrested last year on suspicion of selling TalkTalk customer data. The Indian businesses implicated by the whistleblowers insist they are not criminals, of course. And the always-useless UK Information Commissioner’s Office (ICO) has been ‘investigating’ the breach for years, as explained in the Guardian:
Graeme Smith from County Durham was one of the first victims to come forward after he was defrauded of £2,800 in January 2015. He says he can’t understand why the ICO is taking so long.
“This happened to me two years ago, and since then we have seen the ICO fine the company but stall on pronouncing on the earlier data breaches. There is a group of victims who have all been very patient, but this is starting to wear a bit thin. The ICO needs to get its act together. We have lost considerable sums and would like some answers. Is this body there to protect consumers’ data or not?” he asks.
Let us face facts. When it comes to situations like these, regulators are as likely to protect customers as I am likely to put my head into a shark’s mouth because a civil servant promises he will investigate should my head be bitten off. Maybe regulators will fine businesses, but only after the business has found out what went wrong and admitted to their failures. Otherwise these regulators are incompetent at determining what happened and providing redress for victims. So if this industry wants to protect its reputation it cannot take the usual minimalist approach of waiting for somebody to scream “compliance” before taking action. We do not need to wait for rules to be imposed upon us before we act sensibly to protect our businesses and our customers. Many of the issues are straightforward; there is just a lack of willingness to execute the following basic steps to improve our service and reduce the likelihood of crime:
- Stop measuring the performance of fraud departments based solely on the work done to protect the telco from being the victim of crime. Incentivize them to protect the customer from fraud as well.
- Stop thinking that breaches do not happen if you pretend they do not happen. Confess publicly and take immediate measures to raise customer awareness so they are less likely to fall victim to crime.
- Boards should stop thinking that responsibility for security and crime prevention can be delegated away from them because they lack the skills to review it. If board members are not competent to step up to this 21st century challenge then replace them with board members who are.
- Ensure contracts have severe penalties for any outsourced supplier who leaks or abuses data. Do not wait for customers to suffer before punishing a lax supplier. Make the supplier pay as soon as the breach is identified, and increase the size of the penalty according to how long was the delay between when the breach occurred and when the telco was informed of it.
- And the last point is so obvious that it pains me to write it: we need to spend more on security!
There is one other brief observation worth making here. I have received telephone calls, probably from genuine big businesses that supply services to me, which began by asking me for personal data so they could verify my identity “for data protection reasons”. What kind of terrible behavior is this? I understand the business’ dilemma – they want to be sure that the correct person picked up the telephone. But how should I know the caller is from the business they claim to be representing? It is not like I can verify their identity by asking their date of birth and their mother’s maiden name. And why is “data protection” treated as synonymous with protecting corporate interests, or ticking a legal compliance box, when it should be about genuinely serving the interests of customers? This is a terrible example to set and inevitably encourages criminals to construct telephone scams that play on the gullibility of ordinary people. Sometimes it is best if the business just deals with important matters by sending a letter, instead of trying to save some pennies by employing a man in an Indian call center who reads from a script that tells me what I need to do for him.
We can do a lot better than this, and we should. It should not take more heavy-handed government laws, the intervention of overpaid and under-equipped regulators, or reams of negative press to address issues like these. It only requires us to acknowledge a basic truth. Share prices and customer confidence are repeatedly being whacked by scandals like these, so we had better start explaining to shareholders why it is in their best financial interests to spend more on security and fighting crime.
Look here for the BBC’s version of the scam TalkTalk call center story.