In this week’s bulletin:
- Fraud Intelligence and APIs: The Answer Is Staring Us in the Interface
- AT&T Agrees to Pay USD13mn Settlement for 2023 Data Breach
- Exploding Radio Comms Devices Kill 32 in Lebanon
- The MEF Anti-Fraud Yearbook
- Also, MEF Gave Me a Job
- Other News
There was enough news this week to fill three bulletins. And yet, all these developments were predictable. The complexity of risk in the communications sector is on a clearly upward trajectory, even if our capacity to understand and respond to risk remains unchanged.
Fraud Intelligence and APIs: The Answer Is Staring Us in the Interface
Every third conversation I have about tackling frauds will touch upon the divisive subject of how to exchange pertinent information. It seems a lot of people agree that information should be shared, whilst disagreeing about how to do it. Meanwhile, the internet-ification of the comms industry continues at pace, and that means some of the biggest industry players are betting on Application Programming Interfaces (APIs) providing a vital key that will unlock value from comms networks. Ericsson has unveiled a new joint venture that will supposedly encourage developers to explore a variety of new use cases powered by network-level APIs, and the venture involves many big telcos, including América Móvil, AT&T, Bharti Airtel, Deutsche Telekom, Orange, Reliance Jio, Singtel, Telefonica, Telstra, Verizon and Vodafone. Google Cloud and Vonage will partner the new nonprofit entity, which is jointly owned by all the participants, and other telcos are being encouraged to join. The entity, which has not been named yet, will take advantage of open-source APIs that have already been defined by the CAMARA project steered by the Linux Foundation and the GSMA. CAMARA followed this news with an announcement on Monday of a “major release” of 25 APIs that have been “vetted and tested through rigorous release management processes”. Some of these APIs will have already caught the attention of anti-fraud professionals because they provide number verification or they advise if a replacement SIM was recently issued. The latter provides a signal to other parties, such as banks, about the risk that SIM swap fraud is being used to attempt to gain control of a bank account or other online service.
It is not for me to point out that the big ideas that big people put into big press releases often begin as big ideas by little people who do not issue press releases. You can decide for yourself the significance of news about CAMARA’s major release given that the first example they highlighted is the same SIM swap API that scores of telcos have already publicly said they have implemented in dozens of countries. And some of you may have noticed that all this good news about SIM swap APIs sounds a bit like some news about SIM swap APIs implemented in Africa before anybody in a Western country decided SIM swap fraud prevention provides the very best example of the positive benefits of network APIs. But what I did notice this week is that I have been drafting the Mobile Ecosystem Forum’s response to a UK regulatory consultation that asks how the roaming status of users may be interrogated so that inbound international calls which spoof the mobile number may be blocked. And I also noticed that some other people, who are mostly American, and who have no interest in this UK regulatory consultation, have been separately discussing how the One Consortium will develop a framework for tracing the origin of bad international calls so they can share this advice with a mostly European group of regulators, including the UK regulator. Being a little person with no great assets beyond this website, I know it is contentious to argue that instead of wasting time on arguing the merits of how to do one thing to stop one kind of fraudulent activity in one way, and how to do another thing to stop other kinds of fraudulent activities in other ways, that everyone should step back and see a general pattern for how we should tackle challenges like these.
In general, we would save time and money if we all collectively planned to use APIs to tackle fraud by securely exchanging information, with the appropriate parties, about who is roaming, or whether such-and-such call really did originate on a particular network, and various other information that could be used to identify bad actors and block bad traffic. The bulk of the saving would come from realizing that an API initially created to prevent this fraud may also be leveraged to reduce that fraud. This industry has an unfortunate tendency of working back to solutions from specific instances of crime, instead of looking for overlaps where the same methods could be used to mitigate several types of abuse. For example, if a SIM is being used to generate a lot of spam P2P messages in a short period of time, it would be useful to know if that SIM had recently been swapped, before the police arrests the wrong person. However, this is always a contentious argument because many other people will want to solve these problems in several other ways, and much can be said about the relative advantages and disadvantages of everything they propose, when they only look at each problem in isolation. However, I retain hope that the simple ideas of little people sometimes get copied because they are right, even if the credit invariably lands somewhere else.
AT&T Agrees to Pay USD13mn Settlement for 2023 Data Breach
The second chapter in this bulletin about failing to see connections involves AT&T and the penalty it agreed for the breach which occurred in January 2023 involving the personal data of 9 million people. This particular data breach should not be confused with the AT&T breach made public in March 2024 involving the personal data of 73 million people or the AT&T breach made public in May 2024 involving the personal data “of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network”. The US Federal Communications Commission (FCC) decided the January 2023 breach merited AT&T handing over USD13mn in cash and making a bunch of promises and agreeing to audits which essentially mean AT&T will start doing things they should have been doing anyway. According to the FCC this represents a ‘privacy upgrade’…
In 2023, FCC Chairwoman Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches… Thanks to the work of the Task Force and a renewed focus on consumer protections more broadly under Chairwoman Rosenworcel, the Commission secured similar “Consumer Privacy Upgrades” covering beneficial data protection, cybersecurity, and consumer privacy terms with the largest wireless carriers, including today’s AT&T settlement…
Readers will have to look at the detail of the FCC’s findings and decide for themselves if USD1.46 for every individual whose data was breached represents a fair deal for both AT&T and the public who are put at risk every time their personal data is obtained by criminals. AT&T will say they are not really to blame because a vendor who handled the data failed to satisfy the terms of their contract. This kind of argument seems to be taken seriously by the FCC, even though AT&T should have checked if their vendor performed as expected. If telcos are not held liable for the bad behavior of suppliers that manage data on their behalf then they could easily eliminate any responsibility for data protection by writing contracts that imply suppliers are responsible for everything.
Long-serving readers will remember that blaming other companies for data breaches is a common theme for AT&T. Some may even remember that the same rationalization was proferred in 2015, when AT&T and FCC reached a then-record settlement of USD25mn for a breach involving offshored call centers that affected 280,000 AT&T customers. The data involved in that breach was more sensitive, but what the FCC now describes as a ‘privacy upgrade’ looks more like treading water when observing the number of breaches that have occurred over time. Regulators in most countries tend to increase penalties when the same rules are repeatedly broken by the same business. AT&T has had two more serious data breaches since the one covered by this latest settlement, begging the question of whether penalties are being geared up to motivate necessary change.
Exploding Radio Comms Devices Kill 32 in Lebanon
You probably do not need to read Commsrisk to discover 12 people were killed when thousands of pagers simultaneously exploded in the hands of Hezbollah operatives in Lebanon this week, or that another 20 were killed when hundreds of ‘walkie-talkies’ exploded the next day. Other commentators are better qualified to discuss the implications for Arab-Israeli relations, the conflict in Palestine, and the threat of an escalation involving Iran. My cold but rational contribution is to express surprise that we have not seen attacks like these before. Even ‘Western’ networked radio devices like iPhones rely on international supply chains. The more complicated the route by which a finished product is assembled and then transported, the greater the opportunities for subversion. At the same time, fully-charged batteries can contain a lot of energy. Whilst many have assumed that explosive materials were intentionally placed inside the devices used by Hezbollah, they ignore the explosive potential of the batteries that all of us carry every day.
Some phone batteries store around 30,000 joules of energy when charged. All of this energy can be rapidly released when the battery is short-circuited, resulting in an intense fire. Hardware designed to intentionally short-circuit the battery when the phone’s software receives a particular message would be harder to spot with the naked eye than an obviously foreign object inserted into the case. When a short circuit occurs, the battery undergoes a runaway thermal cascade that is the equivalent of lighting gunpowder within a closed box. 30,000 joules is approximately equal to the energy stored by 7 grams of TNT or the combined muzzle energy of five bullets fired from an AR-15 rifle. The way energy is directed when released also determines the threat to human safety as well as the amount of energy that is released. A lot of speculation has focused on how a detonator and a small amount of explosive may have been hidden inside the case so they would not be identified when the devices were inspected by Hezbollah’s security team. Journalists have paid less attention to whether the design of the batteries and the casing of the device were contributors to the harm caused. If the box containing the battery — the case of a telephone, pager or walkie-talkie — is made from an inflexible material of the correct strength to constrain any initial expansion of a short-circuited battery until the case catastrophically fails, then the material will become shrapnel. Like a knife through flesh, it is the piercing capability of this shrapnel that would do the real harm.
There are some people who think the threat of international supply chains being subverted is largely academic. Others tend not to worry about their phones being commandeered by bad actors because they lack the imagination to foresee how much harm could be done to them. Perhaps these risks will get more attention if people realize they are carrying a potential bomb in their pocket or in their hand, and that it could be set off remotely by somebody sending a specific text message.
The MEF Anti-Fraud Yearbook
Being an eternal pessimist, I sometimes get so engrossed with imagining doomsday scenarios that I neglect the really good things happening around me. That is my excuse for forgetting to mention the publication of the 2024 Anti-Fraud Yearbook of the Mobile Ecosystem Forum (MEF), which came out late last week. It is a really well-written summary of all the most important fraud topics for professionals working in mobile (and not so mobile) communications, as compiled by MEF Director Nick Rossman. Register to download a copy from here.
Also, MEF Gave Me a Job
You are likely aware that MEF now sponsors Commsrisk because you saw their logo at the top of the page. You may also remember reading in July about how I was retiring after spending 17 years writing about all the dangers lurking around every corner of the comms sector, and then reading in August that I was not retiring after all. Negotiations with MEF continued after they told me not to retire, and have concluded with me being appointed to a new role as their Director of Anti-Fraud and Integrity. The ‘integrity’ part refers to all the aspects of maintaining good service and behaving properly, such as delivering accurate bills and assuring costs. The ‘anti-fraud’ part requires less explanation. That is a lot of work, which is why I will need your help to succeed. And yes, I do mean you. I geolocate the IP address of everyone who reads this website, so I might just visit your house if I notice you shirking.
Being serious for a moment — as if anti-fraud APIs, data breaches and fatal explosions were not serious enough — there is no reason to delay my retirement unless working with MEF provides a catalyst for change, and that change can only occur if those of us who want change can overcome the resistance of those who oppose it. So I am going to be nagging a lot of you in the near future about joining MEF, donating intellectual property, attending meetings and conference calls, and all those other wonderful things that people are thinking about when they smile and use the word ‘collaboration’, but stop thinking about when they leave the office to catch the early train home.
This also means I do not want to hear any malarkey about what MEF has or has not done in the past. As a famous robot-killer once observed: there is no fate but what we make for ourselves. If something needs to be done, then we can do it, if we do it together.
Other News
- Mobileum emerges from Chapter 11 bankruptcy with reshaped balance sheet
- Germany’s Constitutional Court finds Hesse state law on phone surveillance has unconstitutional lack of privacy safeguards
- Brazilian comms regulator Anatel tells bankers that corporate telemarketers’ voluntary adoption of STIR/SHAKEN will receive its public launch in October and will be branded ‘Verified Origin’ (‘Origem Verificada’)
- Capgemini data breach includes virtual machine logs of T‑Mobile
- US industry association CTIA wants everyone to know that extensive work has led them to trace the origins of 10 different SMS spammers; now they just need somebody in power to prosecute them



