Do Crooks Own Your Wireless Service?

Security journalist Brian Krebs does a lot of admirable work, but recently people have been bombarding my inbox with recommendations to read one of his recent articles, subtly entitled “Who Owns Your Wireless Service? Crooks Do.” I wish these people would stop suggesting that I read this piece, partly because I have read it already, and partly because it falls well below Krebs’ usually high standards. Maybe Krebs and the readers of the article really do believe criminals are managing every telco in the USA, or maybe they just think Krebs has captured the anti-corporate zeitgeist in the USA. I only saw an article that rehashes several old stories, ties them together with the biased and unchallenged opinions of one political activist, and tosses in a few new links to half-assed blogs that Krebs had read earlier that week. Krebs considered this sufficient research to justify the conclusion that:

…the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed.

Of course Krebs is talking about US mobile providers, in the insular way that only Americans would talk about an industry that has to work on a global level – or has Krebs already forgotten all the fuss about Russian hackers and Huawei’s 5G networks? Somebody needed to check the facts in Krebs’ article. We might trust a journalist to do that work, but surveys show the American public has even less faith in the media than they do in phone companies. So let me have a go instead…

On Tuesday, Google announced that an unceasing deluge of automated robocalls had doomed a feature of its Google Voice service that sends transcripts of voicemails via text message.

Google said “certain carriers” are blocking the delivery of these messages because all too often the transcripts resulted from unsolicited robocalls, and that as a result the feature would be discontinued by Aug. 9. This is especially rich given that one big reason people use Google Voice in the first place is to screen unwanted communications from robocalls, mainly because the major wireless carriers have shown themselves incapable or else unwilling to do much to stem the tide of robocalls targeting their customers.

It is hardly a surprise that Google, the business that spends lavishly on anti-telco academic research and pays more to lobbyists than any other tech firm, is trying to tarnish the reputations of businesses that actually carry the cost for the infrastructure which Google wants to use free of charge. But what exactly are these ‘certain carriers’ doing wrong in this instance? They are blocking spam. The spam is created inadvertently because of some other spam, but it is still spam. If they refused to block this form of automated spam, would that also prove that telcos are ‘incapable or else unwilling’ to reduce the extent to which machines create unwanted traffic?

AT&T in particular has had a rough month. In July, the Electronic Frontier Foundation (EFF) filed a class action lawsuit on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities — including bounty hunters, car dealerships, landlords and stalkers — to access wireless customers’ real-time locations without authorization.

Krebs makes a fair point here. US telcos keep selling location data, and that is both a bad and a stupid thing to do, causing them a lot of harm for a tiny amount of revenue. But if you are going to write an article that says the whole industry is run by crooks, you need to do better than to identify a single telco that has ‘particular’ problems.

And on Monday, the U.S. Justice Department revealed that a Pakistani man was arrested and extradited to the United States to face charges of bribing numerous AT&T call-center employees to install malicious software and unauthorized hardware as part of a scheme to fraudulently unlock cell phones.

Ars Technica reports the scam resulted in millions of phones being removed from AT&T service and/or payment plans, and that the accused allegedly paid insiders hundreds of thousands of dollars to assist in the process.

This is all true, and a real problem for telcos. Handsets are expensive, and thieves want to steal them. Criminals can make good margins by reselling handsets whilst affording to pay enormous bribes to telco staff who lack integrity – or the common sense to realize they will likely be caught if they keep unlocking phones that disappear to Pakistan. But what does this have to do with consumer protection? The phones were being stolen from the telco, not from its customers. Consumer advocates often complain there is too much locking of handsets, even though crime prevention is one of the main reasons to lock phones to specific networks. And what exactly should telco bosses do about criminals willing to pay USD428,500 to a single corrupt employee over a five-year period? Should they raise employee wages to six-figure levels just to keep pace with the generosity of the criminals?

We should all probably be thankful that the defendant in this case wasn’t using his considerable access to aid criminals who specialize in conducting unauthorized SIM swaps…

Late last month, a federal judge in New York rejected a request by AT&T to dismiss a $224 million lawsuit over a SIM-swapping incident that led to $24 million in stolen cryptocurrency.

The defendant in that case, 21-year-old Manhattan resident Nicholas Truglia, is alleged to have stolen more than $80 million from victims of SIM swapping, but he is only one of many individuals involved in this incredibly easy, increasingly common and lucrative scheme.

SIM swaps are bad too. But do you know what is also bad? Losing your phone and then going to the store and bitching and moaning at a member of staff who will not give you a replacement SIM. And million-dollar heists of cryptocurrency would not be ‘incredibly easy’ if crypto millionaires took sensible measures to protect themselves like not saving their passwords on Google Drive. I know that lax password security for crypto accounts is an important driver of the increasing number of SIM swaps because Krebs wrote about it himself, but nobody seems to think Google should be sued for letting people save unencrypted passwords to the cloud.

So what the fresh hell is going on here? And is there any hope that lawmakers or regulators will do anything about these persistent problems? Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy, said the answer — at least in this administration — is probably a big “no.”

Yes, but Gigi Sohn would say that, given that she was appointed to a job at the Federal Communications Commission (FCC) by a Democrat politician, then lost it when the Republicans gained the upper hand. I can understand why she might like to see the Republicans thrown out of office so she can get another lucrative job at the FCC. What is harder to understand is why her political opinions are being presented as matters of fact.

“The takeaway here is the complete and total abdication of any oversight of the mobile wireless industry,” Sohn told KrebsOnSecurity. “Our enforcement agencies aren’t doing anything on these topics right now, and we have a complete and total breakdown of oversight of these incredibly powerful and important companies.”

That is not true, and Krebs should know this already. He has written at length about specialist police teams fighting SIM swaps. In this new article Krebs later refers to the adoption of SHAKEN/STIR by US mobile carriers, but seemingly forgets to mention that this method of preventing caller ID spoofing was actively pushed by the FCC. Perhaps he needs to do more research in this area, because I was surprised to discover that Krebs had never mentioned the SHAKEN/STIR protocols in any previous article, even though his readers have discussed them in the comments they leave on Krebs’ site. If Krebs had paid attention to the adoption of SHAKEN/STIR he would know its introduction was announced soon after the FCC levied a USD120mn fine against a serial robocaller, setting a new precedent for enforcement penalties unmatched by any that were imposed whilst Sohn was working for the US regulator.

On the issue of illegal SIM swaps, Wired recently ran a column pointing to a solution that many carriers in Africa have implemented which makes it much more difficult for SIM swap thieves to ply their craft.

“The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer,” wrote Wired’s Andy Greenberg in April. “If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked.”

Krebs is usually a solid researcher, but with this paragraph he really lets himself down. He asserts that “many” African telcos have implemented this control, but does he know the number that have? The article in Wired does not say. What can be shown is that the Wired article exaggerated the extent of anti-fraud controls in the African market. For example, the Wired piece mentions these checks having already been implemented in Kenya. That piece was published during April, but Safaricom, the dominant mobile provider in Kenya, only announced the launch of their anti-SIM-swap API in June.

Americans really need to get over themselves. It is a tired, nationalistic and racist trope to argue they are disturbingly behind just because a business in Africa did something before a business in the USA did it. African telcos are years ahead of US telcos on certain aspects of mobile security because they are also years ahead with delivering mobile financial services. There is no need to go into a meltdown if US telcos have not yet implemented a control which was only recently adopted by a few of Africa’s leading telcos.

In terms of combating the deluge of robocalls, Sohn says we already have a workable approach to arresting these nuisance calls: It’s an authentication procedure known as “SHAKEN/STIR,” and it is premised on the idea that every phone has a certificate of authenticity attached to it that can be used to validate if the call is indeed originating from the number it appears to be calling from.

And who was responsible for devising SHAKEN/STIR? US telcos, at the prompting of the FCC, though Sohn somehow neglected to share this important fact. And if she feels so strongly about robocalls, then why was she not demanding the FCC impose digital certificates back in June 2017, when she was still a paid advisor to the FCC and Americans were already enduring over 2.5bn robocalls per month?

“The FCC could make the carriers provide robocall apps for free to customers, but they’re not,” Sohn said. “The carriers instead are turning around and charging customers extra for this service. There was a fairly strong anti-robocalls bill that passed the House, but it’s now stuck in the legislative graveyard that is the Senate.”

AT&T said it and the other major carriers in the US are adopting SHAKEN/STIR and do not plan to charge for it. The company said it is working on building this feature into its Call Protect app, which is free and is meant to help customers block unwanted calls.

Here is some much-needed balance, but the strange juxtaposition – the opinion of one person versus a corporate statement by just one of the US mobile networks – shows how little research Krebs did before he wrote this piece. Why not state the approach to be adopted by other US telcos too? And why is so much space being devoted to the opinions of a single political-activist-lawyer with a grudge against the staff who currently work at the FCC?

What about the prospects of any kind of major overhaul to the privacy laws in this country that might give consumers more say over who can access their private data and what recourse they may have when companies entrusted with that information screw up?

What about them? The headline says telcos are owned by crooks. Krebs first turned to an announcement by Google to support this startling claim. But Krebs suddenly switches the focus of his article to a subject that relates much more to serial privacy abusers like Google than telcos.

If Krebs is arguing that US telcos oppose toughened privacy laws then he is right to do so. But this is an area where telcos and Google are happy to fight side-by-side.

Sohn said there are few signs that anyone in Congress is seriously championing consumer privacy as a major legislative issue.

That is also a fair comment. But instead of pretending the problem lies with “this administration”, Sohn should point out there is so little interest in tough privacy laws because fellow Democrats like Representative Ro Khanna, a Co-Chair for the Presidential nomination campaign of Bernie Sanders, are also in the pocket of Google. Khanna is seen as one of the Democrats’ leading authorities on tech businesses, but when he wrote a proposed “internet bill of rights” he submitted the draft to Google and Facebook for their approval, whilst arguing that the European Union’s General Data Protection Regulation (GDPR) was too onerous to use as a template for privacy laws in the USA…

Europe’s [GDPR] regulations [are] a nine, we’re a zero. Why can’t we get to a four or a five?

And then Krebs’ piece suddenly ends, on the non-sequitur that abuse of personal data is caused by ‘crooks’ running telcos, although the record US fine for privacy failings was imposed on Facebook, and the agency responsible for imposing that fine was the Federal Trade Commission, not the FCC.

After starting with the shocking assertion that telcos are run by crooks, Krebs’ article peters out with a tangential discussion of privacy. This is because the article is an extended laundry list of the peeves of Gigi Sohn, a political activist with her own axe to grind. We can only assume that net neutrality is never mentioned because the sky has stubbornly refused to fall, despite Sohn’s previous insistence that the FCC’s repeal of net neutrality regulations would lead to widespread exploitation of consumers.

This piece does not deliver a measured analysis of the flaws of US telcos, which are many, and do deserve criticism. Piecemeal rants like these reduce the focus on areas where US telcos should be forced to improve, such as the imposition of enhanced controls over location data. If Krebs intends to interview activists like Sohn in future, maybe he should simply repeat what they say verbatim, or apply some professional skepticism instead of browsing the internet for anything which vaguely supports their one-sided arguments.

All things considered, I would struggle to give Krebs’ article a four or a five out of ten. There is little research, and he is too trusting of biased sources. He relies on gossip and second-hand opinions to support his ugly clickbait headline.

Do crooks own your wireless service? Perhaps they do, but if this scanty, flawed evidence was presented in court then an objective judge would have to throw it out.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.