Complacent anti-fraud professionals can stop reading now. This article is only written for the hard-working minority who apply professional skepticism throughout their work, and who are specifically open to questioning why anti-fraud practices and expectations vary so much from country to country.
Are you still here? Okay, we can begin. But if you are still expecting the same kind of blah blah whac-a-mole yada yada drivel that is provided by most commentators on comms fraud then you have been warned. For this story to be told accurately, it must partly be told in Spanish.
PRIMERO: D. A.A.A. (en adelante, la parte reclamante) con fecha 12 de enero de 2022 interpuso reclamación ante la Agencia Española de Protección de Datos. La reclamación se dirige contra ORANGE ESPAGNE, S.A.U. con NIF A82009812 (en adelante, la parte reclamada u ORANGE). Los motivos en que basa la reclamación son los siguientes:
La parte reclamante manifiesta que el día 2 de diciembre de 2021 recibió un mensaje de ORANGE en el que se le informaba que se activaba el servicio de desvío de llamadas, el cual no había solicitado.
La parte reclamada autorizó sin su consentimiento un desvío de datos desde su móvil a una tercera línea que no es de su propiedad y desconoce.
Además, habían accedido a sus cuentas bancarias, realizando diversos cargos y operaciones no autorizadas.
So begins case number EXP202202151 of the Agencia Española de Protección de Datos (AEPD), Spain’s data protection agency. The facts as presented at the outset say that a customer of Orange Spain, only named as AAA, complained in January 2022 about call forwarding being applied to their mobile phone service without them asking for it, and that consequently their bank account was raided.
AAA backed up their claim with two pieces of evidence:
- a police report which said their mobile service was interrupted between 5.16pm and 7.14pm on December 2, 2021, although this police report seemingly only repeated what AAA told the police, and;
- screenshots of a Whatsapp exchange supplied by Orange, which seemingly came from an account matching AAA’s phone number, and which relate to a request to implement call forwarding because AAA’s SIM card had been damaged.
Before we continue the story, it is worth noting that forwarding voice calls does not mean that SMS messages have been forwarded. This audience is well aware of the reasons why criminals intercept one-time passwords (OTPs) sent to authenticate users of banking services, but establishing that voice calls have been forwarded is not the same as establishing SMS messages were sent to somebody who should not have received them.
Orange Spain do not deny that they briefly implemented call forwarding. Their version of events begins with:
En relación con lo expuesto, y en cuanto al desvío de llamadas, indicar a esta Agencia que el día 2 de diciembre se recibe una llamada de un particular, asegurando ser el titular de la línea, y facilitando al operador los datos identificativos del mismo necesarios para confirmar su identidad como titular de la línea.
Per Orange’s account, they received a request for call forwarding on December 2 and implemented it because the source of this request provided sufficient information to identify themselves as the owner of this phone account. Orange went on to assert that only voice calls were forwarded to the new number.
En resumen, desde el nuevo número no se puede acceder a los datos, aplicaciones ni mensajes del número viejo, en definitiva, a ningún tipo de información distinta a las llamadas entrantes.
This would mean AAA’s bank account could not have been compromised in the way that AAA claimed. Although AEPD wrote up the complaint as concerning call forwarding, AAA had originally complained they had been the victim of a SIM swap, which would entail access to all the services associated with the SIM. But as there was no SIM swap, and as the SMS messages were not forwarded, the bank accounts could not have been compromised by an OTP that was sent by SMS.
Orange then explained they further investigated what had occurred when AAA contacted them to complain about losing service, and this led them to immediately cancel call forwarding. The risk analysis function of Orange deduced that the request for call forwarding had come from somebody who had successfully impersonated AAA.
En este sentido, se ha podido constatar, tras un estudio derivado de la recepción de la presente reclamación, realizado en aras de esclarecer lo sucedido, que el personal de atención al cliente de la empresa, tras recibir las comunicaciones del cliente, y como refleja la propia documentación anexa al requerimiento, procedió, de forma inmediata, a anular el desvío de llamadas. Además, se dio traslado al grupo de análisis de riesgo de la compañía para que realizara un estudio de la situación, determinando que la solicitud de desvío de llamadas había sido irregular y que la misma se había producido por otra persona, sin perjuicio de que el llamante, superando las medidas de seguridad anteriormente descritas, se identificara satisfactoriamente como el particular que ahora reclama.
Orange’s analysis concluded that AAA’s personal information had been compromised to the extent needed to answer Orange’s identification questions. They thus barred further changes to AAA’s account unless it is made by a voice call from AAA’s Orange mobile number, or by visiting a store in person.
However, the AEPD investigation took an interesting turn.
En la política de seguridad no constan las tipologías de preguntas que se pueden hacer para autenticar a un cliente, aunque sí consta que deben hacerse 3 preguntas para este propósito. Aparte del nombre y apellidos y nº DNI, los cuales son datos para identificar al cliente no para autenticarlo, solo se hicieron 2 preguntas más;” fecha de nacimiento” y “dirección” (en esta última debe entenderse incluida la del “código postal”).
AEPD’s review of Orange’s security policy found that it requires three questions be asked to authenticate a customer. However, the questions that ask for the first name, surname and national identity number (DNI) should not count as authentication questions. Their only purpose is to clarify who is making the request. On this basis, Orange Spain only asked two authentication questions proper in this case: they asked for the customer’s date of birth and address, both of which were provided by the person they spoke to.
There is then a lot of wading through the AEPD’s bureaucratic file notes, which include the observation that GDPR regulations permit fines of up to EUR20mn (USD22mn) or 4 percent of a company’s global turnover. Spanish bureaucrats must really enjoy being bureaucratic if they actually see value in repeating the full extent of their powers, which will not change from case to case, in each individual case file they produce. But after all the wading, AEPD’s analysis is then restated: Orange asked two authentication questions (date of birth and address) instead of three. Presumably nobody in Orange wanted to challenge AEPD by observing that their policy also permits them to authenticate by ‘asking’ the customer’s phone number, and that their submission already stated the request for call forwarding came from a Whatsapp account that matched the customer’s phone number.
AEPD concluded there had been a violation of GDPR.
En base a lo anteriormente expuesto, en el caso analizado, queda en entredicho la diligencia empleada por parte de la reclamada para identificar a la persona que solicitó el desvío de las llamadas.
En todo caso, no se siguió el procedimiento implantado por la parte reclamada, ya que, de haberlo hecho, se debió haber producido la denegación de la activación del desvío
A la vista de lo anterior, la parte reclamada no logra acreditar que se haya seguido ese procedimiento y por consiguiente hubo un tratamiento ilícito de los datos personales de la parte reclamante, contraviniendo con ello el artículo 6 del RGPD.
In plain English, AEPD states that:
- Orange’s diligence is called into question;
- they did not follow their own procedures, and would not have forwarded calls if procedures had been adhered to; and
- this means there was unlawful processing of AAA’s personal data as article 6 of GDPR was violated.
There then follows even more bureaucratic notes that explain what scale of fine is justified in a case like this. The equivalent of the English word ‘reckless’ applies to Orange Spain per the AEPD’s reasoning, requiring a fine of EUR70,000 (USD77,000), though this is then reduced to EUR42,000 (USD46,000) because Orange admitted guilt and was willing to pay quickly.
That is the whole of the case per the AEPD, if you ignore many pages of empty waffle about the law. But good professionals will ask themselves the following:
- What if Orange had simply written a policy which asked for two authentication questions instead of three? Would AEPD have been forced to reason there was no GDPR violation?
- Does the scale of the fine, and the discounts offered for acquiescence, discourage all parties from engaging in more useful analysis of the limits of authentication, such as would have occurred if Orange argued that the phone number associated with the Whatsapp account was also relevant to authenticating the customer? Orange Spain has previously been slapped with a EUR70,000 fine for a similar GDPR violation so may have already concluded it is cheaper to admit guilt than fight an unjust decision.
- How could somebody who does not have access to the phone be able to create a Whatsapp account using that phone number before control of that phone had been hijacked?
- Why is AEPD uninterested in the essential question of how bank accounts were raided if AAA is saying they were taken over by intercepting an SMS OTP but Orange Spain says no SMS messages were forwarded to anyone but AAA, the actual account holder?
- Is the likeliest explanation of these events that AAA faked the theft of money from their own bank account and then sought to blame it on others to claim compensation?
I cannot say I definitely know the answers to these questions, but I am sure that AEPD secured a EUR42,000 fine without knowing the answers either. It is when we do not have easy answers that we must apply ourselves most. We need to be efficient when addressing cases like these for the benefit of society, for our businesses, and to ensure we differentiate between victims and fraudsters so they each get what they deserve.
The laziest kind of journalist would write this story up with a headline about SIM swapping, because that is what grabs attention (as proven here and here). A data protection enthusiast might acknowledge there is a lot more going on with this story than the usual arguments about big businesses being ‘reckless’ with personal data. But what would be really interesting is a comparison of whether such a case would be likely to generate any fine, never mind a potential EUR70,000 fine, in any of the other countries that have adopted GDPR. That would require a degree of diligence that lies beyond the comprehension of most data protection bureaucrats. And that means anti-fraud professionals need to be conscious that doing the things that avoid fines is not always the same as doing the things that stop crime.