T-Mobile and TELUS Hacks Illustrate Why Telcos Should Pay for Their Own Policing

Q. What does the theft of source code from Canadian operator TELUS have in common with recent revelations about SIM swapping on T-Mobile’s US network?

A. They were both discovered because the hackers advertised their crimes.

American security journalist Brian Krebs explained how he learned about systematic SIM swapping abuse at T-Mobile.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Just a week earlier, Ax Sharma wrote for BleepingComputer about the discovery of employee information and source code being stolen from TELUS.

On February 17, a threat actor put up what they claim to be TELUS’ employee list (comprising names and email addresses) for sale on a data breach forum.

By Tuesday, February 21, the same threat actor had created another forum post — this time offering to sell TELUS’ private GitHub repositories, source code, as well as the company’s payroll records.

Both stories fit a familiar pattern. Hackers have realized that telcos run systems which contain a lot of personal data and intellectual property but these businesses rarely do enough to secure this information from theft. In particular, criminals have realized the effectiveness of targeting employees who grant unauthorized access to systems because they have been bribed or socially engineered. But regular readers of Commsrisk know this already. There have been many other stories like these. For specifics about these new stories you can read KrebsOnSecurity and BleepingComputer, and whilst you visit those sites you may ponder how many other stories they have previously published along similar lines. Instead of just considering the particulars of each story, it is time to step back and ask ourselves a more general question: why do journalists and YouTubers learn about telco hacks, breaches and scams before anybody working at a telco or for law enforcement? The answer is as appalling as it is obvious. Journalists and YouTubers know more about crime because they actively research crime.

Telcos are largely led by a management class which knows little about technology. This management class is supported by marketing and PR professionals who know even less. They are already deeply worried that investors will soon get upset about expenditure on 5G networks when there is no reason to believe they will generate revenues additional to those delivered by 4G. They tend to implement each ‘G’ because others implement each ‘G’, and none can explain why they require another ‘G’ because they do not understand what they are seeking to accomplish with each new iteration of technology. Similar factors cause them to maintain a fanciful approach to information security. Put simply, they calculate that if they under-invest in security, give minimal authority to security teams, prefer yes-men to critics of serious failings, and refuse to talk about security failings publicly, then security weaknesses will disappear of their own accord. This might be termed the Ostrich Strategy, after the bird which erroneously believes that it becomes invisible to predators if it refuses to look at them.

Not every business is as stupid as an ostrich. Whilst telcos are notoriously incapable of working together to tackle crime, and offer a myriad of excuses for their ongoing and collective failures, other sectors successfully demonstrate what could be achieved under different leadership. It is striking that the media industry, which is smaller than telecoms in terms of global annual revenues, is supported by a string of anti-crime agencies, police units and politicians. This is no accident. It occurred because the media industry spent money on making it happen. They pay for joint initiatives with cash-strapped police forces, they fund independent bodies which hire ex-policemen, and they pay for research which feeds lobbyists who then succeed in harnessing the legal powers of the state to support their private sector interests. The same occurs in banking too, which is why so much lobbying for telcos to do more to prevent SIM swaps and reduce identity crime begins with associations that are trying to protect online banking services.

Contrast the lobbying efforts of media and banking with those undertaken by telcos. The latest lobbying wheeze from big European telcos is ‘fair share’. This is a silly name for a proposal that would undo net neutrality by giving telcos the freedom to charge companies like Google and Netflix for their part in stimulating internet use, in addition to charging end recipients for the internet connection required to consume Google and Netflix’s services. Put simply, European telcos want to charge two groups of customers for the same traffic. Most of the arguments made in favor of ‘fair share’ are technologically illiterate; the business models of Google and Netflix do not require 5G, and little of the demand they generate relates to the kinds of network upgrades that telcos have voluntarily undertaken. But telcos want more money to cover the cost of investments like 5G, so they have revisited an argument for charging multiple customers that has been deployed and which has failed before. The only difference this time is that Europe has so few Big Tech companies that resentment of US success makes it easier for European politicians to lend their support for what is effectively a tax on foreign companies.

‘Fair share’ dominates the lobbying efforts of European telcos. Meanwhile, the media and financial services sectors continue to seek help from the state in fighting crime, a topic never raised by the lobbyists demanding ‘fair share’. Does it not occur to any of them that assistance with reducing crime might be more politically palatable than demands for subsidies from more successful businesses, and that the money saved by reducing crime could also be spent on investments like 5G?

In addition to seeking more support from law enforcement, telcos could also do more to defend themselves. They could employ the equivalent of private detectives who gather intelligence about crime in the same way that journalists do. Private detectives also tend to be former police, so there is not much difference whether telcos directly fund specific police operations or pay for the establishment and running of independent bodies that hire detectives. Or we can continue to complain that nothing can be done and to wonder why nobody else wants to help this industry. But as I recently pointed out, politicians are tired of hearing what telcos cannot do to protect themselves or the public.

There are now countless examples of journalists embarrassing telcos and undermining their reputations by revealing data breaches and security lapses. Telcos could employ people to gather the same intelligence first. Such intelligence could be used to close gaps and vulnerabilities sooner, and to learn more generally about the areas where telcos are failing. If telcos will not employ such people then they must be ostriches, convincing themselves that ignoring a problem is the same as solving a problem. But every week there is somebody who keeps publicly proving them wrong.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.