The Commsrisk Review of 2019

2019 is reaching its end. The image for this article depicts the allegory of Truth being rescued by Time, as witnessed by History; this feels like an appropriate theme for the events of the year. But was 2019 dominated by tumult and change, or did it progress at a glacial pace? Decide for yourself by reviewing the big stories of the last 12 months.

January

The hacker who used a massive distributed denial of service (DDoS) attack to knock Liberia offline was given a 32-month prison sentence.

The manufactured panic over SIM swap fraud reached its peak. Snopes, the fact checking website, debunked a fake news story about SIM swaps, whilst a women’s magazine made ridiculous claims that SIM swappers gather data using Facebook quizzes.

Indian RAFM vendor Subex showed where they expect growth to come from. They launched CrunchMetrics, a new brand which promises ‘automated AI based anomaly detection’ for businesses in several verticals.

A report by Cartesian claimed that a quarter of Americans watch Netflix and other video streaming services by reusing the credentials of a different household that pays for the account.

YouMail’s robocall index reached an all-time high, estimating that US subscribers received 5.2bn robocalls during January.

The Risk & Assurance Group (RAG) held its first conference in the Middle East, thanks to the generosity of hosts Batelco.

February

Tensions rose around Huawei’s promise that they will not spy for the Chinese government, but the European Union could not decide how to respond. Huawei’s public relations efforts were not helped by one of their employees stealing a robotic arm from T-Mobile USA.

SIM swapper Joel Ortiz was given a 10-year prison sentence after being found guilty of stealing cryptocurrency worth USD5mn.

There were disturbing revelations about US-trained communications spies being employed by the United Arab Emirates to monitor journalists and the leaders of other Arab countries. These were exacerbated when it was found that one of the spies had been given access to systems within Qatar’s incumbent operator immediately before she was recruited by the UAE.

March

The Telecommunications UK Fraud Forum (TUFF) was found to have repeatedly broken copyright laws, pirating content from Commsrisk, the New York Daily News, the Guardian and many others. They apologized and promised to include respect for intellectual property rights among the topics covered by their training courses.

Afghanistan’s government signed a deal worth USD11mn for a national revenue assurance system to monitor telco revenues, choosing suppliers with no experience of telecoms or revenue assurance.

European authorities worked together to knock internet TV pirates offline. Three British pirates were given 17 years of prison between them, whilst Spanish forces spearheaded a campaign which shut down 66 servers used to supply 800 pirate channels across Europe.

US telco Verizon asked permission to lock new 4G handsets for 60 days from sale, in response to a rapid rise in handset fraud since 2015.

The Nok Nok biometric authentication platform won the security award at the Mobile World Congress.

The American response to robocalls made some slight progress with AT&T and Comcast connecting the first STIR/SHAKEN verified call between two US telcos.

A South African bishop explained how SIM swappers tried to trick his parishioners into sending them money vouchers.

Huawei failed the security audit imposed by the UK government for the second year running, ramping up the controversy about using their 5G equipment. Meanwhile, US authorities quietly signaled they would end the practice of bulk collection of telco CDRs for surveillance.

April

The Tanzanian government found themselves desperately short of cash, so suddenly decided to jail Vodacom Tanzania’s Managing Director, their Head of RAFM, and several other Vodacom executives on bogus charges of fraud. The accused were told they could not apply for bail and should expect to be treated like those jailed in a different case, where several men associated with Six Telecoms Limited had already been detained for 16 months without bail or a trial date being set, whilst prosecutors supposedly gathered evidence of their wrongdoing. One week later the Vodacom executives were released and allowed to return to work after their employer agreed to pay a USD2.3mn fine.

A High Court decision showed UK authorities were incompetent at banning GSM gateways. Any business which would have otherwise used GSM gateways became free to seek compensation.

RAFM market leaders WeDo issued a press release saying they had a “standout” year in 2018, without divulging any figures.

RAG Learning, the online education platform supplied free by RAG, celebrated its first birthday following a record month for enrollments.

May

SIM swapper Nicholas Truglia was ordered to pay USD76mn in damages to the cryptocurrency entrepreneur he stole from.

Subex announced a seven percent rise in annual revenues.

Joseph Nderitu, Head of RAFM at Vodacom Tanzania, wrote a letter of thanks to the friends, colleagues and thousands of professionals who supported him during his wrongful detention by the Tanzanian authorities.

There was more debate about the risks of using Huawei equipment, with the former CSO of AT&T arguing that President Trump’s technology ban would not deliver an improvement in security, whilst the Vice Chairman of Canadian telco Rogers warned the Chinese manufacturer would be ‘compromised’ if China’s government told them to spy on foreign telcos. Meanwhile, the World Bank debarred Chinese fibre optic supplier Jiangsu Zhongtian Technology Co., Ltd. (ZTT) after it committed fraud in Zambia.

RAG partnered with Orillion Solutions to pilot a new blockchain-based repository for sharing intelligence about wangiri fraud. The RAG Wangiri Blockchain was one of five collaborative projects launched at RAG’s European conference in Bonn. RAG also closed a record annual sponsorship round by signing deals with 13 vendors.

June

June saw the announcement of several deals that were indicative of wider industry trends. Network intelligence business TEOCO purchased CIQUAL, experts in measuring quality of experience, whilst wholesale carrier iBasis selected Mobileum to provide them with roaming analytics.

Researchers concluded that the best way to tackle illegal video streaming is to tear down as many pirate sites as possible because former users would then be more likely to switch to legitimate services.

It was the turn of several British politicians to row over the security implications of using Huawei 5G equipment.

July

Analytics and roaming business Mobileum used some of the money from their private equity backers to purchase WeDo Technologies for USD70mn. The price could rise to USD97mn if WeDo’s management meet performance targets.

Telenor warned investors that group profits would be hit by a USD35mn error in accounting for commissions owed by Bangladeshi telco Grameenphone. In the UK, virtual mobile operator giffgaff received a USD1.7mn fine from the regulator for billing errors dating back to 2011.

A prospectus for the stock market listing of Airtel Africa disclosed that employees had stolen millions of dollars from the mobile money accounts of customers. A new payments app from the Japanese operators of 7-Eleven convenience stores had to be removed from service just three days after launch after criminals circumvented lax security controls and took control of customer accounts, using them to make large purchases.

The CEO of Quintillion, a wholesale telco in the US state of Alaska, received a five year prison sentence for faking contracts.

The controversy surrounding the monitoring of Ghana’s telcos by Global Voice Group (GVG) was reignited by a Member of Parliament who claimed the national RA system could be used to violate customer privacy because encryption of calls and messages had not been implemented.

Kenyan telco Safaricom announced they had implemented an API to warn other businesses if a SIM has recently been replaced. The solution is designed to help other firms guard against SIM swap fraud.

Those who were tricked into paying money to the Global RA Professionals Association (GRAPA) were further embarrassed by the discovery that the association’s disreputable owner/founder, Rob Mattison, had deleted all mention of his position as GRAPA President from his LinkedIn profile.

Students taking free courses on RAG Learning were given the option to verify their identity and obtain certificates of completion for the first time, in exchange for a processing fee of USD25.

Many were sad to hear that Santhosh Gopalan, a well-respected telecoms professional, had passed away.

August

Seven simbox fraudsters were arrested by India’s elite anti-terror police, supposedly because providing cheap international calls to expat workers in the Middle East made them a threat to national security.

The US Department of Justice revealed that fraudsters had paid USD1mn in bribes to AT&T staff as part of a conspiracy that unlocked 2mn handsets so they could be exported and sold.

An investigation by the Wall Street Journal found Huawei engineers had assisted the governments of Uganda and Zambia to spy on opposition politicians.

19-year-old Elliot Gunton was sentenced by a British court to 20 months in prison for stealing personal data and passing it on to SIM swappers. Gunton was already notorious for hacking TalkTalk, but police supervision was so inadequate that they only discovered he was still committing computer crimes when they checked his hard drive for evidence of offenses of a sexual nature. Meanwhile, SIM swappers who call themselves ChucklingSquad duped AT&T into giving them control of phone accounts belonging to famous YouTubers and then demonstrated the lax security of Twitter by tweeting from the CEO’s account.

GVG sought damages from the government of Guinea for terminating their national revenue assurance contract. Although Guinea said GVG had been guilty of corruption and fraud, the notorious supplier of national telecoms audit services claimed they were owed USD107mn, or approximately one percent of Guinea’s GDP.

Google’s determination to monitor everything you do was further illustrated by the derisory argument that blocking cookies is bad for privacy.

September

AdaptiveMobile Security disclosed the existence of the ‘Simjacker’ vulnerability, which allows bad actors to send instructions to the S@T Browser application on a SIM card inside a specially formatted SMS; the SIM can then be made to retrieve data such as the handset’s location and report it back by SMS, without the user seeing anything. A billion phone users were thought to be at risk.
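Simjacker rides on ordinary SMS-PP data download: a message whose TP-PID is 0x7F ((U)SIM data download) and whose TP-DCS marks it as class 2 (SIM-specific) 8-bit data is handed by the handset straight to the SIM. An SMS firewall or home-routing node can therefore spot such messages on the wire and drop any that do not come from the operator’s own OTA platform. The following filter is an added example written for this review, not code from AdaptiveMobile or any operator; the PID and DCS encodings follow 3GPP TS 23.040, while the originating addresses, the allow-list name and the sample records are constructed.

```python
from dataclasses import dataclass

# 3GPP TS 23.040 TP-PID value for "(U)SIM data download"
TP_PID_SIM_DATA_DOWNLOAD = 0x7F


def dcs_is_class2_binary(dcs: int) -> bool:
    """True if a TP-DCS octet denotes class 2 (SIM-specific) 8-bit data.

    Two coding groups can express that (TS 23.040 / 23.038):
      - 1111xxxx "data coding/message class": bit 2 = 8-bit, bits 1-0 = class (0xF6)
      - 00xxxxxx "general data coding": bit 4 = class present, bits 3-2 = 01 (8-bit),
        bits 1-0 = class (0x16)
    """
    group = dcs >> 4
    if group == 0xF:
        return (dcs & 0x04) != 0 and (dcs & 0x03) == 2
    if group <= 0x3:
        return (dcs & 0x10) != 0 and ((dcs >> 2) & 0x03) == 1 and (dcs & 0x03) == 2
    return False


@dataclass
class SmsRecord:
    origin: str        # address of the SMSC / sender that delivered the message (constructed)
    dest_msisdn: str   # constructed subscriber number
    tp_pid: int
    tp_dcs: int


# Hypothetical: the only platforms allowed to push data to our subscribers' SIMs.
OTA_ALLOWLIST = {"OTA-PLATFORM-01"}


def classify(rec: SmsRecord) -> str:
    """'pass' ordinary traffic, 'block' SIM data download from an untrusted origin,
    'flag' messages that carry only one of the two markers (log for analyst review)."""
    pid_hit = rec.tp_pid == TP_PID_SIM_DATA_DOWNLOAD
    dcs_hit = dcs_is_class2_binary(rec.tp_dcs)
    if not (pid_hit or dcs_hit):
        return "pass"
    if rec.origin in OTA_ALLOWLIST:
        return "pass"
    if pid_hit and dcs_hit:
        return "block"
    return "flag"


# Constructed sample traffic, not captured from any network.
SAMPLE_TRAFFIC = [
    SmsRecord("OTA-PLATFORM-01", "254700000001", 0x7F, 0xF6),  # our own OTA campaign
    SmsRecord("15550001234", "254700000001", 0x7F, 0xF6),      # Simjacker-style from outside
    SmsRecord("15550001234", "254700000002", 0x00, 0x00),      # plain text message
    SmsRecord("15550001234", "254700000003", 0x00, 0x16),      # class 2 binary, no 0x7F PID
]


def filter_traffic(records):
    """Return (origin, destination, verdict) for each record."""
    return [(r.origin, r.dest_msisdn, classify(r)) for r in records]


if __name__ == "__main__":
    for row in filter_traffic(SAMPLE_TRAFFIC):
        print(row)
```

The filter only covers the delivery path; a SIM whose S@T Browser accepts unauthenticated commands is still exposed to an attacker who finds another route to it, so the check belongs alongside, not instead of, fixing the SIM’s minimum security level.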

In the USA, the Federal Bureau of Investigation (FBI) advised businesses not to rely so heavily on SMS messages for two-factor authentication because of the danger of SIM swapping.
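Safaricom’s SIM-replacement API (July) and the FBI’s warning about SMS two-factor authentication (above) point at the same control: before trusting an SMS one-time code, a relying party should ask whether the SIM behind the number was replaced recently, and fail closed when it cannot find out. The decision logic below is an added example for this review, not Safaricom’s API or any bank’s code; the lookup is a stand-in with an assumed shape, and the MSISDNs, timestamps and policy windows are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a SIM-swap lookup service:
# MSISDN -> time of the most recent SIM replacement (None = none on record).
SIM_SWAP_RECORDS = {
    "254700000001": datetime(2019, 9, 10, 8, 30, tzinfo=timezone.utc),  # swapped 2 hours ago
    "254700000002": datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc),   # swapped 40 days ago
    "254700000003": None,                                                # never swapped
}
NOW = datetime(2019, 9, 10, 10, 30, tzinfo=timezone.utc)

# Illustrative policy windows (assumptions, not figures from any operator or regulator).
BLOCK_WINDOW_HIGH = timedelta(hours=24)     # high-value: hold for manual review
STEP_UP_WINDOW_HIGH = timedelta(days=7)     # high-value: require a non-SMS factor
STEP_UP_WINDOW_LOW = timedelta(hours=24)    # low-value: require a non-SMS factor


def lookup_sim_swap(msisdn: str) -> Optional[datetime]:
    """Hypothetical lookup. Raises KeyError for numbers the service knows nothing
    about (e.g. another network), which the caller must treat as 'no assurance'."""
    return SIM_SWAP_RECORDS[msisdn]


def otp_channel_decision(msisdn: str, risk_tier: str, now: datetime = NOW) -> str:
    """Return 'sms' (SMS OTP acceptable), 'step_up' (use app/hardware/voice-to-agent
    factor instead) or 'block' (hold the transaction) for this number and risk tier."""
    if risk_tier not in ("low", "high"):
        raise ValueError(f"unknown risk tier {risk_tier!r}")
    try:
        swapped_at = lookup_sim_swap(msisdn)
    except KeyError:
        # Fail closed: no data means no evidence the handset is still the customer's.
        return "step_up"
    if swapped_at is None:
        return "sms"
    age = now - swapped_at
    if age < timedelta(0):
        return "step_up"  # future timestamp: clock skew or bad data, do not trust it
    if risk_tier == "high":
        if age < BLOCK_WINDOW_HIGH:
            return "block"
        if age < STEP_UP_WINDOW_HIGH:
            return "step_up"
        return "sms"
    if age < STEP_UP_WINDOW_LOW:
        return "step_up"
    return "sms"


if __name__ == "__main__":
    for number in ("254700000001", "254700000002", "254700000003", "254700000099"):
        for tier in ("low", "high"):
            print(number, tier, otp_channel_decision(number, tier))
```

The point of the tiers is that a recent SIM swap is not itself proof of fraud (customers do lose phones), so the response is to move the authentication off the SMS channel rather than to refuse service outright, escalating to a hold only where the amount at risk justifies it.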

US telco Sprint was found to have taken government subsidies to provide phones to 885,000 people who were ineligible because their phones were inactive.

Prosecutors and law enforcement bodies across Europe worked together to take down 200 servers used to supply pirate internet TV to 800,000 paying users.

Google and its YouTube subsidiary agreed to pay a record USD170mn fine to US authorities for violating the privacy of children.

October

The Six Telecoms bypass fraud case in Tanzania was finally resolved, without a trial and two years after the accused were first put in jail, when the jailed executives were offered instant release if they pled guilty instead of waiting for a trial that never came. It was reported that the Tanzanian government collected USD40mn in ‘fines’ from the hundreds of prisoners they released during the same brief ‘amnesty’ for others held in detention whilst awaiting trial. The problem of government corruption was discussed at the RAG conference held in South Africa, where professionals from around the continent listened to Joseph Nderitu, former Head of RAFM at Vodacom Tanzania, telling the story of what happened when he was wrongly detained.

Vodafone UK somehow forgot how to comply with European Union ‘roam like home’ rules, and started charging customers enormous amounts for data usage whilst abroad.

A survey conducted by academics blamed low pay for the scale of mobile money fraud in Ghana.

MTN generated plenty of positive press in South Africa by explaining how they counter SIM swap fraud.

Following the successful sale of his business to Mobileum, erstwhile WeDo CEO Rui Paiva announced he was standing for election to Portugal’s National Assembly. However, he only received 425 votes.

November

Test call specialists Araxxe shared research which analyzed the causes of 3,665 charging errors detected using their tools. A third were blamed on incorrect pricing, and customers were undercharged twice as often as they were overcharged.

AT&T, the world’s largest telco by revenue, agreed to pay USD60mn in compensation to customers of ‘unlimited’ data services whose download speeds were throttled after their monthly usage exceeded a threshold that had not been disclosed to them. A Federal Trade Commissioner described AT&T’s behavior as a “massive scam”.

The second annual fraud report from the ITW Global Leaders’ Forum (GLF) presented a bold roadmap for change alongside a lot of useful information.

The Communications Fraud Control Association (CFCA) generated plenty of attention for themselves by publishing the results of their global fraud survey, which once again concluded that fraud was worse than before. However, a closer examination of the survey findings showed that the sample is small and skewed towards rich Western countries, and flawed calculations were used to generate some of the most eye-catching statistics.

A data breach at T‑Mobile USA leaked information relating to one million prepay customers.

Ghanaians were told they all need to re-register their SIM cards, in person, if they want to keep using them.

Further (slow) progress was made in the battle against robocalls when T‑Mobile USA, Comcast and Inteliquent became the first telcos to verify a single STIR/SHAKEN call across three separate networks.

December

Swedish network equipment suppliers Ericsson paid USD1bn to US authorities as punishment for bribing government officials and telco executives in Djibouti, China, Vietnam, Indonesia and Kuwait.

New York prosecutors accused a teenager of swapping 75 SIMs and stealing USD1mn from victims who were targeted because they own cryptocurrency.

Rocco Research repeated their annual survey of which vendors are best for detecting simboxes. The winners were Araxxe, LATRO and SIGOS.

The GSMA published ‘best practice’ on how to prevent mobile money fraud, but their advice was thin.

Leading vendor Subex agreed to connect all customers of their ROC fraud management system to the RAG Wangiri Blockchain. They described the anti-wangiri consortium as “a great opportunity for the industry to come together and move collectively against fraud”.

All Year Long

Huawei, SIM swaps, the (painful) transition to business assurance, and high-level corruption were major recurring themes of conversation during 2019, but there was one topic that generated headlines all around the world, every single month. There were many regulatory warnings and plenty of adverse press for wangiri fraud attacks, where con artists leave a missed call for customers in the hope they will dial back to an expensive destination. These are just some of the wangiri articles published by Commsrisk during 2019:

If wangiri proves anything, it is that the supposedly hectic pace of change in telcos is not leading us to fix some old and familiar problems. Wangiri has caused massive reputational harm for telcos, with the result that ordinary people around the world now know the Japanese for ‘one (ring) and cut’. Despite this, there are still many telcos that only offer excuses when challenged by the media and the public.

The telecoms industry is passing through a turbulent period, but too many professionals are still relying on old and inadequate mitigation techniques to address problems that have persisted even longer. Customers are losing their patience with telcos, and criminals often shame us by eagerly and effectively adopting new technology whilst successfully corrupting our staff. 2019 was a rough year in many respects, but it showed we can and must do better in 2020.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.