The Commsrisk Review of 2020

Most reviews of 2020 are going to be dominated by one story, but the world has as many stories as there are people. The comms industry allows people to tell their stories even when nobody is nearby. Preserving the freedom to communicate has never been more important. Here are twelve months of stories, featuring the risks, challenges, failures and successes endured and enjoyed by the people who try to ensure comms providers continue to share everybody’s stories, every day of the year.

January to March

The US authorities significantly intensified efforts to reduce robocall scams, both seeking to prevent the origination of illegal calls within the country and blocking entry via international gateways. The Department of Justice (DoJ) took the unprecedented step of filing for restraining orders against five VoIP carriers that provided gateways for fraudulent calls that mostly originated in India. This soon morphed into a crackdown on the global rise in spam relating to the coronavirus pandemic. Rolled out across the year, the US anti-robocall program encouraged the adoption of the STIR/SHAKEN protocols to prevent the spoofing of caller IDs on IP networks, new legal protections when telcos use analytics to determine if calls should be blocked, and the appointment of a new industry monopoly for call tracing.

The Risk & Assurance Group (RAG) surveyed the coverage of business assurance teams and found that none had addressed all 25 categories of revenue and cost leakage in the RAG Leakage Catalog. The summary results offered a roadmap for the transition from revenue assurance to business assurance, with assurance teams typically expanding their scope from core areas like billing assurance and usage assurance to those areas which only a minority of telcos have recently started to cover, including asset assurance and contract assurance. However, there were still many telcos who said they had not yet covered the most basic aspects of revenue assurance.

Worries about signaling security and the cost of testing prompted the UK’s National Cyber Security Centre (NCSC) to propose the creation of a National Telecoms Lab that would allow researchers to do ‘hands on’ testing of network security. The NCSC also noted the danger of becoming dependent on Huawei, though soon afterwards Stéphane Richard, Chairman and CEO of Orange, shrugged off the risks of relying upon the Chinese manufacturer and implied the US authorities were exaggerating the danger of Chinese spying.

Controversial national revenue assurance audit provider Global Voice Group (GVG) were again found to be engaging in dubious business practices. After successfully persuading the Ghanaian government to sign a contract worth USD1.5mn per month on the pretext that they run a local business that would employ Ghanaians to provide all its services within Ghana, they treated a dozen employees of Ghana’s regulators to training at their base of operations in Spain.

Public warnings about wangiri fraud continued to emanate around the world but were sometimes greeted by telcos with complacent promises about automated detection and blocking. However, RAG successfully concluded the trial of a blockchain for exchanging wangiri intelligence, and this was followed by the implementation of a new production version of the anti-wangiri blockchain that included additional features such as the ability to integrate with the telco’s systems via an API. Over 80 businesses are connected at the date of writing.

Leading RAFM vendor Subex proposed the restructuring of its equity capital, including the halving of the nominal value of each share. The changes were approved and their shares went on a bull run, trading at the end of 2020 at approximately 10 times their lowest price during the year.

In other news, nine employees of Venezuelan state operator Movilnet were arrested for bypass fraud. Fraud expert Colin Yates revealed data that illustrates fundamental changes in the traffic for international revenue share fraud (IRSF) with the consequence that focusing on so-called ‘high risk’ countries is no longer a viable anti-fraud strategy. Seven members of a British gang who diverted phone calls and emails for 2,000 BT customers in order to use their credentials for online purchases were sentenced to 18 years of prison between them. Meanwhile, an Iranian RAFM consulting business called CTEG was revealed to have created social media accounts for bogus employees using the photos of famous singers and actors.

April to June

Conspiracy theories linking the spread of coronavirus to 5G prompted the vandalization of masts and threats to telco engineers. The pandemic caused not just fundamental changes in how we work, but also raised concerns that comms providers were being used to undermine the right to privacy. Privacy activist Max Schrems and his noyb group also highlighted the inconsistencies between the General Data Protection Regulation (GDPR) enforced in the European Union and the ways telcos actually operate by filing a GDPR complaint about A1 Telekom Austria.

Relations between the USA and China worsened following the announcement that the US comms regulator was considering barring four Chinese telcos for the sake of national security. The regulator also set a deadline of 30th June 2021 for IP networks to implement the STIR/SHAKEN protocols that prevent the spoofing of caller IDs. However, repeated delays and concerns about the high cost of implementation meant they later exempted smaller US telcos from the deadline. Meanwhile, the British authorities showed there are other ways to fight spam and reported a significant fall in nuisance calls.

There were multiple stories from Africa underlining the importance of mobile money not just to governments but also to ordinary people. Zimbabweans use mobile money for 85 percent of all transactions because of endless mismanagement of the national currency and poor access to traditional banks. However, this just prompted the government to extend its mismanagement into the digital domain and to justify this by claiming the country’s economic problems were caused by mobile money providers ‘printing’ virtual money. The growing power of mobile money was briefly demonstrated when leading provider Ecocash refused to suspend their service before they ultimately bowed to sustained government pressure. The government of Ghana took a more sensible approach to flexing their muscles by adopting policies designed to increase competition to MTN Ghana’s mobile money service, whilst Nigeria raised minimum capital requirements on firms with mobile money licenses.

The repeated abuse of IMEIs by some manufacturers was underlined by a story where an Indian policeman discovered the reason he was unable to use his new phone was because it had the same IMEI as 13,556 other handsets despite Indian law requiring all IMEIs to be unique.

RAG canceled their London conference for telecoms risk and assurance professionals but saved the agenda by moving it online instead. This proved to be an unexpected success as the two-day live broadcast was watched by 2,000 viewers across 470 cities in 93 countries.

In other news, a 12-hour outage for T-Mobile’s US network was subsequently found to have prevented 250mn calls from being connected. The dangers of trusting sensitive information to other people’s systems were underlined by a privacy breach at a virtual telecoms conference. An operation by Spanish police led to the end of a pirate IPTV service with 2mn paying customers. Test call business Roscom claimed to be the first revenue assurance vendor to become carbon-neutral. Well-known RAFM consultant and RAG Hall of Famer Ambrose Nwadike sadly passed away.

July to September

US-headquartered Mobileum confirmed their determination to dominate the market for telecoms risk and assurance services by announcing the acquisition of German firm SIGOS, a leading provider of test call services. No price was disclosed and details were scant, but a combined staff of 1,800 employees in 30 locations suggested it was likely that Mobileum’s private equity investors would expect the enlarged business to reduce costs by shedding staff. On the upside, Mobileum’s finances will be bolstered by the European Union giving them a EUR1.8mn research grant to assist the development of a 5G RAFM platform.

The need for increased focus on the abuse of A2P messaging services was confirmed by the launch of a new i3forum working group on messaging fraud, and also by the Mobile Ecosystem Forum (MEF) opening consultations for a new version of their A2P SMS Code of Conduct. MEF are expected to reveal the new Code at the beginning of 2021. Meanwhile, Australian telco Telstra announced a pilot program to identify and block malicious SMS messages designed to appear as though the source is a government function or well-known business.

Lazy assumptions about which regions are innovators and which are laggards were once again proved wrong when British mobile network EE introduced controls to prevent SIM swaps that copy the approach taken by many African operators. The reputation of Japanese providers of digital money was further tarnished with another story of lax controls failing to prevent systematic crime, this time resulting in the theft of JPY27mn (USD260,000) via NTT Docomo’s e-money app. In the meantime, Rwandan public transport became cashless thanks to mobile money and a desire to reduce the spread of coronavirus.

The US officially designated Huawei a threat to national security, and instigated a ‘Clean Network’ program designed to persuade allies to shun Chinese network suppliers. The US government also offered loans and other incentives to persuade Brazil not to use Huawei’s equipment in their 5G networks. However, Huawei and fellow Chinese manufacturer ZTE both passed a GSMA security audit, along with Ericsson.

There were also concerns about the security of US operators following credible reports that a sophisticated gang of hackers had used custom spear voice phishing attacks to trick staff at businesses including AT&T into revealing their user credentials. The hackers apparently exploited the uncertainty created by the pandemic to call staff working from home and convince them they were speaking to a representative of their employer’s IT function who needed them to fix an issue with their remote access to systems.

Increased working from home was the simplest explanation for why Commsrisk traffic reached unprecedented levels, setting new records for the number of visitors both during a calendar month and for a single day. The rise could not be explained by increased social media activity, as the share of traffic from sites like LinkedIn remained relatively small.

The Global Revenue Assurance Professionals’ Association (GRAPA) once again vacillated between corruption and incompetence. An investigation by Commsrisk discovered that individuals who sell training on the basis of being a certified GRAPA fraud examiner had originally given the qualification to themselves. But obviously nobody trained GRAPA about online security because one of their many marketing websites was hijacked by Asian businesses that provide payday loans and online gambling. GRAPA and its followers are so technologically inept that they still have not cleaned the spam advertising from their website at the date of writing.

Max Schrems and his colleagues at noyb scored another victory by showing a second US-EU privacy deal was legally flawed, but authorities on either side of the continent responded by simply deciding not to bother with the rule of law. Human fallibility was confirmed to be one of the key reasons why privacy has been undermined and hacking is so rife, with the Verizon Data Breach Investigations Report 2020 observing that 22 percent of reported data breaches were caused by human error and that this was likely to be an underestimate because staff and businesses prefer not to admit to mistakes.

In other news, Polish police arrested notorious SIM swapping hackers believed to have made fake accounts used to send bomb threats to 1,066 kindergartens. Bitcoin scammers compromised security at Twitter in order to publish messages from the accounts of some of the most famous people in the world. There was better news from social media when the platform used for RAG’s streaming broadcasts reported that the channel has surpassed 10,000 views since the first pilot was broadcast, less than a year earlier.

October to December

The RAG RAFM survey received responses from 175 revenue assurance and fraud management professionals employed by comms providers, making it the largest ever survey of its type. The headline for the summary findings was that comms providers and their customers collectively lose USD142bn per annum as a result of accidental and fraudulent forms of leakage.

The CEO of Latvian comms provider Tet was charged with fraud following a 10-year investigation. Though he was accused of overpaying for digital TV equipment, the length of the investigation, the continued support of Tet’s backers and changes in Latvia’s government suggested a political aspect to the prosecution.

The founding of the AB Handshake Corporation offered the first real competition to the group of North American businesses selling STIR/SHAKEN. Jim McEachern, a respected expert in the governance of STIR/SHAKEN, responded to criticism about the cost of implementation and the technical limitations highlighted by the low number of US calls currently authenticated using the method. McEachern argued that the digital signatures at the heart of STIR/SHAKEN offer the simplest way to protect privacy and stop the spoofing of phone numbers, but this prompted a further rebuttal from the developers of the signature-free AB Handshake.

Arguments in favor of current US anti-robocall policy were not helped by public prosecutors investigating why voters had received millions of robocalls discouraging them from voting in the Presidential election. Research involving the largest ever honeypot for robocalls concluded that scammers rely on repetition more than sophistication, but will use foreign languages to target immigrants and other phone users who may have poorer access to reliable information.

20 Israeli cryptocurrency executives were reported to have been targeted by hackers who exploited SS7 signaling vulnerabilities to intercept SMS messages. In contrast, the USA said they had made progress in tightening the security of Diameter during the year.

China’s diplomats increasingly resorted to threats but it was too late to turn the tide after a string of major economies prohibited or limited the use of Huawei products in telecoms networks. Previous claims that Huawei pays insufficient attention to security were reinforced when the UK’s Huawei Cyber Security Evaluation Centre said it had found a network vulnerability of ‘national significance’ that forced UK telcos to take ‘extraordinary action’. Meanwhile, Taiwan’s police warned about new phones from mainland China that have scam malware preinstalled.

Concerns surrounding the increased use of Zoom’s video conference platform were confirmed when the US-based business admitted as part of a settlement with the US consumer protection regulator that they had not really delivered the end-to-end encryption they had promised to customers. Not all Zoom’s problems were home-grown as they fired an employee who was nominally responsible for liaising with Chinese law enforcement, but who seemingly spent his time fabricating evidence about users in order to disrupt video meetings held to commemorate the anniversary of the Tiananmen Square Massacre.

US network T-Mobile reached a settlement relating to government subsidies wrongly taken for low-income customers of telcos they had acquired. They agreed to pay USD200mn in civil penalties after it was found that subsidies had been claimed on behalf of 885,000 ineligible customers.

There was no end to the corruption of the Tanzanian government and its telecoms regulator, who threatened another series of telco executives with prolonged detention without trial unless they pled guilty to charges of fraudulently affecting the government’s tax incomes. Six Vietnamese nationals working for Vietnamese-owned Halotel, including the telco’s Managing Director and Finance Director, were finally released in December after being imprisoned since March. They and their company agreed to pay the cash-strapped government a total of USD28mn in fines for a laundry list of crimes that are as unlikely as they are common to the charge sheet for every other telco executive imprisoned in Tanzania. This was the third time that the Tanzanian government had punished Halotel employees for vaguely-defined crimes since President John Magufuli took power in 2015. The methods used by the Tanzanian government to extort money had been detailed earlier in the year with the publication of the journals smuggled out of prison by Joseph Nderitu, former Head of RAFM at Vodacom Tanzania.

Customers faced hard times across the world, leading to a rise in disconnections. Some regulators, telcos and vendors sought to find a better way of managing the consequences by using analytics to advise customers to switch to tariffs that better reflect their usage and also by selectively limiting handset functionality.

In other news, Ugandan mobile money services were suspended after the discovery of a fraud involving the integrator between telcos and banks. The extent to which consumers are too trusting of insecure IoT devices was confirmed by the revelation that the manufacturers of a networked male chastity device refused to fix an issue that could allow a bad actor to permanently clamp the penis of every user. Whilst the news can sometimes be dominated by stories about deception and negligence, the RAG Hall of Fame inducted ten communications risk professionals who deserved to be honored for their lifetime contribution to our community.

Into the New Year

2020 has been a long year, but the good thing about a crisis is that it confirms all the reasons we need to manage risk, and all the ways that risks need to be managed. In some ways 2020 was both dull and terrible, but so much business experience was crammed into the year that I do not believe we have unpacked all the lessons it has tried to teach us. Understanding the past helps us to prepare for the future.

Instead of just reading about 2020, join the debate when Lee Scargall and I discuss the key learning points from last year for the first episode of a new season of RAG Television. The show will be streamed live on Wednesday 6th January at 8am New York, 1pm London and 6.30pm New Delhi; save it to your diary. We will broadcast live on consecutive Wednesdays so viewers can participate by sending messages during the show.

The coronavirus pandemic kept people apart during the year, but the services of comms providers helped to bridge the gaps that were created. I hope to see as many of you as possible during 2021, and if we cannot meet in person then we can keep telling stories and engaging in conversation online.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.