The Commsrisk Review of 2021

2021 saw the development of themes that will shape the landscape of electronic communications for many years but which some had hoped were only temporary interludes. Those themes are:

  • Cold War 2, the deepening of hostilities between China and the USA leading to an intensification of battles about and across networks
  • The rising abuse of voice, SMS, and any comms service where an individual can be contacted using their telephone number
  • Fundamental shifts in attitudes to the spread of disease which have implications for travel, leisure, social activity and working from home
  • The potential for digital money to both increase personal freedom and enable crime versus the desire to use it for taxation and authoritarian control
  • Telephony becoming subordinate to the internet and how this precipitates conflicts over the way they are both governed within a global context

The overarching themes need to be appreciated to make the most sense of each individual story. If we fail to map the prevailing currents then we risk being swept by the tides of history in directions we did not choose for ourselves. For example, without an appreciation of the bigger picture we may think we have read about individual data breaches, or about spyware on handsets, or about the tightening of security around 5G and the internet of things (IoT), when we are also reading about the permanent erosion of privacy and a modest reaction that seeks to prevent the rot from spreading even further. That theme became apparent decades ago but some are only now starting to acknowledge it.

It is no exaggeration to observe that the automated blocking of traffic and the consumer’s hostility towards unwanted and often misleading communications represent the beginning of a slide down a slippery slope that could ultimately break the consensus needed to maintain a global system where anyone can potentially speak to anyone else in real-time. Much good is done by advances in modern communications, and businesses will naturally accentuate the benefits of new technology. However, somebody has to manage the associated risks, or those risks will end up managing us. So please enjoy this review of the key stories for communications risk management during 2021, whilst keeping in mind the direction of travel indicated by the events described.

January to March

The experts in testing at Araxxe announced that they had found USD583bn of A2P SMS bypass fraud over the course of 2020. India introduced an SMS spam blocklist based on distributed ledger technology but had to briefly suspend its use; many A2P SMS messages were automatically blocked when businesses failed to upload templates of their messages in advance. Meanwhile, the US had to react quickly when it was publicly revealed that SMS messages could be redirected without the recipient’s knowledge by taking advantage of weak controls surrounding routing and the management of IDs supplied by NetNumber. The problem was collectively hushed up by pretending it had been fixed when it would have been more accurate to say the issue was neutralized by rendering NetNumber’s database irrelevant to the routing of messages sent to US mobile phone numbers.

The Federal Communications Commission (FCC), the US comms regulator, created a list of companies deemed to be an unacceptable risk to national security. Only Chinese businesses were listed, with Huawei and ZTE being the most prominent firms included. This represented the beginning of a sequence of events where the goal was to ban the use of Huawei and ZTE, and to strip their technology from US networks. Meanwhile, concerns that Russia and China could interfere with submarine communications cables prompted NATO countries to invest in their protection.

The media’s desire to create alarm about public safety and the absence of good data about telecoms crimes were both highlighted when Rob Chapman of the Risk & Assurance Group (RAG) submitted a Freedom of Information request asking the British police to explain numbers they had given to journalists that claimed to show a rise in SIM swap crimes. After a long delay by the police, their eventual response revealed the methods they use to query the database of reported crimes are so unreliable that they are literally incapable of reproducing their own SIM swap figures. Most anecdotal evidence suggests SIM swap criminals target rich individuals with large holdings of cryptocurrency. This was reiterated with the arrest of a gang of young men based in several countries who used SIM swaps to steal cryptocurrency worth USD100mn.

An American neo-Nazi was fined USD9.9mn for making thousands of racist robocalls with spoofed CLIs. North American plans to use the STIR/SHAKEN protocols to authenticate CLIs met resistance from Canadian experts worried that small telcos are more likely to have legitimate calls blocked. Meanwhile, a series of webinars created by the SIP Forum to advertise STIR/SHAKEN were found to have violated the privacy of participants by making the email address of everyone who registered visible to all the other 1,693 registrants.

Heavy expenditure on STIR/SHAKEN in North America prompted rivals to offer alternatives that would also assure the origin of voice calls but at a more affordable price for international markets. AB Handshake described their approach as the equivalent of the SWIFT banking system but for telecommunications. Pedro Rabacal of Vodacom Mozambique and Jeffrey Ross of 1Route appeared on RAG TV to argue there is a need for an international clearing house for call validation so different nations can have the freedom to implement their own flavor of authentication methods like STIR or AB Handshake without having to submit to US control or worry about interoperability of authentication for international calls.

Brendan Cleary of Cellusys also appeared on RAG TV to discuss the results of a study that showed 74 percent of operators remained vulnerable to signaling attacks. The survey found that only 1 in 5 of mobile operators believe GSMA/3GPP security guidelines cover all signaling threats.

An international law enforcement operation took down DarkMarket, which was said to be the largest illegal marketplace on the dark web. Anti-virus mogul John McAfee was charged with securities fraud after using Twitter to pump-and-dump investments in minor cryptocurrencies. McAfee committed suicide in a Spanish prison after learning he was going to be extradited to the USA.

Internal auditors at Cell C, the South African mobile operator, passed the results of investigations to the South African police, leading to the arrest of former IT executive Mohamed Ismal Adamjee on charges of having defrauded Cell C of ZAR130mn (USD8.6mn). Reports later in the year suggested the continuing investigation might find insider frauds worth over ZAR500mn (USD35mn) in total.

The UK operation of Telefónica was fined GBP10.5mn for overcharging a quarter of a million customers. However, the press failed to check the misinformation supplied by the UK regulator, Ofcom, who said billing errors had occurred for ‘at least’ 8 years between 2011 and 2019. These words were used in an Ofcom press release when the regulator already knew the errors began in 2003 and hence occurred over a 15-year period without once being identified by the billing accuracy audits they mandate. The regulator’s activities appeared even more suspicious when they waited 10 months to levy a follow-up fine because Telefónica UK had not provided complete and accurate information about the billing error.

Indian risk and analytics vendor Subex announced their first dividend in 14 years following a significant rise in the company’s share price. This interim dividend was followed by another dividend announced at the financial year end although revenue growth had been modest.

Telenor bravely opposed the violation of human rights in Myanmar by rejecting new cybersecurity laws from the military government that seized control of the country. The Norwegian telecoms group later decided to sell their Myanmar operations.

If imitation is the sincerest form of flattery then USD12bn business Infosys paid RAG a huge compliment by crudely copying the idea for the RAG Wangiri Blockchain. The idea was presented in marketing material as if it was new, without acknowledging Infosys had earlier gained access to RAG’s existing system, ostensibly to explore the potential for cross-industry collaboration on fraud prevention. Corporate goons from Corda, who were also supposedly partnering Infosys in the creation of an anti-fraud blockchain for telcos, demanded that Commsrisk drop the story. However, the claim that their intentions were genuine has still not led to an anti-fraud blockchain being offered to telcos by either party.

An online poll asked Commsrisk readers about the RAFM collaborative bodies and initiatives they respected most. RAG and the GSMA Fraud and Security Group (FASG) came top of the poll, whilst the Communications Fraud Control Association (CFCA) and the Global Revenue Assurance Professionals Association (GRAPA) were at the bottom.

April to June

RAG’s second study of leakage coverage showed that revenue and cost assurance was progressing at a glacial rate among communications providers, with only mediocre improvements in coverage since RAG’s previous study. The need for revenue assurance in other kinds of business was highlighted by cryptocurrency lending platform BlockFi exposing themselves to USD10mn of losses as a result of a mistake identical to those often found by reference data checks in telcos.

Australia chose to use straightforward and inexpensive ways of identifying and blocking fraudulent calls from overseas, and the Australian Communications and Media Authority (ACMA) claimed a high degree of success by reporting that 44 million spoofed calls and 11 million wangiri calls had been blocked during the first three months of implementing a new plan to combat scams. Meanwhile, the long-overdue adoption of STIR/SHAKEN in Canada was delayed yet again. The UK regulator came under intense media pressure to do more about scams and responded by hinting it is considering a version of STIR/SHAKEN for the UK though there is little evidence that this has been followed up in practice. In the USA, lawyers warned there would be a ‘tsunami’ of robocalls following a Supreme Court decision that effectively decided how to interpret the meaning of a comma in a sentence about when it is illegal to use autodialers. The case concerned calls made by Facebook to a phone number that did not belong to the Facebook user who entered it.

Research by academics at Princeton University in the USA showed that recycling phone numbers can be a major threat to the privacy of phone users. It is often said that Germans are especially sensitive about surveillance but a new German law required telcos to actively help state security spy on phones with IMSI-catchers. Huawei intensified their public relations campaign by persuading some useful idiots from the GSMA and foreign governments to attend the opening ceremony for the world’s ‘largest’ privacy center. The mathematical relationship between the privacy of users and the size of buildings was left unexplained.

Saudi Telecom and Nokia showed leadership by openly publishing their 5G security risk assessment. SMS firewall provider Anam was bought by Croatian IT and comms business Infobip, whilst leading RAFM vendor Neural Technologies was purchased by Canadian conglomerate Volaris Group.

Fresh attention was paid to the corrosive influence of Global Voice Group (GVG) on the auditing of telecoms revenues, and upon the integrity of government more generally, when the head of Lesotho’s comms regulator accused a government minister of demanding bribes to award a contract to GVG whilst also pressuring her for sex.

The significance of the digital divide continued to receive increased scrutiny as a result of children needing to be educated at home. Dion Price of Trustonic came on RAG TV to explain why closing the digital divide requires a combination of smart credit policies and smart handset security practices.

Whilst various countries including China pursued plans to network and virtualize money by implementing their own central bank digital currencies, El Salvador opted for the off-the-shelf solution of making Bitcoin legal tender.

More than 800 arrests were made worldwide because organized criminals were lured into using an encrypted comms network that was secretly under the control of the US Federal Bureau of Investigation (FBI). A 23-year-old Australian was shown leniency instead of being given a prison sentence despite making AUD680,000 (USD530,000) by discovering and reselling other people’s logon credentials for Netflix and various other online services. The vulnerability of old people was emphasized when phone scammers impersonated the police and stole HKD254.9mn (USD32.9mn) from a 90-year-old resident of Hong Kong. Organized crime can also be bad for the scammers, as demonstrated when Turkish police announced the liberation of 33 Taiwanese who had been illegally trafficked and forced to work in a scam call center.

After half a billion dollars of expenditure and several years of delays, STIR/SHAKEN became mandatory for larger US telcos on June 30. Subsequent results have not been encouraging.

July to September

Mobileum and the GSMA hatched a plan to tackle fraud by persuading telcos to automatically exchange data. As usual with such brilliant ideas, nobody knows where they got their inspiration from. Mobileum also engaged in a series of deals to consolidate their position as the market leader in supplying risk and assurance products and services to comms providers. Meanwhile, their rivals at Subex pivoted towards cybersecurity and other verticals, including the energy sector. The perceived importance of signaling security was reinforced when Swedish software business Enea bought Ireland’s AdaptiveMobile Security in a deal worth EUR45mn (USD53mn).

Privacy campaigners reported on abuses of the Pegasus spyware that was created by Israel’s NSO Group and used by various governments to bug the phones of journalists, politicians and numerous others who have not been accused of crimes. A study of some feature phones manufactured in Russia and China found that several had pre-installed spyware that secretly sent SMS messages. Relations between Lithuania and China declined after Lithuania’s Deputy Defense Minister warned people to ‘get rid’ of Chinese mobile phones ‘as fast as reasonably possible’. This followed the discovery of troubling software on some Chinese-made handsets, including a system that allows a remote server to update instructions about the automatic censorship of phrases such as “long live Taiwan independence” or “democracy movement”.

Amazon received a record EUR746mn (USD888mn) GDPR fine from Luxembourg’s data protection regulator for the way it delivers behavioral advertising. However, this only became public knowledge because Amazon needed to report the liability in a US stock market filing; Luxembourg’s data protection regulator chose not to warn anyone but Amazon. Ireland’s data protection authorities separately issued Whatsapp with a GDPR fine of EUR225mn (USD268mn) but it later transpired this was only because the rest of Europe’s data protection regulators ganged up on the Irish and forced them to do their job properly. T-Mobile US disclosed that hackers had breached data relating to 40 million people. GVG was embroiled in yet another scandal when Ghana’s High Court ordered GVG and the comms regulator to destroy data collected about mobile phone users that was supposedly going to be used to reduce the spread of COVID-19. The court, like the rest of us, could find no plausible explanation for why GVG needed to know about mobile money transactions in order to improve public health.

The Mobile Ecosystem Forum (MEF) received unexpected pushback from industry insiders after announcing Ireland and Singapore would adopt anti-smishing registries based on a prototype developed by MEF for the UK. Critics questioned whether smishing had actually been reduced in the UK as a result of its registry.

A Pakistani resident who used bribes and malware to unlock 1,900,033 AT&T mobile phones so he could resell them on the gray market was given a 12-year prison sentence and ordered to pay USD200mn to AT&T as compensation. The UK government announced it was scrapping and replacing its national cyber fraud reporting agency. Any replacement will almost certainly be an improvement because it is difficult to imagine how a different team of people could do a worse job of tracking and reporting on networked crime.

New test data from Araxxe indicated there is a ratio of 3:1 for underbilling and overbilling errors made by telcos; this contrasted with the 2:1 ratio Araxxe previously reported.

The central banks of Australia, Malaysia, Singapore and South Africa agreed to trial a new exchange for digital currencies. Those questioning whether digital currencies have any value should consider that Ukrainian law enforcement raided a warehouse to investigate the theft of electricity only to discover 3,800 Sony Playstation 4 consoles robotically playing FIFA 21 in order to generate the in-game currency.

The Chief Security Officer of Deutsche Telekom recommended that security teams should become more entrepreneurial in nature. Cloudflare said they prevented a huge distributed denial of service (DDoS) attack that made 17 million requests per second at its peak.

An unusually large survey found that 1 in 10 Europeans say they have lost money as a result of receiving unsolicited phone calls. After struggling to reduce the number of robocalls, the FCC decided they had not done enough to monitor foreign owners of US telcos. The FCC enjoyed some relative success when finding technical reasons to impose a USD5mn fine on a pair of right-wing conspiracy theorists responsible for thousands of deceitful robocalls. The FCC cannot fine liars for trying to discourage voters from participating in the 2020 elections but they can fine political campaigners for calling people on their mobile phones instead of their landlines. US telcos were warned that from September 28 they were not allowed to receive phone calls from voice service providers that had not submitted a filing in the FCC’s Robocall Mitigation Database. This prompted a different warning when several parties intimated that the contents of the Robocall Mitigation Database are rubbish.

The RAG Hall of Fame inducted four veteran risk professionals known for their work in the electronic communications sector: Sebastian Milczanowski of Vodafone, Nixon Wampamba of MTN Nigeria, Geoff Ibbett of Symmetry Solutions, and Moly McMillan of Neil Ward & Associates. After a series of postponements, RAG finally held its first in-person conference since February 2020. The feedback to RAG London 2021 was overwhelmingly positive.

October to December

The results of RAG’s survey of revenue assurance, fraud management and cybersecurity professionals found that comms providers and their customers collectively lost USD149bn during 2021 as a consequence of addressable operating leakages. Security breaches represented the biggest category by value, followed by RA-style revenue and cost leakages. The cost of fraud was reported to have fallen significantly since 2020. The latter result contrasted sharply with news headlines though may be due to fraudsters concentrating more on crimes that target the customers of comms providers. For the second year in a row, the results of the survey suggested many telcos only monitor the cost of fraud to their business and have no idea of the cost borne by customers.

SMS giants Syniverse admitted that hackers had unauthorized access to their systems for five years. Criminals who use social engineering to steal passwords sent by SMS no longer need to worry about their accents or their spelling; hackers now sell bots that trick customers of various services including PayPal and Amazon into revealing one time passwords. A different kind of leak saw the online publication of the FBI’s internal guide to obtaining and analyzing CDRs from mobile operators.

BT received both praise and criticism when they proposed to work with the UK government on a new service that would track the movement of women’s mobile phones so alarms are raised if they do not arrive home on time. American concerns about Chinese privacy invasions continued with an FCC Commissioner wanting to add Chinese drone maker DJI to the list of companies considered a national security risk. DJI has 50 percent of the US drone market and was described as ‘Huawei on wings’ because their apps gather data from the user’s handset.

Banning Chinese firms is not a quick process in the USA. In November, President Joe Biden completed the process to stop Huawei and ZTE from supplying equipment to US telcos by signing the Secure Equipment Act into law. A few days earlier the FCC also completed all the reviews and proceedings needed to prohibit China Telecom’s subsidiary from operating in the USA. At the same time, other politicians proposed a new law designed to use US comms satellites to transmit unfiltered internet access to Cuba and other countries that censor the internet.

The government of Saudi Arabia agreed to end the most costly television piracy operation in the world and allow Qatar’s beIN Sports channels to be legitimately broadcast in Saudi Arabia again. Indian film star Shah Rukh Khan turned copying to his advantage by allowing his face and voice to be deepfaked in order to create thousands of personalized social media adverts for small businesses. Court documents revealed some of the downsides of deepfake technology by divulging that police in the United Arab Emirates believe the cloned voice of a company director was used to trick an employee into transferring USD35mn.

Chinese police arrested a gang accused of telecoms fraud and illegal cryptocurrency transactions worth RMB800mn (USD125mn) in total. Canadian police arrested a child who is too young to be subjected to normal reporting requirements after he or she spent some of the CAD46mn (USD36mn) in cryptocurrency that was stolen as a result of a SIM swap.

Wholesale carrier iBasis announced its wangiri fraud systems had blocked 191 million calls during the first half of 2021. iBasis also said they had demonstrated compliance with the GLF’s Code of Conduct, but a close examination of the GLF’s fraud report showed their compliance criteria require less of carriers than is promised by the actual Code. Stéphane Richard stepped down after 11 years as CEO and Chairman of Orange Group because he was convicted of fraud.

The GSMA published a handbook to mobile money where the most revealing element is that it had nothing to say about ensuring revenue and transaction integrity even though it contained sections on other operating risks such as privacy, security, fraud, know your customer, and anti-money laundering. To encourage financial inclusion, the Indian regulator proposed the zero rating of mobile banking USSD messages.

GVG decided it was time to offer a new service where GVG would take a cut of all government transactions made by mobile money. Soon afterwards the government of Ghana, one of GVG’s existing customers, announced they would need to spend GHS241mn (USD40mn) on employing an unknown third party to perform just such a service. However, opponents of the new mobile money transaction tax briefly caused the rest of the world to pay some attention to the digital exploitation of poor Africans by throwing punches in the Ghanaian Parliament.

The IoT Security Foundation slammed 78 percent of manufacturers they studied for failing to provide even a ‘basic’ mechanism for reporting security vulnerabilities. Apple instigated a law suit against NSO Group for putting spyware on iPhones. A German study warned that Open RAN standards for 5G represent a security risk because they are not secure by design. ETSI launched a new standard which they described as ‘the first comprehensive global standard for securing smartphones’.

TT Network, the joint mast operation of Telia Denmark and Telenor Denmark, disclosed that it had been hit by a ransomware attack. Subex disclosed that a cyberattack had impacted 10 percent of their systems. Cox Communications warned an unknown number of customers about a privacy breach that was blamed on a hacker who impersonated one of Cox’s agents.

Things went from bad to worse for the US STIR/SHAKEN program when one of the certification authorities revealed that some kinds of certified calls are twice as likely to be nuisance robocalls as calls which have received no certification.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.