The Commsrisk Review of 2022

There is a section of the electronic communications industry that is absorbed with choosing the right suppliers for network upgrades, with moving operations into cloud containers, and with debating whether Big Tech should subsidize Big Telco. The Commsrisk annual review may not interest those people. There are also other issues surrounding comms providers that generate intractable risk and will have even more influence on the wellbeing of society. The themes outlined at the beginning of the Commsrisk Review of 2021 remain almost exactly as important a whole year later, perhaps because people who want to succeed in their careers will find it easiest to ignore them. The key ongoing drivers of risk are:

  • Cold War 2, the deepening of hostilities between China and the USA leading to an intensification of battles about and across networks
  • The rising abuse of voice, SMS, and any comms service where an individual can be contacted using their telephone number
  • Fundamental shifts in attitudes towards travel, leisure, social activity and working from home
  • The potential for digital money to both increase personal freedom and enable crime versus the desire to use it for taxation and authoritarian control
  • Telephony becoming subordinate to the internet and how this precipitates conflicts over the way they are both governed within a global context

The most contested of these propositions will be whether the pandemic will have a lasting impact on behavior and working patterns; some people who hid from COVID for two consecutive years will assume no long-term repercussions will inhibit their return to ‘normal’. This could be because people spend less time thinking about changes they like, such as a reduction in time spent commuting, than things they do not like, such as a rise in spearphishing attacks aimed at the mobile phones of homeworkers. With regards to the latter, we should always remember the golden rule: keep insisting that anybody can be fooled by a scam call or message and you will have an excuse for not being fired after clicking a dodgy link or divulging your passwords to a stranger, even though you made the same mistake seventeen times already. Technology keeps moving us towards greater mobility, by which we mean we will have employers that monitor our keyboard presses whilst we work from home instead of watching us from across the floor of an open plan office.

We know life will change but the rate of progress and the route it takes is not always predictable, as shown when nobody forecast how much carbon emissions would be reduced by gain-of-function research in Wuhan. The business formerly known as Facebook lost two-thirds of its value over the course of 2022 because they bet so heavily on the rise of the metaverse, but the difference between launching the next Apple iPhone and launching the next Xerox Star is often a matter of timing, as will be appreciated by anyone who recalls how much the Macintosh outsold the Star despite being so similar. At some point the use of virtual and augmented reality headsets will stop being gimmicky and start being good for business, just as the recent release of ChatGPT represented the moment when an AI’s ability to pass the Turing test stopped being an amusing philosophical whimsy and turned into a board-level analysis of the politically acceptable rate for laying off thousands of employees.

Even the most severe germophobes might grow nostalgic for the time when their biggest complaint related to the temperature of the air conditioning at corporate headquarters instead of the increasingly large energy bills for the home office they built at the end of the garden. From a security perspective, physical proximity might also prove to be the only effective countermeasure to criminals exploiting our inability to distinguish between a 3D representation of a colleague’s avatar and a chatbot-powered deepfake of the same person. The ultimate determinant of how much time we spend in transit relative to the time spent looking at screens will be whether Elon Musk can deliver fleets of self-driving cars to bosses who share Elon Musk’s stance on remote working. This is ironic, given that Musk’s low earth orbit satellites lead the race to bring internet connectivity to the remotest regions. But buying Twitter has distracted Musk from the quest to save the species through interplanetary colonization and improved batteries. It also means that 40 percent of Californians will now treat interplanetary colonization and improved batteries as fascist conspiracies to be opposed by all means available, because that is easier than admitting that a habitual user of social media might be right about some things whilst wrong about other things.

The self-imposed exile to Gulag Mastodon by most of the infosec community may help them realize one of their oft-repeated ambitions, by permitting more influence over the governance of the internet to be exercised by the 95.7 percent of the world that lives outside of the USA. Then again, the International Telecommunication Union (ITU) decided that putting an American in charge was a victory for diversity, when real diversity would involve finding a leader who can provide a roadmap for global communications collaboration that is not dictated by the selfish interests of the world’s most powerful nations. As usual, the ITU’s agenda keeps involving a lot of talk about the need to get more schoolchildren and women online, when their real concern is whether authoritarians will splinter the internet. Iranians whose movements are monitored via their mobile phones can already explain why being connected is not a solution to every problem. Sadly, it has become increasingly difficult to tell if Western liberal authoritarians are more or less authoritarian than all the other authoritarians. Meanwhile, commercial businesses will keep delivering the improved handsets, mobile money services and OTT comms services that have done so much to alleviate poverty and increase inclusion, except when the governments represented at the ITU choose to tax and regulate them into oblivion.

Making jokes at the expense of rich and powerful people will never make me rich or powerful, so I had better get on with summarizing the events of 2022. But I comfort myself that this particular brand of cynicism has assembled an audience comprising some of the world’s finest risk professionals. Thank you for following Commsrisk this year, for choosing to read this review, and for the hard work you put into managing all those risks that others fail to appreciate until it is too late.

January to March

They advertise 5G as being fast but the year opened with an example of the real pace of change as US President Joe Biden thanked his government for the ‘tireless work’ involved in delaying 5G roll outs because of concerns about radio interference around airports. This came a mere 10 months after US operators paid USD159bn for the right to use that spectrum. After yet more tireless work, the roll out was then delayed again. British telcos showed that companies can also fail to keep pace with the utterly predictable, by continuing to give customers free roaming around the European Union even though they planned to start charging after Brexit.

In contrast, Russian bullies started the year by getting straight down to business, launching cyberattacks against Ukraine with the promise that an invasion would soon follow. Unlike many other government promises, this one was kept. When Russia invaded, many telcos responded by providing free international calls to Ukraine and free mobile services to Ukrainian refugees. International fraud expert Colin Yates then acted to protect those telcos by sharing intelligence about the fraudulent abuse of free calls to Ukraine. Meanwhile, the sophistication of the Russian Army was brought into question by the revelation that it relied upon simboxes to make calls across Ukrainian mobile networks.

Relations between China and the USA were not improved by the Federal Communications Commission (FCC) deciding to ban two more Chinese telcos. The FCC also extended its ‘covered list’ of firms considered a national security risk by adding Russian cybersecurity provider Kaspersky, the first time they listed a company based outside of China. Western powers clamped down on many communications channels that could be used to spread pro-Russian propaganda about the war in Ukraine, but not the European satellites used to broadcast Russian TV.

Ericsson admitted that staff may have previously made payments to Islamic State terrorists in order to avoid taxes levied by the Iraqi government. An arrest warrant was issued for the former boss of Malawi’s telecoms regulator on several charges of corruption. The Nigerian government showed boundless optimism in the benefits of revenue assurance by forecasting that implementing a national RA system would more than double the amount of tax collected from telcos. They then handed the 10-year contract for that national RA system to the politician who originally proposed the telco taxes which he will now be paid to assure.

New revelations about phone spyware ticked over at a steady pace reminiscent of the countdown timer on the side of an atomic bomb in a James Bond adventure, except that real-life agents seem to be fighting to ensure our collective loss of privacy will eventually blow up in everyone’s faces. The Federal Bureau of Investigation (FBI) admitted to purchasing and trialing the NSO Group’s Pegasus spyware before the government banned its use. A Reuters exclusive reported that another Israeli company exploited the same phone vulnerabilities to develop a rival spyware product to Pegasus. NSO Group tried to defend their battered reputation with a lawsuit against a newspaper that said Israel’s police used their spyware illegally.

It was revealed that hackers extracted personal data from the billing system of UScellular. Meanwhile, the infamous LAPSUS$ ransom gang showed it is easier to obtain access by bribing telco employees than by hacking systems. It was later revealed that LAPSUS$ stole source code from T-Mobile US but they lost it all because they were too lazy to make a backup. In the UK, Vodafone UK signaled a welcome change in how telcos talk to customers about risk by explaining how they used a firewall to reduce SMS scams by 76 percent. Three UK followed with the news that they were blocking up to 5.8 million SMS messages each month.

The US telecoms industry felt its deeply flawed strategy for reducing nuisance robocalls cannot be failing because of any mistakes they made, so they largely agreed that the real blame for robocalls must lie with foreigners. Extrapolate from the success the US had with planning for 5G around airports to anticipate what this review is going to say about the rate at which robocalls were subsequently reduced.

Britain’s worst bureaucrats and revenue assurance staff demonstrated they can also be world leaders in incompetence. UK regulator Ofcom spent a year producing a report that failed to explain why it took 15 years for O2 to fix a billing error that generated numerous complaints from the hundreds of thousands of customers who were overcharged. But at least they eventually noticed something was amiss. Fans of Monty Python might have realized that revenue assurance is no longer resting and is now as dead as an ex-parrot when they saw that the Wikipedia page for revenue assurance was turned into a stub and lined up for deletion. But then, they probably did not realize because nobody visits that page any more.

Ugandan authorities unexpectedly and forcibly removed mobile money kiosks from the city of Kampala, despite having previously licensed the same kiosks. This generated no howls of outrage in the West, presumably because the ITU and other international institutions only want news about digital inclusivity when it helps rich white people to feel good about themselves.

The importance of both submarine cables and business continuity planning was reaffirmed when a tsunami killed three, destroyed many homes, and disconnected the comms network of Tonga. Amidst the devastation, engineers worked hard to get the country back online.

There was no change to the rate of progress within the US legal system, which eventually allowed Digicel to secure a jury trial for its lawsuit against UPM, a US-based telco which it accused of using simboxes to bypass fees for international calls terminating in Haiti. Digicel started its legal action in 2015, the need for a jury trial was decided in January 2022, and the trial was eventually held in November.

Market leading telecoms assurance, analytics and security business Mobileum was sold by one private equity firm to another.

Everybody loves a good viral story about deepfake technology but not all scary innovations succeed in going viral. A string of mysterious YouTube channels uploaded hundreds of news videos with synthetic newsreaders designed to look like ordinary humans, but production of the videos stopped a while later because too few real people were watching them. The press paid far more attention to a story about Swedes implanting machine-readable chips inside their bodies as an alternative to carrying an identity card to obtain access to buildings. But that just showed how lazy human journalists can be when copying from each other, because the core of the story was a re-run of some old hype pushed by a couple of nobodies.

April to June

The European Union started flirting with proposals to end net neutrality just so they could force US tech businesses to subsidize European telcos. Being politicians, they realized their chances of success depended on avoiding the words ‘net neutrality’ for the same reason that advocates of net neutrality know that they must support net neutrality without knowing what those words mean. Objective research showed compelling evidence of email filters delivering politically biased outcomes in the choice of messages which are filtered. No politicians made a fuss because there was an equal and opposite bias depending on the email provider.

Netflix came to regret their previous encouragement of password sharing when faltering growth forced them to begin a global clampdown on naughty customers. An especially inept government minister laughed as she told parliamentarians that Netflix’s ‘generous’ policies led her to unlawfully share her password with four other people. Advertisers should be wary of bots being used to drive up streaming traffic, as confirmed later in the year when anti-fraud business DoubleVerify explained how networked devices like smart refrigerators can be turned into ‘viewers’ of internet TV.

Verizon played down the theft of an employee directory by hackers, despite increasing evidence that criminals find the easiest way to compromise systems is by first searching for staff they can compromise. In contrast, the US telco must have thought they hit the jackpot when they billed one unlucky customer for an enormously long and expensive wangiri call. However, it later transpired that the call was only long and expensive because Verizon’s billing was wrong. Spam blocking business Hiya announced the discovery of a sneaky new call back fraud which relies on voicemail messages that sound like the employees of a business are being overheard as they discuss the desperate need to reach the person they dialed.

A subsidiary of MTN Nigeria asked for a USD54mn refund from the country’s banks after it discovered that some of their mobile money transfers were ‘wrong’. Having done a lot to crush the use of mobile money by Zimbabweans who had grown to love it, Zimbabwe’s government took further steps to crush mobile money even more. The only upside to Zimbabwe’s upside-down economic policies is that strangling mobile money will make it harder for the parasitic scoundrels at national revenue assurance supplier GVG to pursue a strategy of pocketing as large a share of taxes as they can. GVG will have to console themselves by milking Zimbabwe’s voice services instead.

Ghana’s telcos showed it is possible to work together to reduce crime when they collectively blocked 28,000 SIMs associated with mobile money fraud. However, insiders at MTN Ghana were amongst those arrested for attempted SIM swap crimes that would have netted them over a quarter of a million dollars. Australia drafted new rules to make it more difficult for fraudsters to execute SIM swaps. Privacy concerns led the Philippine President to reject a new law requiring the registration of SIM cards.

Canada followed the lead of the USA by banning Huawei and ZTE from its 4G and 5G networks. Plans to recompense US telcos for stripping Huawei and ZTE from networks fell short when it was realized that the US government had not budgeted anywhere near enough money.

International opposition to Russia’s invasion of Ukraine and the difficulty of censoring all communications on the internet were both illustrated by large numbers of people using dating apps to send anti-war messages to Russians. Chinese experts advocated an innovative approach to curtailing free speech that would involve attacking US satellites. Several thousand tech ‘journalists’ who spend their entire lives on Twitter are now left pondering if the shooting down of Elon Musk’s Starlink satellites would be good or bad for democracy.

US predictions of handsome economic returns being generated by a half-billion dollar investment in STIR/SHAKEN ‘authentication’ of CLIs began petering out after several months’ data showed calls with a STIR/SHAKEN signature were more likely to be nuisance calls than the 80 percent of voice traffic which remained unsigned. This did not discourage plenty of propaganda about the need for even more STIR/SHAKEN for everyone everywhere. However, few wanted to talk about inconvenient examples of how US laws are enforced in practice. In one case that was almost completely ignored by mainstream US media, the Department of Justice reached a settlement with a telco responsible for spreading ‘tens of millions’ of illegal robocalls that said the telco nominally owed USD3.3mn whilst also agreeing that no actual penalty need be paid in practice.
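The paragraph above hinges on a point that is easy to lose in the propaganda: a STIR/SHAKEN signature proves that a carrier signed a token about the call, not that the caller is who they say they are. The following Python is an added example written for this review, not code from the Commsrisk page or from any vendor. It performs the claim-level checks a terminating carrier applies to the PASSporT token carried in a SIP Identity header (header fields, attestation level, freshness of iat, and that the orig/dest numbers match the call’s From and To). It assumes the ES256 signature has already been verified against the certificate at the x5u URL by a separate step, which is omitted here, and the token, telephone numbers and certificate URL are all constructed for illustration. A token that passes every check with attestation ‘C’ still tells the recipient only that some gateway received the call from somewhere.

```python
"""Claim-level checks on a STIR/SHAKEN PASSporT from a SIP Identity header.

Added example, not code from the original page. Signature verification
(ES256 against the certificate at the x5u URL) is assumed to happen elsewhere;
this shows what the remaining checks do, and what attestation does not prove.
"""
import base64
import json
import re
import time

MAX_IAT_SKEW = 60  # seconds; a PASSporT much older than a minute should be rejected


def _b64url_decode(s):
    """Base64url decode without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def canonical_tn(tn):
    """Digits only: the SHAKEN profile carries E.164 numbers without '+' or separators."""
    return re.sub(r"\D", "", tn)


def parse_identity_header(value):
    """Split '<jws>;info=<url>;alg=ES256;ppt=shaken' into the token and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().strip("<>")
    return parts[0], params


def decode_passport(jws):
    """Return (header, payload, signature_bytes) from a compact JWS string."""
    h, p, s = jws.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)


def check_passport(header, payload, from_tn, to_tn, now=None):
    """Apply the SHAKEN claim checks; return (passed, attestation, list_of_problems)."""
    now = time.time() if now is None else now
    problems = []
    if header.get("typ") != "passport" or header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        problems.append("unexpected header")
    if not header.get("x5u"):
        problems.append("no x5u certificate URL")
    attest = payload.get("attest")
    if attest not in ("A", "B", "C"):
        problems.append("invalid attest")
    iat = payload.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_IAT_SKEW:
        problems.append("iat outside freshness window")
    if canonical_tn(payload.get("orig", {}).get("tn", "")) != canonical_tn(from_tn):
        problems.append("orig tn does not match From")
    dests = payload.get("dest", {}).get("tn", [])
    if canonical_tn(to_tn) not in [canonical_tn(d) for d in dests]:
        problems.append("dest tn does not match To")
    if not payload.get("origid"):
        problems.append("missing origid")
    return not problems, attest, problems


def describe_attestation(attest):
    """What each attestation level actually asserts about the caller."""
    return {
        "A": "signer authenticated the caller and confirmed it may use the number",
        "B": "signer authenticated the caller but did not verify the number",
        "C": "signer only knows where it received the call from; nothing about the caller",
    }.get(attest, "unknown attestation")


def make_passport(header, payload, signature=b"\x00" * 64):
    """Build a compact JWS; the signature is a constructed placeholder, not a real ES256 signature."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{_b64url_encode(signature)}"


# Constructed sample: a gateway-attested (C) call that passes every claim check.
SAMPLE_NOW = 1_660_000_000
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.net/shaken.pem"}
SAMPLE_PAYLOAD = {"attest": "C", "dest": {"tn": ["12025550123"]}, "iat": SAMPLE_NOW - 5,
                  "orig": {"tn": "12125550199"}, "origid": "3b1f2c9e-0b4e-4e6a-9b3a-2f1c2d3e4f50"}
SAMPLE_IDENTITY = (make_passport(SAMPLE_HEADER, SAMPLE_PAYLOAD)
                   + ";info=<https://cert.example.net/shaken.pem>;alg=ES256;ppt=shaken")


def verify_sample(identity=SAMPLE_IDENTITY, from_tn="+12125550199", to_tn="+12025550123", now=SAMPLE_NOW):
    """Run the full claim-check pipeline on an Identity header value and summarise the result."""
    jws, params = parse_identity_header(identity)
    header, payload, _sig = decode_passport(jws)  # _sig: verified elsewhere (assumed)
    passed, attest, problems = check_passport(header, payload, from_tn, to_tn, now)
    return {"passed": passed, "attest": attest, "problems": problems,
            "cert_url": params.get("info"), "meaning": describe_attestation(attest)}


if __name__ == "__main__":
    print(json.dumps(verify_sample(), indent=2))
```

The sample passes with attestation ‘C’, which is exactly the case the statistics above describe: the token is well-formed, fresh, and matches the numbers on the call, yet the `meaning` field shows it says nothing about who originated it. The same function flags a stale token or a From number that does not match the signed `orig` claim, which is the spoofing case STIR/SHAKEN was sold as solving.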

North of the border, an expert described the implementation of STIR/SHAKEN in Canada as a ‘Kafkaesque nightmare’. The Australian Communications and Media Authority named and shamed Symbio for failing to investigate suspected spam calls. Having vilified foreigners as much as needed, the FCC’s Commissioners unanimously voted to impose STIR/SHAKEN on international carriers transiting traffic into the USA. You can already guess the likely ratio between promises made by the regulator before its rules were imposed and differences noticed by US consumers afterwards.

A surge of spam sent to Android phones in India via RCS Business Messaging (RBM) was abruptly halted when Google withdrew RBM from the country. After something of a recovery for its share price, the annual results for Indian analytics and assurance business Subex proved to be disappointing.

Identities are shifting to the digital domain, as exemplified by Barbados creating a version of their National ID cards that citizens save to their mobile phones.

Fears of COVID-19 died down and the Risk & Assurance Group (RAG) returned to business as usual with conferences in Dubai and New Orleans, followed by a new release of the most comprehensive inventory of revenue and cost leakages suffered by comms providers.

July to September

Rogers made themselves the least popular business in Canada by not just screwing up their national network for 15 hours but also by screwing up a lot of other businesses that had become too dependent on them. Security researcher Karsten Nohl had good news and bad news about protecting network functions transferred to the cloud. The good news is that malicious actors would need to go to more effort to spy on data or bring the network down. The bad news is that once they have found the means to compromise data, it is not much of an additional step to knock the network offline.

Executives who assumed the cost of a privacy breach is limited to writing some letters of apology may be thinking again after T-Mobile US offered USD350mn to settle claims following a 2021 breach. T-Mobile US were also reminded of the need to secure data relating to their own staff after fraudsters used the stolen login credentials of 50 employees to make USD25mn from a service that unlocked and unblocked handsets.

There is some irony in the fact that comms providers often seem to be better at giving away customer data than knowing who their customers are. A fine of AUD199,800 (USD142,000) was imposed by the Australian regulator on Circles.Life for contraventions of know your customer (KYC) rules when porting users.

The insecurity of mobile networked devices was confirmed by an authoritative Verizon survey. It found that 45 percent of organizations had experienced a security compromise effected via a mobile phone or other mobile device during the last 12 months. There were lots of conclusions to be drawn from the i3forum-RAG survey of international wholesale carriers, but the least surprising was that regulators and the police need to do a better job of tackling fraud.

One government agency did something useful; the Anti-Corruption Bureau of Malawi investigated the murky dealings surrounding government-procured revenue assurance systems and halted the contract for a national RA system. Ericsson’s corruption scandal grew worse when relatives of US citizens killed by terrorists lodged a class action law suit over the bribes that Ericsson allegedly paid to terrorist organizations. Ericsson was also accused of busting sanctions by selling equipment that could be used by the Russian military.

Patrick Donegan of Hardenstance issued a paper describing various ways that nation states threaten telco security. This should be obvious, but few seemed upset when Russian operator Rostelecom hijacked a lot of traffic from Apple. Russian marketing of telecoms crime was taken to a new level with a polished series of videos and a string of 5-star consumer reviews for a service that exploits SS7 security vulnerabilities in order to facilitate SIM swaps.

Just when you thought telecoms crime could not get more convoluted, an American company called Scammerblaster Inc was forced out of business after they were accused of conducting traffic pumping frauds to toll-free numbers to raise money for denial of service attacks against illegal robocallers. They might have got away with it for longer, but put themselves in the firing line by launching a denial of service attack on one of the people tasked with tracing the source of unwanted calls. Foreigners will be further shaking their heads at the way US laws work (or fail to work) when they realize that the FBI and Department of Justice seized Scammerblaster’s website but new content keeps being posted to Scammerblaster’s Twitter and YouTube accounts.

The US public should have learned the truth about how poorly anti-robocall laws are enforced when the FCC said they were investigating a criminal operation remarkably similar to a criminal operation previously investigated by the Federal Trade Commission and prosecuted by the Department of Justice in 2013. That prosecution ended with a meaningless settlement where robocall conspirator Roy Melvin Cox Jr. received no prison time and paid no financial penalty, on condition he promised to be a good boy in future. As you can already judge, Cox did not keep his word. Sadly, the US public did not learn about the similarities between his recent crimes and his history of crime because the US press only wanted to praise government agencies instead of drawing attention to their failings. It was some comfort that an unprecedented number of Americans obtained the truth from this website instead.

The remainder of the US remained in a bubble of their own creation, repeating increasingly implausible rationalizations about why the mandatory adoption of STIR/SHAKEN will be essential to reducing spoofed calls everywhere. On the other side of the Atlantic, EE told its customers that they were blocking up to a million spoofed calls every day, despite the total absence of STIR/SHAKEN in Britain.

Having told the public that they were going to make lots of money by imposing new taxes on telcos and by ‘assuring’ the revenues generated by telcos, the Nigerian government followed up with another money-making idea: imposing new taxes on ordinary phone users. However, even the stupidest governments sometimes admit they cannot defeat reality, and so Tanzania cut taxes on mobile money by 43 percent in order to encourage Tanzanians to use mobile money services as much as they had before the introduction of prohibitive taxes. Meanwhile, Chinese telecoms vendors went to war with India’s authorities over how much tax they owed.

Flush with new private equity money, Mobileum started talking about yet more takeovers. British revenue assurance firm Symmetry Solutions outmaneuvered some of the biggest companies working in telecoms fraud prevention by purchasing the rights to the PRISM international revenue share fraud database created by Colin Yates. PRISM intelligence is a key ingredient in the services delivered by several suppliers of high-risk number range analysis.

British political activist George Monbiot was so outraged by the mishandling of a family bereavement that he used his soapbox to chastise Vodafone for overcharging the dead. Healthy Londoners were plagued by a criminal who steals mobile phones from gym lockers and then uses OTP SMS messages to raid each victim’s bank accounts.

By the third quarter of 2022 it was widely known that flash calling is a big thing, but there was widespread disagreement about what kind of thing it is.

A bad year for data protection grew even worse when Twilio’s systems were compromised after staff were successfully targeted by a smishing attack. AT&T adopted the least dignified approach to reassuring customers by insisting compromised data must have been stolen from some other business. Multiple US police forces saved themselves the trouble of obtaining court orders compelling telcos to hand over mobile location data by simply buying the same kind of location data from nosey app developers. Then Optus secured the grand prize for worst telco data breach of the year, when a leaky API allowed a hacker to exfiltrate personal data relating to 40 percent of all Australians. But there was some good news for those of us who want to hold on to what little privacy still remains: financial pressures forced the termination of 100 staff at Israeli spyware business NSO Group.

Sometimes cynicism goes too far, but the reasons to indulge cynicism become apparent when academics who research the spread of misinformation over the internet are themselves guilty of spreading misinformation which is then further spread by tech journalists. The US military put the cherry on top of the cynicism cake when it was revealed they created bogus social media accounts to influence foreign opinion.

More of Twitter’s failings became apparent when they responded to a privacy breach by telling users not to associate their usual phone number with their Twitter account if they were worried about compromising their anonymity. This advice was supposedly meant to help Twitter users in countries where human rights are not respected, but not a single US tech journalist that claims to cover both Twitter and human rights noticed that most of those countries already insist on knowing who owns every phone line. Things soon got worse for Twitter’s management team when the company’s former Head of Security blew the whistle on ‘extreme, egregious deficiencies’ relating to security, privacy and spam prevention. However, all of these problems were forgotten as soon as Elon Musk took control of the company, not least because political partisans only take an interest in privacy and security when it can be used to club their opponents and not when those failings belong to members of their own tribe.

October to December

RAG published the first version of its crowdsourced fraud catalog, a companion to the long-running series of catalogs documenting revenue and cost leakages. There have since been over 500 downloads of the fraud catalog, which is distributed using a Creative Commons license that allows it to be circulated free of charge. The number of downloads and the swell of positive feedback suggests the fraud catalog may change the way that both fraud managers and academics categorize and educate themselves about all the varieties of fraud risks faced by comms providers and their customers.

A legion of bureaucrats demonstrated how difficult it is to reduce global warming by meeting in Bucharest to appoint a new head of the ITU instead of simply casting their votes online. 25 countries voted for the nominee from the country currently invading Ukraine but it was no surprise that he was defeated by Doreen Bogdan-Martin of the USA. Supposedly impartial tech journalists wrote this up as a great victory for diversity because a woman won the election for the first time, when what they really meant is that it was a great retreat from the experiment in diversity that allowed a Chinese man to win last time. Much was said about the ITU ushering in a new era of fluffy kittens and rainbows but what really mattered is that putting an American in charge means this particular United Nations agency will stop trying to govern the internet, which means the Chinese government will have less influence over the future of the internet than it would like. Decide for yourself if other international institutions that will continue to govern the internet and which happen to be based in the USA are more or less representative of humanity as a whole.

A government minister in Lesotho tried to stop the relentless spread of GVG’s national RA services by asking the High Court to scrap a contract with GVG because it had been corruptly awarded and because the regulator was not legally permitted to sign it anyway. However, the timing was strange as it coincided with the minister enjoying his final jolly at the ITU event in Bucharest, immediately prior to him losing his job when he and his party were defeated in a general election. The lawyers representing the Lesotho government also failed to file the necessary paperwork, leading the High Court to not just reject their claim, but to order the government to cover GVG’s legal costs.

The Russian offensive in Ukraine may have stalled, but pro-Russian businesses forged ahead with the launch of new telcos in occupied regions. These new telcos succeeded in keeping their owners and suppliers mysterious in order to evade sanctions. British telco Truphone, which has a subsidiary in the USA, was fined USD600,000 by US authorities for failing to accurately report how much of their company is owned by Russians. Nobody fined the US authorities for being so lax at enforcing their foreign ownership laws that Truphone’s violations went unnoticed for a decade.

The Chinese government is reportedly cracking down on corruption, and this was evidenced by the former boss of China Unicom being arrested on charges of taking bribes after he had already been expelled from the Chinese Communist Party. The US government preferred to crack down on foreign businesses instead of American criminals, and they continued to pick on the Chinese by banning Huawei and ZTE from selling products they have not even made yet. The idiosyncrasies of US law and culture mean it will still be a while before the US bans the sale of products that Huawei and ZTE have already made and which have previously been approved for sale. It ultimately only took a few days for a US jury to decide that Oregon-based UPM Technology used simboxes and abused roaming tariff plans in order to defraud Digicel Haiti, despite the seven years Digicel was made to wait for the trial. UPM and its CEO were ordered to pay damages collectively worth almost USD10mn, which was a lot less than the USD50mn that Digicel estimated as the total cost of UPM’s frauds.

A little bit of spyware can get into a lot of different phones, with the Indonesian government and military joining the long list of targets surveilled using technology from the NSO Group. One of the founders of NSO Group decided he was no longer interested in undermining security and would instead help to protect European infrastructure from cyberattacks. His first move was to recruit former Austrian Chancellor Sebastian Kurz to be his top salesman, because nothing conveys ethical standards more effectively than hiring a well-connected politician who was forced from power because of alleged corruption.

Unlike police forces everywhere else, British police showed too little interest in extracting data from phones. An official review found that 25,000 devices were waiting to be examined to see if they contained evidence about a crime. On the other hand, Brits can be grateful that the new Product Security and Telecommunications Infrastructure Act means the UK is leading the world in tackling the risk of insecure IoT devices being used to spy on consumers.

The consequences of the Optus breach reverberated on, with one survey claiming a tenth of Optus customers had churned. The Australian government introduced new rules that permit customer information to be shared between telcos and banks to mitigate the risk of accounts being taken over by criminals. Optus’ parent company, Singtel, made a provision worth AUD140mn (USD95mn) to cover the cost of cleaning up the mess. It will be little comfort to them that Australian rivals Telstra also suffered a breach when the details of 132,000 customers who should have remained unlisted were wrongly included in their directory services.

Privacy fans welcomed the launch of a new MVNO service based on technology called Pretty Good Phone Privacy (PGPP). The founders claimed the service would protect phone users by rotating IMSIs and obfuscating locations so that nobody will be sure who or where users are. However, telecoms security expert Silke Holtmanns explained that PGPP will not work in real life. Some hackers demonstrated how law-breakers sometimes do a lot more to protect privacy than governments, by leaking manuals that explain how Iranian mobile operators automatically feed surveillance data to the state.

American telecoms criminals find it easy to hide their identity by changing the names of the front organizations they hide behind, as demonstrated by transcripts contained in legal petitions submitted by the Attorney General of Indiana. Legitimate comms providers can also be a little bit crooked, as suggested by the sixth-largest US telco allocating USD11.5mn to settle legal claims about bills that made rapidly-rising fees look like they were government taxes.

Indian police raided a series of locations associated with cybercrimes, including two call centers that made scam calls to US victims. The Indian regulator also sought to protect Indians from scammers by proposing a national system to present the caller’s name on the receiving handset.

Everybody is very excited about the UK switching to all-IP networks in 2025. That is, everybody except customers, who have no idea why it is happening and just want the engineers that visit their homes to make less mess. After various US experts publicly predicted that the UK would adopt STIR/SHAKEN, none of them publicly commented on the reasons why the UK did not adopt STIR/SHAKEN. It probably had something to do with UK telcos massively reducing spoofed calls by blocking inbound international traffic presenting a domestic CLI. It may also have had something to do with that being much cheaper than implementing STIR/SHAKEN. And it could have had something to do with the following…
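As an added illustration (not Commsrisk's code, nor any UK operator's actual filter), here is a gateway-side check for the approach described above: an inbound call arriving on an international trunk that presents a UK domestic CLI is blocked. The allowance for +447 mobile numbers, which can legitimately arrive from abroad when the subscriber is roaming, is my assumption rather than something the article states, and the trunk labels and sample numbers are constructed.

```python
"""Constructed example: block inbound international calls presenting a UK domestic CLI."""
import re
from dataclasses import dataclass
from typing import Optional

# E.164: '+' then a non-zero country code digit and 6 to 14 further digits
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass(frozen=True)
class InboundCall:
    trunk: str           # ingress trunk class, assumed values: "international" or "domestic"
    presented_cli: str   # calling number as received, e.g. "+442079460000" or "020 7946 0000"


def normalise_uk_cli(cli: str) -> Optional[str]:
    """Return the CLI in E.164 form, or None if it cannot be parsed.

    Assumption: '00' is the international prefix and a single leading '0'
    is UK national format (trunk code), so it maps to +44.
    """
    digits = re.sub(r"[\s().-]", "", cli)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    elif digits.startswith("0"):
        digits = "+44" + digits[1:]
    return digits if E164.match(digits) else None


def is_uk_domestic(cli_e164: str) -> bool:
    return cli_e164.startswith("+44")


def is_uk_mobile(cli_e164: str) -> bool:
    # UK mobile numbers sit in the +447 range; roamers abroad may present these legitimately
    return cli_e164.startswith("+447")


def decide(call: InboundCall, allow_roaming_mobiles: bool = True) -> str:
    """Return a disposition string: 'allow', 'allow:<reason>' or 'block:<reason>'."""
    cli = normalise_uk_cli(call.presented_cli)
    if cli is None:
        return "block:invalid-cli"
    if call.trunk != "international":
        return "allow"   # the rule only concerns traffic entering from abroad
    if is_uk_domestic(cli):
        if allow_roaming_mobiles and is_uk_mobile(cli):
            return "allow:roaming-mobile"
        return "block:domestic-cli-on-international-trunk"
    return "allow"
```

Logging the blocked CLI together with the trunk identifier gives the detection data needed to spot a gateway that is persistently carrying spoofed domestic numbers.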

British taxpayers remained blissfully unaware that they spent one million pounds on an alternative to STIR/SHAKEN. However, the academics who received that money proved to be worth every penny by telling the British authorities that STIR/SHAKEN does not work very well. Spending one million pounds to avoid wasting hundreds of millions of pounds represents a good deal for Brits. However, the use of a new authentication technology by Deutsche Telekom suggested Germany might become the biggest roadblock to the international expansion of STIR/SHAKEN. The methods being trialed in Germany have the advantage that they would work equally well across both IP and non-IP networks.

US authorities vacillated between blaming the failure of STIR/SHAKEN on foreigners and blaming the failure of STIR/SHAKEN on the continued existence of non-IP networks within the USA. This was odd, given that everybody who knows how STIR/SHAKEN works must have been aware that it could not possibly be implemented across non-IP networks without adopting horrendous workarounds. 80 percent of US calls will now depend on these workarounds, suggesting it would have been a lot easier to devise and implement methods like those which were tested in Germany. But the US regulator is sticking to its plan for world domination by first nagging every US telco to switch to all-IP networks. There is 100 percent consensus that the US will soon demand that all foreign telcos must switch to all-IP networks but nobody dares say it aloud, much like nobody admitted that Qatar was bound to switch the World Cup to a Winter event until one day after the tournament was awarded to them.

For those who were not paying attention, the number of unwanted robocalls did not fall in the USA as previously promised. The number of US robocalls actually rose to the highest level since STIR/SHAKEN became mandatory. So let me remind you again of the many occasions the public was told STIR/SHAKEN would lead to a reduction in robocalls.

Glenn Hovey, a respected member of our professional community and a fine human being, passed away in November. He was taken too soon.

Commsrisk published its 3,000th article. The wheel of life keeps turning.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.