In a new regular column, Eric Priezkalns, MEF Director of Anti-Fraud and Integrity, examines how the abuse of Global Title represents the tip of an international iceberg of corruption stretching from the oppression of journalists in Cambodia to state-sanctioned surveillance in Chile.

The statistics for the readership of Commsrisk are impressive on one level, damning on another. Commsrisk has readers from all around the world; this is good! The readership of any particular Commsrisk article is heavily influenced by where the story occurs; this is a tragedy. Some problems are irreducibly global in nature. Emitting a tonne of carbon dioxide has the same impact on the cumulative problem of global warming that we all face, irrespective of where the emission occurred. On the other hand, activists may not rush to stage protests of the world’s most repressive regimes, no matter how much they contribute to climate change. A similar dichotomy occurs in the realm of communications. Criminals will use phone networks to exploit anybody, anywhere. But many of us continue to act like a problem located somewhere else on the planet is not a problem for the whole planet. We want our news to remain local even though we are threatened or protected because of choices made by people living 10,000 miles away.
The UK’s comms regulator, Ofcom, has proposed new rules to tackle the abuse of Global Titles (GTs). They are needed. GTs allow bad actors to unlock SS7 signaling and then do some very bad things, as Ofcom explains:
- spy on individuals;
- access personal communications; and
- compromise security measures (such as SMS security codes) to gain access to other services such as social media accounts and bank accounts.
The US Federal Communications Commission (FCC) has also talked about stiffening the rules surrounding Global Title but Ofcom is proposing to go further and faster than any national regulator before. This will upset some people. I have often used Commsrisk to criticize heavy-handed regulation, but not this time. The abuse of GT is a danger to everyone. You, your spouse or your child could be hurt by somebody on the far side of the planet, and you would never know they did it by exploiting GT. Risk managers weigh both probability and severity when determining the need for mitigation. The severity of these risks, with at least one known murder tied to the tracking of the victim’s location through the abuse of GT, justifies a more urgent tightening of the loopholes surrounding GT than we have seen so far.
My conviction was strengthened by research conducted on Ofcom’s behalf. Put simply, they showed that the information supplied to them by UK businesses does not cover all of the use being made of UK GTs in practice. So there are people who are choosing to be secretive about GTs despite being legally obliged to share information that was requested by Ofcom. Much can be gained through industry self-regulation, but not when there are some businesses that consciously choose to hide what they are doing.
The cost of abiding by Ofcom’s new rules, including prohibitions on leasing GT, may negatively impact the profits of some businesses that hold UK number ranges. A sensitive person may warn that increasing the costs to these businesses will not solve the problem of GTs relating to other number ranges being abused. Perhaps that explains why the GSMA’s Code of Conduct on GT Leasing has literally no signatories at the time of writing. It is a possible explanation, but not a justification. I feel shame at the communications industry’s lackluster response to the GSMA’s voluntary code. If businesses do not choose to act in the public’s interest then it is right for regulators to intervene.
The GSMA has never done me a favor, although they did screw me once. That makes me typically loath to help them. However, the GSMA’s Code of Conduct on GT Leasing has been written by people who understand the topic and who are sincere in seeking needed change. Petty rivalries need to be set aside in such circumstances. Protecting the public from harm is more important than petty one-upmanship in business.
My relationship with Stephen Ornadel, editor of the code, has sometimes been fractious, stemming from the time we worked together at T‑Mobile UK. Back then, I once described Ornadel as a ‘monster’, whilst simultaneously arguing for him to receive a bonus in recognition of how much he contributed to the team. People should not always need to like each other in order to get things done. Only a monster possessing the size and determination of Ornadel could have convinced the GSMA to adopt this Code of Conduct. Ornadel was joined on stage by Deutsche Telekom at this year’s Mobile World Congress as he made the case for worldwide endorsement of the code. But not even Ornadel’s monstrous proportions and dogged advocacy have been enough. Deutsche Telekom is still not yet a signatory, and there are only two nominal ‘supporters’ of the code: Omantel and Sky UK. The latter is now home to another monster of this industry that I have occasionally fought with: Andy Mayo, former Deputy Chair of the GSMA’s Fraud and Security Group. It does not surprise me that change may be led by individuals with the biggest personalities, who are least afraid of stepping ahead of the majority. What disappoints in this instance is that so few have followed.
Recently I stated I would stop publishing Commsrisk because it was not accomplishing its goals.
This enterprise began with specific goals, and I must reluctantly conclude they will never be realized through this medium. The evidence has been piling up more rapidly in recent years, in parallel with the accelerating growth of this website’s readership. That is why I am sure that accumulating an even larger audience will still not influence the changes that are sorely and urgently needed to protect the public from harm, that are needed to drive increased investment in securing the integrity of comms services, and that are needed to defend the jobs of experienced risk professionals who have been made redundant in larger numbers each year.
The heartfelt response of many readers, coupled with the reaction of the Mobile Ecosystem Forum, persuaded me that I was wrong. Please do not make a fool of me. If readers of this website believe we are doing anything of value, we must seek to stop the abuse of Global Titles. Two of the biggest monsters of fraud prevention are in agreement; let us not be afraid to back their frontal assault on crime. You can become a signatory or supporter of the GSMA GT Leasing Code of Conduct by clicking here.
Now here is some other news about events that may not have occurred on your doorstep. There was too much news this week; I ignored half of the headlines because this is meant to be a digest. Problems faced by the comms industry are ramping up so rapidly that they are giving me indigestion. It is no wonder that some prefer to narrow their perspective. But if you understand how networks function — and readers of this website tend to know about global networks — then you appreciate that everything occurs on your doorstep.
- Court Revives Massive Six-Year SIM Swap Case Against AT&T
- T‑Mobile US Agrees to USD31.5mn Deal over Data Breach
- Cambodian Journalist Who Reports on Scam Compounds Is Arrested
- Other News
Court Revives Massive Six-Year SIM Swap Case Against AT&T
It was 2018 when Michael Terpin started suing AT&T for a SIM swap that cost him USD24mn in stolen cryptocurrency. He wanted his USD24mn back, plus USD200mn in exemplary damages. It seemed like the lawsuit was defeated last year when a judge ruled that the wording of the standard contract with AT&T had limited the telco’s liability for losses suffered by customers. Terpin persisted, and took to social media last week to hail an unexpected turnaround in fortune.
As many of you have already seen, I prevailed in my appeal to the US Ninth Circuit in a unanimous decision by the three-judge panel, remanding my lawsuit against AT&T for its violation of the Federal Communications Act consent decree to protect consumer proprietary network information. This is an important victory in a landmark case that has been going on for more than six years…
There is still a long way to go in this case, but telcos cannot afford complacency. It may seem that the law is on their side, but the law is written by politicians, and then interpreted by judges. As long as there is SIM swap fraud, there will be the temptation to hold telcos liable, irrespective of what telcos write into their terms and conditions.
T‑Mobile US Agrees to USD31.5mn Deal over Data Breach
The US Federal Communications Commission (FCC) would like everyone to believe they impose their rules impartially, but it does seem like T‑Mobile US always gets a stiffer punishment for each breach of personal data than their competitors would. Multiple breaches between 2021 and 2023 led the US operator to agree the following sanctions with their regulator.
- A $15,750,000 civil penalty
- Another $15,750,000 to be spent on strengthening cybersecurity over the next two years
- A compliance plan to protect consumers against future data breaches
- Appointing a Chief Information Security Officer with a regular reporting line to the Board of Directors
- Implementing a “zero trust” security framework and network segmentation
- Deploying phishing-resistant multi-factor authentication
- Adopting data minimization, inventory, and disposal processes
- Identifying and tracking critical network assets
- Conducting independent assessments of information security practices of third parties
This sounds exactly like the kinds of controls that all telcos should have! Perhaps they should have been written into law, instead of written into a court settlement with a specific telco.
Cambodian Journalist Who Reports on Scam Compounds Is Arrested
Mech Dara, an independent journalist based in Phnom Penh, has been arrested on charges of “incitement to disturb social security”, which carries a maximum prison sentence of two years. Presumably the threat he poses is that he has been courageously reporting on the scale of human trafficking for scam compounds in Cambodia. 49 local and international NGOs have called on the Cambodian government to immediately release the journalist, stating that the arrest is “a clear attempt to silence a brave journalist whose investigative journalism has routinely called for accountability in cases of human rights violations”.
Journalist. Free speech. Consumer scams. Government corruption. Are we caring about this? Or do we only care if this kind of thing happens in a country that is both comfortably white and comfortably liberal? In other news, the US government keeps refusing to impose sanctions on Cambodia for trafficking the victims forced to work in scam compounds.
Other News
- 250 detained, including 190 Chinese, following raid on Manila scam compound; hundreds of phones, computers, local and international SIM cards used for alleged romance scams
- Airtel launches fancy advertising campaign promising to be ‘India’s first spam-fighting network’
- 90,000 South Koreans say they only want to deal with their bank in person, never over the phone
- New Hampshire Democrat primary STIR/SHAKEN spoofer admits that he knew what he was doing per FCC report
- Santander bank runs ‘fraudemic’ survey across 15 countries; finds 63 percent public support for telcos and ISPs suffering financial consequences for frauds they enable
- Tele2 group develops AI to tackle soaring fraud attempts
- Left-wingers and Communists fight Chilean government over IMSI-catcher surveillance
This post originally appeared on Commsrisk.com and is republished here with kind permission. All opinions expressed are solely those of the Author.