In this week’s bulletin about risk for the comms industry and its customers:
- Innocence Lost: Children and Scams
- KT to Demonstrate On-Phone Tech to Detect the Voices of Fraudsters
- British Doctors Using Whatsapp to Share Confidential Patient Information
- AT&T Punished for the Abuse of Government Subsidies
- Told You So(mos): The Slightly Nearer Solution for Impersonation Fraud
- Commsrisk Will Never Be Censored
- Other News
Innocence Lost: Children and Scams
I spent last week in Granbury, Texas, a small town situated an hour’s drive from the Dallas-Fort Worth metroplex and home to Jeffrey Ross of 1Route, the call validation and fraud management business. Anybody who knows Jeffrey will appreciate how much he does for his community by raising money for charity or helping with the running of the schools that his children attend. And so I was roped into spending a day at Granbury Middle School (pictured) where I talked with 12- and 13-year-olds about the good and bad sides of having mobile phones and accessing the internet. Jeffrey felt I would be able to teach the kids some things, but I learned at least as much as they did.
Many of the children shared stories about scam communications received by them or their parents. This was not surprising; the overwhelming majority own smartphones already, and are active on a variety of social media networks including Snapchat, YouTube and TikTok. I was particularly impressed by stories of the children warning their parents not to continue speaking to scammers who had called them. My time was divided into seven hour-long conversations with seven different groups of children over the length of the day, so it was profound to see children in a few different groups playacting the same physical movement of grabbing a phone from a parent’s hand to end the scammer’s call.
The inference is clear: some of these children are better than adults at intuiting the things that scammers might say. I was pleased that the kids were so wise, although this also makes me sad. Their agile minds are recognizing patterns of behavior indicative of deceit because they have been exposed to them. They are adapting because of a widespread breakdown of responsibility that has allowed adults to construct profitable but runaway systems for spreading lies.
Whether a tool is used for a good or bad purpose depends on the person handling it. One positive takeaway from my time at Granbury Middle School was that many of the kids enthusiastically recognized the word ‘scambaiter’. Adults fret about the content children may see on platforms like YouTube. The gleeful reaction to my mention of scambaiters was a reminder of the beneficial side of democratizing communication. Many of these children expressed a joyful desire to annoy and waste the time of scammers in a similar fashion to the scambaiters they had seen on YouTube.
That everybody can make and circulate content that entertains and informs is inspiring to those who want to share their passions. Scambaiters have likely taught these children more about scams than they would ever have learned from prosaic public information campaigns. Some adults who are paid to counter the abuse of networks would benefit from a dose of the youthful zeal I witnessed in Granbury.
KT to Demonstrate On-Phone Tech to Detect the Voices of Fraudsters
The South Korean government has given permission for operator KT and the National Institute of Scientific Investigation to demonstrate the use of AI installed on a phone to identify voices associated with scams. The announcement says the AI will identify similarities between the voice of a new caller and voices previously associated with scams. It also states that the technology works without being connected to a server, thus addressing some of the concerns that fighting crime will become an excuse for listening in on private conversations.
The South Korean government does not want to appear anything like the totalitarian regime in North Korea that monitors all the communications of citizens. Shifting the focus to technology which runs on the handset somewhat reduces the risk of a centralized surveillance architecture. However, if phones have the means to identify certain voices or understand the meaning of what is said then they can also be programmed to deny some people the freedom to communicate, or to secretly report on occasions when specific people have conversed. Governments are being pressured to compromise privacy in order to protect phone users from harm. This pressure will be especially acute in South Korea, where voice phishing is so common that a film based on the true story of a laundromat owner who sought vengeance on scammers is one of the top grossing movies of the year.
British Doctors Using Whatsapp to Share Confidential Patient Information
The Financial Times reports that staff working for Britain’s National Health Service (NHS) are routinely using Whatsapp on their private phones to share information about patients in their care.
“Every day, staff are using it constantly across the NHS,” said a senior consultant who works in one of London’s largest hospitals. “I’ve got nurses, junior doctors and senior consultants all in this one group, using WhatsApp on their personal phones to do the work we do.”
Political polarization and the gross simplification of technology risks result in a poor quality of analysis surrounding privacy threats. Foreign spies and greedy corporations make better bogeymen than the archetype of a caring medical professional, but it is the latter who have unmediated access to sensitive information which could devastate a person’s life if it is made public. There is an obvious potential for data to be leaked from Whatsapp groups created by NHS staff, as pointed out by several campaigners to the FT. These are some of the risk factors that come with using an informal communications tool like Whatsapp:
- Staff that change jobs or retire are unlikely to be promptly removed from Whatsapp groups, and will continue to have access to new sensitive information that they have no reason to see.
- Old information about former patients is likely to remain available in the history of the group conversation long after it should have been deleted.
- Larger Whatsapp groups are more convenient but they also mean more information will be shared with people who do not need it.
- It is easy to forward content from a Whatsapp group but nobody within the group would know about it.
- The loss or theft of a phone may lead to the compromise of the data stored on it.
If Whatsapp was directly responsible for breaking privacy laws by recklessly sharing patient data then a slew of leader writers and politicians would be wailing about it. Public faith in the integrity of British health professionals does not appear to have been dented by a series of scandals, including cancer surgeon Ian Paterson getting 15 years’ prison for unnecessary operations and nurse Lucy Letby receiving multiple life sentences for the murder and attempted murder of babies. As a consequence, the threat posed by the inappropriate use of Whatsapp will not receive the attention it deserves until there is another scandal. That reflects a mistake that human societies keep repeating because they refuse to learn from it.
Read the FT story here.
AT&T Punished for the Abuse of Government Subsidies
“‘An SEP,’ he said, ‘is something that we can’t see, or don’t see, or our brain doesn’t let us see, because we think that it’s somebody else’s problem. That’s what SEP means. Somebody Else’s Problem. The brain just edits it out, it’s like a blind spot. If you look at it directly you won’t see it unless you know precisely what it is. Your only hope is to catch it by surprise out of the corner of your eye.’”
Douglas Adams
Much of my career has involved commenting on things that are in plain view but which few want to see and even fewer want to discuss. They would prefer to treat these things as somebody else’s problem. Examples include the following.
- Many of the mistakes that cause undercharging can also cause overcharging, so it is nonsense to suggest that looking for these mistakes is bound to increase revenues. We should be searching for mistakes in the amounts we charge because all mistakes are bad, not because we are only interested in mistakes that favor our customers.
- Wholesale fraud is a zero-sum game because any amounts lost by one business are gains for the businesses that defrauded them. It is ridiculous to expect every business to be equally motivated to collaborate in the reduction of wholesale fraud, but much of the talk about industry collaboration makes no distinction between good and bad comms providers.
- Consumers are buying products and services to protect themselves from comms frauds because they perceive the need for enhanced protection and they are not receiving this protection for free. This means some comms providers not only profit from conveying fraudulent traffic, they also seek to profit by selling methods of hiding the same fraudulent traffic from those end users who are willing to pay for extra protection. This is a conflict of interest.
It is in this vein that Commsrisk has observed that US telcos have been guilty of taking government subsidies on behalf of ineligible customers year after year after year after year. Another telco was punished for abusing subsidies just a few weeks ago. And yet, for all this industry’s supposed expertise in data integrity, revenue assurance and fraud prevention, almost nobody draws any inference from this repeating cycle of behavior. Now here is a new story about AT&T agreeing not to defraud taxpayers as much as it has before. These were AT&T’s failings per the US Federal Communications Commission (FCC).
First, from at least May 2021 through December 2023, AT&T sought and received EBB or ACP funding for subscribers that were improperly enrolled in the programs. The Company enrolled 3,912 subscribers with incorrect and/or invalid identifying information by repeatedly using the same nonsubscriber benefit qualifying persons (BQP) to enroll multiple subscribers…
Second, from at least May 2021 through November 2023, 21 AT&T in-store sales representatives were associated with EBB and ACP enrollments for at least 220 subscribers that included incorrect and/or invalid BQP and customer email address information. Each of these 21 sales representatives did not obtain a unique Representative Accountability Database identification number (RAD ID). The EBB and ACP Rules require enrollment representatives to obtain a RAD ID before providing information directly or indirectly to the National Lifeline Accountability Database or the National Verifier…
Third, service providers that do not assess and collect a monthly fee after applying the ACP benefit may only receive reimbursement for offering the ACP benefit when the subscriber has used the service at least once every 30 days, or has cured their non-usage during a subsequent 15-day cure period. In October and November 2023, AT&T claimed reimbursement for 3,289 ACP subscribers despite those subscribers having more than 45 consecutive days of non-usage of the service…
AT&T has agreed to pay a USD2.3mn settlement. This figure comprises a USD1.9mn civil penalty plus the repayment of the ineligible subsidies.
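Each of the three FCC findings quoted above is a condition that a revenue assurance or fraud team could test against its own enrolment and reimbursement data before a regulator does. The script below is an added illustration, not code from Commsrisk, the FCC or any telco: it runs three audit rules over a handful of constructed records (the subscriber, BQP, representative and RAD ID values and the field names are all invented for this example) and reports a BQP reused across several subscribers, enrolments made by a representative with no RAD ID, and reimbursement claims for subscribers with more than 45 consecutive days of non-usage (the 30-day usage requirement plus the 15-day cure period described in the third finding).

```python
"""Audit checks mirroring the three FCC findings on EBB/ACP enrolments.

Illustrative example only. The records, field names and identifiers below
are constructed for the demonstration and are not real subscriber data.
"""
from collections import defaultdict
from datetime import date

# Constructed enrolment records: one row per subscriber, naming the benefit
# qualifying person (BQP) used to enrol them and the sales representative.
ENROLLMENTS = [
    {"subscriber_id": "S1", "bqp_id": "BQP-100", "rep_id": "R1"},
    {"subscriber_id": "S2", "bqp_id": "BQP-100", "rep_id": "R1"},
    {"subscriber_id": "S3", "bqp_id": "BQP-100", "rep_id": "R2"},
    {"subscriber_id": "S4", "bqp_id": None,      "rep_id": "R2"},
    {"subscriber_id": "S5", "bqp_id": "BQP-200", "rep_id": "R3"},
]

# Constructed map of representatives to their RAD ID; R2 never obtained one.
REP_RAD_IDS = {"R1": "RAD-0001", "R3": "RAD-0003"}

# Constructed date of each subscriber's most recent use of the service
# (None means the service was never used).
LAST_USAGE = {
    "S1": date(2023, 11, 15),
    "S2": date(2023, 9, 1),
    "S3": None,
    "S4": date(2023, 11, 1),
    "S5": date(2023, 10, 10),
}

# Constructed reimbursement claims: (subscriber_id, date the claim was made).
CLAIMS = [
    ("S1", date(2023, 11, 30)),
    ("S2", date(2023, 11, 30)),
    ("S3", date(2023, 11, 30)),
    ("S4", date(2023, 11, 30)),
    ("S5", date(2023, 11, 30)),
]

# 30-day usage window plus the 15-day cure period quoted in the FCC finding.
NON_USAGE_LIMIT_DAYS = 45


def shared_bqps(enrollments):
    """Return {bqp_id: [subscriber_ids]} for every BQP reused across subscribers."""
    by_bqp = defaultdict(list)
    for rec in enrollments:
        # A missing BQP is a separate data-quality issue, not reuse, so skip it here.
        if rec["bqp_id"]:
            by_bqp[rec["bqp_id"]].append(rec["subscriber_id"])
    return {bqp: subs for bqp, subs in by_bqp.items() if len(subs) > 1}


def enrollments_without_rad_id(enrollments, rad_ids):
    """Return {rep_id: [subscriber_ids]} for representatives with no RAD ID."""
    flagged = defaultdict(list)
    for rec in enrollments:
        if rec["rep_id"] not in rad_ids:
            flagged[rec["rep_id"]].append(rec["subscriber_id"])
    return dict(flagged)


def non_usage_claims(claims, last_usage, limit_days=NON_USAGE_LIMIT_DAYS):
    """Return subscriber_ids claimed despite more than limit_days of non-usage."""
    flagged = []
    for sub, claim_date in claims:
        last = last_usage.get(sub)
        # Never used, or the gap between last use and the claim exceeds the limit.
        if last is None or (claim_date - last).days > limit_days:
            flagged.append(sub)
    return flagged


def audit(enrollments=ENROLLMENTS, rad_ids=REP_RAD_IDS,
          claims=CLAIMS, last_usage=LAST_USAGE):
    """Run all three checks and return their findings keyed by rule name."""
    return {
        "shared_bqps": shared_bqps(enrollments),
        "no_rad_id": enrollments_without_rad_id(enrollments, rad_ids),
        "non_usage_claims": non_usage_claims(claims, last_usage),
    }


if __name__ == "__main__":
    for rule, result in audit().items():
        print(f"{rule}: {result}")
```

On the constructed data the script flags BQP-100 (used for S1, S2 and S3), representative R2 (who enrolled S3 and S4 without a RAD ID), and claims for S2, S3 and S5 (90 days, never used, and 51 days of non-usage respectively); S4, at 29 days, stays within the window. Real deployments would read the same fields from the enrolment and usage systems, but the point is that all three findings are mechanical checks that an operator can run every billing cycle.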
I am not alone in observing this pattern of fraudulent abuse of government subsidies by US telcos. A good number of professionals have spoken to me about subsidy fraud as a consequence of reading about it on Commsrisk. However, none are willing to speak on the record. The pattern is obvious to anyone who reads the stream of output from the FCC about the over-claiming of subsidies like the Affordable Connectivity Program (ACP) and the Emergency Broadband Benefit (EBB). There have been plenty of egregious cases over the course of decades, which also makes me wonder about how many other abuses were never discovered.
There are many American readers of Commsrisk. Some work for comms providers. Others will be taxpayers. Is there no anger at these frauds always being treated like they are somebody else’s problem? The prospects for tackling fraud that affects the profits of comms providers and blights their customers are bleak if the private sector cannot even tackle the frauds their employees commit at the expense of the taxpayer.
Told You So(mos): The Slightly Nearer Solution for Impersonation Fraud
Last week’s bulletin concentrated on the evolving design of a solution for impersonation fraud that would be based on taking a third party’s confirmation of the identity of a business and securely communicating it via a digital signature. Chris Wendt, formerly of Comcast and now of Somos, is seeking to plug a glaring hole in the STIR/SHAKEN architecture that he helped to create. Wendt’s fix comes in the draft VESPER standard he co-wrote and submitted to the Internet Engineering Task Force (IETF). VESPER would add the crucial ability to include verifiable proof within a signature that the originator of a call has the right to use the identity associated with the call. This week, Somos made their intentions even plainer by publishing a lengthy article on the topic. It does not mention VESPER directly, but the intention is clear. Here are some key excerpts from the piece.
STIR/SHAKEN… has not fully addressed the root issues of trust in communications. One of the major shortcomings is the absence of a robust Know Your Customer (KYC) process, which would ensure proper vetting of enterprises and establish their legitimate Right-To-Use (RTU) of the number. Without verifying the association between enterprises and their phone numbers, STIR/SHAKEN falls short of ensuring that calls are not only authenticated but also trusted.
…without proper vetting and KYC processes, there is a risk that even fraudulent calls could present [Rich Call Data] RCD, further complicating the trust landscape. This fragmented approach undermines the potential benefits of RCD and diminishes consumer trust.
One way to address these limitations is the expansion of the framework that the telecom ecosystem leverages to present calls to end users. Currently, there are Proof of Concepts (POC) initiatives in market that utilize telephone number authorized delegate certificates. These delegate certificates enable the party with the right to use a telephone number to be an authorized signer representing a trusted presentation to any terminating service provider authenticating a call end-to-end. Today, calls that lack a trusted delegate certificate are not being blocked, but the industry is moving toward a broader adoption of this practice to help prevent fraudulent calls from reaching a consumer. This non-monopolistic approach is establishing a more trusted framework, helping to restore confidence in the telecom ecosystem.
Note the use of the word ‘non-monopolistic’. A lot has been said about the US industry taking a ‘step in the direction’ of restoring trust in calls, but without presenting a complete roadmap of how they intend to arrive at their destination. This has been convenient for big US businesses that appeared to be using crime to justify the creation of new and lucrative monopolies. This would also explain their intense interest in lobbying wealthy countries to copy the US strategy. The hollowness of this strategy should be apparent to anyone who appreciates that scam calls may originate anywhere in the world, not just in rich countries, so any global monopoly would need to price its services at a level that even the poorest countries would be prepared to pay.
Profit is important but power is more important. The lazy assumption behind the monopolistic plans was that foreign governments would simply go along with the monopolists because nobody would offer an alternative to the problem of scamming. This reasoning is inane; corrupt governments want transnational scams to originate in their countries as a means to generate income. The would-be monopolists have also ignored the realities of international relations. A lot of countries have been trying to break the unique stranglehold on international trade that the US can exercise through banks because of the worldwide reliance on the dollar. These countries failed to apprehend the significance of US institutions gaining dominance over the internet until it was too late, but they are not going to repeat the same mistake with telephony. A more pluralistic approach is required to appease the various authorities who have a vested interest in telephony, and it is good to see that this is starting to be recognized by technologists too.
Commsrisk Will Never Be Censored
It was inevitable that somebody would attempt to use the new relationship between Commsrisk and the Mobile Ecosystem Forum to exert influence over this content. The first attempt has failed. Attempts to censor Commsrisk will never succeed. This fact will be appreciated by anyone who has consistently read Commsrisk over the years.
I owe it to committed readers of Commsrisk to remain consistent. However, the people who attempt censorship are not avid readers of Commsrisk. They may have an opinion about headlines, but they are not the type of people who would read as far down as this paragraph. They do not monitor everything; they can only succeed by motivating self-censorship. That is why I also criticize the routine self-censorship exhibited by those associations that have been entirely consumed by SEP. It is no coincidence that the leaders of these associations never speak of failings of the type mentioned above.
Please think about the content presented in these pages. Does it feel like the comms industry is on the right track, and that customers can feel safe when they pick up the phone? Have previous risk mitigations succeeded in their goals? I see awards being handed out willy-nilly to nincompoops just to gain their favor. Meanwhile, this industry has too much self-censorship, just like it has a surplus of yes-men. That is why Commsrisk needs to keep doing what it has been doing, irrespective of the discomfort felt when we confront hard facts about failure. Preventing and rectifying failure is reason to employ professional managers of risk. Your professionalism is why you read Commsrisk, right down to the bottom of the article. In exchange for your time and attention, I owe you the uncensored facts as I find them.
Other News
- Telia Norway warns that children are at greatest risk from phone scammers
- Safaricom CEO talks about using data to locate SIM swapping fraudsters
- Latest Android security features not available on Pixel handsets
- FBI investigates claim that Chinese hackers penetrated Verizon’s network to target the phones of Donald Trump and J.D. Vance
This post originally appeared on Commsrisk.com and is republished here with kind permission. All opinions expressed are solely those of the Author.