Friday, 14 November 2014
Telecom Fraud Reveals Oft Overlooked Security Flaw
Cyber security these days focuses almost entirely on electronic data breaches by way of network hacks, malware and the like. And rightly so. However, the recent fraud conviction of a telecom director suggests that we might be ignoring one of the most fundamental aspects of fraud – to our own detriment. What is it we are ignoring? The old-fashioned con artist.
Matthew Devlin, a 25-year-old telecom director from Halifax, recently appeared before a magistrates’ court after he was caught impersonating a security official in order to gain sensitive customer information. Devlin apparently contacted Everything Everywhere (EE), among other telecoms companies, in an effort to obtain user names and passwords for customer accounts. He succeeded in obtaining the information he was after, relating to more than 1,000 customers.
Devlin intended to use the information to determine when mobile customers were in line for an upgrade so that he could contact them and pitch his own company's products and services. The magistrates’ court fined him £500 and assessed a £50 victim surcharge and more than £430 in court costs.
Upon reading the penalties imposed on Mr Devlin, it is hard to imagine he will be deterred from trying the scheme again. After all, what is a £1,000 bill if he can successfully sell tens of thousands of pounds in new products and services? Not much, according to Information Commissioner Christopher Graham. Graham was quoted as saying:
“Fines like this are no deterrent. Our personal details are worth serious money to rogue operators. If we don't want people to steal our personal details or buy and sell them as they like, then we need to show them how serious we are taking this. And that means the prospect of prison for the most serious cases.”
The thing we seem to be forgetting is that fighting con artists is completely different from fighting cybercrime at the local data centre or commercial IT department. By their nature, con games involve the human element which, unfortunately, makes them harder to thwart. The only way to combat them effectively is with a combination of efficient training and harsh penalties that make such activities a losing proposition.
In most parts of Western Europe, we tend to take an approach toward crime that only deals with the issues around the edges. Simply put, we are more prone to deal with the symptoms of crime than the actual cause of it. Therefore, while we can continue to develop sophisticated digital technologies to protect networking and sensitive communications, we allow people such as Mr Devlin to brazenly impersonate security personnel to steal personal data. Moreover, when caught, we impose penalties that amount to nothing more than a slap on the wrist.
Christopher Graham is right. If we are to prevent this sort of fraud in the future, the penalties for such crimes need to be tougher. They need to be harsh enough that criminals will be forced to think two or three times before perpetrating such crimes.
Source: ICO – http://ico.org.uk/news/latest_news/2014/company-director-fined-for-illegally-accessing-mobile-phone-companys-customer-database-11112014