Useful info for the scammers
Great, so Mr BT has just given the scammers the info that they need to impersonate BT by mis-representing their CLI :-(
BT customers in the UK have been targeted by scammers in India – with one person reporting they were defrauded for thousands of pounds this week. The issue appears to have been going on for more than a year. Some customers said the fraudsters knew their personal details. One reader got in touch to report that his father-in- …
Literally just coming here to say exactly the same thing.
You would think that a Telecoms Supplier, or in this case THE telecoms supplier, would know better. For those that don't know, putting any CLI you want on a phone call is trivial. Sort of like sticking a sticker over your Mondeo, that says Porsche.
Did you notice the way BT tried to push the problem back to the customer. You shred your bills, you don't give personal data out.....
Reading some of these reports the most likely explanation is that BT's IT systems have more holes in them than a tea strainer!
Yes, that's exactly what happened to TalkTalk - it was unrelated to the data breach in October 2015:
Inside the TalkTalk 'Indian scam call centre' - BBC News (6 March 2017)
"TalkTalk was hit by a cyber-attack in October 2015, but that hack appears to be unrelated to the Indian fraud.
Instead, it is alleged the scam is linked to problems in a company hired by the British broadband provider.
In 2011, TalkTalk outsourced some of its call-centre work to the Kolkata (Calcutta) office of Wipro, one of India's largest IT service companies.
Last year, three Wipro employees were arrested on suspicion of selling TalkTalk customer data."
... If you didn't initiate the conversation, it's a scam. End of discussion.
Seems to have worked. Nobody's reported getting ripped off in years (decades?), and yet all of them gripe about getting scam phone calls & email on a near daily basis ...
The issue (and something that happened in the TalkTalk fraud attacks to a neighbour of mine) was that those scammed had initiated the call to the ISP and were then expecting a call back from a senior technician. They just got the call from a scammer instead; expecting a call from the ISP, and without any technical knowledge, they had no reason to doubt that was who was calling them until it was too late.
It's confidence tricksters. They use a wide net, or use a focused attack.
In this case it is focused, and I know of examples from at least 6 years ago if not more. Same-day calls that are not likely to be "random" coincidence (as with the normal BT/MS calls).
Call is same day or next day to the BT one. Call is specifically "From BT" not "From Microsoft". Call mentions customer's last call/name etc. Call asks for a credit card/bank card for payment. Thankfully it was a credit card and payment cancelled on the one I know of.
So, they know what works and what does not, and wait for the time you (or anyone) will fall for it. Like dressing as a waiter in a restaurant to steal cards. Who would expect it?
"had initiated the call to the ISP and were then expecting a call back "
If you are good enough to find a company that will do that rather than have you on hold for half an hour then surely that is a trivial problem to solve?
So the rules are:
If they rang you, it's a scam, unless you rang them half an hour ago AND they can tell you the exact time you rang and the password you specified at that time.
The same day or next day callback is a telltale sign that it's a scammer calling. The real BT would never be that efficient in following up customer contacts
(I'm allowed to say this - I used to work for BT in a former life, and know from first hand experience what a shower of s**t they are)
But in this case, it seems the scammers knew that the BT customer had recently called up about a problem, and were able to give details of it. Therefore the BT customer was expecting a call back, and maybe didn't realise that BT don't return calls.
Something is really fishy here.
Either BT's customer DB got leaked, or somebody did some dumpster diving and got a treasure trove of customer bills and other information which was not disposed of properly, and in turn, passed this information on to ne'er-do-wells in India.
Or it is an outsourcer in India who passed on prospective marks to his buddies...
No way in Hell can a ne'er-do-well in India recite personal details perfectly without having access to the customer database.... or customer details...
Perhaps they already do. In the UK.
What's the probability that it is an inside leak? An accomplice, associate or relative on the inside passing on the relevant information?
Some irony that Lloyds are mentioned, given that they have just, or are in the process of, outsourcing their backroom data processing to India.
"Some irony that Lloyds are mentionned, given that that have just, or are in the process of outsourcing their backroom data processing to India."
I'm sitting here in London looking at the Lloyd's IT staff smoking outside. It looks a lot like they already have. It is not a particularly diverse workforce; a monoculture even.
Not that outsourcing to India is bad if done correctly.
"Yep completely agree. There are so many ways an ill-disposed IT worker with admin rights could get bulk data access "
My bet would be IT too. Not sure why you're all so keen to assume it's the Indians, could just as easily be anyone anywhere in the world.
Personally I'd just have a trigger in the CRM pushing records to SNS, but that's a bit easy to stop and trace. Fits the real-time profile though.
It might not be BT's leak; they could just be playing the probabilities with data scraped elsewhere. We haven't heard from everyone who didn't fit the profile.
I had a scam call about "PC problems" on two separate occasions not long after contacting BT 151 about faults on my ADSL broadband. It seemed to be more than a coincidence as those calls had otherwise become very rare.
I received my first, and only, text scam after giving Wickes DIY my mobile number in order to place an online order. Otherwise that number was only known by family and close friends.
The problem is one of design.
First, nobody should have access to those numbers. Seriously, why does a call-centre operative work with a number? They don't need to. They just need a customer screen that has a dial button, they have no need to know what number you are, what address you are at.
Technically, depending on how you interpret their "need" for access to that data, giving them anything that isn't necessary is a breach of the DPA.
They don't even "need" to see your address by default. They certainly don't need a way to capture, dump or whatever else the screen. If they need it, it could be greyed out until they specifically request it.
Hey, Steve, why are you requesting the addresses of hundreds of customers that you aren't directly dealing with and which in the phone conversations you have with them aren't needed? Oops.
But people don't design the call centre software that way. And phone companies don't design calls on a "by invitation only" basis. You're basically putting your entire customer database into the hands of easily-bribed minimum wage staff who have enormously quick job flux, and then expecting that information to stay secret, not be mis-used and for customers to deal with it rather than the telecoms companies (CLI should NOT be able to be faked, even if people try... why does false CLI information get propagated from country to country?)
I'd also question - AGAIN - why a callcentre operative needs a general purpose computer, rather than a list of "1) Request Customer Address, 2) Change Customer Address, ...." because the SECOND they get a virus on that machine, your database is gone if they have access to it all. But apparently what we do nowadays is give them a full Windows 10 machine that isn't even locked down, and then have them access an intranet web page.
Because most of these compromises are not deep-level technical staff. They are front-users with smartphones taking screenshots or just saving everything they can see and then selling it off to make up for their minimum wage when they move from company to company every week.
But then... let's go through this.
Does your application admin need access to the live production database? No.
Does your network tech? No. Especially not if even the usual users don't.
Does your DBA? Possibly.
Does your sysadmin? Probably not. Maybe it's possible for him to compromise the database, but he doesn't need access to the data inside the database itself.
In fact, the only places where the data will appear are DB admins and live web-interfaces.
Centralise those. Make them accountable. Audit their access. And then if the ENTIRE db is compromised, you know who to go to.
Everyone else? They won't be able to compromise your entire database, only portions, and will similarly leave a very plain audit trail which can be tracked - by the portions of compromise if nothing else.
It's not about stopping the possibility entirely. It's about taking reasonable measures. And if your database keeps going wandering, and is this important and contains these kinds of details, reasonable measures are the above because you don't NEED that kind of access. It could even involve things like "watermarked data" entries where little red-herring data is inserted into each user's account when they request large data (even as simple as altered capitalisation, changed spacing etc.) so that any leaks stand a good chance of pointing a finger at a particular dump by a particular user in a court of law. It's how things like map theft are caught: by slightly misplacing a few entities that don't affect the usage of the map but mean that you can tell if someone else just copied your map data/map directly rather than happened to collect the same information.
That nobody implements such measures, that customer support are able to give me all kinds of details about myself immediately, and that nobody is ever publicly fined/caught for being the source of the leak suggests that nobody in those kinds of businesses takes data security seriously in the first place.
When there are no consequences, of course data thefts like this will happen.
Put in logs, measures, difficulties, audits, controls and consequences and they'll greatly reduce, if not stop altogether.
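The access model this comment sketches (masked screen, dial by customer ID, explicit logged reveals against a budget, and watermarked bulk exports that can be traced back to whoever pulled them), worked through as an added Python example. It is not BT's code or any CRM product's; the record layout, agent identifiers, field names, reveal budget, watermark secret and every customer record below are assumptions constructed for illustration.

```python
"""Least-privilege customer screen, audit log, reveal budget and per-exporter
watermarking.  Added example: the schema, agent IDs, budget, secret and all
customer data below are assumptions and constructed values, not real."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample records; 01632 960xxx is the UK reserved drama range.
CUSTOMERS = {
    1001: {"name": "A. Example", "phone": "01632 960001",
           "address": "1 Sample Street, Anytown", "account": "BT000001"},
    1002: {"name": "B. Example", "phone": "01632 960002",
           "address": "2 Sample Street, Othertown", "account": "BT000002"},
    1003: {"name": "C. Example", "phone": "01632 960003",
           "address": "3 Sample Road, Anytown", "account": "BT000003"},
    1004: {"name": "D. Example", "phone": "01632 960004",
           "address": "4 Sample Lane, Othertown", "account": "BT000004"},
}
SENSITIVE = ("phone", "address", "account")
WATERMARK_SECRET = b"server-side secret, never on the agent desktop"  # assumed


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, agent, customer_id, action, detail):
        self.entries.append((agent, customer_id, action, detail))


class AgentScreen:
    """What the call-centre operative gets: masked record, dial-by-ID, and
    field reveals that are each logged and counted against a budget."""

    def __init__(self, agent, log, reveal_budget=20):
        self.agent, self.log, self.reveal_budget = agent, log, reveal_budget
        self.reveals = 0

    def open_customer(self, cid):
        self.log.record(self.agent, cid, "open", "masked view")
        return {k: ("***" if k in SENSITIVE else v)
                for k, v in CUSTOMERS[cid].items()}

    def dial(self, cid):
        # The switch resolves the number; the agent only ever handles the ID.
        self.log.record(self.agent, cid, "dial", "by id")
        return {"call_ref": f"{self.agent}-{cid}", "customer_id": cid}

    def reveal(self, cid, name, reason):
        if name not in SENSITIVE:
            raise ValueError(f"{name} is not a protected field")
        self.reveals += 1                      # the attempt is counted and logged
        self.log.record(self.agent, cid, "reveal", f"{name}: {reason}")
        if self.reveals > self.reveal_budget:  # "why are you requesting hundreds?"
            raise PermissionError("reveal budget exceeded; needs supervisor sign-off")
        return CUSTOMERS[cid][name]


SEPARATORS = [", ", " , ", ",  ", " ,  "]  # four spacings of the address comma


def watermark_address(address, exporter, cid):
    """Keyed, deterministic 3-bit variation (comma spacing + town case) per
    (exporter, record): harmless to users, but unique to each export."""
    mac = hmac.new(WATERMARK_SECRET, f"{exporter}:{cid}".encode(), hashlib.sha256).digest()
    street, town = address.split(", ", 1)
    return street + SEPARATORS[mac[0] & 3] + (town.upper() if mac[0] & 4 else town)


def bulk_export(exporter, log, cids):
    """The DBA/reporting path, the only place full records leave the database:
    logged, and every row watermarked for whoever pulled it."""
    log.record(exporter, None, "bulk_export", f"{len(cids)} rows")
    rows = []
    for cid in cids:
        rec = dict(CUSTOMERS[cid])
        rec["address"] = watermark_address(rec["address"], exporter, cid)
        rows.append((cid, rec))
    return rows


def attribution_scores(leaked_rows, candidates):
    """For each candidate exporter, how many leaked rows carry the watermark that
    exporter's copy would have.  A few tampered rows lower the score but do not
    hide the source."""
    return {agent: sum(watermark_address(CUSTOMERS[cid]["address"], agent, cid)
                       == row["address"] for cid, row in leaked_rows)
            for agent in candidates}


def most_likely_source(leaked_rows, candidates):
    scores = attribution_scores(leaked_rows, candidates)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    log = AuditLog()
    print(AgentScreen("agent7", log, reveal_budget=2).open_customer(1001))
    dump = bulk_export("dba3", log, list(CUSTOMERS))
    print(attribution_scores(dump, ["dba3", "dba5", "agent7"]))
```

The watermark is keyed with a server-side secret so the exporter cannot regenerate or strip their own marks, and attribution is a majority count across rows, so altering a handful of records before selling the dump does not break it.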
If you see a CLI of 0800 xxx xxxx, it is always a fake CLI, even if it is coming from the owner of that number, because an 0800 number redirects to a geographic number, or possibly a group of geographic numbers.
The caller may want you to call back on the 0800 number so they can distribute the calls around their call centres, and anyway it is free to call that number whereas the geographic number might not be, depending on your phone contract. My contract gives me unlimited minutes, so it would be free anyway, but only for calls of up to an hour in duration. Other people might have to pay for them, so 0800 numbers are never a bad thing. And if the geographic number is in India, it would almost never be free from the UK.
How do you allow that without allowing fraudsters to fake CLI? I suppose it would be possible to have a system where the owner of the number can specify permitted geographical numbers to call from.
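The scheme proposed in the last sentence (the owner of an 0800 number registers which geographic lines may present it, and the network checks the presented CLI against that list) as an added Python example. It is not any carrier's or regulator's code; the registry entries, number formats, prefix rules and helper names are assumptions for illustration. It also handles the two cases raised elsewhere in the thread: a UK CLI on a call that really originates abroad, and a non-geographic CLI that nobody has registered.

```python
"""Validating a presented CLI against the number owner's registered originating
lines.  Added example, not any carrier's code: the registry, number formats and
prefix rules are assumptions (non-geographic ranges per the UK numbering plan)."""
import re

# Constructed registry: presentation number -> network numbers allowed to use it.
# The 0800 and 01632 960xxx numbers are invented for the example.
REGISTRY = {
    "08001234567": {"01632960100", "01632960101"},
}
NON_GEOGRAPHIC = ("03", "05", "08", "09")  # ranges that cannot originate a call


def normalise_uk(number):
    """'+44 800 123 4567', '0800 1234567', '00448001234567' -> '08001234567'."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0044"):
        digits = "0" + digits[4:]
    elif digits.startswith("44"):
        digits = "0" + digits[2:]
    if not (digits.startswith("0") and 10 <= len(digits) <= 11):
        raise ValueError(f"not a UK number: {number!r}")
    return digits


def is_non_geographic(number):
    return normalise_uk(number).startswith(NON_GEOGRAPHIC)


def cli_allowed(presentation, network, registry=REGISTRY):
    """Decide whether the network may pass `presentation` to the called party
    when the call really originates from `network`.  Returns (allowed, reason)."""
    try:
        net = normalise_uk(network)
    except ValueError:
        # A UK CLI on a call whose real origin is outside the UK numbering plan
        # (e.g. +91...) is the case the thread complains about: always refuse it.
        return False, "originating number is not a UK number"
    try:
        pres = normalise_uk(presentation)
    except ValueError:
        return False, "presentation number is not a UK number"
    if pres == net:
        return True, "presenting the originating line itself"
    allowed = registry.get(pres)
    if allowed is None:
        kind = "non-geographic" if pres.startswith(NON_GEOGRAPHIC) else "geographic"
        return False, f"{kind} presentation number not registered to any line"
    if net in allowed:
        return True, "registered presentation number"
    return False, "originating line not permitted for this presentation number"


if __name__ == "__main__":
    for pres, net in [("0800 123 4567", "01632 960100"),
                      ("0800 123 4567", "+91 22 1234 5678"),
                      ("0800 999 8888", "01632 960100")]:
        print(pres, "from", net, "->", cli_allowed(pres, net))
```

The check only works if the originating network number is something the carrier knows to be genuine (its own subscriber line, or a CLI it has already verified from an interconnect partner); a presented CLI is never evidence of anything on its own.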
"... after giving Wickes DIY my mobile number ..."
Ah ha! Have a cheap PAYG mobile for this purpose, if you really have to give a mobile number to anyone. You can store the number on your 'real' mobile to read out to people who 'need' it. You can always dump and replace the SIM card after a while if scam texts and calls get annoying.
My "suspected scam" instruction sheet:
If they mention "accident":
"THAT DIDN'T HAPPEN, NOBODY SAW THAT" (Repeat verbatim in response to whatever they say, increasing volume/agitation each time.)
"But, but, how did you know? - I was wearing brown trousers."
"That was no accident, she deserved all that and more." *click*
If they mention "Microsoft", "Windows", "Virus"...
"Oh dear!, is this to do with the computer thing? My grandson normally helps me with all that, it's upstairs, could you hold on while I get it please?" (Leave phone off hook, if you have time, do your best impression of someone simultaneously suffering from dementia, lack of short-term memory, and near total computer illiteracy.)
For general use:
"Please take a minute to think about your parents and grandparents - would they be proud of what you are doing? You should get an honest job." *click*
I'm getting about eight scam calls a day, just had two in the last 30 minutes. Because of this I don't answer any international calls. Maybe our politicians or GCHQ should do something about it. Like drop malware onto the call centres. I answered one call from "Bob at BT" and after confusing him (ctrl+r doesn't work on Linux) I asked him if he had children. When he said that he was still single I asked in a calm voice if his parents knew that he was a criminal. After a few seconds of silence he hung up.
I get these all the time; the 'BT Call Blocking' phone can't block the numbers as they use a fake caller ID that is an actual BT call centre number.
Unless it's someone with an English, Welsh, Scottish, or Irish accent I'll just hang up on them.
If it's important they'll post a letter.
"If it's important they'll post a letter."
I've never had the pleasure of one of these scams, but thinking about it, that's because whenever the ancient pulse-dialling rotary phone that I plug into my landline just for shits and giggles (as I never use it) rings, I just lift the receiver and drop it.
I haven't managed to get any scam calls on my mobile either, which is more of a mystery given I've had the same number for 15 years or so and used it for quite a few things.
"A BT spokesman said: "BT takes the security of its customers' accounts very seriously. We proactively warn our customers to be on their guard against scams. Fraudsters use various methods to 'glean' your personal or financial details with the ultimate aim of stealing from you. This can include trying to use your BT bill and account number."
He advised customers should never share their BT account number with anyone and always shred bills. "Be wary of calls or emails you're not expecting. Even if someone quotes your BT account number, you shouldn't trust them with your personal information."
Standard stock response about how they really do care. Then it goes on to basically say it's not our fault but the fault of the people getting the calls. I seem to remember Talk Talk said similar things.
Nice BT, what are the odds it's an outsourcer passing details on?
Oh for some public PSA adverts warning people about trusting emails, website ads or cold phone calls to not poison their computer.
I'm kind'a surprised people are still falling for it. If a government agent phoned me up with my national insurance number, place of birth and known political affiliations (philosophical anarchist), I would still ask that he (or she) send me a snail mail letter with a phone number that I could verify as being a UK gov based number before refusing to let him (or her) near my PC (at least without a warrant).
Some banks now do TV ads about how to spot the phone scammers. Yet still my credit card company phones me up and asks for name, date of birth and credit card number to prove who I am!
You're phoning me! On the mobile number I gave you on setting up the account! There's a good chance it's me, or my mobile's been stolen in the last day or so and I've not had time to cancel it. Yet who the fuck are you?
At least that Verified by Visa non-security web pisstake thingy has a word you gave them, so you know there's a passing chance it may be their computer you're talking to.
Biting the hand that feeds IT © 1998–2019