8 charged in AT&T ID theft fraud case, including outsourced contractor

Filed Under: Data loss, Featured, Law & order

AT∧T logoEight people have been indicted by a Florida court, accused of stealing personal info from files at US telecomms giant AT&T and using the data to defraud tens of thousands of dollars from credit and debit cards.

Twenty-two counts have been brought against the group, including access device fraud and identity theft charges against some members and a conspiracy charge against all eight, who are all aged between 23 and 31.

At least one member of the crew, 25-year-old Lauderdale Lakes resident Chouman Emily Syrilien, worked for call center outsourcing operation IRT, which provided both sales and customer service operations to AT&T.

It is suggested that Syrilien used the access granted to steal confidential customer files, which were then leveraged by other members of the conspiracy to gain access to bank accounts.

In many cases, additional "authorized users" were added to bank accounts, allowing them to request new cards in their names. These cards were then used to make purchases and withdraw cash totaling over $40,000.

If convicted, the group face some heavy potential sentences, with up to 30 years for the conspiracy charge, a maximum of 10 years for the access device charges, and up to 2 years for each charge of ID theft.

The case flags up two separate problems with the massively-interconnected world of modern communications and commerce.

The first is the amount of trust we put in the huge companies and bodies we have to interact with.

AT&T is a giant corporation, the largest landline provider in the US and the second-biggest mobile provider, with almost 250,000 employees and revenues last year of over $125 billion. Their mobile arm alone has over a quarter of a billion customers.

Managing the accounts and payments of such a huge customer base is an epic task, and large amounts of highly sensitive personal information on those customers will be accessible to large numbers of people.

The data held by firms like telecomms providers includes not only standard PII (personally identifiable information) such as contact and banking details and social security numbers, but also details of our phone and internet use, even detailed real-time location information from our mobile devices.

Keeping a close eye on who has access to what is a seriously difficult undertaking, and fully vetting and monitoring all staff requiring access to personal info is likely to be all but impossible, even when all those staff are in-house.

This situation is made much worse by outsourcing, with third-party providers being granted access to sensitive files and networks based on little more than trust and reputation.

The recent massive Target breach revealed similar risks when farming out work to third parties, with a maintenance contractor thought to have been the initial compromise vector.

Firms that entrust data to third parties need to ensure that assurances they receive regarding auditing and vetting are backed up by concrete evidence that their data is properly secured.

The second problem is the age-old issue of authentication.

We still rely in large part on security through obscurity to prove our identity to the various companies and institutions we interact with.

Many banks, like many government departments, still make use of semi-private information such as "mother's maiden name", "first teacher" and "first pet's name" to check that we are who we claim to be, but even in the old days of paper records this info was never really secret.

It provided a minor barrier to would-be identity thieves, but one which could usually be overcome with a little background research.

These days, this sort of data is held in the databases of many different bodies, from tax authorities to e-commerce websites, and a leak at one exposes information that can be used to access others, just as recycling passwords across websites can lead to multiple account compromises after a single leak.

Of course, we don't always have to provide accurate information, especially in areas like "favourite colour" which cannot be verified independently. But using a made-up value for these questions is difficult; as with passwords, there's little value in using the same invented response in several places.

We could create new and unique answers to the same questions at each provider, but that would require a large amount of organisation (or memory) on the part of people who just want to get on with their lives without hassle.

Password management tools may be helpful here, but in most cases the invented response would have to be stored as a private note associated with each site and manually retrieved whenever needed, an effort which would deter all but the most paranoid.

What's really needed is a better way of proving our identity to others. Biometrics may one day be the answer, but these technologies are still some way from providing a viable and universal solution.

For now we may have to simply do our best to keep our information and our accounts secure, and rely on our providers (and anyone they choose to hire) to do the same.

, , , , ,

You might like

10 Responses to 8 charged in AT&T ID theft fraud case, including outsourced contractor

  1. Andy · 547 days ago

    "with almost 250 million employees and revenues last year of over $125 billion."

    That's a lot of employees. Is the U.S. workforce even that large?

    • Paul Ducklin · 547 days ago

      Changed it to 250,000 which is (I am told) about right.

      Thanks for the notification.

  2. Freida Gray · 547 days ago

    I thought all banks required that both the account holder & all authorized users be physically present at the bank to sign the authorized user documentation.

  3. chase43 · 547 days ago

    Different 'favourite colour' or 'mothers maiden name' type information for each organisation/site, stored in a password manager is actually feasible.

    This type of challenge/response is only infrequently used by most organisations - unlike username/password.

    Big downside is that you obviously can't remember all those 'favourite teachers names' and that is the information they are going to ask for if you ever loose your password.

    Best back up that password manager !

  4. Me · 547 days ago

    I must be paranoid. None of the answers to security questions are real. I have a notebook that records the pertinent information for each online account. I don't even have them in the computer.

    • Paul Ducklin · 547 days ago

      Many security questions are patently absurd, not least because:

      1. The answers are likely to be well-known (especially for younger users who grew up with social media).

      2. Sometimes, the answers are likely to come from a very small set.

      3. Often, the answers are invariable, and since the questions are too, if 1 and 2 are a problem to you...then what?

      One I find particularly stupid is "what street did you live on when you were eight years old"?

      For a reasonable proportion of users (notably young ones), that will be their current address.

      • SillyRabbit · 546 days ago

        Another flaw is that your access is usually stolen by either family or close friends who already KNOW the predictable answers. How many "Ex-es" have accessed their former partner's accounts? Another security method not mentioned is when you are signing up for an account, use a ficticious birth date because that is an item we seldom think of when signing up and provides access to those who know us well.

  5. Anonymous · 546 days ago

    If you really have to have a set of security questions, I don't know why more sites won't let you make up your own security questions, if you don't like the ones suggested. A question like "What did Janet say about bulldozers when you were 8?" could be forever memorable to you yet never shared anywhere, as long as you don't reuse the same question at several sites, and Janet isn't trying to get into your account.

    • Pete · 544 days ago

      "...I don't know why more sites won't let you make up your own security questions..."

      I'm with you. I presume the reason is that it requires somewhat more complicated programing, which they don't want to do. But it would be vastly superior to some of the idiotic pre-fab questions many sites ask.

      I have a vivid imagination, a decent memory, and an excellent password manager. I can make up schmezillions* of questions to which no one else in the galaxy knows the answers...not even Janet.

      *NOTE: 1 schmezillion = a number larger than the number of websites I visit.

  6. Private · 60 days ago

    When I went to an ATT kiosk in Fort Lauderdale, FL (8/5/15) to pay my monthly Uverse bill, the 2 machines were shut down. An employee, Christopher, said they shut them down because they weren't working right. He said he would take my check payment. He took my FL drivers license and swiped it on his IPad. Then he said "Oh, that didn't work" and proceeded to make the transaction on the ATT computer, which did accept my personal check.

    My concern is my DL information is now on his IPad and how will my personal information be used? Should I call ATT to report this? Who would I report it to? Or is this action nothing to be concerned about?

    Btw, security fraud is heavily evident in South Florida.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.