8 charged in AT&T ID theft fraud case, including outsourced contractor

8 charged in AT&T ID theft fraud case

AT∧T logoEight people have been indicted by a Florida court, accused of stealing personal info from files at US telecomms giant AT&T and using the data to defraud tens of thousands of dollars from credit and debit cards.

Twenty-two counts have been brought against the group, including access device fraud and identity theft charges against some members and a conspiracy charge against all eight, who are all aged between 23 and 31.

At least one member of the crew, 25-year-old Lauderdale Lakes resident Chouman Emily Syrilien, worked for call center outsourcing operation IRT, which provided both sales and customer service operations to AT&T.

It is suggested that Syrilien used the access granted to steal confidential customer files, which were then leveraged by other members of the conspiracy to gain access to bank accounts.

In many cases, additional “authorized users” were added to bank accounts, allowing them to request new cards in their names. These cards were then used to make purchases and withdraw cash totaling over $40,000.

If convicted, the group face some heavy potential sentences, with up to 30 years for the conspiracy charge, a maximum of 10 years for the access device charges, and up to 2 years for each charge of ID theft.

The case flags up two separate problems with the massively-interconnected world of modern communications and commerce.

The first is the amount of trust we put in the huge companies and bodies we have to interact with.

AT&T is a giant corporation, the largest landline provider in the US and the second-biggest mobile provider, with almost 250,000 employees and revenues last year of over $125 billion. Their mobile arm alone has over a quarter of a billion customers.

Managing the accounts and payments of such a huge customer base is an epic task, and large amounts of highly sensitive personal information on those customers will be accessible to large numbers of people.

The data held by firms like telecomms providers includes not only standard PII (personally identifiable information) such as contact and banking details and social security numbers, but also details of our phone and internet use, even detailed real-time location information from our mobile devices.

Keeping a close eye on who has access to what is a seriously difficult undertaking, and fully vetting and monitoring all staff requiring access to personal info is likely to be all but impossible, even when all those staff are in-house.

This situation is made much worse by outsourcing, with third-party providers being granted access to sensitive files and networks based on little more than trust and reputation.

The recent massive Target breach revealed similar risks when farming out work to third parties, with a maintenance contractor thought to have been the initial compromise vector.

Firms that entrust data to third parties need to ensure that assurances they receive regarding auditing and vetting are backed up by concrete evidence that their data is properly secured.

The second problem is the age-old issue of authentication.

We still rely in large part on security through obscurity to prove our identity to the various companies and institutions we interact with.

Many banks, like many government departments, still make use of semi-private information such as “mother’s maiden name”, “first teacher” and “first pet’s name” to check that we are who we claim to be, but even in the old days of paper records this info was never really secret.

It provided a minor barrier to would-be identity thieves, but one which could usually be overcome with a little background research.

These days, this sort of data is held in the databases of many different bodies, from tax authorities to e-commerce websites, and a leak at one exposes information that can be used to access others, just as recycling passwords across websites can lead to multiple account compromises after a single leak.

Of course, we don’t always have to provide accurate information, especially in areas like “favourite colour” which cannot be verified independently. But using a made-up value for these questions is difficult; as with passwords, there’s little value in using the same invented response in several places.

We could create new and unique answers to the same questions at each provider, but that would require a large amount of organisation (or memory) on the part of people who just want to get on with their lives without hassle.

Password management tools may be helpful here, but in most cases the invented response would have to be stored as a private note associated with each site and manually retrieved whenever needed, an effort which would deter all but the most paranoid.

What’s really needed is a better way of proving our identity to others. Biometrics may one day be the answer, but these technologies are still some way from providing a viable and universal solution.

For now we may have to simply do our best to keep our information and our accounts secure, and rely on our providers (and anyone they choose to hire) to do the same.