Mobile phone company 3 is the latest UK telecommunications firm to become the subject of a data breach story.
3’s breach is already being compared with the UK’s infamous TalkTalk breach of 2015, when somewhere in the region of 1,000,000 email addresses, phone numbers and addresses were stolen.
A teenager was recently convicted in connection with the TalkTalk hack (he won’t be sentenced until later this year); TalkTalk itself was fined £400,000 (about $500,000) by the UK’s Information Commissioner.
For all the comparisons with TalkTalk, however, 3’s breach troubles sound rather different.
It’s fair to say that details are sketchy at the moment. The breach came to light when three men were arrested in connection with the incident, but it appears to involve just eight of 3’s customers.
The men are out on bail, with investigations under way, so the police are playing their cards close to their chests.
As far as we can tell, this is what’s called an “upgrade interception scam,” exploiting the process followed by mobile phone companies when you get near to the end of your current contract to induce you to renew.
You’ll typically be contacted by your provider near the end of your term and offered a chance to upgrade to a new phone in return for agreeing to stay on as a customer. If you agree, you don’t have to go through another credit check, or sign loads of new forms, or get a new SIM or number…
…and you get a cool new phone delivered to you by courier a few days later.
In this case, it sounds as though the crooks got unauthorised access to 3’s phone upgrade system; fraudulently authorised numerous upgrades; hung around the delivery addresses waiting for the couriers to show up; signed for the handsets; and then cleared off with them.
If that was the modus operandi, you’ll appreciate that it was a high-interaction, high-risk strategy: you have to be in the right place at the right time for each handset, and if you miss one of the couriers, you leave behind a rather visible indicator that something went wrong.
Indeed, if you aren’t able to alter the user’s address and have to intercept the delivery outside their home, you run a real risk that the item will end up handed directly to your victim, who will be left holding a brand new phone tied to a new contract that they know nothing about.
What to do
With just eight customers affected, 3 ought to be able to right the wrongs done fairly quickly, but there are still some lessons we can all learn from this incident.
We don’t know whether the crooks had inside help, or somehow acquired a password to use themselves. If the latter, it sounds as though two-factor authentication (2FA) would have helped here.
2FA means that a password alone is not enough to access someone’s account – a secondary one-time code, different every time you log in, is also required. That protects against a password that has been stolen or guessed, though not against an insider who is entitled to log in anyway.
We recommend adopting 2FA wherever you can.
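As an added illustration (not code from the original article, and nothing to do with 3’s own systems), here is what “a code that changes every time you log in” looks like in practice: RFC 4226 HOTP and RFC 6238 TOTP, the algorithm behind most authenticator apps, wired into a two-factor login check. The account store, the PBKDF2 password hashing and the login() function are assumptions made for the example; the one-time-code arithmetic is the RFC algorithm and reproduces the RFC test vectors. A correct password with no code, and a code that has already been used once, are both refused.

```python
"""Minimal RFC 4226 HOTP / RFC 6238 TOTP second factor with replay protection.

Added example, not code from the original article or from any phone company.
The Account record, PBKDF2 password hashing and login() are assumptions made
for illustration; hotp()/totp() follow the RFC algorithms.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, submitted: str, unix_time: int,
               window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter that `submitted` matches, allowing +/- `window`
    steps of clock drift, or None. Comparison is constant-time."""
    now = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now + delta, digits), submitted):
            return now + delta
    return None


class Account:
    """Constructed user record (assumption): PBKDF2 password hash, TOTP seed, and
    the last counter whose code was accepted, so a captured code cannot be replayed."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.otp_secret = otp_secret
        self.last_counter = -1

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)


def login(acct: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. A correct password with a wrong code fails, and a
    code from a counter at or before the last accepted one fails (replay)."""
    if not acct.check_password(password):
        return False
    counter = match_totp(acct.otp_secret, code, unix_time)
    if counter is None or counter <= acct.last_counter:
        return False
    acct.last_counter = counter
    return True


if __name__ == "__main__":
    acct = Account("correct horse battery staple", os.urandom(20))
    t = 1_700_000_000
    good = totp(acct.otp_secret, t)
    print("password only:     ", login(acct, "correct horse battery staple", "000000", t))
    print("password + code:   ", login(acct, "correct horse battery staple", good, t))
    print("same code replayed:", login(acct, "correct horse battery staple", good, t + 5))
```

The `window` argument is the usual trade-off: one step either side tolerates a phone clock that is up to 30 seconds out, at the cost of three valid codes at any instant instead of one. Recording `last_counter` is what makes the code genuinely single-use, which plain TOTP does not guarantee on its own within a time step.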
We don’t know how 3 and the police found out about this scam, but it’s possible that the crooks drew attention to themselves when a delivery interception went wrong and a customer had an anomaly to report.
As always, both cybersecurity and physical security benefit from an attitude of “if you see something, say something.”
If you’re an employer, make sure your staff are encouraged to report security issues, from tailgating into the office to phishing emails, and from suspicious phone calls to unexpected login notifications.
Consider giving rewards, even if they’re modest: a congratulatory box of chocolates is a nice way to thank a colleague who reported a potential security problem.
It’s not 8 customers affected. It’s 133,827:
“I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained…” (David Dyson, CEO, Three Mobile UK)
http://www.theregister.co.uk/2016/11/18/three_ceo_admits_hack/
As far as I can see, the *intercept scam* did indeed affect just eight people (that we know of so far). The 133k records exposed as well are indeed additional damage, but it looks as though the alleged crooks got arrested before they could target any more of those customers with fake upgrades. It was the intercept scam that I wanted to focus on in this article – a good example of what you might call “cyber-enabled crime”, with an old-school fraud/theft part that required the crooks to be there, and an IT-related angle apparently involving a data breach.
Also a good reminder of how assurances that “no financial data was stolen” after a breach, though good to know, don’t mean a cybercrook didn’t stitch you up financially, for example by triggering a contract renewal against the part of the system where your financial data *is* stored…
You’ve missed a crucial detail stated by the company – that there was an increase in burglaries at 3 shops.
I think they were having the handsets delivered to the shops and then breaking into the shop, which is worth the risk to a criminal if they know what is inside.
I saw that detail, but the story I saw (forget where) strongly suggested that the burglaries were a separate issue, with hundreds of handsets stolen from stores in what sounded like a matter of old-school break-and-enter. The men arrested in this case haven’t been charged with any “nicking-related” crimes as far as I can see.