Questions linger after ISP blocks TeamViewer over fraud fears

Last Wednesday, for no apparent reason, the TeamViewer remote desktop application stopped working on the network of one of the UK’s largest ISPs, TalkTalk.

It’s a popular application with remote support professionals and power users alike and so support forums soon filled with complaints from perplexed users who noticed that access was possible with 4G and some TalkTalk business connections but not home broadband.

Complaints such as the following:

No access in North Yorkshire with TalkTalk – nightmare for work. If they can’t fix this within the day will have to cancel as I need this connection for my livelihood (sic). Terrible.

By Thursday, journalists dragged the truth out of the company that it had “blocked a number of applications including TeamViewer,” which led to a joint statement confirming this on TeamViewer’s website:

TeamViewer and TalkTalk are in extensive talks to find a comprehensive joint solution to better address this scamming issue.

We now know (as some suspected at the time) that the block was connected to abuse of TeamViewer by criminals based in India who had been using it as part of a tech support scam targeting TalkTalk customers.

The BBC reported on this two days before the block, including the disturbing claim that the criminals had been able to quote stolen customer account data to make scam calls sound more convincing.

On Thursday, TalkTalk turned off the block and TeamViewer started working again. Still puzzled, we decided to probe deeper.

Pulling the plug on an application without warning is, as far as we know, almost unheard of for a UK ISP, so one might assume that this happened because the company believed it was an emergency situation.

But why block an application without informing customers until a day later? Forum comments suggest that even TalkTalk’s own telephone support staff were unaware of the TeamViewer block at first. And what changed on Thursday to allow it to be unblocked?

TalkTalk told Naked Security:

Like all ISPs we constantly monitor our network and testing regimes in order to protect our customers from any potential and known risks.

That’s hardly elucidating. TeamViewer, meanwhile, told us that it had raised the issue of the block with TalkTalk as soon as it heard of it and took the view that filtering one application missed the point that criminals could abuse numerous others too.

TeamViewer was not at fault for what happened. On that basis “you could go ahead and block email,” TeamViewer’s Axel Schmidt told Naked Security, pointedly.

Both companies alluded to improving security without giving detail. We’ll refrain from mentioning one or two possibilities for security reasons but an obvious mitigation would be for TalkTalk to temporarily filter application traffic from Indian IP addresses, a short-term solution at best. Presumably, TeamViewer is also combing its user base for fraudulent accounts.

Although far from new, it’s where this is going that worries us. Tech support scams that hijack remote desktop tools look like an ever-expanding front for fraud that, even without stolen customer data, is hard to counter. TeamViewer and TalkTalk will not be the last victims, nor India the last host. The industry – and customers – should take this threat very seriously.

Defence is about following simple rules:

Never allow a cold caller to install anything on your computer – hang up.

Never respond to web pop-ups suggesting you call a support line.

Be aware that fraudsters are now using stolen data to make their calls sound more convincing – no cold caller is trustworthy, period.

When encountering scams, complain through official channels such as Action Fraud in the UK or the FBI.

Above all, spread the word.

And the industry:

Start communicating. When blocking an application, tell customers ASAP.

Work pre-emptively with remote desktop providers

Customer intel is vital – don’t ignore complaints