All the User Experience, None of The Security?


EU telcos gather a lot of highly sensitive customer information. New research suggests it’s not as well protected as you might think.

By Deepika Gajaria, Vice President of Product, Tala Security

Mobile service providers are known for their content-rich user experience. But how good are they at securing it?

Few sectors collect as much sensitive information: from national ID/passport numbers and scans to payslips, bank details and payment card information, the amount of data the average customer enters to sign up for a contract or buy services online is significant. But what happens when the same applications and integrations that deliver that rich user experience inadvertently expose this sensitive information to over-sharing and theft?

New research that we recently completed indicates that data exposure is a significant, unaddressed problem for Europe’s top mobile providers – and the more than 253 million customers who sign up for their services and share sensitive personal data. At the heart of the problem: insecure website supply chains.

Unlimited calls, texts, data (sharing)…

We analyzed 13 of the top mobile service providers in 7 EU countries and found that none had effective web security in place. On a ten-point scale where a score of 50 indicates limited control, the average score was 4.5. This weak security is underscored by vulnerable site architecture:

  • Sensitive data is at significant risk via form data exposure – Forms used to capture credentials, banking details, passport numbers, etc. are exposed to an average of 19 third parties. Without control, this sensitive data is at risk. This level of exposure, combined with the high value of the data captured, makes this an attractive target for Magecart attacks.
  • 100% of the websites are vulnerable to cross-site scripting (XSS) – the most widespread website attack, which frequently results in significant sensitive data leakage.
  • The highest number of third-party JavaScript integrations found on a single site was 735; the average was 162.

Why it matters

Unintentional data exposure is a significant, unaddressed risk for all of the telcos analyzed. Without controls, every piece of JavaScript code running on a website – from every vendor included in the website owner’s website supply chain – can modify, steal or leak information through client-side attacks enabled by JavaScript. Telcos in this sample group averaged 31 third-party integrations.

In many cases, data sharing or exposure takes place via trusted, legitimate applications on the allowlist – often without the website owners’ knowledge. While most online businesses do a great job protecting data after the user has entered it, few seem to be aware of data leakage as an unintended consequence of the dynamic, rich website experience telcos are known for. This has potentially far-reaching implications for user privacy and, by extension, GDPR. Given the lack of awareness of this very real risk, it’s time for website owners to start caring about oversharing.

About the Author

Deepika Gajaria is the Vice President of Products at Tala Security. An experienced product leader and technologist, Deepika is responsible for product strategy and delivery at Tala. Working closely with customers, she drives product direction and shapes the product roadmap to address their core needs.

Prior to Tala, Deepika was part of Cisco Jasper, where she led the launch of IoT smart city applications. Her career in product management began at EMC, in the new product introduction team, working on key initiatives across the Storage and Data Protection divisions.

Deepika is a Longhorn, holding undergraduate and graduate degrees from the University of Texas at Austin, in Natural Sciences and from the McCombs School of Business.
