What makes telecommunication companies a fertile ground for attack?
Telecommunication is the first, and most robust network ever invented. This may seem like a brazen and bold statement, but when examined closely, it is not the stuff of fantasy. Prior to the invention and development of the internet, what other way could a person pick up a device, and “dial” a few numbers and end up seamlessly connected to someone across the vast expanse of a countryside?
Early telephones were a local only affair, consisting of a box with a crank that would connect to a local operator who would literally connect a patch cable to complete a call. Over time, as automation improved the job of switchboard operator was replaced. Soon, touch-tones were introduced, which replaced the old rotary dial phones. Phones were connected to a wall jack, and sometimes, the only way to have a private conversation was to physically drag the telephone into another room. Now, the idea of a hard-wired phone in a house or apartment is generally treated as a relic.
One problem with early telephone technology was that it was billed in the same way that transportation is billed. That is, you paid a fee based on the distance of the call. Of course, any time money is involved, there is a criminal mind at work to try to derive a “discount”. This gave rise to some of the earliest “hackers”, who practiced a technique known as phone-phreaking, all in an effort to get their calls for free. Phone technology has come magnificently far from the days of people whistling for free service. However, the growth of phone technology has also made it a prime target for crimes far greater than the mere theft of long-distance service.
What is it that makes telecommunications companies a prime target for cybercrime?
Your Personal Information
First, there is the amount of data that is collected when a person buys phone service. When you sign up for a phone contract, the application process is similar to a more traditionally big-ticket purchase, such as an automobile, or an apartment rental, rather than an item that is so portable. In most cases, the documents form a legally binding agreement. In some cases, the cellular provider will perform a credit check to see if you are worthy of entering into a contract with them. This process means that they will collect an incredible amount of information, not only of paying clients, but also rejected prospects. This information is also shared to credit reporting agencies. In the United States, the account history of telecommunication customers is held by the National Consumer Telecom & Utilities Exchange (NCTUE).
Individual Account Compromise
The amount of personal information held by the telecomm companies is extremely valuable, both on an individual, as well as a collective level. Individually, the information can be used to commit fraud, as well as identity theft. Since we all use our phones as our second factor device for many authentication schemas, another personal attack, known as the SIM Swap, or Port Out, can be used to hijack your accounts.
Collective Account Compromise
Collectively, the consumer data held by cellular providers can be held as part of the bounty in the latest fashion of exfiltrating data prior to a ransomware attack. Each individual cell number holds its own value, and the full set of consumer details is worth even more. While each individual record can be sold for a small fee, in the hands of a criminal, these can be used to gain greater benefits when used for crimes such as targeted phishing campaigns.
Another collective use of stolen data is to control large groups of internet connected devices for purposes such as Distributed Denial of Service (DDoS) attacks, or surreptitious cryptomining operations.
Irresistible Hunting Ground
There is no doubt that the telecommunication companies protect their consumer data as best as they can, however, breaches still happen. Efforts are underway to correct telecommunication security weaknesses, such as Port Out scams. In the meantime, the best way that a consumer can protect the records held by telecommunication companies is to restrict access to accounts by setting up extra security with the carrier, such as a separate PIN code. Another way to ensure that a SIM swap does not leave your online accounts inaccessible is to make sure that you keep backup codes for all multi-factor accounts. Another way is to contact the National Consumer Telecom & Utilities Exchange, or similar agency in your country and set up a security freeze, as well as opting out of pre-approved offers based on NCTUE data.
Utilities hold so much personal data about who you are that it is of vital importance to be aware of, and take measures to secure that information.