Telecommunications companies face millions in sanctions that could be easily avoided
When all filters fail and fraud and impersonation take place, even the most powerful company can face heavy losses. In addition to the financial aspect, security breaches have a huge impact on the image of organizations. Fortunately, the serious consequences of weak identity verification protocols can be prevented with the help of cutting-edge technology developers and experts.
As a result of a complaint from a consumer who reported the fraudulent use of her personal data to register several telephone lines, Orange ended 2022 facing a fine of 70,000 euros imposed by the Spanish Data Protection Agency (AEPD). The sentence, however, can still be appealed.
The woman had reported in June of 2021 that a contract for services had been signed without her knowledge or consent, and that her data had subsequently been included in listings of unpaid invoices. After discovering that there had been identity theft, she filed a complaint with the Directorate General of Police and the AEPD. The AEPD defended its verdict on the basis of Article 6.1 of the GDPR (General Data Protection Regulation), which defines the unique circumstances under which the processing of personal data is legal. According to the agency’s conclusions, it was proven that Orange had made fraudulent use of the information relating to this user, installing equipment under her name and ID, but at another address, which means an unauthorized third party must have provided the necessary permissions. The telecommunications company did not carry out the relevant checks and, as if that were not enough, it also failed to provide the audio recordings of the verification of the woman’s identity during the portability process, which supposedly should have been preserved.
This is not the only sanction that large telcos have had to face recently. Again with Article 6.1 of the GDPR at the center of the matter, the AEPD fined Vodafone 100,000 euros for registering a telephone line in the name of a person who had not authorized the registration. In 2019 the complainant went to a Vodafone store to purchase a prepaid card. Shortly thereafter, this person was called to testify in a trial for a scam through Wallapop in which the contracted telephone line was involved. In his statement he asserted that he had not given permission at any time to open this line and that, therefore, his identity must have been impersonated. In February 2022, the AEPD opened an investigation whose conclusions became known in November. The agency stated that “Vodafone’s security policy is clearly ineffective and insufficient”, and blamed the company for not providing any evidence in its defense and for washing its hands by blaming only the third party who maliciously impersonated the complainant. It was also proven that the employee responsible for the registration of the irregular phone line did not diligently verify the personal data of the person in front of him. In this case, the sanctioned company may also appeal the sentence through the ordinary justice system.
It is surprising that certain frauds continue to operate, but, as we can see, telcos are now facing large fines and reputational crises as a result of these scams. At the beginning of 2022, the AEPD published the resolutions of several proceedings opened after a series of complaints from victims of SIM swapping. This form of fraud consists of duplicating the SIM card of a cell phone after collecting the necessary information through social engineering methods (using social networks, text messages with fake links, misleading phone calls, etc.). Once the card is duplicated, the fraudsters can access bank accounts, apply for loans or purchase products. Sometimes they only need a couple of hours to complete all these activities. By the time the user realizes they have no signal and reports the case, it is often too late. SIM swapping occurs globally and has experienced considerable growth in recent years. For example, in the United States, 320 complaints were received in the three years between 2018 and 2020, and in 2021 this number grew to 1611, with losses close to $70 million for those affected.
The fines imposed by the AEPD in these proceedings range from 200,000 euros to be paid by Xfera, belonging to MásMóvil, to 3.94 million euros for Vodafone. Orange, with several fines totaling 770,000 euros, and Telefónica, with 990,000 euros, complete this series of charges. The AEPD highlights the infringement of several articles of the GDPR and the LOPDGDD (Organic Law on Personal Data Protection and Guarantee of Digital Rights), which state that service providers must treat personal data “in a way that ensures adequate security of these, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures (integrity and confidentiality)”.
The accused companies tried to defend themselves by downplaying the importance of their breaches in security protocols and blaming the lack of zeal of users over their data or blaming the banks directly. Their arguments, at least in the first instance, did not work.
To prevent this type of fraudulent action, TrustCloud develops video identification services in which transparency, user-friendliness and security at the highest level are paramount. TrustCloud VideoID is the perfect ally for telecommunications companies which, as we have seen, have ample room for improvement in terms of privacy and data protection.
Applying several layers of security (biometrics, document analysis, active and passive proof of life, etc.), TrustCloud VideoID offers rigorous identity verification. The platform’s team is thoroughly trained in identity and fraud, and TrustCloud also offers registration and qualified custody of all evidence generated in the procedures.
Companies that rely on TrustCloud VideoID have a solution that allows them to protect themselves in cases of fraud such as the ones described in this article, which unfortunately have affected some of the most important global telcos.