Wednesday, 2 November 2016

Giving the police more power? (#IPBill/#IPAct)

With the Investigatory Powers Bill reaching final stages I expect to have some detailed comments by next week, once we have the final text of the Act.

However, we had a rather odd email today from the police, a Cyber Distribution & Prevention Team, no less. You would hope they have some clue, but their email shows a drastic lack of clue...

We do occasionally get requests, usually under RIPA, usually related to telephony, and almost never actually correct. Typical errors are:-
  • Not one of our numbers!
  • Number too short
  • Number too long
But also issues they could not know about, but which are still a nuisance:-
  • Number simply not in use, and hence must just be spoofed CLI
  • Number leased to another telco
This request was different. It was a request to suspend a "line" which is in fact a VoIP service. But it shows some serious lack of clue here.

Firstly, they are going entirely on the CLI. They have not attempted to trace the source of the calls via the telephone network in any way (else they would not have got to us, as it is part of a block leased to another telco). But even though it is based only on CLI, they are assuming the CLI is genuine. No hint that they know it could be otherwise, and indeed, asking us to suspend a line based only on CLI provides a means to "attack" a victim by using their CLI for something iffy and getting the police to get the victim's line suspended! Our reply refers them to the Wikipedia article on spoofing CLI.
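As an added illustration (not code from this post or from the company), here is how the request triage described above could be written down: the number checks from the list earlier on the page, followed by the point that a CLI on its own is caller-asserted and is not grounds to suspend anyone. All number ranges, the leased sub-block and the in-use set are constructed placeholders, not real allocations.

```python
import re

# Constructed example allocations (placeholders, not real telco ranges).
# Numbers are held as digit strings in "44..." form so ranges compare lexicographically.
OWN_BLOCKS = [("441234567000", "441234567999")]    # block allocated to us
LEASED_BLOCKS = [("441234567500", "441234567599")]  # sub-block leased to another telco
IN_USE = {"441234567010", "441234567042"}           # numbers actually provisioned
UK_LEN = 12  # assumption: 44 plus ten national digits for these ranges


def normalise(number):
    """Strip punctuation and convert 0..., 0044... or +44... to a bare 44... digit string."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0044"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


def classify_request(number):
    """Return the category a request for this number falls into (the list on the page)."""
    n = normalise(number)
    if len(n) < UK_LEN:
        return "number too short"
    if len(n) > UK_LEN:
        return "number too long"
    if not any(lo <= n <= hi for lo, hi in OWN_BLOCKS):
        return "not one of our numbers"
    if any(lo <= n <= hi for lo, hi in LEASED_BLOCKS):
        return "leased to another telco"
    if n not in IN_USE:
        return "not in use (CLI presumably spoofed)"
    return "our customer"


def triage(number, evidence):
    """evidence is a set such as {"cli"} or {"cli", "network_trace"} (hypothetical labels).

    A request resting only on the CLI presented to victims is refused: the CLI is
    asserted by the caller, so acting on it alone lets an attacker get a victim's
    line suspended simply by spoofing the victim's number.
    """
    category = classify_request(number)
    if category != "our customer":
        return category, "nothing to action"
    if evidence == {"cli"}:
        return category, "refuse: CLI alone is caller-asserted and may be spoofed"
    return category, "escalate for review"
```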

Also, it is marked "Classification: PROTECT - INTERNAL USE ONLY" yet they have sent it externally to us. Ooops.

Then they explain "Attempts to contact the line have not been undertaken to prevent jeopardising any ongoing or potential investigation that may follow." Hang on?!? What would we say to a customer (if it was our customer) when we suspend them that would not jeopardise an ongoing or potential investigation - seriously - a suspended line is going to be a tad noticeable.

Then there is the actual request "We request that you consider suspending this line as soon as possible to prevent further harm to members of the public occurring and for a minimum period of 12 months." which I am not sure I understand. This is just a number. If we suspend it at all, the end user can have a new number to make calls within seconds, so it is not going to stop him, just alert him that they are on to him. It also means the fraudster is now using a new number which nobody is blocking or watching out for, so that actually increases harm - by always using the same number one can alert people "don't accept calls from X", if that was a sane thing to do when considering CLI spoofing anyway. It also makes the reports they are getting easier to collate, as they know it is the same person. But also, why suspend for 12 months? How does that help?

But then we have the fraud itself - a simple matter of someone calling and claiming to be something official (I am not giving details here), but a key point is that the victim is then asked for "bank details" to pay something they have been convinced is due. As far as I know that only allows a direct debit, and a direct debit can always be reversed. So either the victims are getting really bad advice and not getting the DD reversed and their money back, or the fraudster is particularly stupid. The email is quite specific, and says the other trick is to ask the victim to get "I tune"[sic] vouchers and read out the number, but that again makes no sense, as this is someone claiming to be from an official body which nobody would be stupid enough to think could be paid in iTunes vouchers. What they are saying here really makes no sense. I suspect the fraudster is smarter than they are saying and the police are recording the details totally wrongly.

I hope they catch the fraudster, but in this case there is nothing we can do to assist further - as the calls are not through us or from one of our customers.

These are the people we want to give access to details of every web site visited by every person in the UK. Seriously?
  1. "an official body which nobody would be stupid enough to think could be paid in iTunes vouchers" -- there are definitely people out there that are that stupid...

    1. Indeed.

      I read something about a year ago which totally changed my perception of the entire online fraud industry... which is that the reason that fraudulent emails are so incompetent, so full of blatant spelling mistakes, so obviously fake, is NOT that the fraudsters are stupid, it's because they have exhaustively A/B tested their messaging and have selected for the type of target they want to reel in which is... ignorant/uneducated/gullible people.

      The fact that you and I immediately see through scam emails is absolutely intended. The scammers have no interest in wasting their time on us because they know we'll never actually send them the cash/iTunes voucher. What they really want is people who are only just literate, and they're the ones who don't notice that "tommorow" is misspelled or that Barclay's Bank shouldn't have an apostrophe.

  2. > Classification: PROTECT

    There has not been a classification of "PROTECT" for a couple of years now...

    In 2014, "PROTECT", and some others, was replaced with "OFFICIAL", sometimes with the additional "SENSITIVE".

    1. That is even funnier, and perhaps even brings into question the authenticity of the "request" in the first place.

    2. I know it's only a 1% likelihood but have you actually contacted the police to verify its authenticity? Somehow the title 'Cyber Distribution & Prevention Team' just doesn't ring true, almost like one of those titles the scammers often invent. The National Cyber Crime Unit is the main body for overseeing such investigations and I wasn't aware that many local forces had a dedicated cyber crime unit.

    3. We are assuming incompetence rather than malice here and so have not, but that is largely as we have not taken any action or revealed any information.

    4. Interestingly, if one Googles """Cyber Distribution & Prevention Team""", the only result which comes back is this blog...

    5. Increasingly, police forces are setting up cyber crime units. As an example of a joint unit between Suffolk and Norfolk:

      This is due to the ever increasing amount of online crime happening, compared to traditional crimes.

    6. It's only now that the police are moving over from the Government Protective Marking Scheme (NOT PROTECTIVELY MARKED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET) to the new Government Security Classifications (OFFICIAL (which can have several compartments including OFFICIAL SENSITIVE), SECRET and TOP SECRET). A force I am aware of literally moved over today; other forces have until next year to move. The reason for the delay is the sheer number of systems the police have and the complexity in changing operational systems.

      PROTECT was the highest classification one was allowed to use over public email; the next level, RESTRICTED, could only be used over secured email. Everything should be OFFICIAL (which you don't actually mark at all) with compartments being used, such as SENSITIVE, where necessary.

  3. Perhaps I'll try paying my next bill in iTunes vouchers. I mean, if I give you the code for a £25 voucher, and the code for a £5 voucher, you could pass on the code for the £5 voucher to the HMRC, as VAT?

  4. Either the email you received was fake or they have revealed details to you about someone who is not one of your customers (their first contact should have been to confirm that the number was one of yours before they gave you any details). If it's not a fake you should report them to the ICO!

    1. Well, we cannot identify any individual from the email, the number was not ours, so not actually a breach of DPA is it! If the number was ours then we could identify someone, but they would be allowed to disclose under the exceptions in DPA I expect.

  5. Quite common scams in the States use iTunes vouchers to pay for IRS tax amounts. There must be a reasonable market for these to convert to real currency somewhere, or they order hardware and sell that on.