Monday, 26 June 2017

What is the scam here?

We have a (non) customer that keeps trying to buy a mobile number to receive texts.

Our automated credit control systems trap him every time! He makes new postal addresses, email addresses, bank details, telephone numbers, etc, but the systems are working well. The latest one flagged the account in 15 different ways!

Every time, he orders a mobile number and has some system send him a text from "AUTHMSG" which looks like "Your Valued Opinions verification code is: XXXXXX".

He does not get the text due to the account being flagged as suspicious.

Obviously he wants a UK mobile number to get some code to do something, but I am at a loss as to what the scam is here.

I tried googling but still did not find what the scam is...

It is annoying the accounts staff, reversing out the account and invoices. 29 attempts so far!

P.S.....

Treading on thin ice? I am MD of a communications company - I (and the company) have to respect the Data Protection Act, and obviously as a company we take things very seriously, not just in terms of law but in terms of morals and ethics. In this case we have someone I cannot really identify as a person - but I have managed to identify (correlate) multiple fraudulent attempts as probably the same person that is trying to act illegally - so is there personal data? I posted the slightly redacted content of a message, is that personal data? Even so, there are exceptions in the legislation for prevention and detection of crime, so is that valid? It is a good point and maybe a fine line, on which I hope I am the right side.

At the end of the day, if the individual in question feels aggrieved, I am more than happy for them to identify themselves and raise the issue with me or the company. There are several outstanding invoices as well as possible criminal charges for fraud and breaches of the Communications Act that await if you feel I have breached your privacy - please go ahead!

10 comments:

  1. Valued Opinions is a market research company (https://www.valuedopinions.co.uk/) and they pay people to opine on various matters.

    Try a Google search on "Valued Opinions verification code" - include the quote marks! You can see various disposable SMS numbers with that very same text but different authorization codes.

    I assume the scam is that he's attempting to defraud the market researchers by claiming multiple quantities of whatever incentive by using multiple mobile numbers.

    Obviously if they're fake particulars that he's supplying to yourselves then it sounds like Valued Opinions have stopped sending codes to disposable SMS numbers and require a mobile number which has yet to be used with them.

    Depending upon the frequency of the applications you're receiving it sounds like he's running a bot in order to make as many applications as possible. I suspect you're not the only company he's targeting.

  2. The information you published does not relate to an identified or identifiable individual, so no DPA issue.

  3. Call me naive but I'm most concerned about a provider knowing the contents of a customer's SMS. Obviously I understand that it's technically possible but is it so easy that it's so routine and easy that you'd do it for a blog post?

    Replies
    1. This is even in the CDRs we send by default (as is the case for these numbers). You can expect every SMS ever sent or received will have been logged by multiple telcos, I am sure. Why do you think I like iMessage, and Signal, and so on?

    2. Oh, and of course, we are not routinely looking at people's SMS or CDRs. This came to me because of the fraud.

    3. I've had second-hand stories of a friend who called EE about a text message he was sent... the agent, with minimal fuss, said "Oh yes, I see the message" and started to read back the content.

      EE agents appear to very easily be able to view previous SMS content.
      (Not first hand experience though, an experience a friend had and told me about).

    4. If it was an SMS sent by EE (e.g. a marketing or service message), then there's a strong chance it would be on the CRM notes.

      If a customer communication, then that's a little worrying.

    5. I've worked for a CP where it's been readily available; a good many years ago they stopped logging message content unless the customer specifically required it.

      Obviously these services are *not* intended for person-to-person communications, but for automated SMS messages (e.g. transactional SMS, 2FA etc) and responses to these, so the use case is a bit different from a typical MNO.

    6. It does rather bring home the point that SMS is not suitable as a component of 2FA...
