Indian call centre scammers are targeting BT customers

Useful info for the scammers

Great, so Mr BT has just given the scammers the info that they need to impersonate BT by misrepresenting their CLI :-(


Re: Useful info for the scammers

Literally just coming here to say exactly the same thing.

You would think that a Telecoms Supplier, or in this case THE telecoms supplier, would know better. For those that don't know, putting any CLI you want on a phone call is trivial. Sort of like sticking a sticker over your Mondeo, that says Porsche.

Anonymous Coward

Re: Useful info for the scammers

Did you notice the way BT tried to push the problem back to the customer? You shred your bills, you don't give personal data out...

Reading some of these reports the most likely explanation is that BT's IT systems have more holes in them than a tea strainer!


Re: Useful info for the scammers

After I shredded my bill, I didn't have to worry about remote access to my computer, as it was now in tiny little pieces.


Re: Useful info for the scammers

OMG!! Just peeled the Porsche sticker off my Porsche and it says Lada underneath. I fancy an upgrade, anyone know a good place to get Ferrari stickers from?

Anonymous Coward

How on earth can you tell the difference?

This sounds like normal BT behavior.

Anonymous Coward

Re: How on earth can you tell the difference?

It'll be the same issue that Talk Talk had.

Only problem will be BT is such a sprawling mess no-one will know how to find the leak, so they'll just blame customers instead and sweep the issue under the rug.

Anonymous Coward

Re: How on earth can you tell the difference?

Careful - leaking the BT playbook onto the Interwebs will make them send in the lawyers...


Re: How on earth can you tell the difference?

TalkTalk actually got hacked though.

Chances are that somebody working for BT's Indian operation was offered a couple of (dozen?) times their annual salary in exchange for handing over a database to the scammers.


Re: How on earth can you tell the difference?

How do we know the scammers aren't just doing a bit of 'over-time' after their regular work (for BT) stops?

Anonymous Coward

Re: How on earth can you tell the difference?

Yes, that's exactly what happened to TalkTalk - it was unrelated to the data breach in October 2015:

Inside the TalkTalk 'Indian scam call centre' - BBC News (6 March 2017)

http://www.bbc.co.uk/news/technology-39177981

Quote:

"TalkTalk was hit by a cyber-attack in October 2015, but that hack appears to be unrelated to the Indian fraud.

Instead, it is alleged the scam is linked to problems in a company hired by the British broadband provider.

In 2011, TalkTalk outsourced some of its call-centre work to the Kolkata (Calcutta) office of Wipro, one of India's largest IT service companies.

Last year, three Wipro employees were arrested on suspicion of selling TalkTalk customer data."


Re: How on earth can you tell the difference?

The data used by the fraudsters after the TalkTalk hack did not actually come from the hack. It came from those who knew details of installation/maintenance visits. Guess where that came from?


I've drummed it into the friends and family for years ...

... If you didn't initiate the conversation, it's a scam. End of discussion.

Seems to have worked. Nobody's reported getting ripped off in years (decades?), and yet all of them gripe about getting scam phone calls & email on a near daily basis ...


Re: I've drummed it into the friends and family for years ...

The issue (and something that happened in the TalkTalk fraud attacks to a neighbour of mine) was that those scammed had initiated the call to the ISP and were then expecting a call back from a senior technician. They just got the call from a scammer instead; expecting a call from the ISP and without any technical knowledge, they had no reason to doubt that's who was calling them until it was too late.


Re: I've drummed it into the friends and family for years ...

It's confidence tricksters. They use a wide net, or use a focused attack.

In this case it is focused, and I know of examples from at least 6 years ago if not more. Same day calls that are not likely to be "random" coincidence (as with the normal BT/MS calls).

Call is same day or next day to the BT one. Call is specifically "From BT", not "From Microsoft". Call mentions the customer's last call/name etc. Call asks for a credit card/bank card for payment. Thankfully it was a credit card and the payment was cancelled on the one I know of.

So, they know what works and what does not, and wait for the time you (or anyone) will fall for it. Like dressing as a waiter in a restaurant to steal cards. Who would expect it?


Re: I've drummed it into the friends and family for years ...

No

It's confidence tricksters with inside knowledge of the process and customer.


Re: I've drummed it into the friends and family for years ...

"had initiated the call to the ISP and were then expecting a call back "

If you are good enough to find a company that will do that rather than have you on hold for 1/2 hour, then surely that is a trivial problem to solve?

So the rules are:

If they rang you, it's a scam, unless you rang them 1/2 hour ago AND they can tell you the exact time you rang and the password you specified at that time.


Re: I've drummed it into the friends and family for years ...

The same day or next day callback is a telltale sign that it's a scammer calling. The real BT would never be that efficient in following up customer contacts.

(I'm allowed to say this - I used to work for BT in a former life, and know from first hand experience what a shower of s**t they are)


Re: I've drummed it into the friends and family for years ...

But in this case, it seems the scammers knew that the BT customer had recently called up about a problem, and were able to give details of it. Therefore the BT customer was expecting a call back, and maybe didn't realise that BT don't return calls.

Anonymous Coward

Something is really fishy here.

Either BT's customer DB got leaked, or somebody did some dumpster diving and got a treasure trove of customer bills and other information which was not disposed of properly, and in turn, passed this information on to ne'er-do-wells in India.

Or it is an outsourcer in India who passed on prospective marks to his buddies...

No way in Hell can a ne'er-do-well in India recite personal details perfectly without having access to the customer database.... or customer details...

Anonymous Coward

In theory BT's Indian call centres have strict security against staff exporting written notes about customer calls. Even if that was 100% effective - people only need "Kim" style trained memories to circumvent it.


Or it is an outsourcer in India who passed on prospective marks to his buddies...

Yes.


Timings.

Timings are too tight for this to be dumpster diving or historic user leaks. It has to be near real time leaks (staff passing on post-its of phone numbers etc).

Anonymous Coward

Re: Timings.

They seem to have better information and be able to call back more quickly than BT themselves..... perhaps BT should hire them!


Data Slurp

Yep completely agree. There are so many ways an ill-disposed IT worker with admin rights could get bulk data access - remote admin login to the CRM, then use software robots to suck up responsive data through the front end UI.


Re: Hiring

Perhaps they already do. In the UK.

What's the probability that it is an inside leak? An accomplice, associate or relative on the inside passing on the relevant information?

Some irony that Lloyds are mentioned, given that they have just, or are in the process of, outsourcing their backroom data processing to India.


Re: Hiring

AFAIK from comments elsewhere it is on the street side of the software/engineers. Those going out to houses, either their wifi enabled devices, or they themselves are leaking the data.

Anonymous Coward

Re: Hiring

"Some irony that Lloyds are mentioned, given that they have just, or are in the process of, outsourcing their backroom data processing to India."

I'm sitting here in London looking at the Lloyd's IT staff smoking outside. It looks a lot like they already have. It is not a particularly diverse workforce; a monoculture even.

Not that outsourcing to India is bad if done correctly.


Re: Data Slurp

"Yep completely agree. There are so many ways an ill-disposed IT worker with admin rights could get bulk data access "

My bet would be IT too. Not sure why you're all so keen to assume it's the Indians, could just as easily be anyone anywhere in the world.

Personally I'd just have a trigger in the CRM pushing records to SNS, but that's a bit easy to stop and trace. Fits the real-time profile though.

It might not be BT's leak - they could just be playing the probabilities with data scraped elsewhere we haven't heard from everyone who didn't fit the profile.

Anonymous Coward

It's not as if

BT have any history or Phorm for abusing its own customers, is it?

Anonymous Coward

I had a scam call about "PC problems" on two separate occasions not long after contacting BT 151 about faults on my ADSL broadband. It seemed to be more than a coincidence as those calls had otherwise become very rare.

I received my first, and only, text scam after giving Wickes DIY my mobile number in order to place an online order. Otherwise that number was only known by family and close friends.


The problem is one of design.

First, nobody should have access to those numbers. Seriously, why does a call-centre operative work with a number? They don't need to. They just need a customer screen that has a dial button, they have no need to know what number you are, what address you are at.

Technically, depending on how you interpret their "need" for access to that data, giving them anything that isn't necessary is a breach of the DPA.

They don't even "need" to see your address by default. They certainly don't need a way to capture, dump or whatever else the screen. If they need it, it could be greyed out until they specifically request it.

Hey, Steve, why are you requesting the addresses of hundreds of customers that you aren't directly dealing with and which in the phone conversations you have with them aren't needed? Oops.

But people don't design the call centre software that way. And phone companies don't design calls on a "by invitation only" basis. You're basically putting your entire customer database into the hands of easily-bribed minimum wage staff who have enormously quick job flux, and then expecting that information to stay secret, not be mis-used, and for customers to deal with it rather than the telecoms companies (CLI should NOT be able to be faked, even if people try... why does false CLI information get propagated from country to country?)

I'd also question - AGAIN - why a callcentre operative needs a general purpose computer, rather than a list of "1) Request Customer Address, 2) Change Customer Address, ...." because the SECOND they get a virus on that machine, your database is gone if they have access to it all. But apparently what we do nowadays is give them a full Windows 10 machine that isn't even locked down, and then have them access an intranet web page.

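The "customer screen with a dial button" design above, worked through as an added example (this is not code from the original thread or from any BT system): the operative works from a customer id, the dialler is the only component that sees the number, the address is hidden until explicitly revealed, and every reveal is logged so that the "Hey, Steve, why are you requesting hundreds of addresses?" question can be asked automatically. The dialler callable, the thresholds and the sample customers are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Customer:
    customer_id: str
    name: str
    phone: str      # constructed sample data; never shown to the operative
    address: str

class CustomerDesk:
    """The screen an operative gets: keyed by customer id, with a dial button and an
    explicit, logged reveal action. The raw phone number never reaches the UI."""
    def __init__(self, db, dialler, bulk_threshold=5, window_secs=600):
        self._db = db                      # {customer_id: Customer}
        self._dialler = dialler            # hypothetical callable(phone) on the telephony side
        self._active = defaultdict(set)    # operator -> customer ids with a live call
        self.audit = []                    # (action, operator, customer_id, ts) tuples
        self.bulk_threshold = bulk_threshold
        self.window_secs = window_secs

    def screen(self, operator, customer_id):
        c = self._db[customer_id]
        return {"id": c.customer_id, "name": c.name, "phone": "***", "address": "[hidden]"}

    def dial(self, operator, customer_id, ts):
        self._dialler(self._db[customer_id].phone)   # the dialler sees the number; the operator does not
        self._active[operator].add(customer_id)
        self.audit.append(("dial", operator, customer_id, ts))

    def reveal_address(self, operator, customer_id, ts):
        self.audit.append(("reveal_address", operator, customer_id, ts))
        return self._db[customer_id].address

    def suspicious_operators(self):
        """Operators who revealed more than bulk_threshold addresses within window_secs
        for customers they had no live call with. Returns {operator: count}."""
        by_op = defaultdict(list)
        for action, op, cid, ts in self.audit:
            if action == "reveal_address" and cid not in self._active[op]:
                by_op[op].append(ts)
        flagged = {}
        for op, times in by_op.items():
            times.sort()
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= self.window_secs)
                if n > self.bulk_threshold:
                    flagged[op] = n
                    break
        return flagged

def demo():
    # Constructed scenario: alice reveals one address during a live call; steve pulls
    # seven addresses with no calls at all.
    db = {f"C{i}": Customer(f"C{i}", f"Customer {i}", f"01632 960{i:03d}", f"{i} Example Road")
          for i in range(10)}
    placed = []                            # numbers the dialler was asked to ring
    desk = CustomerDesk(db, placed.append)
    desk.dial("alice", "C1", ts=100)
    desk.reveal_address("alice", "C1", ts=110)
    for i in range(7):
        desk.reveal_address("steve", f"C{i}", ts=200 + 10 * i)
    return desk, placed
```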

"... after giving Wickes DIY my mobile number ..."

Ah ha! Have a cheap PAYG mobile for this purpose, if you really have to give a mobile number to anyone. You can store the number on your 'real' mobile to read out to people who 'need' it. You can always dump and replace the SIM card after a while if scam texts and calls get annoying.


@ LeeD

You are assuming it's a call centre operative that's the problem. Could be anyone. Sys admin, DBA, network tech, application admin, etc.

You can't deny everyone access to the database.


Re: @ LeeD

Because most of these compromises are not deep-level technical staff. They are front-users with smartphones taking screenshots or just saving everything they can see and then selling it off to make up for their minimum wage when they move from company to company every week.

But then... let's go through this.

Does your application admin need access to the live production database? No.

Does your network tech? No. Especially not if even the usual users don't.

Does your DBA? Possibly.

Does your Sysadmin? Probably not. Maybe it's possible to compromise the database, but he doesn't need access to the data inside the database itself.

In fact, the only places where the data will appear are DB admins and live web-interfaces.

Centralise those. Make them accountable. Audit their access. And then if the ENTIRE db is compromised, you know who to go to.

Everyone else? They won't be able to compromise your entire database, only portions, and will similarly leave a very plain audit trail which can be tracked - by the portions of compromise if nothing else.

It's not about stopping the possibility entirely. It's about taking reasonable measures. And if your database keeps going wandering, and is this important and contains these kinds of details, reasonable measures are the above because you don't NEED that kind of access. It could even involve things like "watermarked data" entries where little red herring data is inserted into each user's account when they request large data (even as simple as altered capitalisation, changed spacing etc.) so that any leaks stand a good chance of pointing a finger at a particular dump by a particular user in a court of law. It's how things like map-theft is caught - by slightly misplacing a few entities that doesn't affect the usage of the map but means that you can tell if someone else just copied your map data/map directly rather than happened to collect the same information.

That nobody implements such measures, that customer support are able to give me all kinds of details about myself immediately, and that nobody is ever publicly fined/caught for being the source of the leak suggests that nobody in those kinds of businesses takes data security seriously in the first place.

When there are no consequences, of course data thefts like this will happen.

Put in logs, measures, difficulties, audits, controls and consequences and they'll greatly reduce, if not stop altogether.

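The "watermarked data" idea in the comment above, as an added example (not code from the original thread): each requester's bulk export carries small, usage-neutral variations (surname capitalisation, a doubled space after one comma, postcode spacing) selected by an HMAC of a server secret, the requester id and the record id. One leaked record gives only a few bits, so the dump-level function intersects candidates across records. The secret, the sample customers and the requester ids are all constructed.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"   # constructed; in practice a managed secret

def _bits(requester: str, record_id: str) -> int:
    """Deterministic selector bits for one (requester, record) pair."""
    mac = hmac.new(SERVER_SECRET, f"{requester}|{record_id}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def watermark(record: dict, requester: str) -> dict:
    """Copy of `record` with small, usage-neutral variations selected by `requester`.
    Fields are normalised first, so the output depends only on (record, requester)."""
    bits = _bits(requester, record["id"])
    out = dict(record)
    words = out["name"].split()
    words[-1] = words[-1].upper() if bits & 1 else words[-1].title()      # bit 0: surname case
    out["name"] = " ".join(words)
    parts = [p.strip() for p in out["address"].split(",")]
    seps = [", "] * (len(parts) - 1)
    sep_idx = (bits >> 1) & 3                                             # bits 1-2: which comma
    if sep_idx < len(seps):
        seps[sep_idx] = ",  "                                             # gets a double space
    out["address"] = "".join(p + s for p, s in zip(parts, seps + [""]))
    pc = out["postcode"].replace(" ", "").upper()
    out["postcode"] = pc if bits & 8 else pc[:-3] + " " + pc[-3:]         # bit 3: postcode spacing
    return out

def identify_requester(leaked: dict, original: dict, requesters: list) -> list:
    """Requesters whose watermarked copy of `original` equals the leaked record."""
    return [r for r in requesters if watermark(original, r) == leaked]

def identify_from_dump(leaked_records: list, originals_by_id: dict, requesters: list) -> list:
    """Intersect candidates across every leaked record: one record gives only a few bits,
    a dump of several narrows the field to the requester whose variations all match."""
    candidates = set(requesters)
    for rec in leaked_records:
        original = originals_by_id.get(rec.get("id"))
        if original is not None:
            candidates &= set(identify_requester(rec, original, requesters))
    return sorted(candidates)

RECORDS = [   # constructed sample customers
    {"id": "C001", "name": "alice example", "address": "1 example road, Anytown", "postcode": "sw1a 1aa"},
    {"id": "C002", "name": "bob sample", "address": "2 Sample Street, Flat 3, Othertown", "postcode": "ec1a 1bb"},
    {"id": "C003", "name": "carol test", "address": "3 test lane, Sometown", "postcode": "w1a 0ax"},
]
REQUESTERS = ["desk-07", "desk-12", "desk-19", "contractor-a"]   # constructed account ids

def trace_leak(leaker: str) -> list:
    """Simulate `leaker` exporting RECORDS and the export turning up in a scammer's hands."""
    leaked = [watermark(r, leaker) for r in RECORDS]
    return identify_from_dump(leaked, {r["id"]: r for r in RECORDS}, REQUESTERS)
```

With only four selector bits per record the scheme relies on the dump containing several records; a real deployment would use more variation points and keep the secret out of the exporting system.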

If you see a CLI of 0800 xxx xxxx, it is always a fake CLI, even if it is coming from the owner of that number, because an 0800 number redirects to a geographic number, or possibly a group of geographic numbers.

The caller may want you to call back on the 0800 number so they can distribute the calls around their call centres, and anyway it is free to call that number whereas the geographic number might not be, depending on your phone contract. My contract gives me unlimited minutes, so it would be free anyway, but only for calls of up to an hour in duration. Other people might have to pay for them, so 0800 nos are never a bad thing. And if the geographic number is in India, it would almost never be free from the UK.

How do you allow that without allowing fraudsters to fake CLI? I suppose it would be possible to have a system where the owner of the number can specify permitted geographical numbers to call from.


Re: @ LeeD

What if it is the level 1 support person who is taking the details for the callback who is leaking it?


My "suspected scam" instruction sheet:

If they mention "accident":

"THAT DIDN'T HAPPEN, NOBODY SAW THAT" (Repeat verbatim in response to whatever they say, increasing volume/agitation each time.)

or

"But, but, how did you know? - I was wearing brown trousers."

or

"That was no accident, she deserved all that and more." *click*

If they mention "Microsoft", "Windows", "Virus"...

"Oh dear!, is this to do with the computer thing? My grandson normally helps me with all that, it's upstairs, could you hold on while I get it please?" (Leave phone off hook, if you have time, do your best impression of someone simultaneously suffering from dementia, lack of short-term memory, and near total computer illiteracy.)

For general use:

"Please take a minute to think about your parents and grandparents - would they be proud of what you are doing? You should get an honest job." *click*


"There is nothing for you here" in an ominous voice.

Absolutely accurate, too :)


other good responses are

'The internet is the work of the devil and you are a tool of satan'

'That would be an ecumenical matter'

'Can I talk to you about Jesus......'

They all seem to work quite well


Argh!

I'm getting about eight scam calls a day, just had two in the last 30 minutes. Because of this I don't answer any international calls. Maybe our politicians or GCHQ should do something about it. Like drop malware onto the call centres. I answered one call from "Bob at BT" and after confusing him (ctrl+r doesn't work on Linux) I asked him if he had children. When he said that he was still single I asked in a calm voice if his parents knew that he was a criminal. After a few seconds of silence he hung up.


Re: Argh!

Maybe you're right.. but I'd rather the telcos (UK or US as I'm in the US) start blocking calls with spoofed numbers. That would go a long way to stopping these things. I guess they make some money by allowing it.


fake cli

I get these all the time; the 'BT Call Blocking' phone can't block the numbers, as they use a fake caller ID that is an actual BT call centre number.

Unless it's someone with an English, Welsh, Scottish, or Irish accent I'll just hang up on them.

If it's important they'll post a letter.


Re: fake cli

"If it's important they'll post a letter."

true dat.

I've never had the pleasure of one of these scams, but thinking about it, that's because whenever the ancient pulse dialing rotary phone that I plug into my landline just for shits and giggles (as I never use it) rings, I just lift the receiver and drop it.

I haven't managed to get any scam calls on my mobile either, which is more of a mystery given I've had the same number for 15 years or so and used it for quite a few things.


"A BT spokesman said: 'BT takes the security of its customers' accounts very seriously. We proactively warn our customers to be on their guard against scams. Fraudsters use various methods to "glean" your personal or financial details with the ultimate aim of stealing from you. This can include trying to use your BT bill and account number.'

He advised customers should never share their BT account number with anyone and always shred bills. "Be wary of calls or emails you're not expecting. Even if someone quotes your BT account number, you shouldn't trust them with your personal information."

Standard stock response about how they really do care. Then it goes on to basically say it's not our fault but the fault of the people getting the calls. I seem to remember Talk Talk said similar things.

Nice BT, what are the odds it's an outsourcer passing details on?


BT care so much about your security - they outsourced their email to Yahoo! Then did bugger all after the multiple data breaches, other than forcing password resets.


Oh for some public PSA adverts warning people about trusting emails, website ads or cold phone calls to not poison their computer.

I'm kinda surprised people are still falling for it. If a government agent phoned me up with my national insurance number, place of birth and known political affiliations (philosophical anarchist), I would still ask that he (or she) send me a snail mail letter with a phone number that I could verify as being a UK gov based number before refusing to let him (or her) near my PC (at least without a warrant).


Some banks now do TV ads about how to spot the phone scammers. Yet still my credit card company phones me up and asks for name, date of birth and credit card number to prove who I am!

You're phoning me! On the mobile number I gave you on setting up the account! There's a good chance it's me, or my mobile's been stolen in the last day or so and I've not had time to cancel it. Yet who the fuck are you!

At least that Verified by Visa non-security web pisstake thingy has a word you gave them, so you know there's a passing chance it may be their computer you're talking to.


Re: I ain't Spartacus

"that Verified by Visa non-security web pisstake thingy"

sums it all up beautifully. What an ergonomic and functional waste of space it is.


I had a long debate about just that with a man who said he was from a company with which I have a couple of investments. He did not see the illogicality of asking me for identification details when he had actually called me and I would not accept that he was who he said he was without some identification from him. In the end, I received a letter which was genuine but I still do not accept calls from them.
