The Telco Industry Leak: Updates
Last week, we received confirmation of the largest leakage of customer data in Malaysia. At a glance, the whole local telco industry, not just mobile operators but also MVNOs, had somehow leaked all these data.
But Low Yat, and almost all reports that came out after, also mention the loss of customer data by the Malaysian Medical Council, the Malaysian Medical Association and the Malaysian Dental Association, as well as the online employment site Jobstreet.com.
At this time, it is unclear whether the cause of the telco leaks is the same as the cause of the medical and Jobstreet leaks.
No one can confirm or deny.
In any case, only the medical associations and Jobstreet have come forward to take responsibility and release advisories on what their members and users should do.
To date, none of the telcos have said anything.
The whole industry is under an NDA at the moment, and MCMC’s response to my queries is unhelpful:
“With regards to your request for a reply on the data leak issue, kindly be informed that the case is still under investigation by the police.
Besides that, the Minister of Communications and Multimedia, the IGP and the COO of MCMC have already issued respective statements on the matter, recently. You may refer to their statements for your reference.”
On MCMC’s website, here is what they have:
“MCMC, together with PDRM, is investigating reports that there are advertisements to sell user data suspected of having been obtained illegally.
As a precautionary measure, MCMC has asked the administrator of the lowyat.net website to take down the sale advertisement. The website administrator has cooperated in taking down the advertisement and the related articles.
MCMC urges all parties not to make any speculation until the authorities complete their investigation.”
Sources close to the matter do not believe the breach is caused by telcos. For now, I’ll say there is a 50-50 chance it isn’t. So, what is the source of the breach? The questions we should be asking are probably these:
What’s the one common thing that all these telcos and MVNOs share? Is it a vendor? Is it a service like Mobile Number Portability?
And did MCMC want Low Yat to remove the news of the data leak because they are protecting someone?
What’s floating out there?
Regardless of whose fault this is, the risk to all Malaysians is real.
There has been no advisory from parties involved about what can be done, except for a note from Low Yat to replace our SIM cards.
But, as far as I can tell, all of Malaysia is still going around with business-as-usual.
To date, based on Low Yat’s report, we know that our prepaid and postpaid numbers are out there, along with customer details like addresses, ID numbers, SIM card information, IMSI numbers and IMEI numbers.
They are all likely matched to customer identities.
The bad guys are getting a more complete picture of each individual Malaysian, and all of this is going to come back to bite us, if it hasn’t already!
Mobile phone number – one attack surface
According to Mohammed Juzair Talib, a manager of regional IT security, “As an attacker, to compromise mobile devices, all I need is its mobile phone number.
“As Android-based phones are the most commonly used smartphones, I just need to create a fake application (.apk) file, with certain tools that are easily available online.”
He goes on to say that, from there on, he only needs to create a very legit-looking message and spam the mobile numbers that he has, requesting that the target users install the bad app.
The above is just one example of how RATs, or Remote Access Trojans, could end up on your phone to spy on you and your data.
With more of your details, criminals could devise more convincing social engineering tricks to get more details from you.