What that recent massive data leak will look like to us
It all began on 19th October, 2017, when Low Yat noticed suspicious behaviour in their forums, and reported about it. Less than two weeks later, this was followed up by a comprehensive report that confirmed 46.2 million mobile phone numbers had been leaked, along with the list of telcos that ‘leaked’ them. No one can confirm what caused the leak or whether it has been plugged, but what we do know is that Malaysia has a population of less than 46.2 million. In the words of an industry player, “This is embarrassing, because it may point to old records being leaked, and that the leak has been going on for a very long time, without anyone realising it.”
Low Yat also reported that 81,309 records from the Malaysian Medical Council, Malaysian Medical Association (MMA) and Malaysian Dental Association were also leaked.
What does this mean for Malaysia?
Data leaks are not new, and there is a new data leak being reported almost every week.
Besides the stricter enforcements that MCMC and PDPA need to execute (this is another article coming soon), what should Malaysians do?
How is all our data floating around out there, going to come back to bite us? More importantly, What Will It Look Like?
First off, is the increased number of scam calls that you, I, and almost everyone we know, are already getting.
They come in many forms:
1. As phone calls from foreign countries and locally
2. As text messages from foreign countries and locally
WHAT TO DO:
– Do not answer them, and do not click on any link they ask you to click!
Some of these callers even masquerade themselves as from your Bank or from your other Service Providers (telcos, insurance, even police stations and legal courts etc) that seem legitimate.
They are very convincing, because they have information about you, which they will use to try and trick you!
Then, before they proceed further with the call, they ask you to verify your identity, by giving them more information. Do not give them any information, because they have not verified themselves to you!
Your safest bet is to physically go to the nearest branch and perform your transaction.
That’s what I did.
And when I showed them the text message I got from “their bank”, they advised me to ignore it, next time.
What does your information in the wrong hands, mean.
Postpaid and prepaid numbers, customer details, addresses, SIM card information, unique IMEI and IMSI numbers. These were the kinds of information that Low Yat reported had been leaked.
All these information, on their own may not mean much, but when used in combination with each other and/or with other personal information, could wreak one hell of a havoc.
IT security researcher, Mahathir Abdul Malek, said, “Any leaked data is an advantage to the attacker.
“If they have your home address i.e via resumes on Jobstreet, they can start sniffing your mails and/or steal your credit card statements, Astro bill, magazine subscriptions etc.”
Also, the last time that your ‘bank’ called you, did you manage to verify they were really your bank before giving away answers to verification questions that they had?
So, back to the recent leak that Low Yat reported.
We know about that leak today.
But, we ourselves (and family and friends) may be ‘giving’ away our information, and not realise it!
What does our info in the wrong hands look like?
It looks like any number of things. One of them is SIM card fraud.
This happens when bad guys have enough information to convince your telco that they are you. They would have walked into your telco service centre, and by pretending to be you with enough information about you, they can get your telco to deactivate the SIM in your phone, and activate the new SIM which they are holding.
From thereon, there is any number of possible scenarios.
Just one of these scenarios is this: If they have earlier succeeded in creating a fake account using your information and in the same bank as you (there would be lesser security checks if it is an existing customer), they could obtain a new banking password (sent to the thieves’ phone), and weasel their way to getting money transferred from your account to the new fake one that is in your name.
Our IMEI and IMSI
An IMEI is a unique 15-digit number used to identify mobile devices on mobile networks. Telcos have ability to block your phone from accessing their networks, based on this IMEI.
The International Mobile Subscriber Identity or IMSI is used to identify the user of a cellular network and is a unique identification associated with all cellular networks.
At a glance, these information may not mean much.
But, the conniving hacker is probably already carrying out his next con against you, using this knowledge that he has about you.