Business security

SME’s inaction on cybersecurity is bad for business

simon chandler

SME cybersecurity – should they care?

Small retailers and businesses aren’t doing enough on cybersecurity. This, at least, is what emerges from a survey published recently from domain provider 123 Reg, who canvassed 13,000 online retailers and discovered that 10% of them aren’t taking any steps whatsoever to protect their customers’ personal data.

This is a worrying figure, and while 10% isn’t perhaps a massive percentage on its own, the survey also found that 50% of e-commerce owners admit to not being prepared for an attack and to not having a recovery plan in the event of a breach.

While such findings are already disconcerting enough in simple terms of cyber and data security, they’re also troubling for another reason, which is that they reveal how smaller online retailers are jeopardising their businesses and their trustworthiness by neglecting the security of their websites and platforms.

This isn’t something suggested only by 123 Reg’s recent survey, but also by other research. For example, in June 2016, Barclaycard conducted their own survey on SME cybersecurity, learning that only 20% of small and medium enterprises held up online security as a top business priority. This was despite the fact that 48% had knowingly been the victim of a cyberattack and the fact that 54% were concerned about hacking.

And this stands in marked contrast to larger enterprises. Larger businesses take cybersecurity more seriously and invest more in it, with the latest Thales Data Threat Report revealing that 73% of large international corporations will be increasing their security spending this year. Similarly, the report also shows that 88% are highly concerned about data security, while a similar Zurich Insurance survey of SMEs from last year found that only 8% rank cybercrime as the top risk to their business.

Of course, larger companies are targeted in more high profile ways than their smaller counterparts, yet what should be unsettling for SMEs is that attacks against them are on the increase. In 2016, smaller businesses were hit by some 230,000 attacks, while the percentage of breaches targeting SMEs grew from 18% in 2011 to 43% in 2015.

One way of interpreting such growth is that, as cybercrime grows and becomes almost ‘professionalised’, cybercriminals are increasingly realising that smaller retailers are a soft target. And as the surveys mentioned above indicate, this is because SMEs aren’t devoting enough attention to the security of their websites, servers, networks and platforms.

As a result of this inattention, 74% of SMEs suffered an information security breach in 2015, according to Government figures. And this proportion is likely to grow, especially in light of how an August 2016 survey from Close Brothers revealed that 63% of SMEs have actually decided not to invest in improved online security in light of the EU’s General Data Protection Regulation.

Somewhat luckily, SMEs lack the kind of visibility that would result in breaches being widely reported in the media. However, if attacks against them do indeed continue increasing, and if the public become increasingly aware of these attacks, then trust in smaller online businesses and retailers will be damaged.

And as the notorious TalkTalk hack from October 2015 plainly revealed, a violation of customer data wouldn’t result only in a loss of trust, but also in a loss of customers. And for smaller retailers and businesses eager to hold onto as many of their customers as possible, such losses would be very damaging.

It would result in small and independent retailers losing even more custom to giant online outlets such as Amazon and eBay, in the process strengthening even further the stranglehold such larger companies have on digital spending and shopping. At the moment, a whopping 55% of all online product searches are made on Amazon (at least in the US), and this share will only increase if SMEs continue being too inactive on cybersecurity.

This is why, even with smaller budgets, SMEs must take greater action to strengthen their data and cyber security. More of them need to adopt such measures as multifactor authentication for important company accounts, drawing up contingency plans for cyberattacks, conducting regular tests and assessments of the strength of their cybersecurity, and tightening physical and online access to sources of sensitive information.

By taking such steps, and perhaps by going so far as to employ dedicated information security officers where possible, SMEs will be in a much better position to guard themselves against the rising tide of cybercrime.

Yet more generally, they’ll be in a much better position to guard their businesses, their reputations, and their relationships with their customers. And given that they make up 99% [PDF] of all UK businesses, they’ll also be better placed to protect the British economy at a time when it needs more than ever to grow.

This is a guest post by Simon Chandler, News Editor of Choose, a consumer price comparison and information site covering broadband and personal finance services. Simon wrote the post a few weeks ago and I’ve been a delinquent in sticking it up. I don’t typically take guest posts from sites who are doing it for their own SEO benefit but in fairness to Choose they supply good quality copy and I wish them well with it.

End User scams

Christmas phishing anyone? especially naive law firm PRs

raise your hands if you fancy a bit of christmas phishing

Got this email the other day. In my wisdom at some time in the past I said yes to being on some central PR database mailing list and now get spammed from all over the place with press releases with very tenuous links to my own areas of interest, which themselves are pretty wide. The email I have to believe is from a subscriber to that list and looks to me like a bit of Christmas phishing.

Who on earth in their right minds is going to click on the logo as suggested. I’m sure it leads to a very humorous landing page intended to show it’s sender, dlapiper, in a good light. All it did for me was to make me think dlapiper  were not that clued up and why should I even think of using their almost certainly extremely expensive legal services.

I took a screenshot to use with this post, labeled the sender as spam (I do this to most emails that address me as “Hi”) and deleted the email. Having done so I am a little curious as to what the message from the president. It might have been funny or it might have been that he was looking for someone to temporarily deposit $100m in their bank account until after he had left office.

I’ve asked to be taken off the central PR database but it’s probably going to be some time before I stop getting spammed like this. I might have to manually start unsubscribing for a bit to see if it has any effect.

First post in a while. Must do better.Going to have some interesting (well to me anyway) news in the new year so don’t go away. Not out of hearshot anyway. Or leave a number where I can get you.



Bad Stuff End User

Yahoo hack a sign of things to come in the UK post snoopers charter

Yahoo hack is a shot across the bows

There have recently been two high profile cybersecurity hacks in the news. The anti drug agency job where the medical records of some top athletes have been made public and now the theft of 500million Yahoo customers’ data.

All I’m really going to say is this comes as no surprise. Just as it will be no surprise when all our web browsing records are stolen and made public one they start collecting the data post Snooper’s Charter.

Been in Belgium for the last 3 days btw. Plenty of armed soldiers patrolling the streets. Difficult times.

Check out loads of other posts on bad stuff here.

PS I didn’t realise Yahoo had so many users. Mind you I have a Yahoo account but only ever looked at it once about ten years ago.

Bad Stuff Business Legal ofcom Regs scams

Information, Connection and Signposting Services (ICSS) Update

ICSS update

A little while ago I was approached by someone else that shares an interest in the subject of Information, Connection and Signposting Services (the so-called ICSS), about which I have previously written on Trefor.Net.

As a brief reminder, someone will buy up all the Google Ad-words (or, I suppose, the Yahoo equivalent if they’re still a thing) for “British Gas Customer Services” and variants thereof, and show a revenue sharing phone number, such as 0844 (which can be upto 7 pence per minute plus your phone company’s access charge) which they then translate to the actual customer service number and pocket the difference.

Since I last wrote about this, the Consumer Rights Directive was transposed and the Financial Conduct Authority implemented a similar requirement to outlaw the use of “premium rate” calls when contacting a company in connection with a contract.

Firstly, some pedantry from me. The term premium rate is bandied about far too often by everyone. It has a very distinct legal meaning, which is based in the Ofcom Premium Rate Services Definition. Broadly, that means it has to be more than 7 pence per minute in terms of the Service Charge element; and as the National Telephone Numbering Plan (given force by virtue of General Condition of Entitlement 17) prohibits the use of anything above 7 pence per minute to just 087x and 09x ranges, then 084 numbers and 03 numbers are not Premium Rate by definition. Hopefully some sub-Editors for the Daily Mail shall take note. Incidentally, the numbering plan doesn’t prevent 087 being used below 7 pence per minute – in the changes to the non-geographic call services market in the summer of 2015, many operators set a service charge of 1-2 pence per minute for 0870 numbers to maintain the status quo. This means they are not “premium rate” despite the fact the next number block in sequence might be 13 pence per minute.

So, now we are all up to speed, why the renewed interest? Well, PhonepayPlus intervened in the ICSS market where the Service Charge element was over 7 pence per minute (i.e. premium rate where they have jurisdiction). They set a prior permission regime, which denoted ICSS has high risk, but then softened this to Special Conditions along with the rest of the prior permission regime in an update to the PhonepayPlus Code of Conduct. Their intervention wasn’t a smooth one, with some ICSS operators seeking a judicial review of their intervention. That will give you an idea of what the market is worth – a view supported by the growing number of entities apparently offering such a “service”. I have a list broken down by year and it has demonstrably been growing over time.

I cannot think of any direct PhonepayPlus censure of an ICSS provider; however, the Advertising Standards Authority has intervened in a couple of cases. The first brought to my attention was in 2014 whereby the ASA ruled against them on the basis it wasn’t clear it was a connection service. Interestingly, in a case in 2015, they went further, discussing that customers looking for a number for customer services wouldn’t go into detailed small print. This is heartening as it means the ASA is almost going further than PhonepayPlus and is a useful alternative body to make complaints to.

Unsurprisingly, the Fair Telecoms Campaign made a suggestion that all ICSS should be treated as Premium Rate Services (i.e. under Phonepayplus control) in their response to the Ofcom consultation on the latest Phonepayplus Code of Conduct. Ofcom dismissed this in their Statement due to a lack of consumer harm being evidenced, which is a stock Ofcom answer for “not important enough to warrant our resource or attention yet”.

That Ofcom position also correlates with me having made representations on behalf of some financial institutions who were rather aggrieved at being passed off (which is still the advice I give people – treat it as impersonation more than a telecommunications regulation issue).

So, it’s clear there’s still a problem, and potentially one that is growing. Where do we go from here?

Well, it is heartening that a Google search I have performed for a few private sector companies people may wish to call (including those I referenced in my original piece) has them in the top couple/three hits with ICSS at least being less obvious and less baiting then I recall, although they are still there. This of course doesn’t get around the natural human instinct of just dialling the number that’s there at the top, of course. However, I cannot say the same for government departments who appear to be subject to it, and, in terms of Ofcom’s statutory duties, should have them pay more attention as it presents services used by the more vulnerable in society.

I believe that the ASA has broader power and is clearly more disposed to using it in situations where ICSS is misleading. The problem here is two-fold though. First, it is a lot harder for a commercial entity to make a complaint to the ASA (something I found out when ITSPA were going to refer EE for its “shed load of data” advert a couple years ago). Secondly, there is a balance between offering a service at a premium taken willingly by lazy consumers (the economists would say “reducing their search costs”); just like being put through to a number given to you by the guys in moustaches at their 118 rates, ICSS can be argued to have a legitimate role in society.

That means we need to have a debate, which is where Ofcom should come in. They are the subject matter experts and have a wide range of powers available for them to research and intervene as they feel appropriate. So, I think my advice needs to be updated as follows;

  1. Complain to the ASA. It is easier for it to be given attention if the consumer does it as opposed to the passed off company.
  2. Be in control of your search engine results and outspend the ICSS people if needs be. I haven’t experienced it myself as it isn’t my area, but one ITSPA members tells me Google are receptive to  companies complaining they are being passed off, so that should be something done as well.
  3. Complain to Ofcom. Google “Ofcom contact us” and pray I haven’t been mischievous and bought the ad words for it and translated an 0908 number to their 0300 to fund an Aston Martin. In all seriousness, their details are here.


My experience from dealing with fraud, net neutrality and other issues that various agencies want to try and ignore is that once there’s a clear weight of evidence, in fairness to those agencies, they do start to act. So let’s get the evidence to them and break the vicious cycle of “no action because no reporting” and “no reporting because no action”.

Business Legal security

House of Commons Culture, Media and Sport Select Committee report on Cyber Security

House of Commons Culture, Media and Sport Select Committee report on Cyber Security and all that jazz

Email came through from ITSPA this morning regarding the House of Commons Culture, Media and Sport Select Committee report on  Cyber Security: Protection of Personal Data Online Contents

In general, the report focused on the need for increased consumer awareness of cyber security breaches and recommended that the Information Commissioner’s Office (ICO) should have a robust system of escalating fines to sanction those who fail to report, prepare for, or learn from data breaches. It also stated that Government need to urgently address the huge amount of data that will be created by the Investigatory Powers Bill and how this will be secured from data breaches.

I’ve listed the key recommendations together with my own comments below:

  • Companies should report their cyber security and data protection strategies to the ICO

This is somewhat naive. How many companies are there in the UK? The ICO would be swamped and in anycase to have the resources to do anything with the information.

  • The ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors

More red tape and you have to question the efficacy of this. I can understand auditing the public sector but private industry???

  • The Government should initiate a public awareness-raising campaign on cyber security
  1. Waste of time though. For a campaign to be effective it would have to be prolonged, permanent even, and cost a fortune.
  • It should be easier for victims of a data breach to claim compensation

Seems like a good idea if likely to be somewhat complicated and difficult to do.

  • All relevant companies should provide well-publicised guidance to customers on how they will contact customers and how to make contact to verify that communications from the company are genuine

What makes a company relevant? In principle this sounds sensible but it is red tape.

  • All telecommunications companies should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers

The more I think about this is its interference in private industry.

  • Cyber security should sit with someone able to take full day-to-day responsibility and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack

Cost. Overhead.

  • To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security


  • The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by Government

I’ve been saying this for years but all you will get is lip service.

There you go. The UK approach to cybersecurity. I’m not saying it isn’t an important subject and that we all need to be cyber secure. I’m not sure that more rolls of red tape is the way to do it.

My thanks to the ITSPA secretariat for their contributions to this post (which is most of the post apart from my comments)

Business scams

Takeaway messages from telecoms fraud workshop

Telecoms fraud workshop learnings

We covered a lot of ground in yesterday’s telecoms fraud workshop. A big thanks to everyone who made it and to sponsors Netaxis and Gamma. I don’t think there was a singe person in the room who didn’t contribute in some way and I’m sure everyone got something out of it.

A special thanks to the speakers Colin Duffy of Voipfone, Ben O’Leary from Gamma, DS Nick Kemsley of the City of London Police, independent fraud expert Dave Morrow and Manuel Basilavecchia of Netaxis.

Much was discussed in the three hours but the key points can easily be summarised here:

  1. If carriers were able to stop international settlement payments for known fraudulent traffic to premium rate numbers the problem would disappear overnight. “Apparently this is not possible”. Nobody could really say why.
  2. Fraud mitigation systems need to be automated and work in real time or as near to real time as possible. Most fraudulent “attacks are over in a short period of time. Manual systems that rely on human intervention take too long. This may result in “false positives” where genuine traffic is blocked but it is better this way than for end users to be hit with big bills.
  3. There has been plenty of work done that would help people model their automated (and non automated for that matter) systems. Get in touch if you want me to point you in the right direction.
  4. Criminals use automated processes that work their way through number ranges until they find an unblocked series to use as targets for their fraudulent calls. An automated system should be able to anticipate fraudulent activity by seeing calls from one destination working their way through such number ranges. \


I’m not going to go through the types of fraud involved. Much has been written before on this blog if you want a read. I’ve made it easy for you by providing a link to telecoms fraud posts.

Click on the link for Dave Morrow’s white paper on Missing Trader Intra Community Fraud.

End User security surveillance & privacy

I break my silence on the Snooper’s Charter

my latest observations on the snooper’s charter

I have in the past been very vocal when it comes to the snooper’s charter. Especially when I was more active in the ISP industry. Having throttled back a bit I let others, the professionals, have their say and stuck to my own counsel.

Just received a summary of the comments from MPs in respect of the latest incarnation of the Bill from the ITSPA Secretariat. I’ve pasted it below with a few of my own observations.

Internet Connection Records

  • Burnham said that whilst the Government’s position in the draft code of practice makes it clear that URLs are not communications data and therefore, by definition, cannot be included in ICRs, it would be more useful to have a single, clear definition of ICRs in one place in the Bill.
  • Burnham stated that communications data should not be capable of being accessed to investigate any crime, regardless of how serious the offence is and the impact on victims.
  • Member of the Public Bill Committee, Gavin Newlands MP, said that the measures in the Bill are not limited to internet access, email or telephony and include, explicitly, communication without human intervention. He added that the industry has indicated a willingness to work with the Government to help implement ICRs, but the trouble is that the industry does not know what ICRs are, and it seems Government still do not know either. He said that these powers were intrusive and needed to be properly defined.
  • Member of three Committees which scrutinised the Bill, Matt Warman MP, said that people needed to be reminded that it was CSPs and not govt who would hold ICRs and govt would not be dipping into this information for any other purpose than to stop serious crime.
  • Alistair Carmichael MP said that it was unacceptable at this stage of proceedings that there is still no proper clear definition of ICRs.


Tref writes: Government has no idea what it is talking about in respect of ICRs and is probably keeping things deliberately vague so that they can apply the “definition” to anything that suits them.

Matt Warman is also missing the point. It doesn’t matter who keeps the data – it will be hacked into and leaked. Also we hear all sorts of stories about RIPA requests from councils wanting evidence on relatively trivial “crimes”. The concern is that once the data was available all sorts of people would come out of the woodwork wanting to look at it.


  • Member of the Public Bill and Joint Committee, Suella Fernandes MP, said that the UK wants world-class encryption and privacy, but also wants world-class security and citizens should trust the skill and restraint of the analysts, the cryptographers, the mathematicians and the codebreakers who safeguard security and have maintained confidence and discretion in relation to the secrets they have seen.
  • Stephen Hammond MP said that encryption was hugely important to the digital economy and said it should not be undermined, however, he said he had faith in the security services that they would use restraint.


Tref writes: they are totally missing the point here. If encryption methods are designed to be hackable by government codebreakers then criminals and hostile foreign powers can do the same. You can’t have “world-class” encryption if it can be hacked.

Cost Recovery

  • Newlands highlighted that owing to uncertainty about the extent and definition of ICRs and the extension of CSPs that will be affected by the proposed provision, the cost is difficult to estimate, but industry figures have said that they expect it to be anywhere between £1 billion and £3 billion. He said that it was not good enough that govt had not produced robust figures which could be examined whilst the Bill was being scrutinised.


Tref writes: they have no idea what the implementation of the Bill is likely to cost and are keeping quiet about it because the eventual figure is likely to be unpalatable.

Bad Stuff End User scams

Facebook notifications with phishing links

Don’t do it! – Facebook notification phishing.

Facebook notification phishing whereby someone shares a post on your page and provides a phishing link within the text is new to me. Our Anne’s Vans website Facebook Page just received such a notification using a link to a phishing site. My wife spotted the notification and asked what she should do. The notification said that unless she verified the page it would be shut down.

I took a look and it is clearly a phishing site. The interesting thing is that whilst I reported the page there doesn’t appear to be a means of deleting the notification – I don’t particularly want the link hanging around. Even reporting the page only lets me block it. In fact it was a post within the page that let me do this rather than the page itself.

I don’t particularly want to hang around the page to play with it any more so I’ve moved on, other than to pen this swift blog post on the subject.

I guess the issue is that this going to catch some people out. Anne wasn’t sure what to do so she asked me. Some will just take the notification as read and fill in the facebook login details that were being requested.

Facebook notification phishing is new to me and is a slightly disappointing attempt at a scam. The previous ones I’ve seen have involved friend requests from scantily clad females which I have,with a heavy heart, reluctantly had to block 🙂

It would be interesting to hear if others have seen such phishing attempts.

It remains to be seen  whether Facebook takes down the page. I will let you know, obvs. In the meantime I’m getting ready to go off camping in Derbyshire for the weekend. The forecast is rain, sleet and temperatures approaching zero!

facebook notification phishing

confirm your page

Loads of posts on scam subjects.

Business scams

Telecoms Fraud, Liability and Responsibility: A Contractual Approach from a Telecoms Specialist Lawyer

Telecoms Fraud Liability and Responsibility

Danny Preiskel of Preiskel & Co is one of the world’s leading telecoms lawyers. In this final post of Manuel Basilavecchia curated posts on telecom fraud Danny looks at the subject of telecoms fraud liability from a legal perspective.

Considering the devastating effects telecoms fraud can have on a wholesale or retail telecoms business this post looks at some of the legal aspects and provides some guidance to minimise the impact from a contractual perspective.

Civil Litigation for Civil Fraud

Successfully suing in civil litigation for fraud and recovering damages is only possible in certain circumstances, and with fraud being notoriously difficult to prove, the risk of losing in court and being liable for the defendant’s costs often outweighs the potential award of damages.  This is exacerbated by the fact that even if the telco victim is successful, the defendant company may not have the funds to actually satisfy any judgment awarded.

As with other jurisdictions, English law also allows shareholders and directors to hide behind the veil of incorporation.  Only in limited circumstances will the English courts pierce the veil of incorporation to convict or fine the individual shareholders behind a company, though directors can incur liability in addition to the company.   Typically in the UK we have seen that fraudsters can simply re-appear and commit more fraud by hiding behind another company name.

Another legal principle which may accidentally protect fraudsters is the privity of contract doctrine, whereby contractual obligations are only due to the contracting party and not its sub-contractors. For example BT fraud department will usually not deal with carriers with whom it is not directly contracted with. This can be problematic as often BT’s call records as well as the knowledge and actions of its fraud department can be hugely useful.

And finally, there are the UK insolvency laws which make it hard and expensive to recover monies from a company in liquidation or administration.

Insolvency Proceedings

Insolvency proceedings in the UK involve an application to court for the winding up of the company, usually after service of a Statutory Demand; and the appointment of an insolvency practitioner (to collect and distribute amounts for all the creditors).  

If the insolvency practitioner is not convinced there are sufficient funds in the insolvent company then it will ask the company appointing it to guarantee its costs. Whilst this is understandable it can be a huge disincentive bearing in mind that any amounts recovered by the insolvency practitioner will be for the benefit of all the creditors. It is not just in the telecoms sector that it is rare for creditors who are unsecured to get any meaningful percentage recovery.

If an insolvency practitioner is funded then it could potentially sue the fraudulent director and attempt to get a recovery as well as make a report recommending the person be disqualified as a director for several years. However the harsh reality regarding insolvency related proceedings in the UK, means that the failure to properly fund an insolvency practitioner often results in a director getting away with the telecoms fraud.

The Telecoms LCR Chain – Profiting From Fraud

When it comes to the wholesale industry we find ourselves in the curious position that, often it is not just the perpetrator of the fraud who seeks to profit. Understandably carriers in the chain want to be paid in full (including their profit margin), meaning that they profit from fraud, albeit not a fraud they have committed themselves. In essence it can be quite galling for a carrier that has been left with a gaping revenue hole, to have its supplier insist on recovering not only its cost of transiting the traffic but also its profit margin.

Contractual Protection

Please consider the important recent case Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd [2014] EWHC 1907 (TCC), where the Court required the telecoms carrier to be liable for the calling costs, even if the traffic was fraudulently generated.  We advise that in light of this judgment in particular that carrier review carefully and make amendments to their end user and wholesale agreements.

Carrier contracts should not only exclude, to the fullest extent permitted by applicable law, all express and implied warranties but should require the other party to be responsible, even if traffic was fraudulently generated by a third party.  Looking up the supply chain, we advise our client carriers to require that the supplier’s systems should be set to block fraudulent traffic and accordingly be liable in the event that they fail to block such fraud, even if it has passed through our client’s system undetected.

There is a lot to be said for such provisions to avoid uncertainty at the outset, minimising our clients’ exposure in terms of liability whilst importantly drawing the carriers’ minds to implementing appropriate anti-fraud measures before exchanging traffic.

What the Industry Can Do

Beyond the various technical measures (not mentioned in this blog note), the blocking of certain destinations by the way of default and some anti-fraud security provisions in the contract protecting the single carrier, the telecoms industry should consider an industry code of practice:

agreeing to help other carriers in the chain in identifying the fraud, even though there is no contractual relationship;

agreeing not to profit from fraud, i.e. take out profit element of charges;

appointing industry representatives to have a better working relationship with the fraud sections of the police and the regulator;

allowing companies to refuse to pay up the supply chain where there has been fraud suspected, albeit subject to certain provisos to ensure that nobody unduly benefits in such case;

providing a reseller kitemark approach to help combat dial-through fraud (e.g. the FCS’ fraud group that Preiskel & Co helped set up; or the International Interconnection Forum For Services Over IP (I3 Forum))

considering an industry fund to make a contribution towards costs of bringing enforcement action against fraudsters

identifying a cost effective insolvency practitioner who understands the industry

This concludes telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts from the week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s
Manuel Basilavecchia on “A mobile operator fraud case study
Jonathan Rodwell on “Telecoms and IT Security” and with part 2 here

Business scams

Jonathan Rodwell on Telecoms and IT Security part two

SIP Trunk Plus CEO Jonathan Rodwell in Part two of his posts on Telecoms and IT Security

Fraud week sponsored by Netaxis continues with part two of Jonathan Rodwell’s post on Telecoms and IT Security. In part one Jonathan discussed “Telecoms and IT security in the UK” together with “Technical best practice”.

The second post  concludes with  “the human wild card” and says “we need a new way of thinking”

The weak link?

The elephant in the room is the weak link in all telecoms/network scenarios. Us human beings. The bigger question being that if the ‘human’ wildcard element cannot be controlled, can any network (Telecoms or otherwise) ever be truly secure?

I suspect that even some of the most technically astute individuals cut corners.  We just can’t help ourselves sometimes. Using similar passwords on email accounts perhaps?  Not bothering with voicemail passwords?  User log on credentials that are not sufficiently robust?  No matter how robust a technical architecture is when people cut corners they expose their business to another’s malicious intent.

Larger organisations certainly have more tools at their disposal to exercise greater control over protecting their services, or offering training and technical solutions to manage passwords and so forth. But even they face challenges, particularly when staff bring their own devices onto the network.  Larger organisations often present a more attractive target to groups of individuals intent on hacking. It is generally accepted that if a group of skilled individuals with sufficient resources wants to penetrate your security, they will undoubtedly find a way. TalkTalk can tell you all about it.

As Telecoms providers, we know that as our service is predominantly IP Based, our clients and our businesses are exposed to potentially massive costs.

Both The Federation of Communication Services (FCS) and the Internet Telephony Service Providers Association (ITSPA) understands these challenges and is working with industry experts, the police and stakeholders across the board to try and help mitigate the potential risks. The FCS have a Fraud panel dedicated to working with industry professionals to help deliver best practice. ITSPA work closely with the likes of Action Fraud and the Metropolitan Police. 

FCS’s experience is instructive:  less than two years ago, fraud was a taboo subject at FCS meetings.  No business CP liked to talk about it, for fear of admitting weakness to their competitors.  Today it’s the industry’s number one pain-point.  

These trade associations provide a single voice for their members to Ofcom and to policy-makers. This protects members from the risk of individual damage to their brands. 

What can we do?

This all seems somewhat daunting, particularly for the small business owner – remember, the challenges for a multi-national are immense, too. So where do we start? A good place is the set of recommendations from GCHQ: The Cyber Essentials Scheme. Essentially, this focuses on protecting against Internet-Originated attacks against IT/IP Comms services. Cyber Essentials focuses on five key controls:

  1. Boundary Firewalls and Internet Gateways – devices designed to prevent unauthorised access, and setting them up effectively.
  2. Secure Configuration – of systems relative to the needs of the organisation.
  3. Access Control – Ensuring appropriate permissions within systems, with sensible passwords.
  4. Malware Protection – Ensuring it is installed and correctly maintained.
  5. Patch Management – Ensuring they are applied and utilised this is particularly pertinent for users of all PBXs. They need to be patched as much as any other network device.


This is all perfectly sensible and a good starting point, especially if your staff are office-based, but many businesses in 2014 support flexible working environments, such as staff who work from home and so forth. Indeed, some businesses do not have offices at all; so consider item 3: how do you control access when a home internet service is provided by BT or Sky and they have direct access to the router? If your IT support is provided by a third party, what happens if their own security is penetrated; are you vulnerable too?

BYOD (Bring Your Own Device) adds a further layer of complexity when employee or visitor devices are allowed access to the network. Companies must balance the benefits versus the risks and what mitigation can be implemented (realistically) on a technical basis.

Suppliers must emphasise and help implement best practice when it comes to the protection of PBX and handset architecture. Granted, some end clients are more willing than others to be proactive on this front, but suppliers have an obligation to emphasise the security protocols that can best protect the PBX and handsets (essentially network devices). Suppliers should also take some expert advice when it comes to their client contracts, with terms and conditions requiring specific attention paid to liabilities in case clients simply do not implement best practice.

Carriers and Telecommunications providers are in an interesting and powerful position in the equation. The carrier position is interesting because they can in theory, actually benefit from Telecoms Security breaches – a £20,000 phone bill still has to be paid after all, be it by the resale partner or by the client. Moral issues aside, the dilemma arise when fraudulent activity places the client’s business in jeopardy: if a business folds, then recovering the money becomes a much harder proposition. This is not to suggest that carriers encourage fraud, rather that history has shown that the responsibility of managing security and cost has always been pushed down the supply chain. Most carriers, at best, offer simple credit limiting or algorithmic analysis of traffic patterns.

The industry has a responsibility to do more, not just from an ethical point of view, but by offering enhanced protection at the Carrier level.  Doing so means changing the whole dynamic between resellers and end clients. If we can empower both the end client, and the reseller to control in real time the volume of minutes to every possible global destination (or group of destination), we can ensure end clients will always know what their maximum liability would be. This is minute limiting for the global business environment that is both dynamic and at the control of both key stakeholders – the business and supplier chain.

Consider now the dynamic of the supplier / client relationship if ‘cost of fraud’ wasn’t an issue. How would your approach to IT and Telecoms security change if a business-crippling financial penalty wasn’t threatening to be the end result of a security breach?

If the acceptance of ‘risk’ becomes easier to tolerate because there is a layer of protection and mitigation delivered through the telecoms supply chain by partners who are proactive, rather than reactive, then choices made by end clients become simpler, and could actually be different.

This can be taken a step further, so much so that if we accept that there is no perfect system and there is always a risk, then we can decide which method of working, or what telephony connectivity represents an acceptable level of ‘risk’. Clients can then assess the practicality of a heavily locked down infrastructure versus the ability to be dynamic and innovative in working practice.

We are not advocating businesses becomes an open door to hacks, rather that the whole supply chain can be chosen to facilitate a sensible approach to IT and Telecoms security that is simple to manage and doesn’t become a rod to the back of a business.

Thought leaders for the future

So what do we do about it? Well first of all, there is no perfect solution. If you admit to yourself and accept that people by nature will always be the weak link when it comes to telecoms security, then how you deal with peoples’ nature will be the defining aspect of IT and Telecoms security for your business, either globally or domestically.

Accept the view that once a file is emailed, voicemail sent out, or words have left your mouth, you have ultimately lost control over them. From that point on they can be copied, re-purposed and distributed without your permission on an exponential scale. Within Telecoms security however, you can at least limit the financial damage to an almost negligible level.

We are therefore in a more fortunate position than our friends in the IT and Data security industry where personal information, intellectual property and company data stores are also at risk.

It is time for the telecommunications industry to regain the initiative, the ‘old way’ of doing things, and the old business paradigms the industry that apply brakes to progress. Instead of playing catch-up and adopting a siege mentality, we have to change the way with think about security. Acceptance of risk, balanced with technical mitigation solutions should be weighed against the potential cost of a security penetration.

Suppliers and clients must be both pragmatic in the implementation of security protocols, and both parties must understand their responsibilities and the corresponding risks of waiving them. This is certainly an matter of education, and business owners have a responsibility to take the time to understand what those risks are, as there are currently no formal benchmarks in the industry currently that relate to telecoms security to guide selection.

A crucial step to understanding your risks and developing a strategy that suits your business is obviously working with the right supply chain: Partners can be trusted advisors to business owners and IT specialists, that offer the right solutions, even if those solutions don’t necessarily come from an established brand that has been around for decades. Telecommunications has become a managed service.

We are now, more than ever, part of a corporate ecosystem of applications. The more you lock it down, the more you dampen the dynamism and creativity within a business. So think carefully about how you deliver services to your clients.  Deliver value and don’t be afraid of breaking from tradition.  Learn from the past, but don’t be shackled by it.

This is telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s
Manuel Basilavecchia on “A mobile operator fraud case study
Jonathan Rodwell on “Telecoms and IT Security

This second post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.

Business scams

Jonathan Rodwell on Telecoms and IT Security

Telecoms and IT security in the UK and Technical best practice

In an excellent and wide ranging two part series, SIP Trunk Plus CEO Jonathan Rodwell dives into the world of telecom fraud. In this first post he looks at Telecoms and IT security in the UK and Technical best practice.

Executive Summary

Telecoms and IT security is a massive industry in 2015, but the lack of security and the results thereof are talked about much more quietly. Instead service providers and technology delivery partners prefer to speak of uptime, and resilience. It is hardly surprising that what we don’t hear mentioned is who suffers from fraud. Big consumer data breaches hit the headlines frequently though only vast corporations like Target, TalkTalk and Sony really hit the headlines of the business community. Target was the result of a third party supplier breach but the snowball effect affects the entire business community.

Fraud is perpetrated every day. We fear being the victim but the reality is that often we are the problem as much as we are the solution. The IT and Telecommunications industry’s challenge is to effectively address the “elephant in the room”.  Talking about fraud with clients is interesting because service providers don’t want to sell on ‘fear’. Yet, at the same time, when they provide only one aspect of client infrastructure (e.g. telecoms), they may have no direct control over the infrastructure or the end user’s business or employees. When ‘fraud’ is perpetrated the initial and historical reaction is ‘fire fighting’ by identifying the cause and implementing a solution. Finally, they determine who gets the blame. One thing is certain, regardless of ‘fault’, the provider’s brand is damaged simply by association.

This first post is an examination of:

  1. The Telecoms and IT security in the UK
  2. Technical best practice


The second post  addresses:

  1. The human wild card
  2. We need a new way of thinking


Perfect solutions may not be available, but by removing the most painful and immediate result of a telecoms security breach – the financial cost – companies can change the way they approach security. Removing the risk of an expensive pay-out – which a service provider does not want to request, nor a client receive – massively changes the dynamic of the whole security equation.

By removing the risk, core stakeholders can then (in theory at least) work together in a cooperative, and constructive ways to firstly, ensure that a process of best practice is implemented, but also ensure that the cause of most hacks – human error – means that scapegoating and blame can be turned into a justification and positive reinforcement exercise that strengthens the client’s focus on increasing their information and network security across the board. Happy clients mean happy service providers and protection for the industry’s reputation.

Telecoms and IT security in the UK – where are we today?

In 2015, Telecoms and IT security are one and the same. A Legacy or IP PBX, or IP handsets are simply network devices that can provide huge business benefit and are crucial to most business operations. They are, however, devices that must be managed carefully along with every other network device so that they are not open to misuse. Similarly to the Local Network, infrastructure services like ISDN and SIP Trunks must also be managed, and some legacy services such as ISDN have more inherent risks associated. PBX security does not happen ‘out of the box’, it requires careful planning and control of both the network and connectivity.

Worldwide spending on Information Security showed an increase of 7.9 percent on 2013 and is predicted reach $71.1 billion in 2014 and to grow a further 8.2 percent in 2015, with roughly 10% of security capabilities delivered through cloud services1. Malware and processing power are available on an industrial scale at relatively low cost and businesses must prepare themselves to prevent becoming targets.

An enormous telephony bill at the end of the month, for some, could be the only indication that they are the victim of Telecommunications fraud. A frightening situation for anyone – be it the business owner or the IT Manager responsible for making sure that such a situation doesn’t happen. What is the initial reaction? Apportion blame? Deny liability for the costs? Fire a supplier or an employee? Contact the police or seek remedy in court? Two things are certain, a business will not be happy to pay such costs; and the resulting fallout can destroy even the longest standing business relationships.

The first question is what we can define fraud as? Is it simply exploitation of third party resources for financial gain? Or does it also extend to company employees costing their employer more, by extending their use of services provided by the company for personal benefit? We work on the basis of the full definition and focus on any expenditure that would not have been authorised by a company (in relation to their Telecommunication systems) is fraud.

Experience to date shows that the costs of fraud often never see the light of day. The reporting rate to the police the Action Fraud Bureau is just the tip of the iceberg. The Telecoms industry has been forced into a position where liability is the responsibility of the end clients simply to protect their own businesses, which in turn stimulated the development of the entire Info Security industry.

European Commissioner Neelie Kroes, Vice President for the Digital Agenda, was typically direct in her views of the Telecommunications industry: ‘Sometimes I think the telecoms sector is its own worst enemy.’ She went on to ask whether we will be leading the industry or whether we will be dragged ‘kicking and screaming’2. This may seem negative, but the Telecommunications industry has been around for over a hundred years, and like many mature industries, change can come very slowly.  While consumer telecoms, driven by the likes of Apple and Samsung, has commoditised the industry and radically adjusted consumer perception, the more traditional business to business market moves much more slowly.

The business and technical challenges

The fact is that we, as providers of telecommunications services, are providers of business critical services; the security of which we don’t necessarily have control over. This seems counter intuitive, doesn’t it? However, the challenge does not end there; types of exposure to fraudulent activity can vary significantly depending on a number of factors, not the least of which is the actual size of organisations.

For example, a company with 5 employees may have no IT expertise in house; they could rely on outsourced network support (or no network support at all) and leave themselves exposed on a variety of levels. A FTSE100 company on the other hand, may have an IT department consisting of dozens (or even hundreds) of staff, with a multimillion pound budget, but the sheer volume of devices that access their network and potential complexity of the network alone doesn’t offer them certain protection. Consider the recent cases of Home Depot and Target in the US, for example, who were penetrated at the point of sale at a cost to their own brand and their bottom line.

So what are the key considerations when it comes to telecoms security?

An onsite PBX is inherently vulnerable.

Physicality – As we know, unless equipment is in a secure environment with biometric and prescribed access control procedures, the PBX can be accessed and call routing tables amended. Note that organisations such as the NICC refer to a plethora of documentation in respect to best practice for such installations; however, how many companies are in a position to adopt such best practice?

Unauthorised access can be gained by anyone, from a systems administrator to a cleaner.

Remotely – many PBX’s are connected to the internet to enable remote access from their providers and to interface with cloud servers such as Jabber for IM and contact centre technologies, for example.

The first challenge is securing the local network, such as blocking port 5060; however, who controls the network? Is it the IT support company (in-house or contracted) or the communications provider? More often than not it is both – two brains potentially acting separately. This creates grey areas of responsibility as demonstrated by a recent High Court case where £35K of fraud was held against the communications provider.

There are two principal methods by which fraud is perpetrated:

  1. Hacks over the internet
  2. Dial-through fraud – Hacks via voicemail pin


Both of these methods aim to divert traffic to premium rate numbers (usually international) whereby the fraudsters are rewarded with the profit generated from such numbers.

What about at a national and global level?

Typical Methods of Prevention

The Telecoms supply chain can be very complex.  A carrier provides minutes to a sub-carrier and in turn to a reseller and in turn to, say, a SIP trunk provider and then again to the end client, or indeed another reseller. There are many combinations and permutations in the supply network.

What about at a Carrier Level?

Responsible carriers will offer protection using two principal methods:

  1. Referring to a fraudulent number repository – and blocking calls to such destinations
  2. Algorithmic – detecting unusual traffic patterns and blocking calls accordingly.


At Sub-Carrier Level

  1. Credit Limits – Imposing credit limits on resellers globally


The only real way to protect against fraud is the intelligent and real time monitoring of call traffic via Call Detail Records, or the logging of minutes. The challenge the reseller community has is that they are reliant on carrier provided monthly CRDs which only deliver the information after an incident has taken place, over a period of time. A very large cost can be accumulated in the space of an hour, let alone a month.

There is a major consideration too for the reseller community: They will have a company credit / supply limit with their SIP Trunk carrier globally. If that reseller hits their credit limit an automatic block on their services is implemented (automatically); that could potentially mean a block on all of their clients trunk services – a total service outage in effect. It is absolutely crucial the telecoms channel be able to manage their client base at a granular level and in real time.

This is telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s
Manuel Basilavecchia on “A mobile operator fraud case study

This post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.

In his second post, to be published tomorrow at 1pm Jonathan conclude by looking at

  1. The human wild card and
  2. We need a new way of thinking


1 Gartner Press Release, Sydney, Australia, August 22nd 2014
2 Adapt or die: What I would do if I ran a telecom company, FT ETNO Summit 2014, Brussels, October 1st 2014

Business Mobile scams

Mobile operator fraud case study

A Mobile Operator Fraud case study but it could apply to any type of network

In this article this week’s guest editor Manuel  Basilavecchia of Netaxis describes a mobile operator fraud – in other words a telecom fraud that impacted a mobile operator. He describes the type of traffic pattern (destinations) and fraudster behaviour. For obvious reasons we are keeping the name of the operator out of it. It could happen to anyone dropping their guard.

The mobile operator in question underwent some planned maintenance work on its network.  Few details are available on the nature of the planned work but from a security point of view the activity was a total failure as the following day their switch was accessed from outside their network. We may assume that the planned work cleared the access list on the SBC/firewall.

Once the fraudster had access to the switch, he initiated some test calls. The goal was to check if it was possible to terminate traffic to specific destinations. To avoid detection the tests calls were kept to a low volume.

It is important to note that the hijack and the test phase took place on weekdays. On the Friday evening, fraudster rolled up his sleeves and got on with the real work of sending volume traffic to several destinations.  

The traffic pattern was as follows:

  • Fake CLI’s used like 1001111,1000001,123456; etc
  • Massive calls to Latvia, Lithuania, Moldova, Gambia etc….
  • Big volumes generated per CLI

The fraud was detected the next day in the morning by a service provider of the mobile operator. The time elapsed between the beginning of the fraud and the detection allowed the fraudster to generate quite high volumes.

As it was a week-end it was difficult for the SP to get in touch with the mobile operator to inform him about the ongoing fraud and to align on measure that needs to be taken. Again here, few hours lost which benefits the fraudster……

Once the decision to block fraudulent traffic has been taken a game of cat and mouse started. Indeed,  when the fraudster identified that a destination was not generating revenues due to barring implemented, he immediately and simply switched to targeting another country. The same principle applied for CLI’s. Any time he noticed that a CLI was blocked he just moved on to another. This game lasted the entire day.

On day two, a major change in the destinations targeted was seen: Nauru, Senegal, Maldives Zimbabwe was now part of the fraud scheme.

Again, barring had to be implemented on the targeted destinations. It is important to note that the barring had to be implemented so as to stop fraudulent traffic but without impacting the legitimate traffic

In parallel, the mobile operator attempted to solve the security breach which took some time.  Once the issue solved on the SBC, fraudulent traffic finally stopped.

Lessons learnt:

Security is key to protect  a network and in the case where a modification is made to a SBC, a cross check needs to take place after the intervention

Based on the short time between the planned work and the hacking it is clear that networks are scanned by fraudster to find an open door.

Fraud monitoring needs to be made live or near real time to minimize the impact and this 24 x 7

Barring solution must be available to stop fraud. This barring solution needs to be flexible (A number, B number, range, destination).

This is telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s

End User scams

Telecom Fraud – industry’s problem not the customer’s

Industry needs to take ownership of telecom fraud says VanillaIP CEO Dave Dadds

The ongoing “quiet” debate about telecom fraud which for the Voice Carriers and Resellers in the UK typically shows itself in the form of “dial through fraud” is a continued ongoing discussion, but the truth is that it is everyone’s dirty secret.

We all know the ways dial through fraud typically happen by either the PBX being hijacking or impersonating the SIP credentials, then big bills being sent all the way down the chain typically ending up on the customer doorstep.  

The first thing I would say is this is not an end user problem, why should the customer be expected to know the inside out of the black magic art of telecoms to somehow work out how to stop it? If the banks turned around to us and told us all that our next credit card fraud is our problem to sort we would rightly tell them where to go.  No, this problem is for the industry to sort out and get its house in order and start spending the money to resolve the problem. It would also help if our regulator Ofcom took more interest in this issue rather than just passing the buck.

Why this is everyone’s “dirty secret” is because no vendor is keen to talk about how much they have been hacked for as they see it as a loss of face and a reflection of weakness in there system. This in itself means that the problem is being tackled with one hand behind everyone’s back.  The other major issue which does not always get asked is where exactly this money is being sent?  

Various stats are given as to how much this fraud is worth worldwide, millions, billions, trillions who knows but the key question is are we all funding ISIS?.  When this possibility is put in the ring this becomes not just a commercial concern for all of us but just as importantly a moral concern with the recent tragic incidents around the world including Paris.

The industry needs to get its act together and tackle the problem head on. Anyone that is running a SIP based network service these days will no doubt be putting their own preventative measures in place but the biggest leak in all of our cumulative “Buckets” is the fact that the large carriers continue to be happy to pay the out payments with NO questions asked.  If UK based carriers refused to pay their international partners this fraud would soon start to be stopped, we saw the change in the UK fraud market once out payments could be withheld for UK routed 09x, 08x and 070x numbers.  We ourselves today at VanillaIP see very little attempted fraud to UK numbers as there is no financial incentive, what a surprise!

As an industry we need to be putting a much brighter spotlight on the subject, we must all be prepared to talk openly about this problem and share best practice.  Both FCS and ITSPA have been working on strategies to help resolve this problem and we could all start by reporting all frauds through which is a website run by the City Of London Police and the National Fraud Intelligence Bureau.   We should push for greater engagement with the large carriers and the regulator as this is everyone’s problem. In reality there is absolutely no reason why we can’t resolve this to the benefit of everyone apart from the criminals and terrorists out there.

Dave Dadds ([email protected]) – is CEO of and Deputy Chairman at FCS

This is telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on “Missing Trader VAT Fraud

Business scams

Missing Trader VAT Fraud

Missing Trader VAT Fraud

Fraud is for telecommunication companies a wide problem. Several fraud scenarios are well know like IRSF, PBX hacking, Bypass, and could be managed using a Fraud Management System (FMS).

Nevertheless, there is a fraud mechanism that could severely affect the business of a company even if this company is using an FMS. This fraud mechanism is called Missing Trader VAT fraud and is a significant problem for both business and tax authorities.

This type of fraud becomes possible because of the way the VAT system works within the European Union. This article aims to describe the Missing Trader VAT fraud mechanism at least at the top level.

How it works?

As a first step, fraudsters create a company (telecom reseller in this case). As a second step, traffic is purchased and resold.  Following the normal VAT mechanism, VAT is charged to and recovered from the end customer by the fraudster.

Up to this point, everything is ok. However the fraudster then disappears before having handed over the cash to the VAT authorities.

This in turn can cause a problem for the innocent party who has handed over the VAT to the crooks because the taxmen believe that they can recover it from said innocent party. This is a major risk for the business, especially as tax authorities can apply penalties. 

They get you with the “should have known” clause. They repeated say that you must know your customer and your suppliers and you have to prove to them that you’re innocent – a reversal of natural justice.

It is important that you read the leaflet linked to below. If you do not take due care and HMRC can demonstrate that you knew or should have known that your trading was linked to fraudulent tax losses then you will lose your entitlement to claim the input tax linked to those transactions.

missing trader vat fraud

In reality of course, when a MTIC is established, it is made is a more complex way than the basic principle described above.

Indeed, the fraud can be perpetrated on genuine traffic, meaning that no alarm will be triggered by the FMS. Also, a “clean” supplier with which a customer has business relations since years can suddenly enter in this bad game

Last but not least, in many cases several companies involved in the supply chain are complicit (buffers). This help to hide the full picture if the fraud and enable carousel mechanism.

How to detect Missing Trader VAT Fraud?

We have seen that this fraud can occur on legitimate traffic which makes detection more complicated. For that reason, a number of different checks must be made on various aspects of the workings of a business: legal, financial, and traffic analysis.

This is especially although not uniquely for new interconnections. Existing interconnections also should also be regularly checked.

Market intelligence is also a great added-value in order to avoid to connecting with suspect companies or companies managed by people who have had issues with tax authorities in the past

Considering the nature of this fraud it is important to set up alert processes across your finance, legal and fraud management departments.


MTIC (VAT fraud) in VoIP- B.U school of law/Boston University, School of law Working Paper No10_03. Richard T.Ainsworth

ETNO/ Missing Trader Fraud. Telecommunications Industry Standard Risk Management Process

HM Revenue & customs/ Missing Trader Intra Community (MTIC). VAT Fraud presentation. Joanne Cheetam MTIC National Co-Ordination Unit . 2012

Bad Stuff Business security

Is encryption the answer to data loss?

Is encryption the answer to data loss?  Voipfone CEO Colin Duffy thinks not

The TalkTalk hack and subsequent data loss – and to a lesser extent the Vodafone hack only a few days later – bring the issue of data security and telecommunications into the news. In the media, much emphasis has been placed on the use of encryption as a line of defence against data loss. This is only very partially true – encryption is not a panacea.

When it is useful, the system has already been compromised, the data is already lost and can be worked on at the criminal’s leisure or sold on to more sophisticated criminals with the tools to decrypt it. Encryption is not perfect and through cryptanalysis it can be broken. For example, knowing that you are looking at a list of tens of thousands of postcodes that are encrypted with the same key can provide sufficient information to decrypt the entire list. Moreover, the encryption key itself then becomes a prime target for hackers.

Encryption is most useful when it is used to protect data transport over a hostile medium e.g. when data is exchanged between two parties over the Internet or a laptop being taken out of the office or situations where physical hardware can be stolen.

But inside private networks it is far less useful. This is because customer data is in constant use by multiple users – for billing, reporting, and customer support and by customers for updates and information. Customer databases need multiple entry points and authorisations for both human and machine access. Encrypted information is unencrypted on the fly by the computer which processes it. If the hacker gains access to that computer as a user the data is automatically unencrypted and visible.

Any breach that allows an attacker access to a component such as remote code execution and login access would also give them access to the encrypted data and the encryption key. There are very few remote attack forms where encryption would prevent data loss once the hacker has penetrated the system.

In these circumstances, encrypting data adds extra load on processors and systems, adds system and managerial complexity and cost and mostly does little more than provide a false sense of security. In reality, encryption of data inside networks is of most use not for the protection of the data, but from subsequent media accusations of security laxness.

Finally, encryption does not protect against the database deletion or interference.

For a limited number of risks, data encryption can bring some security value to a system, but for most it has no benefit whatsoever. Therefore it certainly isn’t a replacement for the other security measures – protecting access to systems, minimising SQL injection or code execution vulnerabilities. It has to be considered a last line of defence, added on top of all other reasonable measures.

Colin Duffy

This week of telecoms fraud posts is edited by Manuel Basilavecchia of Netaxis.

Bad Stuff Business scams

It’s telecoms fraud week on

Telecoms fraud – a massive cost to the industry

I periodically run themed weeks on this blog. This week it’s going to be a few posts on telecoms fraud, edited by Manuel Basilavecchia of Belgian anti fraud specialists Netaxis. Manuel has already contributed a post on PABX fraud during a previous fraud week.

The telecoms industry loses a huge amount of money to fraud. The total amount has been estimated to be in the tens of billions of dollars (see global fraud loss survey by cvidya). It is a problem that affects most businesses of any size. The worst aspect of the problem is that it often alienates service providers with their customers. The fault is often down to inadequate network security practices amongst end user companies who in turn blame their communications provider.

It is in everyone’s interest to do something about telecoms fraud but because these scams are usually perpetrated across national boundaries with multiple networks involved in the loop making any progress is a difficult thing to do. It is only the local communications provider who has the problem – of recovering the cash from their customer.

This week’s contributors include some heavy hitters in the industry including Colin Duffy of Voipfone and Dave Dadds of Vanilla IP. Keep your eye open for their posts.

First one goes live today at 1pm. Catch ya later…

End User scams

Chinese domain name scam returns – yay

We take a break from our Lincolnshire broadband posts to bring you this exciting message. The Chinese domain name scam is back:)

I used to get these scam Chinese emails quite frequently when I was at Timico. Dunno if they specifically target email addresses of businesses. I look back at them with fondness because they were obviously attempts to extract cash.

General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huayin Ltd on November 9, 2015. They want to register ” broadbandrating ” as their Internet Keyword and ” broadbandrating .cn “、” broadbandrating ” 、” broadbandrating “、” broadbandrating ” 、” broadbandrating .asia ” domain names etc.., they are in China and Asia domain names. But after checking it, we find ” broadbandrating ” conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

I got this one recently. Don’t recall when exactly because it was in my spam folder and I deleted the lot after copying the text. Good old Google caught this one for me. Had some words of warning: “Emails like these have been known to be attempts to take money from your bank account” or words to that effect.

I should probably take it a little more seriously but my initial reaction was “Ah bless, they’re at it again”. Presumably it must work with some people otherwise they wouldn’t bother.

PS I wonder what Huayin Ltd notionally do?

End User scams voip

Hi it’s Michael here – do you have an Apple or Microsoft computer in the house?

snom dect and Michael the Microsoft pirate

I was thrilled to answer the home phone this morning to find it was Michael at the other end. I’m sure it was Michael though it did take him a couple of goes to get his own name right. He wasn’t your average Michael. He sounded very sub-continental, if you get my drift.

I had just come in from doing mellow fruitfulness stuff in the back garden and had to race to answer the (SNOM DECT SIP) phone before it rang off so I wasn’t totally on the ball meself. I did answer the phone with my right name though, I think.

Mike got straight to the point. Actually I’m not sure that he calls himself Mike but I didn’t get that far in relationship building in our short time together but that is by the by. Anyway Mike informed me that he was ringing regarding the Microsoft or Apple PC in the house. I asked him how to could tell the differenced and how he knew it was either Microsoft or Apple. He said most people had either Microsoft of Apple PCS.

Now the frustrating thing about our very short lived conversation is that Mickey didn’t hang around long enough for me to tell him I didn’t use either but was a Chromebook aficionado. Before I knew it click, he was gone. V disappointing. I was just in the right mood for a long conversation about the fact that my PC had a virus or simlar.

Never mind. Mick had a dirty target to reach and couldn’t waste time chatting with me about the pros and cons of browser based operating systems versus the old fashioned stuff.

With an element of sadness, nay mellowness in keeping with the season, I put the handset back in its cradle.

Our home phone use btw has been revolutionised by the use of SIP but I’ll keep my powder dry on that one until next week as we are having a Lincolnshire Broadband week on the blog. I currently haver around 10 posts in my sights but can still take more if you want to contribute. Can be about apps running over broadband or about broadband tech itself. Or even how broadband has changed your life for the better. Hey it happens 🙂

The featured image btw is a snom dect handset on a background of black granite. V artistic I thought although the handset itself didn’t come out in perfect focus as I kept taking pics to try and get the red led in shot – at least I got that bit. Adds a bit of colour don’t you think?

Bad Stuff Business voip

Tickets now available for Exec Dinner with Danny Prieskel – Telecom Fraud Experiences

Danny Prieskel discusses Telecom Fraud at Exec Dinner

Fraud is a big problem for providers of telecommunications services, be they traditional voice or VoIP services. ITSPA runs workshops where we discuss the subject and has been very active in working with the Metropolitan Police where it comes to fraud response and anti-fraud measures.

The next UC Exec dinner will focus on Telecom Fraud and has Danny Prieskel along as guest speaker. If you want to understand more about Telecom Fraud and be part of the debate then you need to be at this event.

Danny PrieskelDanny Prieskel is a co-founder of Preiskel & Co and has over 20 years’ experience working in the telecoms, media and technology sectors, advising across the globe. He has been ranked for over 15 years in major independent research guides as one of the world’s leading communications lawyers.

He is a friend of our industry and has very generously agreed to come along to this dinner to chat about his experiences with VoIP fraud.

voip fraudTelecom fraud is a subject that affects most of us in the communications game. Both the Internet Telephony Service Providers Association (ITSPA) and The Federation of Communication Services (FCS) have active programmes on the subject and the joint ITSPA/ biannual workshops frequently cover the topic.

This evening is an opportunity to get together with senior peers in the industry to discuss the issue.

This event is very generously supported by anti-fraud vendor NetAxis who are currently offering free trials of their Engo fraud detection services to ITSPA members. Exec Dinners are events that gather together leading players from industry for evenings of debate over dinner. Our guest speakers are experts in their field and are there as a catalyst for the debate which is conducted under Chatham House rules. The speakers get as much out of these dinners as the other attendees so we are able to attract some of the leading players in their field.

Previous dinners and lunches have had an interesting variety of guest speakers:

  • Tony Cox of Microsoft talking about the future of Lync
  • Huw Rees of 8×8 on the USA market for hosted Internet Telephony
  • Joe Baguley of VMware talking virtualisation futures
  • Mehdi Nezarati of talking about the Google Unified Communications landscape for business
  • Prof Alan Johnston talking WebRTC
  • Steph Watson on the future of the PBX
  • Andy Davidson on “instant on” WANs
  • Dean Elwood on the Large Telco market
  • Kevin Murphy of BT on the challenges of moving Voice to the 21CN
  • Curtis Peterson Global SVP Operations RingCentral


What people have said about Exec Dinners:

Sally Fuller – Director Marketing & Centres of Excellence, KCOM
Trefs annual UC dinners are held twice a year and that should give you a clue about their surprising nature from the outset. Tref has a knack of picking interested, interesting and inspiring people that are at the core of making our industry a great one (yes I sneak in on the b list). Tref’s guests get more from sharing their insights and ideas than withholding them. Every time I learn something new, meet someone new, get a new perspective & miss my last train home.

Colin Duffy – CEO,  Voipfone
The dinners are always good for high quality gossip, industry chit chat and networking – you can guarantee learning something or meeting someone new and useful. Far more importantly though, they’re just a damn good evening out.

Tim Meredith – Director of Unified Communications and Mobile, Daisy Group PLC

I just wanted to thank you for being an excellent host and putting on a really informative (and fun) evening. I hope to attend many future evenings!

Andy Davidson – CTO Allegro Networks, Chairman LONAP, Chairman IX-Leeds, Director Euro-IX

Lively, informative, and tasty!  That’s how I’d describe each evening I’ve spent in the company of Tref and his invited guests.  You’re guaranteed several conversations with colleagues and key decision makers at organisations across the industry over a relaxed dinner at a fantastic hand-picked menu and location.

End User security

Secure data stolen from Lloyds Bank datacentre

lloyds bank data theft

I note Police are investigating the disappearance of a storage device that contains people’s names, addresses, sort codes and account numbers, after it was taken from a data centre in July (Telegraph).

Some thoughts here.

  1. Why would the Telegraph store this kind of info unencrypted on a data device? Indeed why would they store it on a physical device that could be stolen at all? Doesn’t sound like a very secure situation to me at all.
  2. Lloyds might have argued that Datacentres themselves are inherently secure. Well yes they are but there have been a number of examples over the years where people have stolen kit, usually expensive routers, from “secure” racks in “secure datacentres”. Datacentre security usually involves multiple layers of sign-in/verification and also involves cctv. Doesn’t seem to stop this kind of thing happening though.
  3. On this basis we should consider all data to me inherently insecure and open to theft at some point and assume that it will be stolen. The only way around this is to have a regime that involves regular password changes. I assume you all do this right? Even then it doesn’t guarantee the security of your data.
  4. If we assume that data will inevitably at some point be stolen then the question arises as to whether we are storing this data unnecessarily. eg do you need to keep your online banking login information stored somewhere that may be stolen. How about on a bit of paper hidden in a sock instead? (no clues being given here btw:)
  5. We should also question it when others propose to store your personal data for their own purposes. I’m sure there are many examples of this – you can name your own.

At this stage if I let it get to me I’d be a quivering wreck. There’s a lot of stuff out there about me. What can I do about it?

Part of the problem (problem?) is that stick a lot of stuff online myself without being prompted. Yesterday’s video of a goods train passing in front of me got over 4,500 views on Facebook with no effort whatsoever.

People will know I was at that specific railway crossing at the time the video was taken. Given enough time you could build up a profile of my regular movements and habits just from information publicly available on the web.

Although I know some people who shy away from platforms like Facebook for this very reason I don’t. In fact I’ve started to use Facebook more and more as believe it or not it is good for business. I’ve even installed the Facebook app on my droid despite my previous misgivings about the personal data it wanted to access on my phone.

I’ve basically just said “to hell with it” and plunged into the deep-end instead of playing about where I was able to stand up without the water coming over my head.

I don’t know where all this is going. On Tuesday one of my kids became the proud owner of a macbook pro. During the (brief) install phase he told me the machine was asking him whether he wanted to encrypt the disk. I googled this and found that Apple had introduced this feature as standard to make it harder for governments to snoop on their customers’ data.

We probably need to rely on these big companies doing the right thing because they have the resources to be able do it right. It is a worry though especially when half their business model relies on them collecting enough personal information about you to be able to sell it.

I’ve gone on enough here and it’s nearly time to go home. I’m cooking a pork casserole so that we have something ready for when we get back from Galashiels at the weekend. Look out for a post about The Pylons gig we are going to see at the 100 Bands Festival. In fact if you are in the area come and see them. 1pm main stage Saturday.

Lots more posts on the subject of data theft and online security in the security category of this blog.

PS I am a Lloyds Bank customer and user their mobile app. I am happy to do this because they guarantee to cover any losses due to theft arising from my use of the app. It’s the way ahead.

Apps End User mobile apps spam

WhatsApp spam

WhatsApp spam endemic

whatsapp spamAaaargh just received my first WhatsApp spam message. I don’t even use WhatsApp though I do have the App on my droid. It’s getting uninstalled right now.

The spam originated from someone who created a group , added me to it, sent the spam and then removed me from the group. Must be a machine in play there.

An App must truly be labelled useless if all it does is serve you with spam.

I also still get phone call spam. I spent much of this afternoon getting my Snom M700 DECT system working. Wasn’t totally straightforward as it isn’t a Voipfone supported device but they have some great engineers and we got it sorted.

So now our home phone number points at two Snom DECT handsets (kitchen and TV room), a Yealink (conservatory/office) and on the CSIPSimple App on my mobile. I was just running through the ringtone options with the family when a son told me my mobile was ringing. This was somewhat confusing as so was the phone I had in my hand. Trouble is I was trying out a ringtone when it happened so little old me got confused initially.

I eventually did answer the Snom only to find it wasn’t a sales call from the subcontinent but a survey (from the subcontinent). The caller told me he was from a company called UK Surveys, or simlar. I asked him where in the UK he was and told him I didn’t trust him so he put the phone down on me. Oh ok.

I told the family that these calls would start getting less frequent as I would be implementing call barring where the inbound number was withheld. This raised a chorus of complaints on the basis that the call might be important. My view is if a person doesn’t have the courtesy to tell me their number they don’t deserve to be answered.

Anyway we are now a landline-less household. The home number is virtual. It is the way of the future present. I am now also WhatsApp-less. A truly uninspiring experience. At least WhatsApp spam is no longer going to be receivable on my phone.

See previous tome on WhatsApp. If you get WhatsApp spam they have a page on the subject that isn’t massively helpful.

PS I realise some of might not consider one spam message to be “endemic”. I do.

PPS I’m back. Hols are over. They were great. Now I need to get some work done and lose some weight.

End User security

Global village – a world where everyone knows everyone else

Online privacy is a thing of the past

My son Tom is currently editing the next video. You will have to wait and see what it is all about but if follows on from last week’s pig racing (if you haven’t seen that vid click on the link – it’s very good). The next vid is taking a while because there was lots of footage that included kids faces. Tom, having been on the BBC’s political correctness course, is blurring out the faces one frame at a time!

Anne and I were in London over the weekend. There was a big cycling event going on – thousands of cyclists pedalling around St James’ Park, down The Mall, around Trafalgar Square etc etc. It was a bit of a stop start affair – lots of tourists trying to do the usual touristy stuff – being fleeced by ice cream vendors, buying cheapo tat at top dollar, you know the kind of thing. Oh and crossing the roads which necessarily involved frequent stops to the cycling.

I took a few photos. That’s what made me think about the global village thing. That and the extreme busyness of central London. The time is not very far off where I’ll be able to scan the internet for images of the people in my photos and find out who they are. In fact I can do it now to some extent – searching for similar images. The natural extension of this is real time video streaming from my Google Glass or other wearable device and in real time telling me who it is I am looking at. LinkedIn profile, Facebook profile, the lot. Our security forces probably already do this.

The consequences are a bit obvious. If I were to stand videoing the cycle ride for an hour or so I’d capture images of each rider’s face and subsequently be able to identify everybody who took part, including children.

There are many obvious uses to this application, good and bad all bad as far as I can see. One simple one is that advertisers could identify people who liked cycling and push them as for bikes, hemlets etc etc.

As the owner of, a site that makes its money by attracting visitors specifically interested in broadband I am keen on the idea of having new ways of targeting prospective customers to the site.

As a prospective punter I am less keen. I’ve decided I don’t like seeing ads eerily pushed to me on subjects that I am interested in. As often as not they are too late anyway – I’ve normally already gone and booked the hotel room etc. It makes me think that “they” know too much about me.

I’ve decided I am ok with finding things online using search but not ok with businesses finding out about me on the basis of those searches. In other words if I stick a page up saying I like baked beans and someone searches for people who like baked beans and finds me then that is ok. It’s not ok for me to know who those searchers are.

I realise this has big implications to the business model of the internet but I’m sorry, that’s what I’ve decided:).

There is another angle to this whole subject. In the good old days (where the average life expectancy was 40 and people lived as serfs in villages working from dawn until dusk for their master and died of cholera, typhoid, rickets, polio etc etc – you know, the good old days) we all lived in villages and every one knew everyone else.

Nowadays there are 7 billion or more of us on the planet and a big chunk of us live out our sad anonymous lives in large urban conurbations where don’t talk to our neighbours. There are in any case far too many people to be able to remember their names.

This will not be a problem in the future. With our new technology we will know who everyone is. People will start talking to others. “Hello Mr Williams/Gladys/Sanjay” you will be able to cheerily say to the neighbour down the corridor as you pass them coming back from Tesco. “How’s the alcohol/problem?”photo bomb

Maybe, maybe not. I’ll leave it to you to decide.

I’ll finish with a scene from our weekend in London. I’m taking a picture of my lovely wife Anne with the Houses of Parliament in the background.

Coincidentally someone else is doing the same thing. It looks almost as if the guy is photo-bombing our bomb

Actually from the second photo you can see that he was having his own photo taken.

I have no idea who he is but if someone can tell me his name I’ll buy them a beer. The technology is out there…

More on privacy on this blog here.

Bad Stuff End User security

Fancy a bit of stuff on the side?

Ashley Madison helps you find other people who want to cheat on their partners

The older I get the more I realise how sheltered I am. I spotted a comment by @ruskin147 on Twitter whilst whiling the time away waiting for a late train to arrive:

Intrigued I looked up Ashley Madison to find a site that arranged extra marital affairs for people and claimed it had millions of customers. Not my kind of thing. What all the attention was about however was the fact that Ashley Madison had been hacked and details of its users nicked.

Notionally the hackers wanted AM to stop charging people to remove their details. I’m not really bothered. He who lives by the sword dies by the sword. Harsh but hey…

I am more concerned with the concept that these databases can be hacked. Of course they can. Even the Pentagon apparently gets hacked every now and again. Shit happens.

I have lots of personal details held at many locations online – Facebook, Twitter, Google and maybe another hundred other places online where I have an username and password. It’s my choice to give this info to the specific websites.

What I don’t want is someone keeping all sorts of information on me without my consent that could will inevitably be hacked and published online for all to see. The government, in compiling its latest version of the Snoopers Charter would do well to note that no database is safe. They will take no notice.

It wouldn’t surprise me to find out that the Prime Minster’s voicemail account was actually hacked by the News of the World and that the information was being suppressed. Merely conjecture, rumour spreading, but entirely plausible.  I heard it on good authority from a man in a pub.

The only safe way to stop information from being stolen is not to store it in the first place.

PS note the trusted security award on the Ashley Madison site.

Bad Stuff End User scams spam

HMRC scam spam

HMRC scam spam forwarded to my accountant

Thought you’d appreciate this public service service announcement re HMRC scam spam. Got the following email text notionally off HMRC and with lots of links:


You can’t afford to miss your payment deadline

If you submitted a self-assessment form in January, your second payment instalment is due on or before 31st July.

Filing your return means you’ll know how much you’ll need to pay, making it easier for you to plan ahead and put money aside.

Here’s a short video clip explaining ‘Paying HMRC – Self Assessment’

Take a look at the following YouTube videos to find out about key dates regarding Self Assessment and details of how charges are calculated. Each is only a couple of minutes long.

Self Assessment: Tax return deadline dates (HMRC YouTube)

Self Assessment: Payment deadline dates (HMRC YouTube)

Self Assessment: Tax return late submission penalties (HMRC YouTube)

Self Assessment: Missed payment charges (HMRC YouTube)

You know it makes sense.

I thought it was a bit odd as I don’t pay my personal tax by instalments so I just forwarded it to my accountant without clicking on anything.

Lo and behold the accountant came back and said trash it it’s a HMRC scam spam (I like that phrase – not sure it accurately describes the email but it rolls poetically off the tongue so it’s in.)

It’s second nature for most people these days to distrust dodgy looking emails but you can get caught out. That unwary moment. The dropped shield etc etc etc.

Anyway gotta go and pick up a hire car as the Jeep is in being mended (again). Tomorrow we are off to York to film some pigs for If you didn’t see the last video you can catch it here. This one’s going to be similar but totally different.

You heard it first on…

PS loads of scam stuff on this site – check it out here.

Bad Stuff End User fun stuff scams

Stop Press – wonderful LinkedIn invite

LinkedIn spam

Just seen this wonderful invitation to connect on LinkedIn. See the featured image. As you can see it’s from


I was so excited by it I had to drop writing a post on how I’m going about choosing a new broadband provider and share it with you straight away.

We are back to the old Nigerian General with money to get out of the country scam. I assume so anyway. It’s such a pleasure to have them try it on through this new platform. Taken a while mind you but hey…

I didn’t click on anything or accept the invitation although I am just about to report it. It’s the first scam I’ve seen via LinkedIn. Facebook went through a phase of it whereby gorgeous women with large breasts (apparently) wanted to be my friends. Pained me but I declined them all (yes I did).

When I first saw this invite I thought it was from Wales – Bala is a place in North Wales. Anyway I leave you with a tune in my head – Abdul the BullBull Khadir. Olden but golden 🙂
Back to the other post. Mundane bread and butter stuff but just as important 🙂
Still time to enter the Wimbledon Competition btw.
Bad Stuff End User spam

Our records show you work in shipbuilding

Multiple spam phone calls in one day and how I hate being called Mike

It all started as I left the tube, just after 8am on Tuesday. The phone rang. No one calls me at that time of day.


The kids have hurt themselves or the office is on fire (metaphorically). Usually something bad.

So I answer..


Ominous pause..

“ ‘ello.. is that Mr Daly??”


“Im calling from ‘Some random posh sounding solicitor’s name’, our records show that you have been involved in an accident and are entitled to compensaaaation” (Yes… at least 5 a’s..)

Now, I agree, its a failing on my part that I just can’t hang up on these calls. I figure if I’m rude then I’m just being unpleasant to someone who, probably, doesn’t like the job but needs it to keep house and home together and doesn’t need me having a pop at them.

“No, I haven’t had any accidents so, no I’m not…”

“Oh, but we have an insurance application that..”

“No, really I’m not interested, please don’t call me again.”

“Thank you….. Bye..”


Click.. burrrrrrrrrrrr.

michael dalyAbout an hour later, the phone rings again..

I’m expecting a call from someone, no idea where they are based, so this could be it..


Ominous pause..

“Goooood morning Mr Daly, my name is Phil1, Im calling from the pension clinic2, are you aware that there have been changes to pension regulations, and we’d like to offer you a free pension health check”

“Yes thanks, I have my own financial advisor who I’m happy with so I don’t need your help.”

“Yes, but as I said its free and will only take a few minutes to take some details and we promise not to steal all your money”3

“No.. Really, no… please don’t call me again..”

The next one Lunch time-ish..

Now this one was a blocked number, and I know that you probably shouldn’t pick up a blocked number call, but my Mother-in-law blocks her outbound number and the last time she called during the working day, well.. let just say it was a good job I took the call.

“Hi, Is that Michael?”

“yep, who’s calling?”

“Hi there, my name is Kelly4, and our records indicate that you are entitled to a PPI claim for a mortgage you had in….”

“No, I have never had PPI…”

“Yes, many people think that but mortgages were mis-sold before (Some previous date), so if I could just take some details….”

“No thank you.. Good bye..”

By this point I’m just a little narked.. Then the next one takes the biscuit.

“Hi, is that Mike?”

Now, I hate being called Mike. You may as well call me George. Mike is not my name. It has NEVER been my name. The only person who gets (got) away with calling me Mike was Grandma and that was because it came with sweets or cake, and by the time cake and sweets stopped she was too old and fragile for me to get worried about it.

Even my teachers got ignored when they called me Mike.

Apologies to all the Mikes out there, there is nothing wrong with the name but its just not mine..


“Oh er.. can I speak to Mr Daly..”

“Speaking.. “

“Oh… er… OK.. Im calling from (wherever), Our records show…” (here we go again) “ that you

have worked in industry and may be entitled to compensation”

“NO, I have never worked in industry..”

“You have never worked in industry?”

What I want to say is;

“Well yes.. clearly I have, but not in the kind of industry you mean”

What I actually say is;

“Define Industry?”


“What do you mean by ‘industry’?”

“OH… our records show that you worked in shipbuilding”

I see the link – I used to work for a company that owned (among 30 other businesses) a shipyard..

“NO, I have never worked in shipbuilding.. Thanks for the…”

She hung up on me..

Thats a new one.. 🙂

Cue the tweet that triggered the invitation to write the blog…spam phone calls

I’m now a bit fed up.. the next call..


“erm.. hello, is that Mr Daly?”

“yep” (Blimey, that was terse.)

“Hi, this is Sarah from…”

“Sorry, Im busy, I have had enough today, I don’t care what you are selling I’m really not interested”

“Oh, ok.. Im sorry.. Just to let you know, that I have the quotes we discussed last week,”

(you remember the call I was waiting for..)

“…shall I just email them to you?”

A very large helping of humble pie, an apology and a quite pleasant discussion about cold calling.

But it’s not really cold calling. They must have my number somewhere, I must have forgotten to tick (or un-tick) the box that said please don’t bother me. So not reading the small print properly somewhere has caused this. Unfortunately I have no answer. There is no great reveal coming about how we all solve this problem.

None of us has the time (or, frankly the inclination) to read the 70 page list of T’s & C’s before we click the “I agree…” button because they are written in some arcane legal language that we just can’t read, without taking a course on British consumer law so we can understand it… (breath… ) so what we actually need is better protection from the regulators.

Most of this crap is some kind of scam. The goal is to get you to pay for a service that you can probably get for free if you do a little bit of work yourself. So its not actually illegal.

If only there was some kind of list.. Oh wait.. there is..

The telephone preference service is supposed to help you get out of this stuff.

Am I registered? – yep.

Does it work? – Nope.

Because somewhere, some time ago, I accidentally ticked (or didn’t tick) a box that enabled one organisation with iffy morals to sell my phone number.

So how about a bit of crowd sourcing?

Lets share all the random calls we get on a site, so we can add the calls to our block lists. I think there is even an idea for an app in there somewhere.

I think I know someone who can help with that.

1Could have been Phil, I didn’t hear properly..

2Could have been… cant remember that one either..

3I added the “The We promise bit…”



Michael is the Engineering Manager at Cloudflare, having previously designed, built and managed infrastructure and networks for Nominet, Mercedes Benz and Virgin (amongst others). When not at work, he can usually be found with his family or with a guitar in his hand.

Anything written here is his own work, and has nothing whatsoever to do with his employer. Follow him on twitter at @michaelscloud.

Business fun stuff spam

How to market online

Or online marketing marketed offline

The good old fashioned postman dropped some good old fashioned snail mail through my letterbox. I’m working from home today so excitedly picked the mail up off the floor and flicked through it.

One was addressed to “The lovely person who lives at…”. I gave it to son 2 to open as he was disappointed that there were no letters for him personally. “It’s a £130k cheque” he exclaimed excitedly (no strikethrough).  Nah. Only joking.

The letter was an invitation to “join the online community for Lincoln”. I sighed and put it in a pile of other junk ready for recycling.

Then it occurred to me that hey, here was a website trying to drum up business using traditional direct marketing methods. The website was called

Now I don’t know which B@$!&rd business has sold them my address. Maybe no one as the letter wasn’t addressed to me personally. Shouldn’t be allowed to spam me anyway.

Then I thought “what an expensive way to recruit new website users” and “how inefficient”.

Just goes to show how much money it really takes to get your stuff seen these days. The holy grail is free viral online marketing but that very rarely happens. When you are actively promoting something you get visitors to your website. When you stop this the visitors stop, or at least there are fewer of them. This is why you see lots of online affiliate marketing websites advertise on TV. It’s big bucks. The more visitors you want the more you have to actively promote the site.

This costs money in the case of it’s money spent on direct mail. It’s also probably money spent with a marketing agency. The letter tells me their site has been featured in the Guardian, Sunday Times, Woman & Home and BBC News. It is probable that this exposure was down to time spent pitching to journalists (one assumes). Money.

Woman & Home tells me who their audience really is, as perhaps does their mode of address. Personally I already have as many social media platforms as I can handle, probably too many as G+ isn’t doing anything. Without looking at it seems to me that Facebook already serves the same purpose as streetlife.

I won’t be signing up with streetlife. Call me a miserable git.

On the upside streetlife have now got themselves some major free exposure on 😉 As I finish a tune enters my head: Streetlife, there ain’t no place I can’t go…

End User internet security surveillance & privacy

Anderson Report on Terrorism Legislation

Anderson Report on Terrorism Legislation

The Independent Reviewer of Terrorism Legislation, David Anderson QC, yesterday published his report into investigatory powers. The Anderson report on terrorism legislation is almost 400 pages long and includes 124 recommendations so you need some stamina to plough through it.

Following the report’s publication Home Secretary, Theresa May MP, gave a statement (watch it here) to the House of Commons. She set out a timetable and provided some general comments:

A draft bill (Snooper’s Charter revisited) will be published in the Autumn and subject to pre-legislative scrutiny by a Joint Committee. A Bill will then be published early in the New Year with a view to passing a final act before the DRIPA sunset clause come into effects at the end of 2016.

While generally accepting Anderson’s recommendations, May seemed to question the viability of his proposals to require judicial authorisations for warrants, highlighting the need for balancing the responsibilities of the Judiciary and Executive.

In addition to the draft bill, Government will look at a reform of the mutual legal assistance framework (in response to the Sheinwald Report which has not yet been published).

The Anderson Report

Overall approach by David Anderson is as follows:
‘A clear, coherent and accessible scheme, adapted to the world of internet-based communications and encryption, in which:

a. public authorities have limited powers, but are not shut out from places where they need access to keep the public safe;

b. procedures are streamlined, notably in relation to warrants and the authorisation of local authority requests for communications data;

c. safeguards are enhanced, notably by:

i. the authorisation of warrants by senior judges;

ii. additional protections relating to the collection and use of communications by the security and intelligence agencies in bulk;

iii. greater supervision of the collection of communications data, including judicial authorisation where privileged and confidential material is in issue or novel and contentious requests are made;

iv. improved supervision of the use of communications data, including in conjunction with other datasets and open-source intelligence; and

v. a new, powerful, visible and accountable intelligence and surveillance auditor and regulator.’

This forthcoming bill is going to require very careful scrutiny and it will be interesting to see how many of Anderson’s recommendations are implemented. Governments have a habit of listening to these things only when it suits them. Theresa May is already suggesting that she wants the power herself that Anderson is saying should be given to Judges. It’s exactly this situation that we want to avoid.

In principle I don’t think any sane person can object to a government wanting to make it easier for themselves to catch more crooks. However we don’t necessarily need to give them authority to monitor every one of us. Why can’t they stick to just monitoring suspected criminals?

Thanks to the ITSPA secretariat for some of the inputs to this post.

Other Snooper’s Charter posts (lots of them) here.

Business security surveillance & privacy

Snooper’s Charter a honeypot for security breaches

Snooper’s Charter security breach – an “accident” waiting to happen.

The Snooper’s Charter, they aren’t going to get away from that name, is the proposed law where the Government seeks to legitimise spying on all our internet communications. They of course have very legitimate reasons for wanting to do this – national security, prevention of terrorism etc and promise not to look at the information of innocent persons.

I’m not going to go into the lengthy list of issues with this (list here). Except that is to say that one of my objections to the Snooper’s Charter is the fact that once the government has gathered all this communications data it will lose it. Once lost it will eventually it will find its way into the public domain.

“No no no don’t worry it will be very secure” says a government minister (I’m sure). “Oh no it won’t” says I, as sure as hard drives will fail or get left on a bus.

It isn’t just that the information will get left on a bus. Someone will hack into the vault where it is stored and steal it.

The latest news from the US is that some overseas government (allegedly) has hacked into the Office Of Personnel Management and pinched details of the entire staff of the US government.

Just imagine if this was the Snooper’s Charter database. UK government ministers would have details of their affairs made public, or at least placed in the hands of agencies that might make “good use” of the information.

Who will be the first to be blackmailed? When will the first really serious compromise of national security happen as a result?

This is just an example of a possible scenario. It could be information about you. No national security involved but quite possibly embarrassing. Maybe you don’t want the world to know that you buy women’s underwear for your own use, or that you are a trainspotter.

It will happen if we implement the Snooper’s Charter. It’s up to you to decide whether that is a good thing or not. I don’t think it is.

Snooper’s Charter security breach – an “accident” waiting to happen.

End User Legal security

Snoopers Charter Revisited – here we go again

Gets tedious doesn’t it, this constant battle to introduce defend against the Snooper’s Charter. You will all have seen from the Queen’s Speech (gawd bless ya Ma’am) that the Comms Data Bill (Snooper’s Charter) has been reincarnated into the Investigatory Powers Bill (Snooper’s Charter).

Page 64 is what you are looking for. Details yur if you can’t be bothered to look.

The purpose of this legislation is to:

Provide the police and intelligence agencies with the tools to keep you and your family safe.

Address ongoing capability gaps that are severely degrading the ability of law enforcement and intelligence agencies ability to combat terrorism and other serious crime.

Maintain the ability of our intelligence agencies and law enforcement to target the online communications of terrorists, paedophiles and other serious criminals.

Modernise our law in these areas and ensure it is fit for purpose.

Provide for appropriate oversight and safeguard arrangements.

The main benefits of these clauses would be:

Better equipping law enforcement and intelligence agencies to meet their key operational requirements, and addressing the gap in these agencies’ ability to build intelligence and evidence where subjects of interest, suspects and vulnerable people have communicated online.

Maintain the ability of our intelligence agencies to target the online communications of terrorists, and other relevant capabilities.

Provide for appropriate oversight arrangements and safeguards.

This will respond to issues raised in the independent review by the Independent Reviewer of Counter-Terrorism legislation, which is due to be published shortly.

The main elements of the clauses are:

The legislation covers all investigatory powers including communications data, where the Government has long maintained that the gap in capabilities are putting lives at risk.

The legislation will enable the continuation of the targeting of terrorist communications and other capabilities.

On the face of it none of this text is controversial. The problem lies in the detail. My guess is it is unlikely to have changed materially from its previous incarnation although the bit that says “This will respond to issues raised in the independent review by the Independent Reviewer of Counter-Terrorism legislation” is an attempt to smooth things over.

It’s the snoopers charter revisited. Our problem this time around is that the Lib Dems aren’t around to stop it happening. We may be in for a fight.

For a general read around this subject see the multifarious blogs on this site here. For a more specific list of issues see here.