T-Mobile Data Breach Raises Retail M-Commerce Concerns
Written by Evan Schuman

As retail IT execs start to experiment with—and actually deploy—mobile-commerce applications more, the realization that they have to rely on their new telecom partners to safeguard their experimental data is proving to be unnerving.
Recent incidents involving T-Mobile—where the carrier was forced to confirm some claims of a supposed cyberthief who said that he had hacked in and stolen databases, documents and scripts—don’t help.
As e-tailers have learned the hard way from E-Commerce, customers don’t care about tidy legal contracts assigning responsibility and quality-of-service obligations. If they go to a Wal-Mart or a Home Depot site and they have a bad experience—whether it’s with uptime, a FedEx delivery hiccup, incorrect status reports, a video consumer comment that glitches or anything else that the retailer may or may not be directly handling—those customers are going to blame Wal-Mart or Home Depot and might take their business elsewhere. If M-Commerce is on your plate, you need to get used to living by the carrier’s standards.
The T-Mobile situation is much more than unsettling. It’s also baffling, with the public positions taken by both T-Mobile and the supposed intruder internally contradictory. (When a company seems to contradict itself in mid-statement, times are tough. When both entities in a conflict do it, welcome to telecom security discussions. If retail security in a time of PCI is 1984 and Catch-22, telecom security is Alice in Wonderland with major elements borrowed from The Lord of the Rings.)
This T-Mobile business started on Saturday (June 6), when someone identifying himself or herself as pwnmobile posted on the Full Disclosure mailing list that they had grabbed a ton of data from T-Mobile. “Tmobile has been owned for some time. We have everything: their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009,” the post said. “We already contacted their competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Please only serious offers, don’t waste our time.”
The post then displayed lines of code ostensibly from a T-Mobile server and asked for offers to be made to pwnmobile@safe-mail.net, an E-mail address that isn’t working now (and it’s not clear if it ever was working).
The surprise came this week when T-Mobile took the unusual step of publicly confirming that the posted data had indeed been taken from a secure area of a T-Mobile server.