T-Mobile Data Breach Raises Retail M-Commerce Concerns

Written by Evan Schuman
June 10th, 2009

As retail IT execs start to experiment with—and actually deploy—mobile-commerce applications more, the realization that they have to rely on their new telecom partners to safeguard their experimental data is proving to be unnerving.

Recent incidents involving T-Mobile—where the carrier was forced to confirm some claims of a supposed cyberthief who said that he had hacked in and stolen databases, documents and scripts—don’t help.

As e-tailers have learned the hard way from E-Commerce, customers don’t care about tidy legal contracts assigning responsibility and quality-of-service obligations. If they go to a Wal-Mart or a Home Depot site and have a bad experience—whether it’s with uptime, a FedEx delivery hiccup, an incorrect order-status report, a glitching customer video review or anything else that the retailer may or may not be handling directly—those customers are going to blame Wal-Mart or Home Depot and might take their business elsewhere. If M-Commerce is on your plate, you need to get used to living by the carrier’s standards.

The T-Mobile situation is much more than unsettling. It’s also baffling, with the public positions taken by both T-Mobile and the supposed intruder being internally contradictory. (When a company seems to contradict itself in mid-statement, times are tough. When both entities in a conflict do it, welcome to telecom security discussions. If retail security in a time of PCI is 1984 and Catch-22, telecom security is Alice in Wonderland with major elements borrowed from The Lord of the Rings.)

This T-Mobile business started on Saturday (June 6), when someone identifying himself or herself as pwnmobile posted on the Full Disclosure mailing list that they had grabbed a ton of data from T-Mobile. “Tmobile has been owned for some time. We have everything: their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009,” the post said. “We already contacted their competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Please only serious offers, don’t waste our time.”

The post then displayed lines of code ostensibly from a T-Mobile server and asked that offers be sent to an E-mail address that isn’t working now (and it’s not clear whether it ever was).

The surprise came this week when T-Mobile took the unusual step of publicly confirming that the posted data had indeed been taken from a secure area of a T-Mobile server.

