This is page 2 of:
T-Mobile Data Breach Raises Retail M-Commerce Concerns
The surprise came this week when T-Mobile took the unusual step of publicly confirming that the posted data had indeed been taken from a secure area of a T-Mobile server. But T-Mobile said it’s not a concern because officials there “believe possession of this alone is not enough to cause harm to our customers.”
Fair enough. This is implying—appropriately—that if the cyber thief actually had the kind of juicy customer information that he/she implies he/she has, a sample of that would have been posted instead of the relatively innocuous lines of code that was published.
If this was a serious ransom attempt, the seller would certainly have to disclose more details to any prospective buyer so at least a sample might as well be disclosed upfront. (How such a public random offer could work is another mystery, as the seller would almost certainly have to assume that some of the prospective buyers would be undercover Secret Service agents. But that’s another issue.)
USA Today had a nice take on another part of the statement. T-Mobile’s statement said: “At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible.” That prompted USA Today to ask: “If you’re a T-Mobile patron, your mind should now be at ease, right? According to T-Mobile, until you otherwise hear from them, you can discount Pwnmobile’s claims that he has been pilfering from the T-Mobile’s databases ‘for some time.’”
But it gets better. T-Mobile then added to its statement, saying that the document was “copied” by Pwnmobile and that the document “did not get into his hands via a hack,” according to the USA Today story, which then quotes that same supplemental T-Mobile statement as saying—with a presumed USA Today paraphrase–that T-Mobile’s “investigators can’t yet say for certain how Pwnmobile got his mitts on a copy of the document.”
Wait a second. If T-Mobile doesn’t know how this document got out, how can it say with such certainty how it did not get out? On what basis are they ruling out that someone hacked in and grabbed that file? Surely they can’t be relying solely on server logs as that’s the first thing that an intruder would alter.
It doesn’t help that T-Mobile’s owner, Deutsche Telekom, confirmed last year a data breach grabbing some 17 million records. Could the file in question have been part of that heist? Do bad security habits run in the family?
For years, T-Mobile has been among the most aggressive telecom companies in the area of tracking customer locations, using technology that has allowed them to pinpoint more precisely and in different ways than others, which might explain why they’re such an attractive target.
But no matter how the T-Mobile situation turns out—and please don’t rule out the possibility that we’ll never officially hear how it turns out—this should be something that all major retailers need to seriously consider as they move into M-Commerce. This isn’t to say that they shouldn’t make those moves, but that they have to insist that their new partners take data as seriously as they do. (pause) Ok, perhaps I should rephrase that last line.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
