Data breach from T-mobile? It will be worse.

Currently reading
Data breach from T-mobile? It will be worse.

2,486
840
NAS
Synology, TrueNAS
Operating system
  1. Linux
  2. Windows
I've stopped wondering. Large companies employ such light-skilled people in the field of security (and not just there) that this simply has to be a topic. People only notice the problem when their house is on fire rather than when it is already a disaster. CFOs appear to be born on the same planet in the same crater.

Last week, I returned from a business trip to a western EU company with more than XX subsidiaries worldwide. I try to keep them anonymous. You'll find out why. Very "modern" manners manage the company. Literally. I got into the building without anyone stopping me or ask me who I'm ... the people standing in front of the door let me go. Then I got into a beautiful open space. No lobby or reception. Right in the middle of the building. Straight to the coffee "capsuled" machine and cooling box with everything possible. Since I didn't know anyone there, I was waiting for a "local" who was on his way to the office. So I asked a passing young man if I could make coffee - sure. And if they have WiFi there - of course, there is a password on the board.

So I came to a big board where many (stupid) keywords were written, which are "in" today. And there were two big messages - a password for guests and a password for corporate. So I took the corporate, just for a check. Connected. So I turned on the scanner - everything connected as well. A moment later, the "local" came and greeted me warmly. Subsequently, we continued the topic of our meeting - how do the data science and data security rules for this kind of operation. I handed them my findings - the result - no one was surprised. No one even realized what that meant. "Who would put a long and complicated password in there?"

The next day I saw the same thing on that board as yesterday. Who cares? A data breach?
This company has an evaluation of + XXX M $ and works exclusively with end-customers data. Much more sensitive than telephone contacts. I will not describe more.
P.S: And the corporate WiFi password was "companyname2021". And, of course, that WiFi was available from outside.
 
Regarding T-Mobile and other mobile phone operators … remember that banks etc use SMS as a ‘strong’ mechanism to ‘secure’ access your data. All underpinned [undermined] by the telco customer service department’s much laxer security procedures.
 
@fredbert
I have to confirm that our banks use 2FA. And yes, the telco or entire utility segment is in the Stone Age.

Back to previous experience:
I ended my two-day debate in the start-up mentioned above with a recommendation to watch the Silicon Valley series from Netflix. It's a great educational resource for anyone who thinks that buying a system is everything solved. It should be part of the teaching in high school already, including professional interpretation of the events. Because this whole world is one house of cards built on the foundations: profit counts. I am correcting myself - company evaluation counts, regardless of the real profitability, for stock exchange purposes.

And since it is currently "in" to collect and analyze data, the start-up decided to build one large monolithic Data lake. So, I was not pleasantly surprised that they were looking for a way to get data directly from local production systems. Directly!!
So I asked, who is the Solution Architect for this project? Answer: None of them and they don't have such resource.
And when I drew the idea of a Local / Domain Distributed Data Lakes connected and orchestrated across the centre on a large glass board in their gorgeous open office, they said that's exactly what they do.
To my question, what is the purpose of their API that requests data directly from production databases - Answ.: so that we can get that data into a central data lake. So I asked if they had done an analysis of the data models of each input system. Answ.: they do not have - when necessary, so they will ask the locals. I asked where they want to do ELT:
- locally with knowledge of how the data was created,
- or in the central monolith, where they have no idea what comes to them.
Guess what their answer was - Well, of course, in that monolith.

So I showed them what caused it. They did reports through Tableau. Google advised them that Tableau is high in the Gartner magic quadrant. And that counts. They didn't know how to do it, but they paid large enough costs for licenses. One of their reports defined the degree of customer satisfaction with their services ( service tickets). It was enormous, over 90% every week. Great. Their marketing colleagues received excellent bonuses for it. The problem, however, was that the base of those >90% values was calculated from the <2% customer response rate from answers they didn't know who was answering (the one who gave the ticket or the one written in the contract). But they had excellent reporting, and that counts.
And since the investor is not interested in profit, but in the evaluation of the company and a successful IPO, the house with the cards will fall. As similar.

There were 12 people in that room (including four connected via Zoom). The oldest could be 28 years old. None of them has ever worked on a similar project. I have no doubt they are good at the algorithm they came up with, but the ecosystem needs rules. And this seems to be problem # 1, for similar start-ups.
In order to maintain my mental health, I decided not to continue cooperating.

Off-topic:
I have noticed that similar companies are literally an attraction for SalesForce vendors because they offer them an all-in-one as the easiest possible way to "success." Along with SAP, someone somewhere figured out that if they want to go start-up for an IPO, they must have SAP and SalesForce. OMG.
SAP marks your own data as SAP property and asks you to pay licenses for the data used in 3rd party systems.
And a SalesForce that will push you against the wall (cost) if you want to customize.
It's one snowball.
 
remember that banks etc use SMS as a ‘strong’ mechanism to ‘secure’ access your data.
Have you tried mentioning this to anyone in your bank? They just look at you like you’re someone who’s been living in a cave for the past 15 years and just walked into their branch. I tried it once, I looked so stupid. Now I encourage them to write the PIN numbers on their client’s ATM cards, so far they’re not listening 🤣
 
I got one bank to allow a landline number as that is less likely to get moved rather than “I’ve lost my phone can you transfer my number to this new SIM card”. Another wouldn’t so I opened an account I don’t use but it’s the one they give a keypad that works with all their other accounts/CCs.

I’ve had so many conversations, inc with the security team, about when they call me and ask me to prove who I am. When I ask them to prove who they are …???? !! Now I call back after a while on a different phone line. Plus I never enter an account number in the automated voice system as that’ll be remembered in logs at both the handset and phone system.

It’s all about reducing risk to the business not the customer.
 
Have you tried mentioning this to anyone in your bank? They just look at you like you’re someone who’s been living in a cave for the past 15 years and just walked into their branch. I tried it once, I looked so stupid. Now I encourage them to write the PIN numbers on their client’s ATM cards, so far they’re not listening 🤣

Too few people live for tomorrow. Most live today. They want to have better than yesterday, but with minimal energy expenditure. So, who would bother with something similar?
Does it work? It works. :unsure:
 
Does it work? It works.

"If it works don't fix it" – until you get hacked…
…deny it,
if discovered,
minimize its impact,
if the cover is blown up,
bring consultants,
if not enough, bring more consultants, change the security partner and the service name (and to be on the safe side, fire some people too).

Life is good, people are stupid. Another 4 digit sms arrives. Login. "if it works, don't fix it"
Repeat…
 
I will probably submit an application to change the Pareto principle from the original 80/20 to the current 95/5. The population is growing, and the probability of meeting someone wise decreases (in terms of the number of absolute meetings).
Then try to talk to someone on the topic, e.g. o global warming. On a daily basis, I meet people who do not recognize the difference between predictions and scenarios. But they can talk about how "computer models" are poorly set up for climate change research.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

How much you bet: That message would come with a link to: (Guess what!)
Replies
8
Views
1,926

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top