Reports are being released that French police have arrested a ring of mobile phone hackers involved in fraud worth millions of Euros. Nine people have been arrested, including employees of mobile phone companies.
The French fraudsters were buying codes to unlock victims’ SIM cards for €3 from employees of mobile phone companies who had access to the companies’ databases. They then sold the codes online for €30. Using these codes hackers could access any SIM card – even overseas SIMs – with their own mobile phones.
The employees did not hack into the database; this was an insider attack in which they abused normal functionality and the privileges granted to them. It was probably a case of over-privileged users, as these employees probably should not have been granted access to that data in the first place. In this scam, the employees sold the codes so that the actual fraudsters could use them to make money.
This gang has been operating for around 10 years. Not coincidentally, 10 years ago database security and access controls were all very new concepts. The telco companies would probably have put in place a very initial, raw access control policy back then and not updated it in the years since, as these companies grew into huge enterprises.
I don’t believe that many employees start working with an organisation with an initial intent to steal data; rather, they are usually approached by someone else who can use the data for nefarious purposes. So the real malicious person, who is usually part of an organised criminal gang, makes the big money, whilst the layman takes the blame when caught and is poorly rewarded compared to the risk involved. It is down to the organisation to monitor and control access to sensitive data to prevent this type of insider fraud.
A database activity monitoring system that looks at the rate at which data is taken out of the database would have detected this problem. However, a simple monitoring solution is not enough: access to the database usually goes through an application, so you need to be able to maintain end-to-end visibility through all the different tiers.
The system should alert on any abnormal amount of data retrieved from the database. It should also apply geo-location analysis and alert on illogical access to the database, such as a user who should not be accessing the data so many times, or who retrieves a large number of records in a single session.
The reason you need end-to-end visibility is that users connect to a database via an application, and the application accesses the database through a pool of connections using a single account. If you only monitor the traffic between the application and the database server, you see a single account making all the access requests, so you cannot distinguish between individual application users and cannot say whether the number of records accessed is acceptable. That is why you need to maintain end-to-end accountability.
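As an added illustration of the last three paragraphs (example code, not from the original post), this Python sketch contrasts what a database-tier-only monitor sees through the pooled account with what per-user attribution makes possible; the audit-log format, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from the original post). The application tier
# records the real end user behind each query; the database only sees the pooled account.
# Fields: timestamp app_user db_account rows_returned
SAMPLE_LOG = """\
2023-05-01T09:00:01 alice svc_crm 1
2023-05-01T09:03:12 bob svc_crm 1
2023-05-01T09:06:02 carol svc_crm 1
2023-05-01T09:06:05 carol svc_crm 1
2023-05-01T09:06:09 carol svc_crm 1
2023-05-01T09:06:14 carol svc_crm 1
2023-05-01T09:06:20 carol svc_crm 1
2023-05-01T09:06:23 carol svc_crm 1
2023-05-01T09:20:00 bob svc_crm 40
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, app_user, db_account, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "app_user": app_user,
                       "db_account": db_account, "rows": int(rows)})
    return events

def rows_per_db_account(events):
    """What a database-tier-only monitor sees: every query folded into the pooled account."""
    totals = defaultdict(int)
    for e in events:
        totals[e["db_account"]] += e["rows"]
    return dict(totals)

def detect_abuse(events, max_rows_per_query=10, max_lookups=5, window=timedelta(minutes=1)):
    """Attribute queries to application users and flag the two patterns the post describes:
    one query pulling an abnormal number of records, and a user performing more than
    `max_lookups` lookups inside a sliding `window`. Thresholds are illustrative."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["app_user"]
        if e["rows"] > max_rows_per_query:
            alerts.append((user, "bulk_retrieval", e["rows"]))
        # keep only this user's lookups that fall inside the window ending at this event
        recent[user] = [t for t in recent[user] if e["ts"] - t < window] + [e["ts"]]
        if len(recent[user]) > max_lookups and user not in flagged:
            flagged.add(user)  # alert once per user rather than on every further lookup
            alerts.append((user, "high_lookup_rate", len(recent[user])))
    return alerts
```

With only the pooled account in view, the 48 rows look like one busy service account; with the application user attached, carol's burst of lookups and bob's single bulk pull stand out individually.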