
Privacy commission probes telcos, banks on smishing

Rappler
Telcos tell the NPC that the smishing and text spams can be traced to companies web-hosted in China and India

The National Privacy Commission (NPC) on Monday, November 29, announced that it launched an investigation into whether telcos exercised diligence and accountability in transacting with third parties called data aggregators that may have links to the recent spate of text messages supposedly offering jobs and investments.

The government body ordered Globe, Smart, and Dito to submit documents and information that will show the specifics of their data flows and transactions involving data aggregators.

Data aggregators are organizations that collect and process data sets from various sources and repurpose these for various uses. In its press statement, the NPC defined these as possible “legal entities tapped by companies such as global brands to act on their behalf and deal with telcos in blasting promotions and other company messages to their customers.”

“At the meeting with the NPC on November 24, the data protection officers of Globe Telecom and Smart Communications revealed a complex chain of data aggregation and handling, involving data brokers, that is bringing new challenges to compliance and enforcement,” NPC commissioner Raymund Liboro said.

The telcos told the NPC that the smishing and text spams can be traced to companies web-hosted in China and India. Smishing is short for SMS phishing, or phishing through text messages.

Globe identified one data broker, Macrokiosk, in its report to the NPC. Macrokiosk is said to have been tapped by a firm named China Skyline Telecom, and was identified by the telco to be the primary source of messages that “share the theme of job hiring and contain a WhatsApp contact link.”

Globe found about 1.55 million such messages that went through its network from November 11 to 21.

Aside from telcos, the NPC also issued orders to the Union Bank of the Philippines and GCash parent Mynt regarding their data flows. These two, according to the NPC, are the main payment channels where victims were asked to direct their money for the questionable investment schemes. Victims were enticed to deposit larger sums in exchange for bigger commissions.

Last week, the NPC reported that the surge of text scams may be linked to a global syndicate.

Liboro said they are also pushing for “attestation.” Through attestation, the NPC can “trace the owner of a number used in calling or sending texts as these are listed in a registry.”

An inter-agency group was formed to combat these scams and other related incidents. The group, formed on November 26, consists of the NPC, Cybercrime Investigation and Coordinating Center (CICC), Department of Information and Communications Technology (DICT), National Telecommunications Commission, Department of Justice (DOJ), Department of Trade and Industry (DTI), Department of Labor and Employment, Bangko Sentral ng Pilipinas, the National Security Council, and the Anti-Money Laundering Council.

The CICC, headed by executive director Cesar Mancao, is the lead agency. The NPC said the group “will serve, among other things, as the hub that will receive complaints from cellular phone subscribers and will be tasked with forwarding the numbers used by scammers to telcos for blocking.”

The DOJ said on Friday, November 26, it would coordinate with its counterparts abroad to build cases against the perpetrators of this cybercrime.

The NPC has also encouraged telcos to “continue blocking these data aggregators, as well as the numbers, domains and internet protocol addresses that enable the smishing and text spams.”

Smart Communications has blocked at least 60 web domains relating to these scams while Globe has blocked 1 billion messages since January of this year. The telcos are said to be cooperating fully with government bodies, and proactively promoting awareness campaigns. – Rappler.com