Be careful firing someone who knows where the bodies are buried. (Also explains why Cummings didn't get fired when his Barnard Castle excursion came to light.)
Court papers indicate text messages from HMRC's 60886 number could snoop on Brit taxpayers' locations
Britain's tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed. Her Majesty's Revenue and Customs had the potential to use SS7 to silently request that tax debtors' mobile phones give up …
COMMENTS
Friday 28th January 2022 05:54 GMT Anonymous Coward
I have some sad news for you. The laboratory that was studying the potential for the Cordyceps fungi to infect mammals as well as invertebrates has reported a slight mishap, and several batches of the vaccine were inadvertently contaminated with Cordyceps teletubbi spores instead of the expected self-assembly 5G chips. You will not notice the effects yourself, but observant persons in your family may detect some minor signs.
Studies indicate that there will be no need to have an extra 5G booster for the affected persons, which is a small benefit in this unfortunate mix-up.
Thursday 27th January 2022 16:44 GMT phuzz
My dad had to fill out a passenger form recently, to fly back from Norway.
Being my dad, he didn't bother reading the instructions, so when it asked him for a contact number, he put in his home landline number, which of course meant he couldn't receive the confirmation SMS.
This got worse, because there was no way to change the phone number, and he couldn't create a new registration using the same email address.
I got him to use my email address and forwarded it to my mum so they could get it done, but maybe I should have just left him stuck in Norway ;)
(Mind you, perhaps the page should have checked that the phone number started 07, and rejected or queried the number otherwise)
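One way a form could apply the check suggested in the comment above: normalise the number the user typed and refuse to send a confirmation SMS to a landline. This is an added example, not code from the page or from any of the sites mentioned; the range rules are a simplified reading of the UK numbering plan and the sample numbers are Ofcom's fictional-use ranges.

```python
import re
from typing import Optional, Tuple

# Added example: reject numbers that cannot receive an SMS before the form
# commits to SMS-only confirmation. Rules are a simplified reading of the UK
# numbering plan (assumption: 01/02/03 landline or non-geographic, 070 personal
# numbering, 076 pagers except the 07624 Isle of Man mobile range).
UK_COUNTRY_CODE = "44"


def normalise_uk(number: str) -> Optional[str]:
    """Return the number in national format (leading 0, digits only), or None."""
    digits = re.sub(r"[\s().-]", "", number)
    if digits.startswith("+" + UK_COUNTRY_CODE):
        digits = "0" + digits[len(UK_COUNTRY_CODE) + 1:]
    elif digits.startswith("00" + UK_COUNTRY_CODE):
        digits = "0" + digits[len(UK_COUNTRY_CODE) + 2:]
    if not digits.isdigit() or not digits.startswith("0"):
        return None
    if len(digits) not in (10, 11):  # UK numbers are 10 or 11 digits with the 0
        return None
    return digits


def can_receive_sms(number: str) -> Tuple[bool, str]:
    """Decide whether an SMS confirmation can plausibly reach this number."""
    national = normalise_uk(number)
    if national is None:
        return False, "not a recognisable UK number"
    if national.startswith(("01", "02", "03")):
        return False, "landline or non-geographic number: cannot receive SMS"
    if national.startswith("070"):
        return False, "personal numbering (070): not a handset"
    if national.startswith("076") and not national.startswith("07624"):
        return False, "pager range (076)"
    if national.startswith("07") and len(national) == 11:
        return True, "UK mobile"
    return False, "not a mobile range"


if __name__ == "__main__":
    # Constructed inputs using Ofcom's reserved-for-fiction ranges.
    for sample in ("07700 900123", "+44 7700 900123", "01632 960123", "020 7946 0123"):
        print(sample, "->", can_receive_sms(sample))
```

A form that fails this check should fall back to asking for a different number or offering e-mail confirmation, rather than accepting the input and sending an SMS that can never arrive.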
Thursday 27th January 2022 17:14 GMT ChrisC
SMS-based verification can be a problem even when you *are* using a mobile number... A few years ago when I was still working on cellular modem-based products, we used to have a pile of PAYG SIMs from various UK providers for testing how our stuff worked on different networks. One provider then decided, without warning, that their PAYG topup process would send a verification SMS to the SIM being topped-up, which you'd then have to read and enter the code into the topup page to complete the transaction...
All well and good when the SIM is being used in a normal mobile phone with even rudimentary SMS capabilities.
Not quite so good when it's in a device tucked away in part of a lab test setup which you'd need to switch off in order to extract the SIM, temporarily stick it in an old Nokia you've had to dig out of your box of crap at home (because the cellular modems are all using mini-SIMs and none of the work mobiles will take anything larger than a micro-SIM...) in order to get the code and confirm the topup went through OK, then put back into the test setup and get it running again.
Even less good when it's in a device you've had installed on a remote test location without any issues for the past few months, which you'll now have to go visit just to swap out the SIM for one provided by one of the networks that still allows topups to be made without the need to verify anything...
Friday 28th January 2022 11:46 GMT Doctor Syntax
"Mind you, perhaps the page should have checked that the phone number started 07, and rejected or queried the number otherwise"
They're not alone.
Exhibit 1. Local restaurant has (maybe had; for reasons which will become clear, I have no way of finding out) booking software which confirms the booking by text to the phone number. Some children at BT have decided that obviously landlines shouldn't be left out from the SMS fun and implemented S/W to accept an SMS, ring the landline and read out: "This is a text message from $GabbledNumber $GabbledMessage".
The one thing that stuck from that was "thank you for signing up to our service". It's a scam, right? After finally sorting out what it was all about - nothing more than a booking confirmation - words were said which left the distinct impression that I hadn't signed up for anything and that if they thought I had I'd better be unsigned because SMS spam is even worse when it's read out as gabble. Given that they thought this was customer service I haven't booked there since, not even by mobile.
Exhibit 2. You don't need a computer to make dumb assumptions. Our landline number is on a poster advertising SWMBO's patchwork class. The poster is in the hall where the class is held. Anyone standing there reading it should be well aware that it's a local number. So the phone rang with a text message from $GabbledNumber wanting to know if the caller should bring anything to the class. No chance of ringing back as the only contact was $GabbledNumber, which has already receded into the irretrievable past. Whoever rang didn't turn up, presumably thinking that she'd been rudely ignored.
If the children at BT who'd come up with this scheme had properly tested it, including sending SMS messages to test subjects who weren't expecting the call, they might have correctly decided that it wasn't fit for purpose and should be abandoned. If they had gone ahead they should at least have supplied the originating number as CLI for the call so the recipient would have a chance of calling back to ask what the gabble was about.
Friday 28th January 2022 12:38 GMT ThatOne
> that it wasn't fit for purpose
Come on, since when is this a reason not to release something, if it has a slight chance of nevertheless earning you a couple of bucks?...
"Customer satisfaction" is an old quaint notion which has long gone the way of the Dodo; nowadays the name of the game is "shareholder satisfaction".
Friday 28th January 2022 14:17 GMT ricardian
I do have a mobile phone but I can only get a signal if I stand at the bottom of the garden or over on the far side of the road. I moved from Santander to TSB because Santander insisted that I had to receive my OTP via mobile phone whereas TSB (and Paypal) are quite happy to use my landline phone.
Thursday 27th January 2022 15:23 GMT MickMackMoik
Why would they make it illegal for citizens _not_ to do something like carry a tracking device or an ID card, when they can instead force regulated entities to make your life difficult if you don't do it?
That way 'all this new-fangled tech' gets the blame, instead of explicit state regulations which people might hold the state accountable for.
For example, PSD5 will make it impossible to use a card online without having your tracking device with you (and of course if you make a card payment in person, then they know your location because you're y'know - in person).
Thursday 27th January 2022 15:30 GMT my farts clear the room
Any anonymising forwarder services out there?
What happens if the end user is connected via WiFi calling? Three / O2 etc. offer inbound and outbound SMS and calls over WiFi...
Is anyone virtualising mobiles into a voip / wifi concentrator that receives SMS/calls and routes them down tunnels to the remote handsets?
Would all the crims be visible because their SS7 locations were a mast outside an industrial unit and a terraced house in Moss Side?
Asking for a friend .....
Friday 28th January 2022 12:46 GMT ThatOne
Re: Any anonymising forwarder services out there?
> What happens if the end user is connected via WiFi calling?
Actually even more precise location, since they know exactly where the WiFi endpoint you're connected to is, and WiFi has limited range.
No matter if it's a commercial hotspot or some private WiFi, Google (and Apple) knows precisely where it is on the map, and will gladly tell anybody who asks nicely.
Thursday 27th January 2022 13:21 GMT Gordon 10
WTAF
The operation of the service as described seems like a breach of GDPR to me.
At no time has my network provider sought my consent to provide my location to various unsavoury third parties. (The rozzers/emergency services are fine imo)
Telco Commentards - just how widely accessible/queryable is the SS7 protocol?
Feels like a class action is in the offing.
Thursday 27th January 2022 14:01 GMT Down not across
Re: WTAF
Telco Commentards - just how widely accessible/queryable is the SS7 protocol?
Kinda depends. The non-associated (not in voice-band) signaling used for SMS and HLR, for example, does require access to a Telco network. Given a fair few, some high profile, SS7 hacks in the last 10 years or so, things have improved somewhat and it's not quite as bad as it used to be. Still, all it takes is one telco to have a weak point.
Thursday 27th January 2022 16:57 GMT phuzz
Re: WTAF
I'm not sure why you got those downvotes, you're entirely correct. From the ICO:
The UK GDPR does not prevent you sharing personal data with law enforcement authorities (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. The UK GDPR and the DPA 2018 allow for this type of data sharing where it is necessary and proportionate.
Of course, we might think that HMRC having the ability to get location data from people's phones is not necessary or proportionate, but as the law stands, they are on the list of "Competent authorities" [sic] (see line 21).
Friday 28th January 2022 10:25 GMT Gordon 10
Re: WTAF
@David12.
It's complicated, and mostly one of outlook. The EU believes fundamentally in data privacy for individuals - the US doesn't. At the practical individual level you are right - there's probably not a lot to choose between them. Both the US and EU governments have stepped over the mark - but arguably it's habitual in the US compared to the EU.
It's different in terms of magnitude and the differing treatment of EU citizens. EU governments - more precisely their security arms - are more constrained in what they do, whereas the NSA/DoJ have a history of bulk hoovering and mass interception (and getting caught). There have been multiple instances of US Govt overreach that got the EU riled up. The Microsoft email case for example. US border cell phone seizures. Their habit of gaining secret access to data centres using FISA laws also doesn't endear them to the EU. Basically if you are an EU citizen in the US you have much less data rights than a US citizen and that pisses the EU off.
Lastly the thing you have to realise is the Spirit of GDPR is really cool and hard to disagree with, however compliance to every last inch of a bunch of legal rules written by lawyers with only a faint grasp of technology is virtually impossible even before you get to cross border data exchanges.
Which is why nearly everyone sensible takes a risk-based approach, but on the one end you get Facebook and AdTech firms actively abusing it, others keeping their heads low (Telcos & SMS triangulation), and people like Max Schrems - whom I admire but who is a bit of a fundamentalist on privacy - who will use any tiny clause of GDPR to go after Facebook and anyone else he fancies.
HTH
Thursday 27th January 2022 15:56 GMT Lon24
Re: Funny...
Yes, the delight of knowing which extradition treaty to bang the villain to rights had me agreeing.
Till I thought about other government departments using the same idea to locate folks who have very good reason not to want to be located whilst they exercise their civil rights (or what's left of them). Like No.10 checking up on some of Boris's own MPs who might be a little too near Melton Mowbray at this time.
Friday 28th January 2022 10:23 GMT Aitor 1
Re: Low hanging fruit
It is more about shaking people down for their valuables. Rich people tend to use expensive lawyers and accountants, so they are both more likely to file taxes correctly and able to defend themselves. Plus they might be politically connected, so breaking the law to go after them might be risky.
This is why when enforcement increases it is the middle class who suffer the inspections, the malpractices, etc.: rich enough to collect from, poor enough not to be able to defend themselves.
Friday 28th January 2022 19:35 GMT Anonymous Coward
Re: Low hanging fruit
I'm not going to pretend that tax collection is ever going to be well loved but it's that inequity that really rankles with people.
With a tax agency that's generally a bit crap and ineffective, the missed revenues are nothing personal. A tax agency that pulls out all the stops to squeeze particular people looks selective and, historically, that's revolution fodder if it goes on long enough.
Thursday 27th January 2022 16:19 GMT quadibloc2
The Real Issue
It's one thing if the police can locate people through data that is used internally by the telephone system.
It's quite another thing, though, if anyone - not just HM Revenue, but any private business - that uses a service, instead of a cell phone, to send text messages to people can request that their locations be given to it. The telephone service providers may have that information internally, as a result of how cellular phone calls are routed, but they should not be releasing it to anyone except the police.
Actually, location info should, of course, be provided in one other case in addition to use in assisting police investigations. It should be provided when emergency calls are made for police, fire, or ambulance services, such as when calling 911 in North America, or, I believe, 999 in the UK.
Friday 28th January 2022 11:54 GMT Anonymous Coward
Re: The irony… HMRC using a company owned in a tax haven
The freehold of HMRC buildings was sold to Bermuda-based Mapley STEPS as part of a 20-year PFI deal back in 2001, so the taxman has been paying rent to a tax-dodger... sorry, 'tax-payer in Bermuda'
Hmm... wonder who owns the property now? Private Eye need to be told!
Friday 28th January 2022 17:47 GMT Dave 15
Re: The irony… HMRC using a company owned in a tax haven
Yup, no wonder the government are screwing us all with yet another tax rise, they call it national insurance but it goes from my pay packet so it is income tax...
I don't think the government needs all these tax types and tax agents; a single flat tax is all we need, and a single flat benefit to stop people starving to death (though to be honest, given inflation in prices and deflation in the wages of 99.99%, I am pretty sure we are going to see that soon).
Friday 28th January 2022 12:03 GMT Citizen of Nowhere
Re: The irony… HMRC using a company owned in a tax haven
It would be ironic if they hadn't ;-)
"HMRC pays rent on its 600 regional offices from a company called Mapeley Steps Limited, which is registered in the tax haven Bermuda, as the result of a private finance initiative (PFI)."
April 2016
https://www.indy100.com/news/hmrc-actually-rents-offices-from-a-company-registered-in-a-tax-haven-7294711
"HM Revenue and Customs has struck a deal to relocate tax officials into a new office complex in Newcastle owned by major Conservative party donors through an offshore company based in a tax haven..."
November 2021
https://www.theguardian.com/politics/2021/nov/25/hmrc-to-relocate-to-newcastle-office-owned-by-tory-donors-via-tax-haven
Friday 28th January 2022 09:04 GMT Anonymous Coward
Location will NOT be available to HMRC via SMS
Mobile operators implemented ‘home network routing’ for SMS many years ago, resulting in only the network operator name, or the fact the number is no longer in use being learnt via SMS sending. This is aligned with what the HMRC discloses.
Even before they implemented home network routing, due to networks implementing ‘MSC in Pool’, you could only determine which country they were located in, and certainly not down to cell Id level.
The ‘other’ HLR queries related to the SS7 scandal were not SMS related and were blocked by mobile operators in response.
Friday 28th January 2022 09:51 GMT Colin Miller
Delivery receipt?
A mobile phone user can already turn on delivery receipts for all SMSs they send; when the SMS is delivered to the recipient's phone, an SMS is sent back to the sender's phone. AFAIK the recipient can't prevent this.
Likewise for MMSs you can request both delivery and read receipts, although the recipient can block sending both of the receipts.
Is there any reason why HMRC didn't use this, instead of SS7?
Friday 28th January 2022 10:06 GMT stungebag
This is how SMS works
Most bulk SMS senders wouldn't use SS#7 as that's the internal phone network protocol suite (or was, last time I looked some years ago). But this company did. That suggests that either they're being treated as a telco by their peers, or perhaps they aren't doing anything themselves; a real telephone company is doing the work for them.
In the GSM network any call or text causes a location lookup from the HLR. This is perfectly normal and not in any way sinister.
How else can the call/text be routed to wherever the phone happens to be today?