Episode 10: Graham Wilson

AML Talk Show host Martin Woods with guest speaker Graham Wilson, a former police detective and telecoms risk officer, discussing communication data, mobile phones, data management and privacy in the context of UK statutes.

AML, Financial Crime, Graham Wilson, Telecoms risk

AML Talk Show Hosted by Stephen Platt

In this series of podcasts, our hosts Martin Woods and Stephen Platt will interview key figures in the world of financial crime prevention and examine successes and failures in the global fight against money laundering and related crimes including drug trafficking, bribery and corruption, sanctions evasion, human trafficking and tax evasion.

Transcript

Well, good afternoon ladies and gentlemen. It's early February 2020, and I have the great pleasure of being with Graham Wilson, who's a former police detective in London, and a former senior risk officer with a major telecoms company in the UK.
The objective of today's interview is to talk mobile telephones, and what sits beneath the surface of an iPhone. Apple has recently said there's more privacy on our phones than there is in our house. I happen to agree with that. So, we'll look at that, we're going to look at a little bit of due diligence...

Well, good afternoon ladies and gentlemen. It’s early February 2020, and I have the great pleasure of being with Graham Wilson, who’s a former police detective in London, and a former senior risk officer with a major telecoms company in the UK.

The objective of today’s interview is to talk mobile telephones, and what sits beneath the surface of an iPhone. Apple has recently said there’s more privacy on our phones than there is in our house. I happen to agree with that. So, we’ll look at that, we’re going to look at a little bit of due diligence. And hopefully, by bringing this external perspective and discipline to this conversation, non-financial services, we’ll all learn a great deal more. Heads up, it’s right to say, to be open and transparent, Graham and I both used to work together many years ago on the drug squad. Graham, welcome.

Thank you, Martin.

So Graham, we left the police many, many years ago, you and I. Actually, I’m struck now that the mobile phone features constantly in investigations. Just what level of evidence, and what evidence is it leaving, or intelligence is able to be gained from a mobile phone by the police service? We’ll move to the private sector in a minute.

There is as much information that sits on a mobile phone as there is in a bank account. So everything that’s transacted through a mobile phone leaves a footprint, in the same way that electronic money transfers, or anything that happens through the banks or financial institutions. It leaves a footprint. And where there’s a footprint, then there’s the opportunity to recover that data and use if for evidential purposes.

But, my bank account’s static. It sits in my bank, and I transact on it occasionally, because Mrs. Woods wouldn’t let me do it too often. But my mobile telephone comes with me everywhere. It’s receiving information from third parties communicating to me, and I’m communicating to them. And I’m also communicating to not necessarily unknown third parties, but I’m unintentionally communicating, aren’t I?

In some instances, yes. A lot of that depends on the privacy settings, but a modern smartphone now is a computer. It’s a small computer you take with you wherever you go, and it has your bank details on it. In many cases, people have their entire lives on a mobile phone. Hence, some of the angst when they lose a phone, because there is so much data and information on it. So in that respect, it’s no different from a static bank account. It’s just something that you carry with you all the time.

But the bank account is limited. The bank account is financial information, where if you have your WhatsApp, your Facebook, you’re giving lots more … You have a device, a mini-computer, which contains far more than your financial information, and how accessible is that to a third party? Well, how accessible by law for me to the police service?

All the data potentially is available, subject to requests under statute, which are governed by either RIPA, DPA, or any of the other statutes around disclosing personal information. There are set rules and guidelines around what you can and what you can’t request. But effectively, every single bit of data around comms data, which is everything that constitutes the messages in the devices and signals that are used by mobile phones to receive and send messages, around to all the personal data and any information around top ups, account information, that’s all available through your mobile phone service provider, provided you do it under statute and it meets the requirements.

And in the private sector, if an employee has signed, let’s call it a correct contract with an employer, does the employer have access to all that information if it’s coming through this mobile telephone slash mini-computer?

If the mobile device is part of the goods, if you like, or the equipment that is provided as part of your terms of employment, then there will be certain conditions that are set to those in relation to the information that’s contained therein and anything that you use it for. And again, that can be available.

Most companies will have separate policies and processes that sit around employee communications and what businesses can and cannot do in relation to comms data or any other data that’s held on mobile devices, whether it be a tablet or a phone. They’re both communication devices, so they both have comms data. But again, in order for them to use it, yes they can, but they still have to go down the route to request it formally under statute. They can’t just automatically use it.

And the San Bernardino incident of several years ago with a terrorist suspect in America brought into focus the tensions between everybody’s privacy. And the data may be held on a device to belong to a terrorist suspect. What’s progressed since then? Am I secure, or do the authorities have a master key that can open any device absent a password?

Best of my knowledge there is no master key. Passwords can affect what can be recovered. But again, are you talking specifically about data that could be recovered as a result of an order through a mobile phone comm service provider, so you’re looking at what data they retain within their records, or data that actually physically sits on a phone, that if it’s in your possession can be subject to a forensic examination? Two big differences.

I am a bit of an IT dinosaur. What sits on a phone that is not data stored with a telecom provider? Might that be documents, or emails? What would it be?

Yes, documents, emails, SMS messages, instant messaging, things like Whatsapp, another instant messages. When you send those, things like Whatsapp are encrypted end to end, and it’s a big selling point for them. I think they’re owned by Facebook, if I remember rightly. But again, when you’re sending a message, as with tech messages, that data is not retained. The service providers are not allowed to retain it because it constitutes interception, and there are specific, strict rules around what interception, particularly for the UK. I don’t know what happens in other countries. Some are more lax than others, but the UK has a very strong process around it.

But if you actually physically have the device, so for instance if people want to know what messages you’re sending, even if you deleted them, a forensic examination using specific forensic tools may recover some if not all of the content of your text messages and who it went to. Likewise, you as the sender and me as the recipient, we both have phones, you could effectively put together an entire conversation.

And so can we deal with a myth or mostly confirm the truth of a rumor, can somebody buy a device that will recreate text messages that have been deleted?

Not to my knowledge. Certainly not from an airwave point of view. You physically need to have the device that was used to send or receive that device to have any chance of recovering the actual content of a text message.

So in a hypothetical matrimonial situation, one party to a acrimonious split has access to a mobile telephone, can they recreate text messages even with a court order?

The court order probably wouldn’t work. You’re looking at specific orders through the home office for interception. So from a live point of view, intercepting messages is subject to specific to security measures. To actually recreate text messages that have been sent you would either need the device that is used to send it or to send it back, they’re not retained. Mobile phone companies-

If I deleted my messages, can somebody recreate them?

Using forensic recovery tools, yes.

That’s not born of paranoia, that’s just an inquiry.

No, no, no it’s not.

I’ve nothing to hide, everyone!

Potentially, yes you can. It’s the same with other devices, laptops, tablets, satnavs in cars. Anything that retains records even if you delete them, there is a potential for those to be stored on the memory.

So again, back to a workplace situation and investigations that we may be drawn into, the police, and maybe an employee. Right now, you can locate my mobile telephone by triangulation of what [inaudible 00:09:56] has communicated with us, I’m here if a call comes in, and historically you can do it as well, right? You can track where a phone was at certain times?

Yes.

And moreover, I’m back to this … I’m very conscious of the way the crimes unfold from when you and I were in the police service. And now, I think you said this, the mobile telephone features so much in investigations and the evidence from it, the intelligence on one hand, but the evidence in the call is almost irrefutable, right? It’s scientific that day, that time, place, that telephone was used and made a call to this number. That’s a non-disputable, right?

It’s an electronic record that in many cases is irrefutable.

And so I recollect, I think we were talking about a story of the robbers entering a premises wearing crash helmets and mask and gloves seeking not to leave any physical evidence at the scene of the crime and when they’d finished, one of the robbers called his friend on the mobile telephone and said, “Now bring the getaway car.”

Very similar circumstances to those. And again, it’s not just that on it’s own. You actually need to know that that’s happened, to give you an indicator, so CCTVs is a great help. So just relying on a mobile phone on its own, from an investigator’s point of view, is one tool you are looking for an accumulative effect of the different red flags, different tools that you can use to investigate. But certainly, what we haven’t seen, unless it’s CCTV, one of the suspects actually physically using their phone allows you to do something called a [inaudible 00:11:26], or you can request it.

It’s not common, it’s not something that anybody can do. Again, it has to be subject to a very specific order through a law enforcement agency. It’s not something that even a civil investigation team can do. It must be through law enforcement. But effectively it gives you a complete dump of all selectivity in that particular area between specific times using algorithms and analysis you can, in certain circumstances, pinpoint down what phone number was used at that time, when you have a phone or a number of devices that you think have made that call. You then have all the call data that is available for that phone from this crime situation. Not just the simple fact of going, I think this is all done, take all of that load, thanks very much, it gives you background now on who he is.

That gives you a bit of a jigsaw puzzle, almost like from a financial investigation as a starting point. You then use that to cell service providers, go back to, I want to know numbers A, B, C, D. Previous numbers, who they’re subscribing to, IMEI numbers, can I please have call data records? If they’re pay as you go, then you’ve got to look in the top ups, and at any rate top ups are completely anonymous to a certain extent, yes, but the data from a post talk phone is exactly the same as the data from a contact phone.

You mean the data of the call to the call are actually … You worked for a major telecoms provider in the UK. Can I top up my mobile using cash? That’s probably going to be in our premises, here. Is why does a CCCV camera capturing me data time place topping up, right?

Often times. Potentially, you can also do it over the phone.

Okay, but then if I’m over the phone, I can’t do it with cash.

Can’t do it with cash, but you can do it with pre-paid debit cards.

Okay.

So there are a number of options. How many places actually have CCT really, if you’re going to [inaudible 00:13:23] agents. There are so many places where you can go in for cash in and receive for that to top off our mobile phone.

So, these are referred to as pay as you go, burner phones, dump phones. There is a lot of intelligence, that even if it’s used for a particular criminal enterprise, and then discarded. There’s a potential lots of intelligence, and even evidence, attached to that phone, and that phone number, and the IMEI number. So that’s talk about the pay as you go in a minute for now. And then let’s talk about different numbers that apply here. Well the reason, a lot of intelligence on pay as you go can be secured, right?

It’s the same electronic data, the same electronic footprint is left by pay as you talk phone as it is by a contract phone. The only difference is that contract phone is associated to a subscriber with a monthly payment of the fee back [inaudible 00:14:12] credit card. So that gives you lots of identification data. The pay as you talk phone is just simply the same without having the registered subscriber, which is not legal requirement in the UK.

In some countries it legally required?

Some countries it is, yes.

Okay, so Let’s talk about numbers then, I have a mobile telephone number, I have an IMEI number. What other numbers are there which store data, relate to data, and how do they fit into the whole thing with a phone and the call records?

There’s your SIM card. So the IMEI number is a unique identifier for the actual device itself. Now that isn’t interchangeable, so that sticks with the phone. But in order to make a phone call or try and send a text message, you need to have a SIM card. And the SIM card creates a record which is called the IMSI number.

How is that spelled?

IMSI. It’s the International Mobile… now you’ve got me.

Is that a combination of the SIM card and the actual IMEI coming together to create the IMSI number?

So the actual IMSI number, and I don’t know if we’ve had conversations about this in the past and it may have been a little bit misleading, the actual IMSI number, which is the subscriber number, which is the mobile phone number, which is the SIM card itself. Those two, in order to make a call, a device needs to have a SIM card to make the call. The only difference is now, you can use WhatsApp and similar WiFi calling where you don’t need to have SIM card for it. So you can still use your device, but to do a standard phone call, or to send a text message, you need to have the SIM card.

And that SIM card contains a lot of information about the number and the phone. And when it generates the call data record, you’ll have the IMSI number and the IMEI number which will associate the two. So the SIM number is interchangeable, you can take your SIM card out from one phone and put it in any other phone that you want to, where the SIM card is compatible and where the network itself is compatible to that SIM card.

So you can have two call data records, can’t you? You can have a call data record for a telephone, and a call data record for a SIM card. And they can be different depending if the SIMs have been switched in the phone?

Soon as you switch your phone, then the call records will change which is very relevant particularly when we are looking to identify things such as the SIM swap calls, which is certainly impacted on the financial institute.

Tell us more about that. Because you work a lot with a group of UK telecom service providers and financial institutions to combat a crime type which is known as a SIM card swap. What was that crime and how effective has communication been to reduce that crime?

So firstly, SIM swaps are a very genuine and very regular issue that happens with all [inaudible 00:17:07]. So it’s not to say that every single SIM swap is bad. So there’s a very high proportion of SIM swaps which are quite legitimate and since coming different houses, if you are changing your phone, you’ve got to change your SIM to match that. So there are genuine transactions. But what the SIM does, is basically control the telephone number, so your telephone number follows you, your device doesn’t necessarily because you can change it.

So what it allows is, bad guys, who have sufficient personal data, information about you, who want to access your financial records, transfer of funds, particularly around bank transfers, [inaudible 00:17:48]. Most of the banks use their secondary authentication as a one-time four digit code which is sent bites to your device which is on file. So they will use the information that they’ve obtained to contact a mobile phone provider and effectively, take control of that number.

So they will ask to swap the SIM to a new device, which will effectively, your phone will lose signal. You won’t be able to make or receive phone calls or text messages.

And they will retain the number? The number is retained?

The number is retained.

But how instantaneous is this? How long will it take them? Hours, days, minutes?

If you were to phone up a mobile phone company and say, “can I have a SIM swap?” They would affect it straight away. And it can be instantaneous. Normally, the SIM swap can take up to 24 hours.

Why would I SIM swap within the same network? Would that be because I’ve got a different contract? So I’ve motor phone, I don’t want to swap for a SIM that’s still motor phone?

Yup.

Would that be because I’ve got a different contract?

No, it could be because you are changing your device. And you’ve got a Micro SIM and a Nana SIM, and you’ve got the wrong SIM and you want to change it. You’ll see Micro stop working, it might’ve got wet, it might’ve got broken or damaged, and you want to swap it.

Okay.

So there’s a lot of work that’s been done by all the mobile networks. Certain conjunction with some of the work that has been done with the banks and financial institutions and there is a good working relationship with them. There is an organization called the FF Framers, the Financial Fraud group, which sits in London. And they have an intelligence team, which for telecom’s intelligent side has spent a lot of time relating with the working world. So there is work that goes on between the two, crossing the street, and I’m not entirely sure how many people appreciate how much work goes on to help combat this. But a lot of what is going to change the rules and make it more difficult to do SIM swaps and make it highly, this transaction requires a great level of identification.

A user, if I was impacted by someone accessing my account, and engaging in SIM swap fraud, my phone would stop working right?

Your phone would stop working. You wouldn’t be able to receive or send any phone calls or text messages. The little bars on your phone would go…

And I couldn’t even phone my provider and say, “excuse me, what’s going on?”

No, unless you are on a smartphone, which you use WiFi.

Okay. How is the bad guy targeting in the first place? What was the intelligence coming from? Is it coming from within the bank? Is there a rouge in the bank saying, “this is an account worth attacking.”

Invariably not. Invariably, it’s social engineering, fishing, vishing, smishing. Which ever one of those particular types of transactions you want to do. And it’s farming for present data. And it could be in the form of an email that’s sent innocently to your email, hundreds of them get sent out every minute. By people talking, and contain viruses or malware which can infect the computer and effectively then allow the bad guys to pull off personal data from within that email account. Could you bank-

And the way that they then identify, through that malware, that there’s money in my account worth taking, then they initiate the SIM swap? Because I’m wondering if the whole thing’s fishing, and they do the SIM swap and hope I’ve got some money in the account?

So, from my experience, the SIM swap is the final piece in the jigsaw, because that’s the final piece of the transactions required to affect the transfer. On the information they need, they’ve already got access into the account, they’re in the account, they pick transfer, and the second level identification tab comes up, we will send your four-digit code to your phone number, you click send. Within 30 seconds you’ll get a text message to the phone which they now control, which has the number that will input the code, and the transaction’s complete. So the SIM swap fraud aspect is probably the very last piece in the jigsaw puzzle.

And the bank is on the hook for that? They think they was given authorization by the customer, but they were not.

Yes, they’re not.

Hence the banks have very busy records, telecom companies, good, very good to reduce that fraud because they’re on the hook right?

So, again, when we’re online banking, it’s something I was always distrustful of, but having seen some of the levels that the banks have gone to to increase the security in it, and for me to access my online bank account is now almost like a work vault [inaudible 00:22:28] to actually get in to do that.

So now you’re a believer, you’re an online banker?

I’m more comfortable with online financial transactions than I was, say five years ago.

When did you switch over?

Don’t know, about 8 months ago.

All right, but that’s a long journey.

I actually didn’t have an online bank account until about 6-8 months ago.

But I don’t. First, that’s new. When you showed up to the room, I get old school, old fashioned. What other frauds then, that you can share with us, there’s a mobile phone play into financial services.

In what respect?

Is there a hijacking of the phone? Or is there some interference with the phone that’s unbeknown to the customer? Or is that the primary one, the SIM card swap?

It’s the most favored one, because there’s maximum bang for your buck, using that sort of expression. SIM swaps can also be used for mobile phone conferences, ordering devices, on the [inaudible 00:23:32] that are compromised. But effectively, if you can get into a mobile phone, you can control that particular phone number and that person’s bank details, their email accounts.

So we often transfer to money to stop ordering goods using…?

You can order all the goods, you can close down whole email accounts and open up new email accounts. Set the terms of alternative delivery addresses, which is again one of the red flags for address changes away from [inaudible 00:24:02]address. But if they have access to your phone, and all the data that’s sits on your phone-

Email access of course, because they can memorize it what by what, every way.

And if they enter your email accounts, then they can do untold damage, which is very quick to do and difficult to prevent. In effect it’s quite old school and [inaudible 00:24:20]

So how do I counter it?

The simple safe guards. One of the biggest things that people see, and you see it, you must’ve, people sit in coffee shops, sitting on the train, using a train’s free wifi, or sitting in coffee shops and using hotspots. 99% of those are completely unsecured.

Right.

Which means people using those, unless they have sensible safeguards in place, are effectively sending to everyone out there, “here you go, take my data.” Because it’s not secured, its not encrypted, and anybody with the right level of equipment, with the know how, can access your main accounts, or your devices that you are using. You’ve got a tablet on the table there, that contains as much information as the phone does. It’s endless amount of information.

So simple safeguards like, and you hear about this, I’m not a salesman, VPN’s, Virtual Private Networks, relatively inexpensive and they effectively provide a security tower.

It’s what big firms have been using for a long time, right?

Effectively, yes.

How do firms stop their staff and put some type of control in place [inaudible 00:25:38] and being and doing as they’re told? How do firms stop their staff from using hotspots and using unsecured networks?

Education.

So there is no physical, if the phone has it’s own mind and said, “look there’s a hotspot available for us here, should we use it, yes or no?” That moment it’s down to…

[crosstalk 00:25:55] if I pick up a number for instance, I have an iPhone, and on the settings here, I can pick up WiFi, you can enable hotspots, you can turn them off. Something as simple as that is important. NFCs, near field communications. So I’m sure you’ve heard, I know my wife in particular and my daughter has it, and when she’s out shopping, she’ll walk past a particular shop, and within 30 seconds, she’ll get an email, or she’ll get a WhatsApp or text message giving special offers at that particular shop. And that’s big business.

Because it’s targeted in a way because of proximity as well. It’s all down to did I turn off or turn on near field communication?

So it effectively tells people where you are. It’s like having your location data. Do you turn location on, do you not? If you’re constantly in places where you’re looking at your maps, or using some of the compass apps, or a number of other apps, you will get a prompt that comes up and says, “Turn your location on, go to settings.” I always have mine off, it’s the same with Bluetooth. Do you automatically have your Bluetooth switched on? There are many security settings on your phone, very very simple. Which you can set yourself, which will give you protection.

How many companies put in their contract that you must not turn on near field communication, you must not use Bluetooth. Have you seen those kinds of contracts?

I haven’t. And to be honest with the near field communications is an advertising and marketing tool which is worth big bucks. It’s big business, it’s an industry all in itself, which is the advertising and marketing around mobile phones for people when they are shopping. Quite legitimately. I know people that love it, and they can’t do without it.

On about [inaudible 00:27:50] Mrs. Woods might want to know should she put my dinner in the oven yet? Am I near home? So she tracks me that way. Again, that is this crossover between privacy, and if it was a company phone, the companies phone, so there are limits to what a company can tell you to turn on and off do you mention or no?

They can advise and recommend, but the customer has a right to be able to know what it can and what it can’t do. What services are available and what are not. If there are particular security issues, and you’ll find the banks doing it, and I’ve also noticed mobile phone companies are now doing it, if there is a specific issue affecting their customers. You’ll may well find that they post something on the front page of their websites. The banks [inaudible 00:28:35] have been very good about that recently, particularly that scam center or particular scam sites, mobile phone companies, and now businesses are doing exactly the same.

Okay, so given lots of information, referencing back to San Bernardino, there’s a lobby that would suggest the authorities want access, need access to all this information to keep us safe and we, to do that, have to totally surrender privacy. That’s a win for the terrorist isn’t it if we do that?

I wouldn’t actually agree with that.

Good, because I like people to disagree with me on these podcasts.

I understand people must have the ability to know that their data is being protected. But also, as a family man, as you are, I also want to know that my wife and my family, immediate family, my extended family, and my friends, have the best level of protection that we can give them.

Now the data that we have available to us would, unchecked, potentially allow for some rouge behavior, but with the right safeguards in place, I don’t foresee any massive concerns for me. If there’s a [inaudible 00:29:51] and from a terrorist or a bad guy point of view, that can only be bad news for them. Because it basically means we have more past their elbow.

If you go to NCIS, program on television, it’s very popular, it’s been running for many many years, and there’s a guy there named Tim McGee, and I do love him, because they walk in on this episode and say, “I’ve got his telephone number” They tap the keyboard, and this information comes up straight away. It isn’t actually like that, but if that’s what you’re potentially talking about. Provided the data is available for use by security forces in a controlled environment, I cannot see there is a massive argument for saying, “You shall not do this, because it impacts upon my privacy.”

Well, we are almost going to get into politics about how your governments or preferred party might use your data and people desperately seem to hang on to power for example, might use your data to target you of an election campaign. Who knows? And numbers, you’ve got me onto a whole different subject. Let’s talk reverse telephone number directories.

Yes.

What are they? How do they work? And where are they actually legal and illegal?

They’re exactly what they say they are, you can go into the internet, any one of the search engines, and you can type in a telephone number and you might get a result, you might not. At the very most, you’d be able to tell which network it’s on, in some cases you can tell whether it’s live and on what network. But from a subscriber point of view, there is no specific mobile directory that’s available. But there are licensed tools which provide consented data, which can potentially identify a person from a mobile telephone number.

But, remember that what it does is it tells you that that record matched against a particular person on a specific date and time. It doesn’t necessarily say that that’s their phone.

And which countries, does that happen in the UK?

In the UK.

So they’re always consented data in those circumstances?

Different types of consented data, but effectively if you will sign the contract, or you put your name to record of any sort, you have a number of boxes you can tick around your rights. Because all of them have to tell you what your rights are and how people will handle your personal data and your security information.

What happens, if you don’t tick the box, or you do tick the box, depending on how it’s worded, that then becomes consented data. If you don’t tick the box, or mark there to say that you don’t allow them to do that, lots of people don’t. Then that data can potentially be sold or used for fraud prevention, for marketing diligence, for credit checking.

And to where am I when I go to an industry seminar or conference, and I keep having to take my chance and put my business card into the goldfish bowl to try and win the raffle prize. Am I giving implied consent to use my data because I want a free lunch or a free raffle ticket?

This is a conversation we’ve had before, isn’t it? Effectively, and how I explain it, when they’ve said, “put your business card into the bowl, and we will pick the winner out, and the winner will get so and so from it.” Whether that is consented data or not, you’ve got to look at what’s personal data?

So some commercial data can also be personal data. I’m not an expert on the data protection or the GDPR, so I’m not going to go down that route, but on a business card, if your given 500 business cards as public business, you’re expected to use those, you’re expected to give that information away. So in doing so, my view is that data becomes available for you to use for contact databases, for anything you want.

So it’s got my name, it’s got my mobile telephone number, that is provided to me by my company, and the bill is paid by my company.

Potentially.

Does the phone number there not become personal data because it was a company business number?

That’s a question I can’t answer for you.

But it’s interesting, because you might take ten lawyers, you might get ten different answers, hence…

Potentially, but if it’s on a business card, which you are open to giving out to third parties who you either know or don’t know, then my argument would be that that’s data that doesn’t become personal data because you’ve consented to it being given out.

Yeah. I was at an event last week, and people were encouraged to put their business cards in to win the prize, and credit the actual event organizers, they said, “per data protection, this is not marketing. Having drawn the winner, we will be destroying all the other cards, your personal data will not be used or will not be lost.” What methods for destruction, they didn’t go into.

So again, people might not be aware of the fact that you can put your phone number in, because going back to that we were police officers many years ago, fraudsters may have multiple addresses to operate their fraud. But very seldom do they have multiple telephone numbers, because they only want to carry one telephone with them. And consequently, when you’re looking at due diligence, not a lot of people failed to recognize due diligence, it’s usually check certain loan systems to see do you already have this person, particularly on the telephone number.

Yes.

That’s a failing at times for a lot of people with moving fraud. The telephone number is often a constant, static. It’s always on. You can have a false name, but the number has to be the same, because why do you have to carry a belt full of telephones?

You mention about burn phones earlier on in the conversation. Certainly, dedicated bad guys will use, and I’ve seen it, I’m sure you have, they’ll use one phone for one job. But the difference from that is, even though it is a throw away phone, the data itself is not throw away, that data still remains.

For the law enforcement agencies, they’re required to return call data records for up to 12 months. And that’s for law enforcement.

But any other records, contacts, or any other information, the IMEI number, the SIM number, or any other cam information, top ups, or any other information that’s available from the raft of columns that you get on a call data record, that data can bank for a period of time. And even if you’re dealing with and offense two, three years down the line, potentially the data that you get from that might provide you with a [inaudible 00:36:34] fact on everyone. So there’s no such thing, for me, as a burn phone or a throw away phone, just forget it, we’re not going to get anything.

Yeah because even for the job, you turn it on, it’s a communication device for this particular operation between the criminal and the third party or parties that they’re engaged with, so at a point it’s turned on, you can locate trace, where was it when it was turned on? Where was it made that call?

You have a cell ID for the time that cell event started and the time it ended.

And where it was. But it’s roughly…

The cell ID will give you the location where that particular cell signal was done at the time. You won’t necessarily get the actual location data from it.

And when you say location, do you mean a broad location? United Kingdom is location, Europe is location. So how narrow can we look?

Where we are now, you’ll probably have three or four cell masts within five hundred yards of each other.

Okay so it’s going to give me a pretty narrow location.

And again, the cell signal will be transmitted by the cell site which has the stronger signal. If your out in the countryside you may have cell sites 2-3 miles apart. So that’s the difference, but it’s for me, and going back to my police days, it is far more practical and sensible to turn that data in and retain it at the time, you’re not going to come back 6 months later and say, “I wish I’ve got that” when it may no longer be available because you’ve started your retention periods. It doesn’t take a huge amount of time, but again it comes down proportionality, does what you’re investigating warrant the additional work.

Did you know it, right now, some police officers you’ve worked with until last year when you left to make a telecom company, some of these guys and ladies are smart enough to know, the first thing you’re going to go for to my mobile telephone data right?

Yes.

Because it’s such strong evidence, the intelligence is far better, it connects parties together who may say, “we don’t know each other” Well, following the phones, you spoke together on that day. It’s pretty strong stuff isn’t it? It solved a lot of crime, this stuff.

It is, but because now, the majority of the UK adult population, and many of them under the age of 16, have phones, at least one phone, some have more. A lot of crimes that need investigating means that there’s a lot of phones that need interrogating. So one of the issues that comes in is how relevant is it to the investigation? Do I really need this?

I had one person fill out opinion, it’s a bit sad, if you think it’s relevant as the investigating officer, then you should be allowed to get it.

There’s a big cost factor isn’t there?

There is a cost factor in it, but also there is a proportionality behind it. The level of data that you want to get, for instance, if you’ve got a phone number, and you ask for subscriber check from the police disclosures team. The DPA, the rules around the disclosure request are that you can only be given what you ask for. So it matters not what else can be seen by the police disclosures team, if you’ve asked for the subscriber details, that’s all that they are legally allowed to give you.

And so police disclosure team is the teams at work in the major telecom companies serves in these requests for information?

All the telecoms company units that sit with them, police forces, and they will have this [inaudible 00:39:58] as single points of contact. They will have access to [inaudible 00:40:01]system, which is the system that runs all out. They can do certain checks themselves, because there are protocols in place if we’ll have them do that.

But You must’ve seen that evolve from an early stage. You worked for this major telecom company and for other telecom companies for over ten years. You must’ve seen that evolve, that those requests are smarter now? They’re more forensic and they’re asking for information other than just who is the subscriber of this phone?

It’s a Catch 22. Because then you potentially have to ask subscriber for this phone, if it’s contracted you want all the account details, bank information, if it’s a pager talk phone, you want to have the call data records with IMEI numbers, you also then want to have associations, so you want that telephone number to be associated to any other ambiance.

And the payment method. When was it bought, how was it bought, top up, there’s lots, even as you say, that burner phone, there’s a lot of information.

But then it comes down to proportionality and justification for making the order. So every order is examined and the police disclosure team is in the mobile phone, all the telephone service providers, they have a duty to review all the applications and to make sure that they’re justified and they are proportional.

But in the private sector, if we are victims of a major fraud, and we see this mobile telephone number’s in there, it helps us to know what’s available, because we can certainly ask the police, and then we even have our own lawyers workout, how can we even fund that? How can we pay? So listen, go and get the orders, whatever it cost, we’ll pay the police officers, go and get the information. Because it’s important to us to recover their money and or find the people and stop them from doing it again.

Again it comes down to proportionality and ultimately, each request has to be signed off, pre signed by an enforcement agency by the supervisor officer. I’m not aware of what the actual authority levels are, but I know that has to happen, so potentially, there may be a restriction. And may be that we’ll have to do two or three, and it’s not unusual to see. What’s his telephone number? And we’re supposed to talk no other information. You come back and say, “well can I please have the telephone records.” And they come back and…

Don’t see that as the end of it.

Don’t see that as the end of it, depends entirely from what’s been investigated and whether it’s relevant? And that’s from the police side. From the civilian side, from insurance companies, or from private investigation companies, they don’t have the same level, where they have to request information under the data protection act. That goes through to separate team that would then assess it.

Yeah, I think in these times when the level of online crime increasing so much, more corroboration and support we can give to the police working with us when we’ve been a victim of a fraud, must help.

But let’s move away from investigations, let’s talk due diligence really and how the phone plays into that. So presently, you work for a company called Fusion 85. Tell us a little bit about what Fusion 85 do.

They’re an international brand protection anti-piracy and anti-counterfeiting company.

Okay, so you have multinationals, what you are touring the web and actually seeing where the brand might be abused or where people are selling counterfeit goods in that name?

It’s intellectual property theft, an infringement on intellectual property in whatever form it takes. And honestly, we have a number of different aspects of that which require for me, a common sense investigation type mindset.

Well using that common sense investigation type mindset, before you went to Fusion 85, you worked for major telecoms for investigation companies, so when major telecom companies looking at big new contracts, and you worked in partnership with the financial services on defeating certain kinds of frauds, what a difference in due diligence applied by telecom companies and those for banks for new customers?

So I think up until recently, the big difference is that banks and financial institutions have been regulated for many years. Telecom’s industry hasn’t, up until recently, with money transfer in some of the products they’re selling, they haven’t been. But also, the scope that financial services and markets act now covers, and the regulated market, means that some of the services that mobile phone companies and fixed line companies provide mean that they are then…

Payment service providers, right?

So that’s made this a bit of a mindset and mind change around the due diligence process that sits behind certain parts of the KYC process.

Yeah, and that evolution. So many years ago, and Tescos and Sainsburys, initially went into cash handling. They went into fund to reduce their cash handling charges. Then they looked at banking and said, “you make a lot of money here, we got automatic customers that are in the banking business.” Are we going to see most telecom’s companies thinking, they use our devices for this? We are facilitating the international payment, we might as well become payment service providers and make money there.

Good question, I can’t answer that one. It’s something, whatever the mobile phone industries are going to do. It’s going from being a mobile phone service providers to being communications providers, separating from data or a fixed line, a broad band and mobile phone services. So there is potentially no stopping them looking at end revenues.

Okay, apparently you are good at this, and we spoke about it before, I have never, to my knowledge, accessed the dark web. If I’ve done it, it’s inadvertently. And you do at times, in your investigations, you’ve done this and you’ve done it with Fusion 85 because you’re targeting people who are criminal organizations seeking to sell counterfeit goods and that’s often the dark web market place. So I’m a due diligence person, financial services, should I be learning to access the dark web? Or should I be using a professional to do it for me?

You could do both. But it may take a while for you to actually learn about dark web, I don’t have a specific knowledge or experience of it. I know certain aspects of it, I know enough about it to use professional service providers who do this all the time and actually provide services to small, medium enterprises up to the multinationals. And effectively, the thing to remember, is there’s three different parts of the web. There is the surface web, which is the stuff like going along and searching for, shopping for bits and manners if you want.

Then there’s the deep web, and that’s the bit where you have personal information which is protected, so it’s a deeper part of the web where you can’t specifically ask for [inaudible 00:47:09] online account. You have to go into whichever bank you’ve got and then you open and use your login credentials. So that’s the deep web. And then you’ve got the dark web, which is the bit which is not indexed. So you can’t look at the dark web or go into the dark web on a mobile browser. You need to have a specific browser that will allow to go to it. So you will find that if you see a web address that is .onion at the end of it, then that effectively means it’s a dark web. So you can’t just go into the dark web and search for credit card details, you need to have a specific form of reference to go to which is a URL. So the companies that do that, are specifically set up to do it quite legitimately, with all the governance and protocols and set guidelines in place.

My personal preference would be that, I would use a reputable third party agency to do that. Because they can look up, not just for things like personal data or for devices, but if you’ve got [inaudible 00:48:07] with individuals, you’ve got VIPs and your board, or whatever, you are looking at a threat landscape which might affect your organization or able to get inside of it.

Okay, and that’s pretty explanatory, I would definitely go for the third party and when might I use that for due diligence or for an investigator? Let me put some context around this, I’d like my community, a global financial service community I’m speaking to right now compliance colleagues, to subscribe to the notion, you can’t hold me accountable for something I didn’t find on the dark web when I barely even know how to get on the dark web. More so if it’s on the first level of web, not the deep web. So the first level of web and it’s available to me, to the media, you can google it, it’s high profile, and you were just talking about these allegations against APAP, and I’m ignoring it. I made the account, I may need to explain why I didn’t know, why I didn’t react, but it’s in the dark web, I didn’t even know it was there, so there should be no anxiety about not finding something on the dark web if I did find it and hold you accountable, right?

It’s not a yes or no answer. I think you’ve got to look at, again it comes back to the threat level or the risk level, your particular organization is looking at. They’re different. So potentially, mobile phones which landscape is different than that of a global money lender for a number of reasons.

Would you provide some level of due diligence for a mobile telephone company taking on consumers, small business or the large businesses as you would to a global money lender who’s potentially lending out hundreds of millions, if not billions of pounds to third parties for whatever reason. But you would probably want to enhance due diligence around the money lending as you would to a mobile phone customer.

You would spend more, using the word you used earlier on, proportion, I would say it’s a level of risk, and the risk in this instance is losing all of your money, so makes sense.

I’m going to go off on a different track. How then, have you used or seen used, social media in your due diligence processes? Be it Facebook, WhatsApp, LinkedIn. Where I have a LinkedIn page and I’m saying to a potential employer that’s my friends, I’m always saying, “look at me, look at me, look at me.”

And again, that’s a problem, that you’re putting it there. There’s even a section on LinkedIn that says, what are you looking for, why is it that you’re looking for employment? But you can set your own privacy settings. So you can restrict people who can see your profile. You can also restrict who can see that you are looking at them. So there are security settings for that.

If you were out then, you haven’t got the right security settings. A due diligence professional searches you, looking at a part section, they can find an awful amount of information about me because my social media activity.

Not just about you as an individual, but about the type of posts that you’re sending. For instance, geofencing, so there are third party service providers who will effectively give you the facility to look at social media posts which are coming out from a specific geographical area.

For example, in investigations, you’re looking for have we lost any sensitive information over a particular period of time? Then there are tools that exist that allow me to see some of the major social media posts.

Who may have been talking about you.

They may have been talking about it. And again, they are very powerful tools in the right hands, but they can also be very powerful tools in the wrong hands.

So to get back to your question earlier on about should we make everything available? If it’s available, the right people use it. You always have to run the risk that the wrong people may also get a hold of that data.

Yeah, I know and actually when we go on a plane, we now have to have a lock that the authority can open, but I’m going on a plane [inaudible 00:52:33] and I accept that. But in my ordinary day to day life, I’m not giving anyone a key to my information. I’m entitled to my privacy, my secrets, and we could debate that longer. We won’t.

Final point for you, last week I was advised that somebody, a firm, the due diligence committee, located an individual using a chip on his dog. Is that legal?

Potentially yes.

How and why? The dog didn’t sign anything?

Right so, for instance, there are [inaudible 00:53:07] for an operation but they have a product which is very [inaudible 00:53:11]. So I have three pets, I have a bag, and I have the auto, and they are effectively, little chips that you put in the dogs collar to track it, in bags.

Is for the kid, we saw this emphasised…

It was quite interesting.

It was good.

And then they also have a plug in device which you can plug into your car which acts as GPS tracking device.

But that’s private information, I want to know where my dog is, I don’t want you to know where my dog is.

That works in the same way as your phone does, it has a SIM card inside it.

But that’s a private company. How does a private company access that data, it’s more than the police. If I hired a private due diligence company to locate my dog, it wasn’t mine, but you know.

The only way they could legitimately do that is through requesting data from the service provider. Also of course, in a civil court.

Absent to that, that’s probably not legal what I did.

[inaudible 00:54:04]

Probably. In certain jurisdiction, but probably not legal, right?

Right, so it is possible. There are legal, legitimate means, by your example, for a dog collar with a chip in it. You can potentially track a person from that because that leaves a data footprint in the same way a phone does, and where that data exists, then you can recover it, legitimately and potentially-

But what it leads me to, if and when some of the listeners are engaged in an investigation, or a form of due diligence for a big piece of business, you need to be very careful which third party you engage with, and the processes they use, because it could leave you exposed as well.

Absolutely. Because if you are found to use data that’s been obtained without the right authority, then in the same way that from a police point of view, if you turned evidence on failure of PACE, then you not only lose that evidence, but everything that’s formed from it. From a commercial point of view, you can then effective find yourself liable to prosecution potentially and also to all the negative band impact that will come with that. So again, yes, it is important not only to understand who you are asking to do this, but for them to justify and actually quantify providence where that information is coming from, the legitimacy of it.

That’s fabulous. Just for the listeners, PACE is…

Police and Criminal Evidence Act

Of 1984 is it? Are we that old?

We are that old, both of us.

But it’s a very important piece of legislation that covers a way investigations and evidence are produced in UK Criminal Courts.

Graham, you’ve been very very helpful, very insightful, thank you so for your time and I wish you well with your new world.

Thank you Martin.

See less