Thursday, September 05, 2019

Insecure Security at the DMA

It's been a while since I've had a chance to write up anything, having been so busy with consultancy work over the last few years.

A number of people have asked what steps I'd take to keep their phone numbers off spam call lists, and the answer is simple: don't give them out in the first place! However, that's not really a practical approach, is it?

Having had to go through the pain of successfully chasing spammers and cold-callers through the courts over the last half decade (because the regulators for advertising and data protection weren't willing to lift a finger), I've devised more manageable approaches.

More likely to work are burner numbers from platforms like Hushed, which allow you to create a number (at a price) for a set period of time. I find this really useful for CVs (resumes and business profile documents for tender submissions) with companies I've not worked with before or job sites I know not to trust, and also for email signatures at client sites.

Often the level of information security required means that I must not move client information off their own systems, which necessitates an email address on their platforms. They also usually prefer a signature, so I supply my own company details and a VoIP / burner number.

Once I've finished the client visit or project there's no need to get in touch, so the number is removed. Same thing with tender documents and resumes: once I have enough clients I close down the entry on the job sites or notify the companies that those tender documents are out of date.

Of course with your own phone number it's a bit different, so wherever possible use the Telephone Preference Service (TPS). It's run by the Direct Marketing Association, which describes it as a way of helping its members adhere to PECR and the Data Protection Act. That's not really the whole story. PECR regulation 22 already prohibits unsolicited marketing emails and texts without your prior consent (with a soft opt-in for existing customers); regulation 21 prohibits live marketing calls to any number whose subscriber has objected, and the TPS register is simply the statutory list of numbers that count as having objected. The Data Protection Act, for its part, requires a lawful basis for any storage or processing of your personal data and requires you to be told where it was obtained. Which means that the DMA's explanation of the TPS mechanism dodges the issue at heart: where did they get your data, and what makes them think you want to speak to them in the first place?

You see, if a spammer or cold-call centre had asked you for your permission to acquire your data (cf. buying a leads database) first and you'd said "no", the TPS list would be unnecessary.

The concept of TPS then must focus on the scenario where you've engaged with, for example, a company to buy their products but never specifically stated that they may use your details for marketing purposes. If, in this example, the sale does not complete, you should always state that the company may not re-use your personal data for any reason. If they were happy to store your data received verbally, they must also accept a verbal notice to destroy that data.

This stops the issue at source, although if they later cold-call you, you'll need proof of that original conversation; email or support tickets are usually easiest.

Once you're on the TPS register, any organisation making live marketing calls to UK numbers (DMA member or not) is expected to screen against an up-to-date copy of it; the ICO's guidance is that the copy should be refreshed at least every 28 days. This should ensure that you don't get cold calls from UK-based or UK-operating organisations. Bear in mind that TPS covers live voice calls only, not SMS or email, and that overseas callers who ignore it are much harder to enforce against.

Every year they'll send you a reminder email to renew your TPS registration, which is ridiculous. If you haven't spoken to a company for over a year, why would you suddenly want to start getting cold calls and spam again? It's bad enough that we're playing cat-and-mouse with the malvertising platforms; we shouldn't have to deal with the direct approaches too.

This year's re-registration was a little more worrying: the email I'd received not only explained why and what, but included the username and password I'd need to log in and verify re-registration. As an aside, this is terrible practice. Instead of account details I could register with initially and tidy away into a nice, secure password manager, they're not mentioning any account creation and are sending me a username-password combo in a plain-text email! Added to that is the fact that the password is entirely numeric and less than ten characters. It'd take one of my Raspberry Pis and John the Ripper the grand total of about 30 seconds to brute force that (assuming a hash had been acquired).
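To put a number on that estimate, here is an added example in Go (not code from the original post, and nothing taken from the DMA's system) of the digit-only search that John the Ripper, or a few lines of your own, would run against a leaked hash. It assumes the stored credential is an unsalted SHA-256 digest, which is purely an assumption for the demo: the page says nothing about how the password is stored, and a slow salted hash such as bcrypt would change the estimate by orders of magnitude. The 6-digit password and the 9-digit upper bound are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Keyspace is the number of digit-only strings with 1 to maxLen digits.
func Keyspace(maxLen int) uint64 {
	var total, size uint64 = 0, 1
	for i := 1; i <= maxLen; i++ {
		size *= 10
		total += size
	}
	return total
}

// EstimateSeconds is the worst-case time to exhaust Keyspace(maxLen) at rate hashes/s.
func EstimateSeconds(maxLen int, rate float64) float64 {
	return float64(Keyspace(maxLen)) / rate
}

// HashNumeric stands in for the stored credential. Unsalted SHA-256 is an
// assumption for the demo; the page does not say how the DMA stores passwords.
func HashNumeric(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// BruteForceNumeric tries every digit-only string of 1..maxLen digits, zero
// padded so that "007" and "7" are distinct candidates, against a hex SHA-256
// digest. It returns the match, the number of hashes computed, and a found flag.
func BruteForceNumeric(targetHex string, maxLen int) (string, uint64, bool) {
	raw, err := hex.DecodeString(targetHex)
	if err != nil || len(raw) != sha256.Size {
		return "", 0, false
	}
	var want [sha256.Size]byte
	copy(want[:], raw)
	var tried uint64
	for length := 1; length <= maxLen; length++ {
		buf := make([]byte, length)
		limit := uint64(1)
		for i := 0; i < length; i++ {
			limit *= 10
		}
		for n := uint64(0); n < limit; n++ {
			v := n
			for i := length - 1; i >= 0; i-- { // write n as a zero-padded decimal
				buf[i] = byte('0' + v%10)
				v /= 10
			}
			tried++
			if sha256.Sum256(buf) == want {
				return string(buf), tried, true
			}
		}
	}
	return "", tried, false
}

func main() {
	target := HashNumeric("482913") // constructed 6-digit password for the demo
	start := time.Now()
	pw, tried, ok := BruteForceNumeric(target, 6)
	elapsed := time.Since(start)
	rate := float64(tried) / elapsed.Seconds()
	fmt.Printf("recovered %q (found=%v) after %d hashes in %s, about %.0f hashes/s\n", pw, ok, tried, elapsed, rate)
	fmt.Printf("up to 9 digits: %d candidates, worst case %.0fs at that rate on one core\n", Keyspace(9), EstimateSeconds(9, rate))
}
```

Whatever rate your machine reports, the conclusion matches the Raspberry Pi estimate: a purely numeric secret of under ten digits is a PIN, not a password, and emailing it in plain text removes the need to crack it at all.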

Looks like a Perl-based form submission. I hope it's appropriately secured, but I'm not going to even think about taking a look without prior engagement with their SOC.

The domain they're using for renewals is "secure.dma.org.uk". Normally I'll use Tor for the unsubscribe / renew links I get, to minimise the intrusion: although each link will have an embedded tracking mechanism, Tor will prevent OS, screen resolution, lists of plugins etc. from being available for scraping and trend analysis. There's no lawful reason to exclude Tor traffic for a service notification / required intervention.

Before I make the next statement I want to stress that this may be a Tor-specific issue and not necessarily related to the DMA at all, as the CA verification works fine in Firefox: the URL immediately gave me an "Unsecure [sic] site" warning and on closer inspection showed a self-signed certificate with issuer "DigiCert Global CA G2". Bit odd. DigiCert Global CA G2 is usually the middle certificate in the chain back to the DigiCert Global Root G2, whereas a certificate that is genuinely self-signed carries its own name in the issuer field, so a warning that reports both is really the browser saying it could not build a chain from the leaf to a root it trusts. That is what causes the red padlock in the address bar, if you weren't aware already, and it happens for a truly self-signed certificate, for a server that omits the intermediate, and for a certificate signed by something other than the issuer it names.

Not sure why, but Tor seemed to have missed out the CA repository; if I didn't know any better, this would also look like a MitM attack.

I sparked up Firefox and used the same URL: all fine. Verified CA-issued cert matching the domain, and the domain name resolved via DoT + DNSSEC. And no, we don't use Google DNS or similar.
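The difference between those two observations is exactly what a chain check should separate. The following is an added example in Go, not code from this post and not anything taken from the DMA's server. It builds a throwaway PKI (a root, an intermediate and a leaf for the assumed host secure.example.test, none of them real) and classifies why a server-presented chain fails: genuinely self-signed, intermediate omitted by the server, or the intermediate's name copied onto a certificate the real intermediate never signed. The knownIssuer parameter stands in for the intermediate you would fetch out of band (the AIA URL in the leaf, or the copy a second browser shows).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdicts returned by Classify.
const (
	VerdictOK                  = "ok: chain builds to a trusted root"
	VerdictSelfSigned          = "self-signed leaf: issuer equals subject and it signs itself"
	VerdictMissingIntermediate = "server omitted the intermediate: the genuine issuer verifies the leaf"
	VerdictForgedIssuer        = "issuer name claimed but the genuine issuer did not sign it: treat as MitM"
	VerdictUnknown             = "untrusted and no reference copy of the issuer to compare against"
)

// Classify says why a chain the server presented (leaf first) does or does
// not verify for host against roots. knownIssuer is the genuine intermediate
// obtained out of band (the leaf's AIA URL, or what a second browser showed),
// or nil if none is to hand.
func Classify(presented []*x509.Certificate, roots *x509.CertPool, knownIssuer *x509.Certificate, host string) string {
	leaf := presented[0]
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host}); err == nil {
		return VerdictOK
	}
	// A truly self-signed certificate names itself as issuer and verifies under
	// its own key; "self-signed, issued by DigiCert" is a contradiction.
	if leaf.Issuer.String() == leaf.Subject.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return VerdictSelfSigned
	}
	if knownIssuer == nil {
		return VerdictUnknown
	}
	// Same issuer name either way; only the signature separates an omitted
	// intermediate from a forged certificate.
	if leaf.CheckSignatureFrom(knownIssuer) == nil {
		return VerdictMissingIntermediate
	}
	return VerdictForgedIssuer
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// template builds a CA or server-leaf template; every name here is made up.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint signs tmpl with parentKey, copying parent.Subject into the issuer
// field. Passing tmpl as its own parent yields a self-signed certificate.
func mint(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// Demo builds a constructed PKI for an assumed host and classifies four ways
// a server (or an interceptor) might present the chain.
func Demo() map[string]string {
	const host = "secure.example.test" // assumed name, not the DMA's host
	rootKey, interKey, leafKey, attackerKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl, interTmpl := template("Demo Root", 1, true), template("Demo Global CA G2", 2, true)
	root := mint(rootTmpl, rootTmpl, rootKey, rootKey)
	inter := mint(interTmpl, root, interKey, rootKey)
	leaf := mint(template(host, 3, false), inter, leafKey, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Interceptor variants: self-signed, and the intermediate's name copied
	// into the issuer field of a certificate signed with the attacker's key.
	ssTmpl := template(host, 4, false)
	selfSigned := mint(ssTmpl, ssTmpl, attackerKey, attackerKey)
	forged := mint(template(host, 5, false), interTmpl, leafKey, attackerKey)
	return map[string]string{
		"full chain":  Classify([]*x509.Certificate{leaf, inter}, roots, inter, host),
		"leaf only":   Classify([]*x509.Certificate{leaf}, roots, inter, host),
		"self-signed": Classify([]*x509.Certificate{selfSigned}, roots, inter, host),
		"forged":      Classify([]*x509.Certificate{forged}, roots, inter, host),
	}
}

func main() {
	for scenario, verdict := range Demo() {
		fmt.Printf("%-12s %s\n", scenario, verdict)
	}
}
```

The verdicts make the practical point: a certificate cannot be both self-signed and issued by DigiCert, so a warning that says both is the browser reporting that it could not build a chain. Checking the leaf's signature against a genuine copy of the intermediate, rather than trusting the issuer name printed on it, is what tells a misconfigured server (or a Tor exit path that never delivered the intermediate) apart from an interception.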

OK, OK, so perhaps a bit of click-baiting in the headline, but quite a good example of what to look out for. I think it looks like there are some Tor exit nodes which are being proxied / filtered, so I tried generating a new Tor circuit and then changing bridges, but this didn't change the issue.

The DMA domains are not on the Tor blocking lists and other domains seem to be fine.

Regardless, I'm not going to put any personal data into a web page that for some reason arouses suspicion. I used a different browser and checked the domain ownership against historic TPS emails, and all seemed to check out.

TPS registration renewed via Firefox instead. Perhaps one day the DMA will get their act together and make this a permanent opt-in (on the basis of opt-in-by-default at their member organisations), with TPS as an elective opt-in for categories of products and services you want to hear about. This would even work well for consumers buying a new / previously used number.

I'm sure we'd all race to sign up for cold calls and spam emails after all :)