KT CEO Kim Young-shub on Wednesday admitted to the mobile carrier’s mismanagement of miniaturized cellular base stations, called femtocells, which became the main loophole exploited for a series of unauthorized mobile payment fraud cases targeting its users.
He pledged the carrier's full effort to deal with the aftermath of the breach. Responding to controversy over repeated reversals in its disclosures to the authorities, the CEO said the company had no intention of downplaying the significance of the incident.
“There were several loopholes in (our) management practices of femtocells, and the process of re-collecting (inactive) devices was also inadequate,” Kim said during a National Assembly hearing in Seoul.
“We are deeply sorry for causing an unexpected incident related to unauthorized payments, which unsettled not only our customers but also the wider public.”
The mobile payment breach came to light earlier this month after police began investigating unauthorized charges affecting KT users in parts of Seoul and Gyeonggi Province.
The incident alarmed the public after initial investigations revealed that attackers had used femtocells to intercept verification calls sent to users during payment processes. It was the first case of its kind in Korea.
KT initially said on Sept. 11 that a total of 278 people suffered damages worth 170 million won ($122,000), while approximately 5,500 people’s personal information may have been compromised. A week later, however, the company said the total number of victims was 362, with damages totaling 240 million won.

KT CEO Kim Young-shub views a screen capture of ads selling fake femtocells on the Chinese black market during a National Assembly hearing in Seoul, Wednesday. Yonhap
Femtocells are typically used in homes or small offices to cover a range of 10 to 50 meters. Unlike other mobile carriers here, KT relies largely on femtocells, operating nearly 190,000 devices to improve its cellular signal coverage.
KT said 43,000 of its femtocells have not connected to the network in the past three months, which could mean the devices are malfunctioning or untraceable and therefore at risk of being exploited for fraud.
During the hearing, Rep. Lee Hai-min of the minor opposition Rebuilding Korea Party said that KT lacked preventive systems to disable inactive femtocells when their locations are suddenly changed. While SK Telecom and LG Uplus automatically block femtocells moved beyond a certain distance, KT relies solely on customer contact to retrieve inactive femtocells.
Kim noted that KT has been outsourcing the management of its femtocells to contractors, but added that the company has taken measures to prevent inactive devices from connecting to the network.
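The two controls the hearing contrasts, blocking a femtocell that reports in from somewhere other than its registered location and retiring one that has gone silent, can be expressed as a simple audit over a carrier's device-registration and check-in records. The following is an added illustration written for this article, not code from KT or any of the carriers named; it assumes a hypothetical inventory record with a registered location, the coordinates of the last check-in, and a last-seen timestamp. The 90-day inactivity window follows the "three months" figure in the article; the 1 km move threshold is an assumed value, since the article gives only "a certain distance". The sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional

# From the article: devices silent for three months are treated as at risk.
INACTIVITY_DAYS = 90
# Assumption: the article only says "a certain distance"; 1 km is an illustrative threshold.
MOVE_THRESHOLD_KM = 1.0


@dataclass
class Femtocell:
    """Hypothetical inventory record for one femtocell (not a real carrier schema)."""
    device_id: str
    registered_lat: float
    registered_lon: float
    last_seen: Optional[datetime]   # None if the device has never checked in
    last_lat: Optional[float]       # location reported at last check-in, if any
    last_lon: Optional[float]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def audit(devices: List[Femtocell], now: datetime) -> Dict[str, List[str]]:
    """Return {device_id: [reasons]} for every femtocell that should be blocked
    from attaching to the core network: 'inactive' if it has not checked in
    within INACTIVITY_DAYS, 'moved' if its last reported position is farther
    than MOVE_THRESHOLD_KM from its registered site."""
    flagged: Dict[str, List[str]] = {}
    for d in devices:
        reasons = []
        if d.last_seen is None or now - d.last_seen > timedelta(days=INACTIVITY_DAYS):
            reasons.append("inactive")
        if d.last_lat is not None and d.last_lon is not None:
            drift = haversine_km(d.registered_lat, d.registered_lon, d.last_lat, d.last_lon)
            if drift > MOVE_THRESHOLD_KM:
                reasons.append("moved")
        if reasons:
            flagged[d.device_id] = reasons
    return flagged


# Constructed sample inventory; coordinates are approximate city centres, IDs are made up.
NOW = datetime(2025, 9, 24)
SEOUL = (37.5665, 126.9780)
INCHEON = (37.4563, 126.7052)   # roughly 27 km from the Seoul point
SAMPLE_DEVICES = [
    # healthy: checked in yesterday from its registered site
    Femtocell("FC-0001", *SEOUL, NOW - timedelta(days=1), *SEOUL),
    # silent for 120 days: candidate for retrieval / network block
    Femtocell("FC-0002", *SEOUL, NOW - timedelta(days=120), *SEOUL),
    # active, but now reporting from Incheon instead of its registered Seoul site
    Femtocell("FC-0003", *SEOUL, NOW - timedelta(days=1), *INCHEON),
    # never checked in at all
    Femtocell("FC-0004", *SEOUL, None, None, None),
]

if __name__ == "__main__":
    for device_id, reasons in sorted(audit(SAMPLE_DEVICES, NOW).items()):
        print(f"{device_id}: block ({', '.join(reasons)})")
```

The 'moved' check is the one the article credits SK Telecom and LG Uplus with applying automatically; the 'inactive' check is the one that would have surfaced the 43,000 silent devices without waiting for customers to return them.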
Regarding changes in the company’s announcements about the fraud, Kim denied allegations that KT attempted to downplay its significance.
“It took time because there was a large volume of data to process, and we shared information as soon as it was confirmed,” Kim said. “At first, most of the damage was related to call-based authentication, so we prioritized analyzing that, but we are also conducting analysis on SMS and app-based authentication.”
A pedestrian walks by KT headquarters in Seoul in this March file photo. Yonhap
Lawmakers also criticized KT for attempting to cover up a suspected hacking at its servers in July.
In July, the Korea Internet & Security Agency (KISA) asked KT and LG Uplus to check whether their servers had been breached following a report. KT reported that no breach had occurred, but internally it had received information from an outside contractor suggesting a possible breach at its consultation service servers.
On Aug. 1, KT began scrapping the servers, which were scheduled to operate until Aug. 21. Despite reports of possible server breaches, KT remained silent on the issue until Sept. 18, when it reported to KISA that there were traces of intrusion and suspected hacking on the servers.
During the hearing, lawmakers raised concerns that the company attempted to destroy evidence. A KT official said the company first acknowledged the possibility of hacking on the servers in early July but reported no breach to KISA because no traces were found. The official added that the company disposed of the servers because “it felt uneasy maintaining servers which had shown suspicious signs.”
Kim also said the company “should not have scrapped the servers” and “will consider exempting early termination fees for switching carriers for the 20,000 customers whose personal information may have been compromised.”
During the hearing, lawmakers pressured Kim to step down from his role as CEO, but Kim reiterated that he will do his utmost to address the situation.