UpGuard Blog

How Secure Is Your Cell Phone Provider?

Written by UpGuard | Jun 10, 2016 4:37:14 PM

It’s 2016 and you have a cell phone. You also probably pay your cell phone bill online or through an app. Telecom companies handle the world’s communication and part of what that entails is securing that communication to guarantee privacy and integrity to their customers. Here at UpGuard, we scanned ten of the major telecom corporations with our external risk grader to see how their web and email security measured up. These are big money companies with many moving parts, but we’re focusing on the primary web presence a person would consider, for example www.att.com. Turns out there’s some good news and some bad news... depending on which carrier you use.

The average score for the ten companies we scanned was 533 out of 950. We measure things like SSL strength, the email verification mechanisms SPF and DMARC, breach history and CEO/company ratings to determine the overall external resiliency of an organization, and express that in a single score called CSTAR, much like a credit rating. For many with low scores like Verizon, NTT and CenturyLink, the lack of sitewide SSL has left their main web presence open to unencrypted traffic. Higher scores, such as top of the pack Sprint, AT&T, or Australia’s Telstra come from a combination of different security practices, as we’ll explore in detail with each company.

Site Breakdown

AT&T - www.att.com - 689 out of 950

AT&T is the largest telecom corporation in the world by revenue and employs almost 250,000 people across the world. Its score of 689 falls within the average range, though it's on the high end of the group we scanned. First and most importantly, AT&T uses sitewide SSL, keeping the website portion of its score fairly high. AT&T has not yet secured their cookies, and they don't have SPF enabled for email, which is highly recommended. Finally, it should enable DNSSEC to ensure protection against DNS spoofing. That said, AT&T is relatively secure for a telecom company, and their CEO's 73% approval rating, while not stellar, keeps the business portion of the score from dipping. AT&T has, of course, suffered breaches in the past, most notably in 2015, when employees in some AT&T call centers accessed customer information without authorization and sold it to a third party, compromising around 280,000 records and costing AT&T $25 million for privacy violations. Protecting against internal breaches is a topic for another article, but AT&T's external security was not to blame for that one.

Bottom Line: AT&T has most of the basic security measures in place, but there's still room for improvement.

Sprint - www.sprint.com - 731 out of 950

Sprint is the 4th largest wireless network in America and has the best score of any of the telecom sites we scanned. With a 731 out of 950, Sprint was the only provider to fall within the good range of scores. Like AT&T, it all starts with a good, sitewide SSL configuration. Unlike AT&T, however, Sprint has SPF set up for its email domain, which helps protect against spoofed messages. Sprint's breach history is comparatively mild, with an insider breach incident occurring back in 2010.

Bottom Line: Sprint has the best overall score and one of the best security histories of the companies we researched. Like AT&T, it could tighten things up even more by securing cookies and utilizing DNSSEC.

Verizon - www.verizon.com - 386 out of 950

Verizon is another major player in the telecom circle, providing wireless phone service and broadband to millions of people. Additionally, Verizon has its hands in security, issuing the yearly Verizon Data Breach Incident Report (DBIR). Ironic then, that Verizon has our second lowest score at 386, placing them squarely in the warning category. Important to note is how the score is distributed. Verizon's communications score (email and DNS security) is quite high at 922, but its website score is a miserable 282. How did this happen? Simple: Verizon lacks sitewide SSL. This means that pages can be loaded without SSL encryption, and if those pages contain forms, data entered into them (usernames, passwords, credit card numbers, you name it) is transmitted in plain text across the internet. Verizon's revenue in 2015 was around $130 billion, more than many countries' GDP. Implementing sitewide SSL and other security measures on its main webpage seems like a modest investment for the benefits it provides. This should go without saying, given the potentially huge data breach Verizon disclosed earlier this year, after one and a half million customer records went up for sale on the dark web. And unlike the AT&T and Sprint breaches we mentioned, this one came about as a result of a vulnerability in Verizon's website.

Bottom Line: If Verizon fixed its SSL, its score would likely be higher than Sprint's. Until it does, however, if you use Verizon's website, check for the padlock on your browser to make sure your connection is encrypted before sending or receiving sensitive data.

T-Mobile (Deutsche Telekom) - www.t-mobile.com - 522 out of 950

T-Mobile is the English friendly name of Deutsche Telekom, a German telecommunications company operating out of Bonn. Although much of its business is European, it also has the 3rd largest wireless network in America, with over 65 million customers. T-Mobile clocked in with a middling score of 522, mostly due to the fact that it too lacks sitewide SSL. SSL is the most basic form of internet security. It's what encrypts data between the client and the server, making it inaccessible to third parties. It's rather easy and cheap to implement, and the benefits it provides are many. This might sound familiar, but T-Mobile suffered a data breach in late 2015 as part of the Experian hack, affecting over 15 million customers. This was an example of a third party breach, where a trusted partner or vendor's security is compromised, leading to the breach of sensitive data owned by the primary company.

Bottom Line: Like Verizon, T-Mobile needs to sort out its SSL situation ASAP. Requiring encrypted connections should be standard practice across the board. Until then, the burden is on customers to use caution when transmitting important info.

CenturyLink - www.centurylink.com - 347 out of 950

CenturyLink is an American landline and broadband company, the 3rd largest behind AT&T and Verizon. It also scored the lowest of the companies we scanned, with a 347. Its other site, centurylink.net, was about the same, scoring a 482. The lack of SSL and SPF drops CenturyLink's website and communications scores, while the CEO's 60% approval rating and the company's poor overall rating by employees drop the business score down as well. The reason we include these ratings as part of a company's external security profile is that the more unhappy employees are with their company, the higher the likelihood of an internal breach.

Bottom Line: Not looking good for CenturyLink, who has issues in every category. It needs to re-evaluate its external resilience and employ common security mechanisms to improve its site.

Frontier - www.frontier.com - 587 out of 950

Like CenturyLink, Frontier operates in the broadband/landline market. Unlike CenturyLink, its score is average at 587, with strong communications and business sections. What's interesting about Frontier's score is that while it has sitewide SSL enabled, it has hardly any of the other security measures in place, such as securing cookies or hiding headers. However, at least Frontier's website communications are encrypted correctly and it uses SPF for email. Although landline operators like Frontier and CenturyLink might seem like less of a security risk than wireless operators, the reality is that they all have sensitive customer information and need to take care of it.

Bottom Line: Frontier is middle of the pack, with decent security and a lot of room to grow, but it has SSL, so you know your transmissions are encrypted.

Vodafone - www.vodafone.co.uk - 527 out of 950

We also looked at four telecom providers outside of the US, starting with England's Vodafone. Vodafone is the second largest mobile phone provider in the world behind China Mobile and has over 100,000 employees worldwide. While its overall score was an average 527, the website portion of its score was a dangerously low 296. If you guessed that Vodafone didn't have sitewide SSL, good for you, because the lack of SSL cost them dearly. There's an old belief that only certain pages or forms need to be encrypted, and that the rest of the site should be served unencrypted. The problem with this way of thinking is that hopping between SSL and non-SSL connections puts the burden of proper SSL management on IT. Whenever a new page goes up, someone has to make sure it's in "the SSL section" of the website if it has sensitive information. With the way configurations change and systems and people are replaced over time, it's easy to see how an oversight could occur. And many do, some leading to the interception of credentials, PII or credit card info by malicious third parties. Vodafone made headlines in late 2015 when a data breach compromised the financial details of over 2,000 customers.

Bottom Line: No sitewide SSL means a big dent in the score. Vodafone's strong communications security and business profile help keep the overall score average, but its website needs some attention.

Telstra - www.telstra.com.au - 680 out of 950

Telstra is Australia's largest telecom company, providing services in multiple spheres, including landline, mobile, broadband and television. With the 3rd highest score, slightly behind AT&T, Telstra has some great security measures in place. Its website score of 826 places it well above most of the other businesses we scanned in that section. Telstra's SSL implementation is thorough and well-configured. What bumps its score down is the lack of SPF and DMARC for their email. Mechanisms like SPF, DKIM and DMARC exist to combat spoofing attempts, whether they be (spear-) phishing attacks or malware deliveries. They verify that mail is from who it says it's from. Lack of these measures makes it much easier to exploit employees and customers through email.

Bottom Line: Telstra's website is almost perfect, but it needs some security mechanisms around its email domain to help protect against attacks from that vector. Overall, Telstra is above average, despite having less revenue than many of its competitors with lower scores.
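To make the SPF and DMARC gap concrete, here is an added example (not UpGuard's grader or its scoring logic) that inspects the TXT records a domain publishes and reports what is missing or too permissive. The domains and records are constructed placeholders, and the function names are our own.

```python
# Constructed TXT record sets (placeholder domains, not real DNS answers),
# keyed by the name a resolver would be queried for.
TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["site-verification=xyz", "v=spf1 ip4:192.0.2.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "bare.example": ["some unrelated text record"],
}

def check_spf(domain, txt):
    """Findings for the SPF record published at the domain itself."""
    records = [r for r in txt.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: evaluation fails with permerror"]
    terms = records[0].lower().split()[1:]
    catch_all = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    redirect = any(t.startswith("redirect=") for t in terms)
    if catch_all in ("all", "+all"):
        return ["SPF ends in +all: every sender passes"]
    if catch_all == "?all" or (catch_all is None and not redirect):
        return ["SPF is neutral for unlisted senders"]
    return []

def check_dmarc(domain, txt):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    records = [r for r in txt.get("_dmarc." + domain, [])
               if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(records) != 1:
        return ["no usable DMARC record"]
    pairs = (p.split("=", 1) for p in records[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    if tags.get("p") == "none":
        return ["DMARC p=none: receivers are asked to take no action"]
    if tags.get("p") not in ("quarantine", "reject"):
        return ["DMARC record has no valid p= policy"]
    return []

def audit_mail(domain, txt=TXT):
    return check_spf(domain, txt) + check_dmarc(domain, txt)

if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bare.example"):
        print(d, audit_mail(d) or "ok")
```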

China Mobile - www.chinamobileltd.com - 475 out of 950

China Mobile is the largest wireless provider in the world. It's owned by the state, which at least cuts the middleman out between private communications and domestic state surveillance. China Mobile's revenue is huge, its customer base is huge and its external security is very poor. Its score of 475 puts it in the warning category, with only its business score holding it up at all. There's no SSL, no SPF, no DMARC, no DNSSEC. Their website and communications scores take major hits from lacking these basic protocols. China Mobile also operates a customer portal at hk.chinamobile.com but that site rated even lower, at 389. There is SSL on some parts of its site, but non-SSL elements within the page and regular http pages make the site a mishmash of encrypted and non-encrypted items, which always eventually ends in vulnerabilities.

Bottom Line: Poor security all around, on multiple sites. China Mobile should rethink its SSL policy and implement secure email protocols.
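The "SSL section" problem described for Vodafone and the mixed pages described here can both be caught mechanically. This added example (not UpGuard's scanner) audits constructed crawl observations for pages served over plain HTTP, cookies without the Secure attribute, and HTTP subresources on HTTPS pages; the hosts and the observation format are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed crawl observations (not real scan data): what a crawler saw for
# each URL when it did not follow redirects. shop.example is a placeholder.
OBSERVED = [
    {"url": "http://shop.example/", "status": 301,
     "headers": [("Location", "https://shop.example/")], "body": ""},
    {"url": "http://shop.example/promo", "status": 200, "headers": [],
     "body": "<form action='/signup'><input name='email'></form>"},
    {"url": "https://shop.example/login", "status": 200,
     "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
                 ("Set-Cookie", "theme=dark; Path=/; Secure")],
     "body": "<script src='http://cdn.example/app.js'></script>"
             "<img src='https://cdn.example/logo.png'>"},
]

class PlainRefs(HTMLParser):
    """Collect src/action attributes that point at plain-HTTP URLs."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "action") and (value or "").lower().startswith("http://"):
                self.refs.append(value)

def audit_pages(observations):
    findings = []
    for obs in observations:
        url = obs["url"]
        headers = [(k.lower(), v) for k, v in obs["headers"]]
        if urlsplit(url).scheme == "http":
            target = next((v for k, v in headers if k == "location"), "")
            if not (300 <= obs["status"] < 400 and target.lower().startswith("https://")):
                findings.append((url, "plain HTTP, no redirect to HTTPS"))
            continue  # cookie and mixed-content checks apply to HTTPS pages
        for k, v in headers:
            attrs = {a.strip().lower().split("=")[0] for a in v.split(";")[1:]}
            if k == "set-cookie" and "secure" not in attrs:
                findings.append((url, "cookie %s lacks Secure" % v.split("=", 1)[0]))
        parser = PlainRefs()
        parser.feed(obs["body"])
        findings += [(url, "mixed content: " + ref) for ref in parser.refs]
    return findings

if __name__ == "__main__":
    for url, issue in audit_pages(OBSERVED):
        print(url, "->", issue)
```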

NTT (Nippon Telegraph & Telephone) - www.ntt.co.jp - 390 out of 950

Japan's NTT is the third largest wireless provider in the world and employs close to 250,000 people. Like China Mobile, its external security profile is quite weak, with its communications score hitting a dangerous 226, with nearly a complete lack of verification mechanisms. NTT's website score reflects a lack of SSL and proper defense configuration, which is dangerous, as NTT serves a customer portal directly through this domain. It doesn't bode well that communications giants like NTT and China Mobile are not making cybersecurity a priority. The nature of their business puts them on the vanguard of information defense and if they are not prepared, it's their customers who will pay the price.

Bottom Line: NTT needs to reevaluate its cybersecurity strategy and take steps to improve external resilience.

With the amount of information telecom corporations handle, security should be one of their top priorities. But the data shows a relatively lax approach to security from most of the providers, with some failing to provide adequate protection altogether. It's no surprise that data breaches are on the rise, with the increase of sophisticated cyber attacks and the absence of equal response from their targets. At the very least, companies should be expected to provide sitewide SSL for their customers, and if they don't, why not? The habit of security must be practiced to stay effective. Attacks will change and the necessary defenses along with them. Doing business in the internet age means dealing with the risks of the internet age. Failure to protect against those risks puts both businesses and customers in danger of costly, embarrassing data breaches.

Scan any website with UpGuard's external risk grader to see how its security stacks up.