KT mobile payment breach rattles users over new security threat

Second Vice Minister of Science and ICT Ryu Je-myung speaks during a briefing at the government complex in Seoul, Wednesday. Yonhap

A series of unauthorized mobile payment fraud cases have recently hit KT users in Seoul and the surrounding Gyeonggi Province, sparking an unprecedented type of security threat, with suspicions that rogue cellular base stations were used for the crimes.

During a press briefing Wednesday, the Ministry of Science and ICT said KT has confirmed 278 cases of mobile payment fraud cases among its users with the total losses expected to surpass 170 million won ($122,460), double the previous counts of reported cases as new cases continue to emerge.

The mobile payment breach first surfaced last week as police investigated unauthorized mobile charges affecting KT users residing in Gwangmyeong, Gyeonggi Province. About 20 victims reported that they were suspiciously charged for transactions such as digital gift cards and transit card top-ups from Aug. 27-31. The issue quickly escalated when more payment fraud cases were reported in Seoul.

KT filed a cyber incident report with the Korea Internet & Security Agency (KISA) and the ICT ministry on Monday evening, leading the ministry to set up a joint public-private investigation team to look into the damages and find the cause of the security breach.

The incident is particularly alarming for Koreans as the country has never reported similar types of cybercrimes, with victims telling police that they had never clicked on any malicious links or installed any suspicious apps.

Cyber criminals are suspected of using illicit micro base stations to carry out unauthorized payments. Low-power base stations, often used to offload data traffic or resolve blind spots in communication coverage, provide coverage within about 10-meter radius.

A person passes by a KT retail store in Seoul, Wednesday. Yonhap

The device is speculated to be used to reroute traffic and intercept verifications needed to make the mobile transactions. As these base stations are portable and can be operated while moving, the damage could extend into other regions.

“KT had detected an abnormal calling pattern and began blocking the related traffic at 3 a.m. Friday. But judging that the pattern was due to users’ devices being infected by smishing, the company did not report it as a cyber incident,” Second Vice Minister of Science and ICT Ryu Je-myung said during a briefing at Government Complex Seoul.

“Later, it confirmed access from unregistered base stations on Monday afternoon and filed a cyber incident report.”

KT assured that it had implemented measures to block unregistered base stations from accessing its network to prevent further losses.

“After analyzing the victims’ call patterns, we identified a specific suspicious pattern associated with a particular base station ID … and implemented a method to fully block such connections. No further attempts have occurred since,” the company’s official said.

The ministry said it will continue its investigation into the breach to verify how the unauthorized device was used to access KT’s core network and will share the information with other two telecom companies, SK Telecom and LG Uplus, to prevent similar crimes.

Digital screens are seen at KT's headquarters in central Seoul, Friday. Yonhap

“While we confirmed unregistered devices, further investigation is needed to determine whether this alone led to the crimes, or if other mechanisms were involved,” Ryu said.

“All three telecom operators are now fully restricting new micro base stations from connecting to their networks. KT will also share information about abnormal traffic detected from illegal micro base stations with other operators today, enabling them to conduct their own security checks.”

KT noted that it also had been blocking suspicious payment attempts since Friday morning, adding that it found no indications of a breach in users’ personal information during the incident.

However, despite the company’s assurances, KT has faced growing outrage from the public, especially with allegations that it delayed responding to the incident even after police notified the company of the reported fraud cases earlier this month.

Civic group Seoul YMCA released a statement urging KT to conduct a company-wide inspection for possible damage, adding it should immediately and transparently notify all of its users of the event.

“The actual extent and details of the damages could be far broader than figures from the currently reported cases. KT should accurately investigate and do a full-scale survey covering all KT subscribers and network users,” it said.

“To prevent the further spread of damage, (KT) should send out straightforward messages to all subscribers, including older adults and the digitally vulnerable, to clearly explain the current situation and how to check for unauthorized payments.”

Meanwhile, the Personal Information Protection Commission also launched an investigation into the data breach allegations against KT and LG Uplus Wednesday, following a report in global hacking journal Phrack Magazine that two anonymous white-hat hackers had obtained 8 gigabytes of leaked data, including some from the two companies.