Is the TCF mobile blacklist fuelling New Zealand’s latest crime fad?

By Steve Biddle, in , posted: 8-May-2018 12:26

Stolen or lost mobile phones are a global problem. With the introduction of GSM phones in the ‘90s, the ability to simply move a SIM card between phones started a crime wave because phones were such an easy target. Once somebody had a stolen phone they could simply use it themselves, or on sell it, and the buyer could simply put their SIM card in the phone and use it – in many cases probably oblivious to the history of the phone.

The solution was blacklists of International Mobile Equipment Identity (IMEI) numbers – the serial number of the phone. Operators could block IMEI numbers to prevent devices working on their network, and share the IMEI data between themselves to stop the device working on other networks.

While such blacklists are common place around the world, no global blacklist exists, meaning that devices that are reported lost or stolen in one country can still be used in another country. This has created a global black market for phones, and I’ve seen retailers in Hong Kong selling refurbished “as new” phones that will not work with Hong Kong SIM cards, but will work outside the country.

In 2014 the Telecommunications Carriers Forum (TCF) introduced a mobile blacklist with data shared between New Zealand’s mobile networks – 2degrees, Vodafone, and Spark. Phones that were reported lost or stolen could have their IMEI added to this blacklist which would result in the phone becoming inoperable on any of the networks in New Zealand.

Prior to the introduction of the TCF backed blacklist system, blacklist data was shared between Spark (who were still Telecom at the time) and Vodafone, but not 2degrees.

This fuelled a market in New Zealand for devices that were sold on Trademe and advertised as “only works on 2degrees”, and a number of threads exist here on Geekzone detailing experiences of people people purchasing such devices. Sellers of these devices were clearly aware these devices were blacklisted on the Spark and Vodafone networks, but buyers who didn’t understand the reasons for such a statement were left perplexed when they tried to use their device on Spark or Vodafone and found it didn't work – while it did work fine on 2degrees.

Even when they were sharing IMEI data only with Vodafone, it was well known that Spark were adding IMEI numbers to the blacklist that were not only for stolen or lost devices, but from customers who had abandoned a term contract with a subsidised handset or hire purchase deal. Around this time there was even an online retailer selling new devices that were also clearly marked as “only works on 2degrees” where the source of the handsets was apparently a cancelled corporate contract.

In 2014 when the TCF blacklist was introduced, the TCF made the purpose of the blacklist service pretty clear in its voluntary code -

What it is

The IMEI Blacklisting Code allows consumers to report lost or stolen handsets to their mobile provider so it is blocked and cannot be used on any mobile network, nationwide. Purpose

The purpose of the code is to co-ordinate sharing of IMEIs between mobile networks to discourage theft and disrupt the operation of illegal markets.

Section 5.3 of the code also details what the blacklist should (and should not) be used for -

5.3 Operators shall not Blacklist or un-Blacklist an IMEI in order to gain any commercial advantage or inflict any damage on any other Operator or party.  Blacklisting cannot be used to withhold service or resolve commercial disputes (including bad debt scenarios).  Operators cannot use any contact made by a former customer requesting to Un-Blacklist an IMEI for any “win back” or sales activity.

Over the last few years I’ve seen a number of threads on Geekzone as well as a number of posts on social media from people who have purchased mobile phones both via Trademe and privately, and found that several months later the phone has suddenly stopped working. In all cases the phone has been found to have been blacklisted.

In several cases the buyer had checked the phone using the TCF blacklist  lookup when they purchased it, and saw the device was not blocked. One example of this is detailed below.

tcf imei pg1

So what’s going on?

It would seem that Spark, and possibly 2degrees, are still using the TCF blacklist for purposes outside the scope of the blacklist, ie a bad debt scenario.

A customer purchases a device on a contract or an interest free free deal, sells it to an unwilling buyer who even checks the TCF blacklist and find it passes, pays the contract for a several months, and then suddenly cancels it or decides not to pay it. The device IMEI is added to the TCF blacklist, and the third party buyer of the device suddenly finds their device doesn’t work.

They then often find themselves in a situation where there is very little they can do. The original seller is often nowhere to be found, and the buyer is stuck with an expensive brick that is now useless.

In this example I’m using from Geekzone, the seller did eventually offer a refund. In other cases people have not been so lucky.

tcf imei pg2

The TCF have pushed their blacklist search as a way for a buyer to check their handset and ensure that it’s not blocked – which is fine for checking if a phone has been blocked due to being reported stolen or lost, but it’s very clear now that this search is now pretty limited when it comes to checking the real status of any phone purchased privately. A phone that passes an IMEI check could still be blocked at any time if if the seller of the default defaults on payments.

The TCF themselves do vaguely warn of this on their website but most people would probably not realise under what circumstances this would occur. Most people would assume a second hand phone that passes the check would be safe to buy  - after all that was the whole point of the online tool to allow people to check a device.

tcf imei pg3

All of this poses the question of why the TCF are permitting carriers to use their blacklist for a “bad debt” scenario, something that would seem to be in breach of their code surrounding the use of the blacklist.

When high value products are sold by retailers on finance deals, most use the Government funded Personal Properties Security Register (PPSR) to lodge the sale – with the purpose of the database being to provide a central register of products that may have a financial claim against them. It poses the question of why mobile providers don’t appear to be using this database for high value phones, but instead relying on a blacklist.

It also poses the question of whether carrier has a legal right to effectively block a device that they have not bothered lodged a PPSR security interest over.

Right now buying a second hand phone carries significant risk unless you know exactly where the device came from, and can be certain that no money is owed on the phone. My attempt to check an IMEI with Spark showed they are unwilling to provide this information when asked, as any information relating to the phone or IMEI seems to be regarded as personal information. With no authority to access the account of the person who originally purchased the phone, it’s impossible to get a clear answer from them.

Right now the TCF searchable blacklist is essentially broken – and urgently needs to be fixed. If carriers aren’t going to stop blacklisting devices for bad debts, the TCF urgently need to expand the search to include whether money is owed on a phone.

People are being scammed, and the TCF online search is being used to benefit the scammer and hurt the unwitting buyer. That is simply wrong.

 

UPDATE:

I have received the following response from Spark regarding the issue.

Spark do not blacklist IMEI numbers if a customer has bad debt, or defaults on a payment. The exclusive purpose of blacklisting handsets is when devices are either stolen, lost or involved in fraud.

There are a number of steps Spark take to determine fraud or fraudulent activity before we blacklist a device. Where it is deemed that fraud or fraudulent activity has occurred the case must satisfy the burden of proof and the following must apply:

  • There must be documentary and/or other evidence which prima facie supports the allegation of fraud; and,
  • There must be sufficient evidence to lay a Police complaint.

However, fraudulent activity can take some time to identify – which is why telecommunication companies have up to 120 days under the blacklist policy.

We understand it is very frustrating for individuals who find their phone has been blacklisted months after they have purchased it, but this is unfortunately a risk when purchasing from a second-hand site such as Trade or Facebook Marketplace.

While Spark say that a device will not be blocked due to a bad debt, it’s a grey area between defining a “bad debt” and “fraud”. Somebody buying a device with falsified details and defaulting on a payment would likely be treated as a case of fraud, and the device blocked.

The response from Spark really emphasises the failings of the TCF system. A individual buying a second hand device can have no certainly at all that the device will not be blocked at some point in the future after they have completed the sale, and more importantly after they’ve checked the TCF mindyourmobile site and verified that the device they are wanting to buy is not listed as blocked on the site.

People know they can easily on sell devices to unsuspecting people who will check the blacklist, but have no idea the phone effectively has a security interest registered against it, and more importantly no way of actually knowing this or being able to check this. That's a broken system, and it needs to be fixed.

If a device is purchased on account or as part of an interest free deal and effectively has a security interest registered against it this should be lodged with the PPSR, and the TCF website should be doing a lookup against that to not only show the current status of the IMEI, but also whether security is lodged against it. This would allow any potential buyer to be fully aware of the risks associated with buying the device.

Anybody looking to purchase a second hand phone needs to be fully aware of the risks. You could easily end up with an expensive brick despite through no fault of your own, and then find there is very little you can do when you’re in this situation.



Other related posts:
Spark Paging network shutdown – the event nobody cares about? Not quite.
UFB voice, power cuts, copper invincibility and mainstream media FUD.
New Zealand’s growing BUBA problem (AKA I feel sorry for you if you’re on a Conklin)






comments powered by Disqus

sbiddle's profile

Steve Biddle
Wellington
New Zealand


I'm an engineer who loves building solutions to solve problems. I'll also a co-founder of the TravelTalk.nz travel site. 


I also love sharing my views and analysis of the tech world on this blog, along with the odd story about aviation and the travel industry.

My interests and skillset include:

*VoIP (Voice over IP). I work with various brands of hardware and PBX's on a daily basis
  -Asterisk (incl PiaF, FreePBX, Elastix)
  -Polycom
  -Cisco
  -Linksys
  -Patton
  -Zyxel
  -Snom
  -Sangoma
  -Audiocodes

*Telecommunications/Broadband
  -xDSL deployments
  -WiMAX
  -GSM/WCDMA
  -WiFi

*Structured cabling
  -Home/office cabling
  -Phone & Data

*Computer networking
  -Mikrotik hardware
  -WAN/LAN solutions

*Wireless solutions
  -Motel/Hotel hotspot deployments
  -Outdoor wireless deployments, both small and large scale
  -Temporary wireless deployments
   
*CCTV solutions
  -Analogue and IP

I'm an #avgeek who loves to travel the world (preferably in seat 1A) and stay in nice hotels.


+My views do no represent my employer. I'm sure they'll be happy to give their own if you ask them.


You can contact me here or by email at stevenbiddle@gmail.com

twitter.com/stevebiddle