Image Source: Visual China
As the real-name system for mobile phones tightens further, the “wool party” has turned to IoT cards to carry on its “wool harvesting” business. Professional institutions estimate that profits from this black market can reach 25,000 times the investment cost.
Author | Rao Wenyi
During e-commerce events like Double Eleven, it is not only consumers, merchants and platforms that are busy. So are the “wool parties”, the groups adept at extracting the discounts and subsidies the platforms hand out.
According to Alibaba’s “Ali Ju Security 2016 Annual Report”, in the internet business promotions of 2016, red packets and promotional campaigns that lacked security controls were seized by the wool party using automated tools and bulk-registered throwaway accounts, and the discounts obtained were then resold at a markup.
“Basically, 70%-80% of the promotional discounts will be taken away by the wool party,” the report indicates.
In fact, after the “Xu Yuyu incident”, the authorities tightened enforcement of the mobile phone real-name system. In May 2016, the Ministry of Industry and Information Technology issued a notice requiring all operators to further improve the registration of telephone users’ real identity information, so that the real-name rate of all telephone users reached over 95% by December 31, 2016, and all telephone users completed real-name registration by June 30, 2017.
On the surface, these rules have narrowed the wool party’s room to operate. In the chain of the internet black market, mobile SIM cards have always played an important role: by operating large numbers of SIM cards in bulk, the wool party raises its odds of capturing a campaign’s discounts.
Tighter regulation therefore means these black-market operators can no longer apply for mobile cards indiscriminately, as they once did, to harvest the discounts of major internet business campaigns.
However, the tightening of the real-name system does not appear to have constrained the wool party much. Their predatory presence on the various platforms is still everywhere, because beyond mobile SIM cards they have found a new carrier in IoT cards and are using it to continue their “business”.
1
“In the current internet black market, about 80% of the parts that use mobile cards are IoT cards,” said Zhu Keding, COO of the information security consulting company “Threat Hunter” to Jiemian News. “Threat Hunter” is a company focused on helping enterprises prevent and mitigate threats from wool parties, malicious registrations, and credential stuffing attacks.
Currently, there is no official industry definition of an IoT card. In common usage, an IoT card is a SIM card without voice call or SMS functions that provides only data access.
Due to this characteristic, IoT cards are more often used in IoT devices, such as smart water meters, smart electricity meters, etc. By embedding IoT cards, different devices can achieve mutual connectivity of data.
In the past couple of years, shared bikes, currently a “hot topic”, have been one of the fields with the most IoT card deployments. With an embedded IoT card, users can obtain real-time status information about the bike matched to their account, such as whether it has been successfully locked. In May this year, Mobike announced a strategic cooperation with Sichuan Mobile to order 1 million IoT cards issued by Sichuan Mobile within the year.
However, Jiemian News reporters learned that although IoT cards nominally do not have voice call and SMS functions, these functions can be added to the card with certain modifications.
In this regard, a former employee of China Telecom, Xiaowen (pseudonym), explained that IoT cards essentially serve as a data channel and can be modified to achieve different functions. For example, a card that has enabled SMS functionality can be referred to as a “registration card”; a card that has enabled voice functionality can be referred to as a “voice card”.
However, a representative from China Mobile emphasized that enabling other functions can only be done through the internal operating system of the operator, and this process is generally not open to individuals. “For example, WeChat still uses SMS and voice functions based on the internet, which does not mean that the mobile card has these functions,” the representative said.
Among the three types of cards (plain data card, registration card and voice card), the voice card offers the most functions. A card dealer mentioned that some platforms, including Meituan, have already adopted voice verification codes during registration, “in which case only voice cards can be used.”
“(IoT cards) do not necessarily lack voice and SMS functions, so generally, when opening a card, the business manager will first understand your needs,” the aforementioned card dealer pointed out. Jiemian News reporters also found that in China Mobile’s IoT business, the packages for IoT cards include SMS-related functions.
Some card dealers also told Jiemian News reporters that IoT cards come with either 11-digit or 13-digit numbers. The 11-digit cards resemble normal mobile cards, with voice functionality and the ability to send and receive SMS, although calls to other numbers are prohibited; the 13-digit cards can only send and receive SMS within the same operator’s network.
“11-digit IoT cards are already very rare, and now operators prohibit bulk orders, making it quite difficult to obtain them,” the card dealer stated. The aforementioned representative from China Mobile also believes that 13-digit IoT cards can more effectively curb black market phenomena.
Similar to ordinary mobile SIM cards, the issuance of IoT cards is also primarily operated through the three major telecom operators in China. Xiaowen told Jiemian News reporters that there are regulations requiring that IoT cards are aimed at enterprise customers, but there are also loopholes to exploit.
“Basically, as long as you can show a business license, you can obtain IoT cards,” Xiaowen said. From what he has learned, business managers often issue a batch of IoT cards to customers without thoroughly investigating the company’s qualifications.
Behind the low bar may be the sales pressure on business personnel. Tencent Cloud’s security director Zhou Bin told Jiemian News reporters that operators and their various agents all have card issuance quotas, and to meet them they often issue IoT cards in excess.
“As far as I know, there is a certain discrepancy between the number of IoT devices on the market and the number of IoT cards; in fact, too many IoT cards are issued, so they are used in other fields,” Zhou Bin believes.
Therefore, the low application threshold is an important reason why the wool party favors IoT cards. Zhu Keding cited an example: “As long as you register a company, you can apply for thousands of IoT cards.”
Additionally, the reduced processing costs compared to mobile SIM cards is also a factor attracting the wool party.
“For the same amount of data, the fees for IoT cards are much lower than those for mobile SIM cards,” Xiaowen stated.
Jiemian News reporters obtained a pricing table for IoT cards from China Mobile, which shows that for 1GB of data per month, the IoT card costs 50 yuan per month; under the same data plan, a 4G SIM card package costs 88 yuan per month.
In addition to the processing fees, the reduced costs for IoT cards also manifest in areas including preliminary preparations. Independent TMT analyst Fu Liang told Jiemian News reporters that “Currently, one ID card can only apply for five SIM cards; if the wool party wants to obtain the same number of SIM cards, it means they need to prepare a batch of ID cards in advance, which adds extra costs.”
In other words, in terms of both processing difficulty and cost, IoT cards are currently a more “affordable” choice for the wool party.
2
Apart from applying directly to the operators, the most convenient way for an individual to obtain IoT cards is to buy them from the many private card dealers who operate outside the spotlight of the telecom industry.
Jiemian News reporters quickly found several dealers selling IoT cards by searching for “IoT cards” in some communities, including Zhihu. Their promotional phrases often include “ample data” and “lowest discounts”, etc.
However, when Jiemian News reporters added a few of these dealers on WeChat to inquire, some stated that they were no longer able to issue “cards for receiving verification codes”.
“The company is strict, and does not allow issuing cards for receiving verification codes, or for tasks like bulk ordering,” one dealer cautiously stated. When reporters further asked whether they could recommend some phone cards that could be used for bulk ordering, he did not respond further.
Other dealers, however, still welcomed this type of business and actively recommended relevant IoT card packages to Jiemian News reporters, such as “supporting SMS functionality, sending SMS at 0.1 yuan/message, can register for WeChat, Weibo, and various apps and websites, with data priced at 0.2 yuan/MB” for registration cards, and “5MB of data for eight months with no monthly fee, can receive five minutes of voice verification” for voice cards. The former costs 30 yuan per card, while the latter costs 17 yuan per card, with a minimum purchase of 10 cards.
Additionally, some dealers even showed Jiemian News reporters some normal number segment SIM cards, pricing them at 120 yuan each. “These cards are normal mobile cards, with a number segment of 150, and all functions are complete; they can also be used personally, with only a monthly fee of 9 yuan.”
As for IoT cards that only have basic internet functions, these dealers prefer to sell them in bulk.
“We usually open cards in large quantities, generally in units of 100,000; the wholesale price for these is just a few yuan each,” a dealer told Jiemian News reporters.
Regarding the channels for obtaining IoT cards, the dealers are not evasive. The aforementioned dealer who can wholesale IoT cards hinted to Jiemian News reporters that he can stably obtain IoT cards from China Telecom and China Unicom, “the card fees from different operators also vary.”
The process of purchasing IoT cards from these dealers is much simpler than from operators. Except for one dealer who required signing a formal sales contract, other dealers did not express any requirements for additional materials. Basically, as long as interested users place an order and pay, they can receive the IoT cards delivered by express.
Former telecom employee Xiaowen was also astonished at the scale of these “cooperative businesses” between dealers and operators. He stated that in Shenzhen, for example, IoT cards were only launched as a new business by China Telecom a year ago. Due to the low fees, they have attracted a lot of users’ attention, and China Telecom has also intended to tighten the issuance of IoT cards.
“Generally, applying for several hundred or even thousands of IoT cards from the operators’ business managers is not a big problem; however, applying for 100,000 at once is not common.” Many industry insiders stated that it is unreasonable for an ordinary enterprise to obtain such a large number of IoT cards from operators.
Fu Liang believes that the process of dealers obtaining IoT cards from operators may not necessarily be compliant, “Operators should conduct qualification reviews of the enterprises applying for card issuance to verify whether the enterprise information is accurate.” He added that the occurrence of the above situation may be due to some lower-level business personnel relaxing card issuance regulations.
3
After purchasing millions of IoT cards from dealers, the wool party’s process of extracting gray profits officially begins. The process is much the same as the traditional one that used mobile SIM cards.
First, to let these IoT cards receive large volumes of messages at the same time, a hardware device called a “cat pool” is essential (a modem pool; “cat” is Chinese slang for modem).
According to Zhu Keding, a cat pool is a communication device that can support multiple SIM cards at the same time, with card slots ranging from 8 to 2048; users insert SIM cards into the slots and can perform batch operations via a computer. “The cat pool is similar to a multi-card mobile phone,” Zhu Keding said.
Those who own a cat pool can choose to place their “resources” on the dealer’s platform for the wool party to purchase and use. According to information in the article “Black Market Big Data: Investigation of Mobile Black Cards” published by the Threat Hunter public account, well-known dealer platforms in China include Thewolf, Starry Sky, Ailezan, and Corn, among which Thewolf and Starry Sky can also receive voice verification codes.
Jiemian News reporters found that the Starry Sky platform’s website provides a guide on how the wool party can carry out the entire process of receiving and sending verification codes. The guide shows that this platform covers applications including WeChat, Taobao, JD.com, Didi, and 58.com. Wool parties only need to fill in the relevant information in the verification code acquisition software downloaded from the platform to obtain the verification codes needed for bulk application registrations.
“For ordinary small enterprises or traditional businesses, due to their weak defenses against the black market, such wool harvesting behaviors are almost impossible to prevent,” Zhu Keding stated.
He cited an example where Threat Hunter had previously served a traditional enterprise with hundreds of employees, only a few of whom were genuinely familiar with security work. Faced with black-market threats, the relevant staff could only think of simple countermeasures, such as blocking an IP address after it logged in more than 100 times.
“For the current wool party, such resistance is almost futile; they can easily bypass defenses with some proxy IPs,” Zhu Keding explained.
Under intense attack, many enterprises often suffer significant losses. Threat Hunter has roughly estimated that a single mobile black card can generate nearly 100 yuan in revenue in the hands of a wool party or account dealer; if 40 million black cards are generated annually, related enterprises could lose 4 billion yuan each year. If calculated by an 80% share, the black market scale from IoT cards could reach 3.2 billion yuan annually.
Another internet business risk control service provider, Qian’an Technology, estimated that profits from the black market can reach 25,000 times the investment cost.
However, Jiemian News reporters learned that in this chain, enterprises are not entirely victims; sometimes they are also beneficiaries.
Qian’an Technology’s relevant personnel introduced to Jiemian News reporters that before 2014, there were instances where startups deliberately brought in wool parties to attract investors.
Zhu Keding confirmed the existence of this situation, showing Jiemian News reporters some “wool harvesting platforms” online. These platforms are established for wool parties to communicate information about internet business activities, but sometimes enterprises can also publish relevant activity information on them to attract wool parties.
“This behavior involves the enterprise’s cash flow and activity volume data, which can be inflated through bulk ordering to deceive investors, leading to a higher valuation during the next round of financing.” He stated that this also belongs to the network black market.
However, according to observations from Qian’an Technology, relevant phenomena have rarely occurred since 2014. “After doing this for a while, enterprises quickly discover that the disadvantages outweigh the advantages,” the relevant personnel told Jiemian News reporters.
4
When it comes to preventing black-market incidents driven by IoT cards, do enterprises need to invest extra effort? At least from the perspective of professional teams, the answer is no.
Tencent Cloud’s security director Zhou Bin explained, “The biggest problem is that enterprises cannot determine whether the phone numbers behind these are real individuals or devices. Operators have not disclosed the principles for number segment distribution, nor provided relevant information to enterprises. From a technical standpoint, it is currently very difficult to make a judgment.”
In this case, for enterprises today, combating wool harvesting behaviors led by IoT cards does not require significantly different measures than those taken against traditional wool harvesting behaviors.
For instance, Qian’an Technology adopts strategies that utilize the enterprise’s own data to generate risk control strategies suitable for the enterprise, or leverage lightweight intelligence cloud platforms to assist enterprises in organizing defenses. Tencent Cloud uses a business security protection system called “Tianyu” for protection. These measures primarily target mobile black cards, including IoT cards.
Tencent Cloud has previously assisted a Guangdong enterprise, Dongpeng Special Drink, in resisting a “wool harvesting” event. Dongpeng Special Drink had previously launched an activity called “Scan the Bottle to Win Prizes”, but later found that wool parties had profited by scanning in bulk.
In response, Tencent Cloud’s approach was to compute factors such as device usage characteristics, the matching relationship between device and phone number, and the frequency of IP changes, and to derive a risk level for each user from them. Users judged too high-risk were denied access to the activity page.
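The contrast between the simple per-IP rule described earlier (block an address after 100 logins, which proxy IPs defeat) and the correlated scoring Tencent Cloud describes here, as an added example that is not code from Tencent Cloud, Threat Hunter or this article. The event schema, the feature weights, the thresholds and the sample events are all assumptions constructed for the illustration; the modem-pool traffic is modelled as many numbers behind one device, each request arriving from a fresh proxy address at script-regular intervals:

```python
"""Risk scoring for bulk-registration ("wool party") traffic.

Added illustration, not Tencent Cloud's Tianyu or Threat Hunter's code.
The event format, weights and thresholds are assumptions for this example;
the events themselves are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed)
    phone: str       # number that requested the verification code
    device: str      # client device identifier (assumed IMEI-style)
    ip: str          # source address as seen by the platform


def naive_ip_limiter(events: Iterable[Event], max_per_ip: int = 100) -> Set[str]:
    """The per-IP rule a small enterprise might use: block an IP after N hits."""
    hits = Counter(e.ip for e in events)
    return {ip for ip, n in hits.items() if n > max_per_ip}


def score_phones(events: Iterable[Event],
                 device_fanout_limit: int = 3,
                 ip_churn_limit: int = 2) -> Dict[str, int]:
    """Score each phone number by correlating it with devices and IPs.

    Features (assumed weights, chosen for illustration):
      +2  a device this number used also served more than
          device_fanout_limit other numbers (one modem pool, many cards)
      +1  the number was seen from more than one device
      +1  the number rotated through more than ip_churn_limit distinct IPs
      +1  inter-request timing is machine-regular (near-zero jitter)
    """
    events = sorted(events, key=lambda e: e.ts)
    phones_per_device = defaultdict(set)
    devices_per_phone = defaultdict(set)
    ips_per_phone = defaultdict(set)
    ts_per_phone = defaultdict(list)
    for e in events:
        phones_per_device[e.device].add(e.phone)
        devices_per_phone[e.phone].add(e.device)
        ips_per_phone[e.phone].add(e.ip)
        ts_per_phone[e.phone].append(e.ts)

    scores: Dict[str, int] = {}
    for phone, devices in devices_per_phone.items():
        s = 0
        if any(len(phones_per_device[d]) > device_fanout_limit for d in devices):
            s += 2
        if len(devices) > 1:
            s += 1
        if len(ips_per_phone[phone]) > ip_churn_limit:
            s += 1
        stamps = ts_per_phone[phone]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and pstdev(gaps) < 1.0:
            s += 1
        scores[phone] = s
    return scores


def flag_high_risk(events: Iterable[Event], threshold: int = 2) -> Set[str]:
    """Numbers whose score reaches the threshold would be denied the activity page."""
    return {p for p, s in score_phones(events).items() if s >= threshold}


def constructed_events() -> List[Event]:
    """Constructed sample: one genuine user plus one modem pool of 20 cards."""
    events: List[Event] = []
    # Genuine user: one handset, home and office addresses, irregular timing.
    for ts, ip in [(1000, "203.0.113.5"), (4700, "203.0.113.5"), (9100, "198.51.100.7")]:
        events.append(Event(ts, "13800000001", "IMEI-GENUINE", ip))
    # Modem pool: 20 numbers (constructed 13-digit style) behind one device,
    # every request from a fresh proxy address, fired every 5 seconds by a script.
    for i in range(20):
        phone = f"1440{i:09d}"
        for k in range(3):
            n = 3 * i + k
            events.append(Event(2000 + 5 * n, phone, "CATPOOL-01", f"192.0.2.{n + 1}"))
    return events


if __name__ == "__main__":
    evs = constructed_events()
    print("per-IP rule blocks:", naive_ip_limiter(evs))
    print("correlated scoring flags:", len(flag_high_risk(evs)), "numbers")
```

On the constructed sample the per-IP rule blocks nothing, since every proxy address is seen once; lowering its threshold to a single request only blocks the genuine user’s home address. The correlated score flags all 20 pool numbers and leaves the genuine number at zero, because the device-to-number fan-out and the timing regularity are properties of the operation itself rather than of any one address.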
“The final result was that we detected about 20% of users as wool parties, saving our client about 30 million in promotional expenses; when we called these numbers afterward, almost all were unreachable or did not answer,” Zhou Bin said.
However, no matter how much security companies strengthen their research on anti-black market technologies, it seems to only address the symptoms rather than the root cause. To fundamentally resolve the black market incidents related to IoT cards, the most essential method is for relevant departments and operators to strengthen legislation and regulation.
Many industry insiders expressed the view that operators should raise the application threshold for IoT cards. They believe that unlike ordinary mobile SIM cards, operators’ regulation of IoT card applications is too lax, allowing anyone to obtain IoT cards at a low cost and participate in the internet black market.
“Generally, for mobile cards, operators can implement some pre-settings to limit certain functions; however, the specific execution depends on the operators’ attitude towards control,” Fu Liang told Jiemian News reporters.
From the perspective of internal personnel, the ambiguous attitude of the operators has indeed brought certain negative impacts on the proliferation of IoT cards. Former China Telecom employee Xiaowen told Jiemian News reporters that often, operators have been indecisive about whether to strictly control the application for IoT cards.
Of course, from a legal standpoint, operators have the responsibility to manage the purposes for which the network is used. Article 36 of the Tort Liability Law stipulates: Network service providers who know that network users use their network services to infringe on the civil rights and interests of others, and fail to take necessary measures, shall bear joint liability with the network users.
However, this is not easy to implement. “According to the principle of communication freedom, operators should not interfere with users’ purposes for using communication tools, otherwise, the operators’ purposes would become dual, making management difficult,” he believes. If operators were to regulate this incident, they would be acting as both referees and athletes, which could lead to management chaos.
Zhu Keding from Threat Hunter also stated that monitoring IoT cards from the source is not an easy task. “Operators are profit-driven, and their goal is to issue cards to make money; limiting the issuance of mobile cards inherently contradicts their interests.”
Therefore, the task of regulating the use of IoT cards seems to fall solely on the legal side.
According to Jiemian News reporters, there are currently no explicit legal provisions regarding IoT cards. However, in November 2016, the Ministry of Industry and Information Technology issued the “Implementation Opinions on Further Preventing and Combating Communication Information Fraud”, which required: “For new industry cards, strict audits of industry user units’ qualifications, required industry card functions, quantities, and business volumes must be conducted, adhering to the principle of ‘minimizing functions’, disabling voice and SMS functions, and utilizing technical means to strictly limit and bind the usage scope of industry cards (including accessible IP addresses, ports, calling and SMS numbers, etc.) and usage scenarios (such as device IMEI corresponding to card IMSI).”
Moreover, some enterprises have begun to sense the dangerous trend and are trying to control IoT cards. In September 2016, Taobao released a notice regarding the adjustment of the ban on the sale of card-type mobile phone products, establishing prohibitive measures for IoT cards that have not undergone standardized processes for real-name registration and have risks in real-name registration.
In November of that year, Taobao also issued an announcement on the special rectification of the sale of IoT card products, emphasizing that attaching IoT cards to products is equivalent to the same nature and is subject to the ban.
However, in February of this year, Taobao again adjusted its control measures, stating that IoT cards cannot be sold separately, but merchants can offer IoT card services along with hardware devices; at the same time, merchants providing IoT card services along with hardware devices need to be registered and contracted through the Alibaba Communication Tianji platform to ensure compliance with mandatory requirements for IoT card binding and real-name verification.
In fact, promoting the development of the IoT industry has already become a trend. In June of this year, the Ministry of Industry and Information Technology issued a notice on comprehensively promoting the construction and development of mobile IoT (NB-IoT), mentioning that by 2020, the NB-IoT network should achieve nationwide coverage.
Therefore, it can be anticipated that the number of IoT cards will continue to increase in the future, and how to balance the development of the IoT industry with the abuse of IoT cards will become a topic of concern for regulatory authorities.