Telecoms fraud is a serious business. According to Cifas, the UK’s leading fraud prevention service, fraud against telecoms products accounted for more than half of the 364,643 cases recorded overall in 2019.
Vulnerabilities in networks mean mobile telecom operators and subscribers are susceptible to a host of attacks, including identity fraud, account takeover, or payment fraud. A global study by the Communications Fraud Control Association (CFCA) revealed that fraud in all its forms cost the telecommunications industry more than $29bn in 2018, eating into operators’ revenue by as much as 10 percent.
Telecoms fraud affects subscribers and brands as well, with calls being redirected and SMS messages intercepted in order to funnel illicit funds into criminals’ accounts.
For many years, criminals have been able to exploit critical weaknesses in signaling protocols such as SS7 and Diameter to carry out fraud. This year, Positive Technologies’ researchers found vulnerabilities on 100 percent of the networks they tested. It’s vital, therefore, that operators remain aware of the vulnerabilities in their networks, and how they can be exploited. Only then can they take the steps necessary to protect against further fraudulent activity.
Financial losses
SS7 (Signalling System Number Seven), a networking protocol, originally designed to transfer service data such as voice calls in the 1970s, is exposed to a number of vulnerabilities. It would be quite easy, for example, for an attacker to intercept subscribers’ SMS or eavesdrop on conversations.
Attacks using falsified SMS messages can result in direct financial losses for operators. Different fees are established for the termination of different types of SMS messages but by sending out advertising or phishing messages via falsified originating SMS, an attacker can avoid paying the associated fees.
What’s more, if an attacker finds a way of distributing messages usually sent by banks, social networks, and internet services, they can claim a significant portion of the funds usually paid by those services to the operator.
Voice calls can be redirected, too, for the benefit of the fraudster. By registering a subscriber with a fictitious network and an altered roaming number, calls will be redirected and made at the expense of the operator. If this is forwarded to a premium rate number the hacker can receive payment directly with the cost paid for - unwittingly - by the subscriber.
Lifting restrictions
During the move to 4G, some of the SS7 functionality of SS7 was replaced by the Diameter protocol which, like its predecessor, isn’t fully secure. According to our 2018 research, one third of networks were vulnerable to fraud, particularly the lifting of restrictions to enable attackers to use communication services for free.
To this end, attackers can make great use of information from subscriber profiles, such as phone number, mobile device status, and access point (APN) configuration. These profiles also contain billing parameters and restrictions on mobile services which, although it can be relatively difficult to implement, can be modified by attackers to suit their purposes.
Using services beyond the restrictions imposed by an operator can cause direct financial damage to that operator. Posing as trusted network nodes, an attacker can send a specially generated message to lift restrictions on the provision of services. This then gives them unlimited access to services not covered by a user’s tariff plan, and means they will not be disconnected even if their account runs out of money and the operator disconnects them from the network. Services of this kind can also be sold to third parties.
Proactive steps
Telecoms fraud, whether exploiting vulnerabilities in SS7 or Diameter protocols, can be costly - both financially, and in terms of a company’s reputation.
The UK’s Metro Bank, for example, was attacked in January 2019 when, by registering target mobiles on a fake network and triggering financial transactions, hackers intercepted the SMS authentication codes and collected customer funds. The accounts of Reddit’s employees were also compromised, with weaknesses in the signaling protocol allowing hackers to intercept sensitive details in SMS messages to access administration accounts.
Most signaling flaws are either due to misconfigured or vulnerable network equipment, or to fundamental issues in networking protocols, both of which require additional security measures.
These measures must be considered as a whole and must include regular analysis of network security, maintaining up-to-date security settings, continuous monitoring and analysis of signaling traffic, timely detection of illegitimate activity, and early response to emerging threats.
There’s little hope that the introduction of 5G will minimize the risk of fraud, at least not for the foreseeable future. Most 5G networks today rely on the infrastructure of previous-generation 4G LTE networks, and will, therefore, inherit existing vulnerabilities.
Given the levels of telecom fraud, and the frequency at which they occur, operators need to take proactive steps now to protect their networks.