June 21, 2017

Why mobile networks need a culture of innovation to combat fraud

Hackers have emptied the bank accounts of a number of O2-Telefonica customers, reported Süddeutsche Zeitung last month. A security hole in the network protocol used by mobile networks around the world was key to these attacks. It’s the latest case to catch the attention of newspaper editors. But it won’t be the last.

Fraudsters are tapping into the SS7 signalling network – shelling out little more than pocket change for subscriptions – $500 can get them a ticket to eavesdrop on calls, access bank accounts, track users’ locations – those are just some of the exploits.

It’s a case of the weakest link: banks and other organisations are strengthening their internal processes. What’s left is an SS7 vulnerability hangover from the ‘security’ of the 1980s. The authentication built into SS7 is like a gate through a picket fence – because back in the 80s organisations with SS7 access were all state-owned, or large corporations – and they simply trusted each other.

In 2017, the landscape is of course very different. Network functions are different – the growth of Application-to-Person SMS being one example; and there are now 800-plus operators in the market. Operators and roaming hubs are selling access. Some operators have even resorted to selling their roaming agreements – and once someone has access in one territory, they have access to the SS7 network – and all subscribers – worldwide.

Fraudsters have a pretty easy time. To intercept a call or SMS they only need the phone number of their target subscriber and a little knowledge of the subscriber’s home network. Intercept a password sent by a bank via SMS and relieve the target of their hard-earned cash. Spoof the subscriber’s location, and use premium rate lines to defraud.

That’s just a snapshot of the vulnerabilities inherent to SS7. But mobile networks are transferring to the diameter protocol, so isn’t all this resolved? Why the need to innovate to combat fraud?

Well, here are some facts that are keeping network operators alert:

  • Many of the concepts used in the SS7 network environment have been ported to Diameter – and with that, come similar threats.
  • It’s still early days in the rollout of Diameter, which means there’s significant potential for the emergence of vulnerabilities and threats that haven’t yet been considered. As Diameter connections between networks become more prevalent, the risks increase.
  • Diameter is a simpler protocol than SS7, which makes for a much lower barrier to entry for companies developing solutions. With less domain knowledge and less expertise in signalling, comes less experience in delivering critical, telecoms grade solutions.
  • There is simply not enough expertise available worldwide to perform adequate penetration tests on Diameter equipment.
  • Diameter networks have an interworking function to legacy SS7 networks. The SS7 legacy will remain for years to come. SS7 vulnerabilities remain a concern.

All this means that Diameter is equally vulnerable to attack. And, because the Diameter network is an all-data IP based network, more interfaces and network equipment are exposed in attacks – the impact of intrusion may be even greater than in the legacy SS7 networks.

So operators are scrambling to secure the fortress. A peek at their shopping lists – they’re looking at installing a signalling firewall that detects and prevents all categories of SS7 and Diameter attacks specified by the GSMA. As new attack threats develop, they need to neutralise these with a simple rules update – rather than have rules and threat types hard-baked into a module that takes time to update. They need the ability to alter or remove any part of a message / create any new message, in any protocol, containing any parameters, so they can for example remove sensitive information such as Cell ID; and so they can return fake information – e.g. send a fake acknowledgement back to the attacker to deceive them into thinking the attack was successful.

And the landscape is continually reforming. With the growth of IoT for example, the task of sifting through masses of data to extract and manipulate threat elements is ever greater; and operators are looking for ways to do this without excessive manual effort. This is where the field of machine learning and artificial intelligence is likely to come to the fore – with an evolving system that identifies patterns and anomolies and presents highly usable insights to operators.

Network security is in catch-up mode; and the vulnerabilities are deep. Operators must outwit fraudsters as their methods become more sophisticated; and they must move ahead as they navigate the new terrain.

So we need innovation. That’s a bit of a buzz word. But a true culture of innovation is a fine art. Engineers must have a thorough understanding of the domain in order to tackle the problems – they need to be exposed to the entire ecosystem from defining requirements through to installation and ongoing support.

The engineering companies that will stay ahead are those that are interested in the evolution of ideas – those that continually take small steps in new directions. Sometimes these steps are not successful. Innovative thinking is needed to turn failures into successes. This comes back to simple trust – an environment where anybody in an organisation can put forward their ideas with confidence.

To compete with the fraudsters, whether it’s SS7 or Diameter, operators need to be conversant in the fine art of innovation. It’s not enough to see the word in print – bandied about as a buzzword. Operators need to recognise innovation in their security vendors. This is how they’ll put the culture of innovation to work, to combat fraud.


Daniel McTague is a Technical Architect at Cellusys, leading a team developing our Signalling Firewall.

Categorised in:

June 21, 2017