Is SS7 The Security Flaw We Should All Know About?

By Ryan Gosling | March 4, 2019 | Updated: December 30, 2021 | 5 Mins Read

It can be very frustrating when you’re asked to enter your details multiple times into your online banking, only to be told again that your bank can’t confirm who you are. Usually, the bank will then send an SMS or place a call to your telephone number with an authorisation code, which you can enter into the app or platform to validate your identity. This additional layer of authentication is now frequently used by financial organisations worldwide.

You may recall the Metro Bank hack in February, which highlighted a major problem with this process: SS7. This global protocol is the international telecommunications standard that mobile network operators (MNOs) use to exchange the data needed to transfer calls and messages between each other, and to make sure they are charging their customers properly. SS7 is also in use when MNOs need to transfer data between networks, for example when a customer asks for data roaming when abroad. When it was invented in the 1970s, the SS7 vulnerability wasn’t even a consideration – the telephony industry was made up of only a few network operators who all trusted one another to be accountable for their actions. Fast-forward 40 years and we now have hundreds of MNOs, which makes tracking whether these SS7 messages are legitimate a near-impossible task.

Of course, there are some security measures in place to protect the consumer: if a fraudster is making an attempted hack, outbound calling or SMS is meant to stop them in their tracks. However, these individuals are smart, and have unparalleled knowledge about how to navigate this vulnerability. Consequently, they have the understanding and tools to hack into certain networks and launch attacks from there into any connected telephony network. With relative ease, fraudsters can misdirect the real customer’s SMS or outbound verification call by exploiting the SS7 protocol vulnerabilities.

Despite multiple news stories about the victims of SS7 attacks, the problem has not been easy to fix, which can partly be attributed to the complex nature of the legacy technology. Some MNOs have tried to help solve the problem but have come up against stumbling blocks. For instance, there are some valid circumstances where SS7 cannot be filtered out at the network boundary – again, call roaming is a good example of this. As a result, as soon as a hacker manages to get into an SS7 network, they can target victims by forwarding chosen SS7 messages to any network they like from a remote location. In addition, this can go undetected by both the MNO and the fraud target.

Although there is no solution currently available, businesses can start to follow a basic set of rules to help mitigate the problem and keep their customers safe.

  1. Get the right research – Using calls and SMS for authentication can still be a secure way of operating, but only if the company using them has the right defence and security measures in place. Paying a security company that has an integrated research arm means that any new attacks that crop up, including SS7, will immediately be flagged and methods of protection can be updated as required.
  2. Security policies are paramount – A flexible and robust security process is critical to being able to navigate the SS7 vulnerability. Businesses must mitigate against potential future scenarios where SS7 might be compromised. Of course, internal policies must be reviewed on an ongoing basis so that the company can be sure that the most appropriate methods of authentication are in place.
  3. Integrate an intelligence engine – The most comprehensive means of tackling SS7 is by integrating an intelligence engine which can identify unusual behaviour. By collating the maximum number of data points available, including device, SIM swap, call divert, roaming statuses etc. from specialist services and MNOs, businesses can generate a picture of what their customers’ normal behaviour should be. This way they can make an evaluation of an individual carrying out a transaction and compare these actions to how they would normally behave. Any information about attempted fraud can then be fed back into the intelligence engine so that it can build up an ever more detailed and accurate understanding of what unusual behaviour looks like.

So, what happens when an anomaly is flagged or a possible SS7 compromise recognised? For these actions a ‘higher risk score’ is given to the transaction in question and, in turn, the company is instructed to add in additional authentication steps to make sure the customer is who they claim to be. Extra layers of authentication could include using a card reader, answering security questions or extra behavioural authentication.
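The scoring and step-up decision described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the field names, weights, threshold and 72-hour SIM swap window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Signals:  # data points the article lists; field names are assumptions
    device_id: str
    last_sim_swap: Optional[datetime]  # e.g. from an MNO or specialist lookup
    call_divert_active: bool
    roaming: bool

@dataclass
class Baseline:  # the customer's normal behaviour, learned from past sessions
    known_devices: set
    usually_roams: bool

# Constructed weights and threshold; tune them against confirmed fraud reports.
WEIGHTS = {"new_device": 25, "recent_sim_swap": 40, "call_divert": 35, "unusual_roaming": 15}
STEP_UP_THRESHOLD = 40
SIM_SWAP_WINDOW = timedelta(hours=72)

def score(sig, base, now):
    """Return (risk score, reasons) by comparing signals with the baseline."""
    reasons = []
    if sig.device_id not in base.known_devices:
        reasons.append("new_device")
    if sig.last_sim_swap is not None and now - sig.last_sim_swap <= SIM_SWAP_WINDOW:
        reasons.append("recent_sim_swap")
    if sig.call_divert_active:
        reasons.append("call_divert")
    if sig.roaming and not base.usually_roams:
        reasons.append("unusual_roaming")
    return sum(WEIGHTS[r] for r in reasons), reasons

def choose_authentication(sig, base, now):
    """Keep SMS/call codes for normal sessions; step up when the score is high."""
    total, reasons = score(sig, base, now)
    method = "step_up" if total >= STEP_UP_THRESHOLD else "sms_otp"
    return {"method": method, "score": total, "reasons": reasons}

def record_outcome(sig, base, fraud_confirmed):
    """Feedback loop: only sessions confirmed legitimate extend the baseline."""
    if not fraud_confirmed:
        base.known_devices.add(sig.device_id)

if __name__ == "__main__":
    now = datetime(2019, 3, 4, 12, 0, tzinfo=timezone.utc)  # constructed sample
    base = Baseline({"phone-A"}, usually_roams=False)
    print(choose_authentication(Signals("phone-A", now - timedelta(hours=2), True, False), base, now))
```

A `step_up` result means the code is not sent over SMS or voice at all; the customer is routed to a card reader, security questions or behavioural checks instead.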

Even with the latest and most secure security policies in place, there are still ways for fraudsters to exploit the SS7 vulnerability. Those in the industry are trying to solve the problem with newer protocols, including Diameter for 4G networks, but even these haven’t managed to completely eradicate the vulnerabilities that sit with SS7. For example, on 4G networks, calls and SMS still use SS7 for backwards compatibility and to guarantee reliable coverage. When designing the next protocol, there are some considerations that must be taken into account so that consumers are better protected. Firstly, having an effective secure communication system which also reduces risk is key. Secondly, companies must consider potential cases of misuse from the outset, as well as regular usage scenarios. This way they can ensure that the required strategy can be put in place and dramatically reduce the likelihood of a repeat Metro Bank hack on their turf.

Ryan Gosling

Head of Partnerships

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
