Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Telecom under attack: demo of fraud scenarios and countermeasures
Similaire à Telecom under attack: demo of fraud scenarios and countermeasures (20)
Plus de PositiveTechnologies
Plus de PositiveTechnologies (6)
Dernier
Dernier (20)
Telecom under attack: demo of fraud scenarios and countermeasures
- 1. Telecom under attack fraud cases and countermeasures demo positive-tech.com
- 2. On call today Milan Březina Telecom and SMS fraud expert, Pre-Sales APAC, milan.brezina@positive-tech.com Sergey Puzankov Lead Security Researcher, sergey.puzankov@positive-tech.com
- 3. positive-tech.com Agenda A2P SMS termination with security bypass OTP SMS interception SIM swapping Attack demonstration & countermeasure techniques
- 4. 18 years of experience in R&D for enterprise cybersecurity services and products 9 years of dedication to telecom cybersecurity 2 R&D centers in Europe 41countries where we have done projects 60 assessments per year are performed by our experts for telecom companies 5G cybersecurity leader Positive Technologies is a leading global provider of cybersecurity solutions for telecom & mobile operators, a pioneer in signaling security research and active contributor to industry standards. RESEARCH & CONFERENCES 1st Telecom Cybersecurity Vendor We are the only company in the world focused on end-to-end cybersecurity for mobile operators Company profile
- 5. Positive evolution PRODUCTS SERVICES 20212002 2019 2020 Started as enterprise cybersecurity services company Service portfolio extended with IoT security, anti-fraud, and monitoring offerings Telecom Network Attack Discovery 5G-ready IP-traffic analysis product released #1 Signaling Firewall Award 2016 Second R&D center opened in Brno Telecom Attack Discovery Included in market guide 2014 World’s first fundamental SS7 security research released Telecom Attack Discovery IDS Signaling IDS released Starting as a cybersecurity services company, PT has enhanced its service portfolio with products that help to continuously deliver expertise and intelligence to customers. A separate business entity based out of Europe is rolled out Portfolio extended with cutting-edge 5G services 2018 Telecom Attack Discovery NGFW Next Generation Signaling Firewall released #1 Signaling Firewall Award
- 6. 88% of consumers say their perception of a business is improved when a business invests in customer experience, namely security. Experian — Global Identity & Fraud Report, 2020
- 8. A2P Trend
- 10. Grey route methods Termination through other MNOs Blending Termination through national aggregators Sim Box fraud
- 11. International SMS A2P FROM: Google Facebook YouTube WhatsApp Banks etc Alphanumeric Originating Address (OA) Facebook Originating Address (OA) 39353535 AGGREGATOR AA.19: “Addendum to the International GSM Roaming Agreement: SMS Interworking Agreement” Home Signaling Network MNO-1 MNO-2 MNO-3AGGREGATOR SS7 + AA.19 SS7 Attempts to send SMS
- 12. Solution on signalling layer ATTACK NAME ATTACK DESCRIPTION 1 Inconsistent SMS source Sources of the SendRoutingInfoForSM and ForwardSM signaling messages related to the same short message are different. This indicates an attempt to bypass an inter-operator charging system. 2 ForwardSM to an open SMS-C A short message of an outbound roamer was sent to an open SMS-C instead of home one in order to bypass short message charging in roaming 3 ForwardSM with incorrect OA format A mobile originating SMS was sent with incorrect address format of the SMS-C or MSISDN parameters in order to fool an inter-operator charging system. 4 ForwardSM with home SMS-C spoofing A mobile terminating SMS was sent with a spoofed SMS-C address by an address from the System owner range in order to bypass an inter-operator charging system 5 ForwardSM with foreign SMS-C spoofing A mobile terminating SMS was sent with a spoofed SMS-C address by an address from foreign range in order to bypass an inter-operator charging system 6 A2P SMS termination A mobile terminating SMS from an external connection contains a TP-originating-address in Alphanumeric format in order to bypass charging of the A2P SMS traffic. 7 Spoofed MO SMS sender In MO-ForwardSM, the SCCP CgPA does not correspond to address of a node where the subscriber is registered. This can be an attempt to spoof the SMS sender address.
- 14. General information Task to solve: User Authentication Process: OTP security tokens Validity: Up to 60s Medium: SMS, native application Motivation: Avoid common pitfall Avoid weak password Avoid sharing credentials Avoid reusing same password Usage: 2FA Google Authenticator Social media accounts Bank accounts Email accounts
- 15. Use case External SS7 Network MNO’s SS7 Network Malefactor HLR SMS-C 1. Registering the subscriber in a fake network 2. OK 4. Where is the subscriber? 5. Fake MSC/VLR 3. Subscriber is unable to receive SMS 6. SMS is sent to the attacker
- 16. Use case with security monitoring Malefactor Hacker GT International / National SS7 network Mobile Network Operator Bank 1. Register victim subscriber on a fake network with Hacker GT 4. OTP SMS redirected to the Hacker GT 3. OTP SMS IP network 2. Attack online bank on IP networks $$$ $$$
- 17. Use case with NG firewall Malefactor Hacker GT International / National SS7 network Mobile Network Operator Bank 1. Victim subscriber registration on a fake network is unsuccessful 3. OTP SMS IP network 2. Attack online bank on IP networks 4. OTP SMS delivered to the subscriber
- 19. Telecom Attack Discovery PT Telecom Attack Discovery (PT TAD) is a next- generation signaling security platform that empowers mobile network operators to secure core networks that use Signaling System 7 and the Diameter protocol, protect subscribers, and safeguard assets from hacker attacks. * Rated as the best signaling firewall platform two times in a row by independent market researchers Ongoing automated TAD FW configuration via integration with TAD IDS Blocking of malicious activity 5G-ready Next-Generation Signaling Security plattform Passive monitoring Retrospective analysis IDS FW
- 21. Shades of SIM swap SIM Swap Sim Jacker Sim cloning Fake owner Spoofed SMS
- 23. SIM swap types An insider in the MNO helps to issue a SIM card illegally. An attacker convinces a call centre operator to set up unconditional call and SMS forwarding. Physical change Telephone call
- 24. Who is affected MNO Bank Money transfer SIM swap OTP The victim is a client of the third party companies, who is simultaneously is the MNO subscriber. $$$
- 25. What we can do Policies, procedures, best practice. We can implement the system, with which the MNO will provide the third party companies with information that SIM card was reissued or forwarding service was activated by a call centre operator. The MNO is able to resell this information to the third party companies. Consulting Technical solution
- 26. TAD in SIM swap protection TAD Copy of signaling traffic Open API Bank Information requests Third party companies Information requests SIM change events Forwarding setup
- 27. What you receive SIM change and operator initiated call forwarding reaction in real time The system detects SIM change and operator initiated call forwarding with minimal delay (less than 1 sec) that is sufficient to withstand financial fraud. No insider influence on detection method SIM change and operator initiated call forwarding detection is based on technological data, CRM system is not involved in this procedure. That’s why an insider who has access to the CRM system cannot affect the detection mechanism. Clear business-case for the MNO Protected mobile operator is able to sell SIM change and operator initiated call forwarding information to the interested financial organizations.
- 28. positive-tech.com Takeaway points Process & Technical control improvement Tight communication Bank – MNO Common DB with API to suspend suspicious acting Monitoring & SIM Swap Detection by TAD
Notes de l'éditeur
- Welcome everyone, till most of registred atendees join this call, let us share the foreword. SP: Hope you have a great day which me and my colleage will try to enrich a bit yet. SP: Once again, a very pleasant day to everyone, it is our pleasure to welcome you here and we appreciate you booked your time for us. MB: Definitively, in return we‘d like to let you through our findings which might be very interesting. Before that, let me introduce us. (CLICK)
- I am Sergey – Telecom Security expert And my name‘s Milan – Telecom and SMS fraud expert MB: This was us, now what you can expect from today‘s call. (Click)
- SP: As the webinar announcement was promissing we try to meet your expectation, starting by A2P SMS termination MB: Then we touch OTP interception ... SP: also, we look at SIM swap MB: and at the end of this call, we‘d like to show you that there might exist ... A solution which helps operatiors to successfully combat above topics. SP: And Milan, one more thing MB: what is it? SP: The Q&A to let our valuable audience sharing their thoughts with us MB: Thats right Sergey, ladies and gentlemen, please have a pen and paper and make your notes, since this will be non-stop presentation, the end of it will be yours.
- MB: let us start with two opending slides and highlight our 1st telecom cybersecurity story SP: First and foremost Positive Technologies is a leading global provider of cybersecurity solutions for telecom & mobile operators, a pioneer in signaling security research, and active contributor to industry standards. We are the only company in the world with this kind of expertise, which comes from deep experience in cybersecurity, an understanding of MNOs from the inside, and telecom in general. The unique combination of these competencies gives us a special niche as the only company offering end-to-end services and products for securing telecom operators. MB: I only add that Over the years, we have contributed and continue to contribute to advancing the industry. As researchers, we actively work to develop industry best practices. Our research has laid the foundation for recommendations from the GSMA, ITU, and U.S. FCC. We never stop developing and researching. If we havent mentioned yet, our web site positive-tech.com can be use as a good source for your security queries.
- SP: Lets go quickly through this slide about our company. MB: Agree, let me jump directly at the end saying that during years 2019 and 2020, we expanded the portfolio to include 5G-tailored services and we have been ranked as Number 1 signalling firewall provider. +++++ Optional +++++ In 2002, we started as an enterprise security service company. In 2009, our portfolio expanded to include services for evaluating telecom security, and signaling networks in particular. We continued to explore this area and soon we introduced our first IDS product, which won recognition from Gartner. In 2018, we brought our signaling firewall onto the market and expanded our service portfolio. In 2019, Telecom Network Attack Discovery, our IP network traffic analysis solution, was added to our product line. A separate business entity based out of Europe was rolled out as well that year. And, of course, we are involved in the transition to a new generation of communications. During 2019 and 2020, we expanded the portfolio to include 5G-tailored services. In 2020, for the second time in a row, Positive Technologies has been ranked the #1 signaling firewall provider by independent market research. 1 https://www.gartner.com/en/documents/3327318/market-guide-for-operational-technology-security 2 https://www.roccoresearch.com/2018/12/11/the-leading-signalling-firewall-vendors-of-2018/ 3 https://positive-tech.com/about/news/positive-technologies-ranks-highest-in-the-rocco-signalling-firewall-vendor-performance-report-2020
- SP: Maybe before we open SIM Swap topic, let us share very interesting statistic with you. MB: Yes, this a very promissing indicator saying that also non-professionals positively react to the fact their MNO invest into the security. SP: Correct, this is a turnover from the past when people tend to omit or maybe ignore the security entirely.
- MB: I assume you know A2P messages and also the difference from P2P, both are the text message, both are being delivered to your phones. SP: But the most important fact and the reason why they are so interesting to the Fraudster is their price. MB: P2P messages we no longer notice is our mobile statements, since we get every mounth the unlimited packet of them, but once you want to use A2P channel you might be surprised how much you pay for your advertisement, notification or OTP for instance
- SP: This graph confims what Milan just said. On one side is Person to Person (P2P) messaging, a business badly tarnished and declining due to major competition From guys like Apple iMessage, WhatsApp, and several other OTT players offering free P2P alternatives. MB: But the flipside of SMS — Application to Person (A2P) SMS — glitters like gold thanks to global smartphone expansion. It’s a growing and profitable sector for mobile operators today because it’s used for all manner of enterprise-to-user communication. Banks, airlines, and on-line services (such as the Uber taxi) constantly use A2P to send notices, confirmations, or authentication messages to mobile subs. SP: So how big is this A2P market? The Global A2P & P2A Messaging Market is expected to grow from USD 55,481.26 Million in 2019 to USD 74,507.43 Million by the end of 2025
- MB: So we know how big the market is, now how such A2P architeture looks like. This is the example might be less or more coplex as per individual operater in given country. SP: As you can see the journey always starts by API which allows to submit messages. Saying by other words, there is a registration, agreement with any agregator to define the purpose, daily amount of traffic, notifiation, one directional or biderectional communication, etc. MB: sometime we can see MNO or Agregator already impleneted Spam Filter which together with Analytics part might help to reduce the illegiamte traffic. SP: And at the end of this journey there is SMS-center which is responsible to deliver the message to your phone.
- An A2P SMS gray route is a route that support SMS traffic but doesn’t generate revenue for telecoms. Event though a gray route is not properly monetized, the telecoms are still paying for signaling and network maintenance for this traffic. Telecoms cannot achieve their full revenue potential unless all grey routes are closed. MB: But not everyone is willing to pay for messages, so the people as used to be, trying to find ways how to avoid billing. Of course, the separate problem are OTT services, but these are out of scope for a moment. SP: Grey route 1 The most common type of grey route. It’s all about finding a way to terminate the traffic without reimbursing a mobile operator or do so paying local P2P rates. A long time ago, operators used to make direct contracts with each other allowing the traffic termination on partner’s networks for free. Today, this is very rare but some of the old agreements are still in play. So a “cunning partner” can use such contracts to terminate A2P messages. It disguises the international A2P traffic as P2P traffic, which is cheaper. As a subscriber, you might notice this when, say, requesting an authentication code to log into Facebook, and getting the code from a regular phone number of a local operator as if sent by another person, instead of a Facebook Sender ID. Learning: this is a very subtle scheme which many MNOs are unaware of, and which impacts their A2P volumes and revenue. We recommend checking all the zero rates contracts with local/roaming partners MB: Grey 2 - Blending A partner can start to sort the SMS traffic generated by a global enterprise to determine non-sensitive or urgent traffic (say ads rather than one-time passwords). To reduce costs and yet receive all profits, the partner can fake the delivery reports by not sending non-sensitive traffic to users. Learning: most services and mobile operators can’t catch on to the scheme. If tracking conversion rates, they can only see the decreasing, which could be caused by either technical issues or blending. In such cases, services usually warn their partners and change the routing scheme to ensure proper delivery. SP: Grey 3- Termination Internet An international partner approaches a local aggregator that terminates traffic generated by a local service (for instance, a delivery service). This local service has a registered Sender ID and national A2P rate which is lower than the international rate. The partner asks the aggregator to deliver its international A2P traffic under the guise of the local service, using the Sender ID of the local service. Kind of a win-win story. And the operator simply sees more “local delivery service messages” instead of international service traffic. Again, it is the mobile operator who loses. Learning: this scheme is also insidious, one way to catch it out would be to spot a rapid abnormal increase in the traffic volume of the local service and investigate it, which rarely happens. The best advice for an operator here is to examine the traffic terminated through its network and understand the traffic type, volume, seasonality. MB: Grey 4 – SIM Box This scheme is not so much a grey route, as a fraud. A SIM box is a hardware containing many SIM cards owned, housed, and stored by a third party but determined by MNO as simple mobile phones. What the fraudulent partner does, in this case, is it collaborates with the owner of this hardware (SIM “farm”) to terminate the traffic, literally cutting the operator out of the chain. This is a quick and easy and way for partners and SIM box owners to earn money on traffic termination. The operator isn’t being paid properly for the international traffic, as it is disguised as national P2P which is cheap or even free between local MNOs. Learning: MNOs wondering how to detect SIM box fraud have to make sure their SMS Firewalls are up to the challenge. Firewall solution is aimed at detecting and blocking some grey-route traffic. Another way to deal with SIM box is for example our solution we are going to introduce you in a minute.
- SP: Here is the how the international traffic might be disguised to avoid internation charging rates.
- MB: As was said there are many ways how you can protect netowok against such a fruadlent behaviour. There are SMS FW, or Spam filters but all has one in common, they work on SMS layer, this might be Already mentioned SMPP or Web protocols . But there is also one other way, maybe still overlooking by others . .... and this is signalling layer. Already here we can recognize when A2P traffic is going to bypass charging. I let now Sergey to describe one example of such A2P detection on the video we prepared for this demonstration.
- SP: SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications.
- MB: Despite SMS OTPs have come under heavy attack, especially by smartphone --- guys like Trojans, One-Time Passwords. (OTP) are utilized as an additional factor in multi-factor authorization/authentication applications. They are only valid for exactly one request. To avoid password lists, a convenient way to provide the user with an OTP is to send it via SMS. The phone number of the user must be registered for the service that provides SMS OTPs for authentication or authorization. You see how OTPs are quite popular as an additional authorization or authentication factor in web-based services for exmple Milan to describes
- SP: How does the activty look like, Sending the UpdateLocation message using IMSI of a target subscriber and Hacker GT as a new MSC and VLR, the hacker is able to disturb voice call and SMS services for the subscriber, intercept incoming SMS messages, and redirect incoming voice calls. Input data: IMSI identity. MB: We have got a typical situation where a person is simultaneously a mobile subscriber and bank client. Also, this person uses online and mobile banking services. An intruder is an experienced hacker who has access to the SS7 network and they possessed their own GT address. An important note, the Mobile network operator has implemented the Intrusion detection system PT TAD. The hacker starts the attack. On the first step they register a victim subscriber on a fake network with their own GT address. Now the hacker attacks the e-banking system on IP network. The bank sends a one-time password in a SMS. The most of intruders would be failed on this step, but as we remember our hacker has registered the subscriber on the fake network, that’s why the OTP SMS is delivered to the hacker’ equipment. Victim’s banking account is withdrawn. If the mobile operator have implemented TAD as an Intrusion detection system, the TAD watches all signaling traffic and able to detect the hacker’s activity. Let’s see how it looks like.
- MB: We have got a typical situation where a person is simultaneously a mobile subscriber and bank client. Also, this person uses online and mobile banking services. An intruder is an experienced hacker who has access to the SS7 network and they possessed their own GT address. An important note, the Mobile network operator has implemented the Intrusion detection system PT TAD. The hacker starts the attack. On the first step they register a victim subscriber on a fake network with their own GT address. Now the hacker attacks the e-banking system on IP network. The bank sends a one-time password in a SMS. The most of intruders would be failed on this step, but as we remember our hacker has registered the subscriber on the fake network, that’s why the OTP SMS is delivered to the hacker’ equipment. Victim’s banking account is withdrawn. If the mobile operator have implemented TAD as an Intrusion detection system, the TAD watches all signaling traffic and able to detect the hacker’s activity. Let’s see how it looks like.
- MB: We again have got a typical situation where a person is simultaneously a mobile subscriber and bank client. Also, this person uses online and mobile banking services. And again, the intruder is an experienced hacker who has access to the SS7 network and they possessed their own GT address. In this case the Mobile network operator has implemented the PT NG Signaling Firewall TAD. SP: When the intruder starts the attack with the subscriber registration on a fake network, the illegitimate request comes to the NG FW, which block the attack. The subscriber is not registered on the fake network and not affected. Even if the intruder proceed with the attack on e-banking system, the OTP SMS will be initiated by the bank and delivered to the subscriber. So, the hacker will not achieve their goal. Let’s see how it looks in the TAD system.
- Today We dont have a enough time for TAD demonstration in its full scope We are in love with our product, for those who havent experienced it yet, we look forward to meeting you on personal session. You can find the link in upcoming email with this webinar recording.
- Telecom cybersecurity monitoring 24x7 Automatic protection against cyberattacks Non-stop verification of security integrity Tight integration with virtual team services MB: PT TAD signaling IDS module provides full visibility and control over SS7, Diameter, and GTP core networks. It flags malicious traffic and helps to focus on security flaws as they are exploited in real time. Always be aware of new breaches and threats. Hunt for attackers with the most accurate and up-to-date intrusion detection system, powered by the industry-leading knowledge base. SP: PT TAD can analyze SS7, Diameter, and GTP traffic simultaneously to detect cross-protocol attacks, a new class of threats targeting all protocols in tandem. Only a copy of signalling traffic is needed for PT TAD to perform analysis and keep core networks and subscribers’ data safe. Analysis runs in the background, scrutinizing both incoming and outgoing traffic flows while maintaining full performance of all infrastructure and services. MB: PT TAD delivers robust active protection for SS7 and Diameter signalling networks with full performance and redundancy intact. Incoming STP traffic is checked for malicious attack patterns. Verified messages are looped back and passed on to the MNO signalling network. With regular updates from our research team, this mode is a powerful way to prevent current and emerging threats from reaching your core infrastructure, assets, and subscribers.
- Here you can see how large the the attack surface from MNOpoint of view: No telecom infrastructure is an island. The core business of an MNO is to closely interface with external consumers, organizations, and digital systems. This creates an enormous attack surface and plenty of opportunities for attackers to choose targets and methods.
- SP: We tendto say the Independent security is We believe – that The combination of our expertise in telecoms and your managed services solution, means we could jointly offer operators and enterprises e2e security. If I look at your market-leading solution providing end-to-end telecom security, I would say our portfolio perfectly fits into it - not as a competing but rather as a complement part. I would highlight this word. With our unique telco experience - we could enrich your managed security services For instance, our threat intelligence is optimized for the 5G networks, IoT, cloud solutions as well as the NFV infrastructure. All this using – Intrusion detection, Vulnerability Scanning and Various kind of audit. ---- We are ready to address cyber-attacks targeting the Remote control and monitoring --- of industrial systems and self-driving vehicles for instance.
- MB: SIM swap is probably the most known attack, but you will see, this is not only about SIM swap, There are swap shades, as
- There a few others such as: -Sim Jacker, you should probalby heard about it -Sim clonning this has very close to SIM swap if not the same -Fake owner is also method - using which - you can fool the authority -Spoofed SMS, excellent idea belonging to social engineering, SP: There are also a few sophisticatd methods such as Knowing IMSI + Ki values Direct access to HLR/HSS Through customer care, this also has somehting to do with social engineering and Abusing Mobile Number Portability SP: One of the most recent tactic is - to request a porting authorisation code [PAC] to port the victim’s number to a different network Once criminals own the victim’s number, they are able to intercept bank authorisations sent via SMS – or other OTP related services MB: Variously called sim splitting, simjacking, sim hijacking and port-out scamming, the fraud focuses on moving control of your phone account from through sim card to one controlled by the criminal.
- MB: I wanted to to say is - if you know how, you might get some money, but if you take it from the dark side, possibly you might end up in jail. SP: These are only few from any articles which have been recently released.
- MB: We can say, that although mobile phones and general security measures have changed over the five years, the way or the tactic - this fraud might work has remained unchanged. SP: The criminals obtain a victim’s personal information which might be bank details, address and many others – by seeking social networks or by mining data stolen during the breach of an online company’s systems. MB: What typically results in contacting the victim’s mobile phone provider, pretending to be the victim, and requesting a NEW sim
- SP: Generally all parties, Victim subscriber, Reputation of Service Provide and complaint to MNO MB: The problem is that Banks as well as MNO longer ignored this risk and didnt pay attention much. Nowaday it is different, they are blaming each other, disussing responsiblity but many realized there is a need to find the common ground and devise the solution,.
- SP: There are ways to mitigate the problem: Usually someone first becomes aware that they have fallen victim to a sim-swap scam when their phone stops working or they discover they are unable to access bank and credit card accounts. Or they may get a text message or an email prior to the swap taking place. MB: As with many frauds around bank security, there are simple ways for consumers to avoid being scammed: Don’t respond to unsolicited emails, texts or phone calls. These may allow attackers to access personal data which can then be used to convince the bank that they are you. Don’t overshare personal details on social networks. Avoid putting your birth date, that of children or relatives, the name of your first pet or school, as these are all frequently used as the answers to questions that banks ask. If your phone stops working normally, inform both your bank and your mobile phone provider. Try and use an app such as Google Authenticator for one-time passcodes. Use passwords that only you will know and which are unique.
- MB: To be more contrete, we can apply a robust solution and a mediator (usingOpen API And this is how it would work -once you implement that. Procedure: TAD indentifies valid or illegimite SIM card change or forwarding setup - in the mobile phone Informs DB 3rd party raises information request OR Bank might do the same If all validation process is correct the requested , transation will proceed. If not, it can supress, postpone, declined. Etc...
- SIM change and operator initiated call forwarding reaction in real time No insider influence on detection method Clear business-case for the MNO
- not OTP, but suspend account temporarilly. another procedure.