Telecom fraud is booming worldwide at an alarming rate and has become a major source of revenue loss for mobile operators. According to the CFCA, mobile operators lost $28 billion to fraud in 2019. SIM swapping has again become a hot-button topic in the telecom industry. This worrying trend is provoking disputes between banks and telecoms and causing harm all around.
Our security experts Sergey Puzankov and Milan Březina show how different attacks in the telecom world are carried out and how to protect against them, including:
- SIM swapping
- A2P SMS termination with security bypass
- OTP SMS interception
2. On call today
Milan Březina, Telecom and SMS fraud expert, Pre-Sales APAC, milan.brezina@positive-tech.com
Sergey Puzankov, Lead Security Researcher, sergey.puzankov@positive-tech.com
4. Company profile
- 18 years of experience in R&D for enterprise cybersecurity services and products
- 9 years of dedication to telecom cybersecurity
- 2 R&D centers in Europe
- 41 countries where we have done projects
- 60 assessments per year are performed by our experts for telecom companies
- 5G cybersecurity leader
Positive Technologies is a leading global provider of cybersecurity solutions for telecom & mobile operators, a pioneer in signaling security research and an active contributor to industry standards.
Research & conferences
1st telecom cybersecurity vendor: we are the only company in the world focused on end-to-end cybersecurity for mobile operators.
5. Positive evolution (timeline of products and services)
Starting as a cybersecurity services company, PT has enhanced its service portfolio with products that help to continuously deliver expertise and intelligence to customers.
- 2002: started as an enterprise cybersecurity services company
- 2014: world's first fundamental SS7 security research released; Telecom Attack Discovery IDS (signaling IDS) released
- 2016: Telecom Attack Discovery included in market guide; second R&D center opened in Brno
- 2018: Telecom Attack Discovery NGFW (Next Generation Signaling Firewall) released; #1 Signaling Firewall Award
- 2019: Telecom Network Attack Discovery, a 5G-ready IP-traffic analysis product, released; a separate business entity based out of Europe rolled out
- 2020: portfolio extended with cutting-edge 5G services; #1 Signaling Firewall Award
- 2021: service portfolio extended with IoT security, anti-fraud, and monitoring offerings
6. 88% of consumers say their perception of
a business is improved when a business invests
in customer experience, namely security.
Experian — Global Identity & Fraud Report, 2020
11. International SMS A2P (diagram)
Senders: Google, Facebook, YouTube, WhatsApp, banks, etc. A message carries either an alphanumeric Originating Address (OA) such as "Facebook" or a numeric OA such as 39353535.
Path: sender, then aggregator, then over SS7 into the home signaling network of MNO-1, MNO-2 or MNO-3. The MNOs are connected over SS7 under AA.19 ("Addendum to the International GSM Roaming Agreement: SMS Interworking Agreement"); the diagram also shows an aggregator making SS7 attempts to send SMS directly.
12. Solution on signalling layer
Attack name and attack description:
1. Inconsistent SMS source: the sources of the SendRoutingInfoForSM and ForwardSM signaling messages related to the same short message are different. This indicates an attempt to bypass an inter-operator charging system.
2. ForwardSM to an open SMS-C: a short message of an outbound roamer was sent to an open SMS-C instead of the home one in order to bypass short message charging in roaming.
3. ForwardSM with incorrect OA format: a mobile originating SMS was sent with an incorrect address format of the SMS-C or MSISDN parameters in order to fool an inter-operator charging system.
4. ForwardSM with home SMS-C spoofing: a mobile terminating SMS was sent with the SMS-C address spoofed by an address from the system owner's range in order to bypass an inter-operator charging system.
5. ForwardSM with foreign SMS-C spoofing: a mobile terminating SMS was sent with the SMS-C address spoofed by an address from a foreign range in order to bypass an inter-operator charging system.
6. A2P SMS termination: a mobile terminating SMS from an external connection contains a TP-Originating-Address in alphanumeric format in order to bypass charging of the A2P SMS traffic.
7. Spoofed MO SMS sender: in MO-ForwardSM, the SCCP CgPA does not correspond to the address of the node where the subscriber is registered. This can be an attempt to spoof the SMS sender address.
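The seven rules above are stated as descriptions only. As an added illustration (not code from the slides or from PT TAD), the following Python applies each rule to constructed, simplified SMS signalling records; the home SMS-C range, the serving-node registry, the five-digit "operator prefix" used to judge whether an SMS-C address belongs to the sending network, and all sample addresses are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed home SMS-C address range and a sample MSISDN -> serving MSC/VLR GT registry
# (constructed values, not real operator data). Addresses are E.164 digits without '+'.
HOME_SMSC_PREFIX = "39353"
REGISTRY: Dict[str, str] = {"393331000001": "393530000010"}

# International numeric address: leading non-zero digit, 7 to 15 digits in total
E164 = re.compile(r"^[1-9]\d{6,14}$")


@dataclass
class SmsSignal:
    kind: str                      # "SRI-SM", "MT-FSM" or "MO-FSM"
    cgpa: str                      # SCCP calling party GT the message arrived from
    smsc: str                      # service-centre address carried in SM-RP-OA / SM-RP-DA
    msisdn: str                    # recipient (MT) or sender (MO)
    external: bool                 # arrived over an external (interconnect) link
    sm_ref: str = ""               # correlates the SRI-SM with the MT-FSM of one short message
    tp_oa_alpha: bool = False      # TP-Originating-Address is alphanumeric
    outbound_roamer: bool = False  # MO sender is currently roaming abroad


def network_of(addr: str) -> str:
    """Assumption: the first five digits identify the operator range an address belongs to."""
    return addr[:5]


def classify(msgs: List[SmsSignal], registry: Dict[str, str] = REGISTRY) -> List[Tuple[int, str, int]]:
    """Return (rule number, rule name, message index) for every slide-12 pattern matched."""
    hits: List[Tuple[int, str, int]] = []
    sri_source: Dict[str, str] = {}  # sm_ref -> GT that asked for routing info
    for i, m in enumerate(msgs):
        if m.kind == "SRI-SM":
            sri_source[m.sm_ref] = m.cgpa
        elif m.kind == "MT-FSM":
            # rule 1: delivery attempted from a node other than the one that asked for routing info
            if m.sm_ref in sri_source and sri_source[m.sm_ref] != m.cgpa:
                hits.append((1, "inconsistent SMS source", i))
            # rule 4: an external node claims an SMS-C address from our own range
            if m.external and m.smsc.startswith(HOME_SMSC_PREFIX):
                hits.append((4, "home SMS-C spoofing", i))
            # rule 5: the claimed SMS-C address is not from the sending network's range
            elif m.external and network_of(m.smsc) != network_of(m.cgpa):
                hits.append((5, "foreign SMS-C spoofing", i))
            # rule 6: alphanumeric sender arriving over an interconnect link is A2P traffic
            if m.external and m.tp_oa_alpha:
                hits.append((6, "A2P SMS termination", i))
        elif m.kind == "MO-FSM":
            # rule 2: an outbound roamer submits to an SMS-C outside the home range
            if m.outbound_roamer and not m.smsc.startswith(HOME_SMSC_PREFIX):
                hits.append((2, "ForwardSM to an open SMS-C", i))
            # rule 3: SMS-C or MSISDN address is not a well-formed international number
            if not (E164.match(m.smsc) and E164.match(m.msisdn)):
                hits.append((3, "incorrect OA format", i))
            # rule 7: CgPA is not the node where the sender is known to be registered
            if registry.get(m.msisdn) not in (None, m.cgpa):
                hits.append((7, "spoofed MO SMS sender", i))
    return hits


# Constructed sample trace: one legitimate delivery followed by one record per fraud pattern
SAMPLE: List[SmsSignal] = [
    SmsSignal("SRI-SM", "491710000100", "491710000100", "393331000001", True, sm_ref="a1"),
    SmsSignal("MT-FSM", "491710000100", "491710000100", "393331000001", True, sm_ref="a1"),
    SmsSignal("SRI-SM", "491710000100", "491710000100", "393331000001", True, sm_ref="a2"),
    SmsSignal("MT-FSM", "447700000200", "447700000200", "393331000001", True, sm_ref="a2"),
    SmsSignal("MT-FSM", "447700000200", "393530000001", "393331000001", True, sm_ref="a3"),
    SmsSignal("MT-FSM", "447700000200", "331200000300", "393331000001", True, sm_ref="a4",
              tp_oa_alpha=True),
    SmsSignal("MO-FSM", "491710000100", "491710000100", "393331000002", True, outbound_roamer=True),
    SmsSignal("MO-FSM", "447700000200", "0039353", "393331000001", True),
]

if __name__ == "__main__":
    for rule, name, idx in classify(SAMPLE):
        print(f"rule {rule} ({name}) matched record {idx}")
```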
14. General information
Task to solve: user authentication
Process: OTP security tokens
Validity: up to 60 s
Medium: SMS, native application
Motivation: avoid common pitfalls (weak passwords, sharing credentials, reusing the same password)
Usage: 2FA (Google Authenticator); social media, bank and email accounts
15. Use case (diagram: a malefactor in an external SS7 network; HLR and SMS-C in the MNO's SS7 network)
1. Malefactor to HLR: registering the subscriber in a fake network
2. HLR: OK
3. Subscriber is unable to receive SMS
4. SMS-C to HLR: where is the subscriber?
5. HLR: fake MSC/VLR
6. SMS is sent to the attacker
16. Use case with security monitoring (diagram: malefactor with Hacker GT, international/national SS7 network, mobile network operator, bank, IP network)
1. Register victim subscriber on a fake network with Hacker GT
2. Attack online bank on IP networks ($$$)
3. OTP SMS
4. OTP SMS redirected to the Hacker GT ($$$)
17. Use case with NG firewall (diagram: malefactor with Hacker GT, international/national SS7 network, mobile network operator, bank, IP network)
1. Victim subscriber registration on a fake network is unsuccessful
2. Attack online bank on IP networks
3. OTP SMS
4. OTP SMS delivered to the subscriber
19. Telecom Attack Discovery
PT Telecom Attack Discovery (PT TAD) is a next-generation signaling security platform that empowers mobile network operators to secure core networks that use Signaling System 7 and the Diameter protocol, protect subscribers, and safeguard assets from hacker attacks.
* Rated as the best signaling firewall platform two times in a row by independent market researchers
5G-ready next-generation signaling security platform:
- IDS: passive monitoring, retrospective analysis
- FW: blocking of malicious activity
- Ongoing automated TAD FW configuration via integration with TAD IDS
23. SIM swap types
- Physical change: an insider in the MNO helps to issue a SIM card illegally.
- Telephone call: an attacker convinces a call centre operator to set up unconditional call and SMS forwarding.
24. Who is affected (diagram: MNO, bank, SIM swap, OTP, money transfer, $$$)
The victim is a client of the third-party companies who is simultaneously the MNO's subscriber.
25. What we can do
- Consulting: policies, procedures, best practice.
- Technical solution: we can implement a system with which the MNO provides third-party companies with the information that a SIM card was reissued or a forwarding service was activated by a call centre operator. The MNO is able to resell this information to the third-party companies.
26. TAD in SIM swap protection (diagram)
TAD receives a copy of the signaling traffic and exposes SIM change events and forwarding setup through an Open API; the bank and other third-party companies send information requests to that API.
27. What you receive
- SIM change and operator-initiated call forwarding reaction in real time: the system detects SIM change and operator-initiated call forwarding with minimal delay (less than 1 sec), which is sufficient to withstand financial fraud.
- No insider influence on the detection method: SIM change and operator-initiated call forwarding detection is based on technological data; the CRM system is not involved in this procedure. That's why an insider who has access to the CRM system cannot affect the detection mechanism.
- Clear business case for the MNO: the protected mobile operator is able to sell SIM change and operator-initiated call forwarding information to the interested financial organizations.
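Slides 26 and 27 describe TAD deriving SIM change and operator-initiated forwarding events from signalling data (not from the CRM) and exposing them over an Open API that banks query before trusting an SMS OTP. The following Python is an added illustration of that flow, not PT TAD's code or API; the event feed, the 72-hour window, the suspend/postpone/proceed policy and the sample numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SimEvent:
    msisdn: str
    kind: str          # "sim_change" or "operator_forwarding"
    at: datetime
    detail: str = ""


class SimChangeFeed:
    """Derives SIM-change and operator-initiated forwarding events from signalling
    observations only, so CRM data (and a CRM insider) cannot influence detection."""

    def __init__(self) -> None:
        self.serving_imsi: Dict[str, str] = {}  # MSISDN -> IMSI last seen registering
        self.events: List[SimEvent] = []

    def observe_registration(self, msisdn: str, imsi: str, at: datetime) -> bool:
        """A registration under a new IMSI for a known MSISDN means the SIM was reissued."""
        previous = self.serving_imsi.get(msisdn)
        self.serving_imsi[msisdn] = imsi
        if previous is not None and previous != imsi:
            self.events.append(SimEvent(msisdn, "sim_change", at, f"{previous}->{imsi}"))
            return True
        return False

    def observe_forwarding(self, msisdn: str, initiator: str, at: datetime) -> bool:
        """Only forwarding set up by a call-centre operator is reported; forwarding the
        subscriber activates via self-service is normal behaviour and is not flagged."""
        if initiator == "operator":
            self.events.append(SimEvent(msisdn, "operator_forwarding", at))
            return True
        return False

    def information_request(self, msisdn: str, since: datetime) -> List[SimEvent]:
        """The Open API call a bank or third party makes before relying on an SMS OTP."""
        return [e for e in self.events if e.msisdn == msisdn and e.at >= since]


def transaction_decision(feed: SimChangeFeed, msisdn: str, now: datetime,
                         window: timedelta = timedelta(hours=72)) -> str:
    """Constructed bank-side policy: recent SIM change -> suspend the account temporarily,
    recent operator-initiated forwarding -> postpone and verify out of band, else proceed."""
    recent = feed.information_request(msisdn, now - window)
    if any(e.kind == "sim_change" for e in recent):
        return "suspend"
    if recent:
        return "postpone"
    return "proceed"


def demo() -> Dict[str, str]:
    """Constructed timeline for four subscribers (sample numbers, not real)."""
    t0 = datetime(2021, 3, 1, 9, 0)
    feed = SimChangeFeed()
    # ...001: SIM reissued one hour after the original registration
    feed.observe_registration("393331000001", "222010000000001", t0)
    feed.observe_registration("393331000001", "222010000000099", t0 + timedelta(hours=1))
    # ...002: a call-centre operator activated forwarding
    feed.observe_registration("393331000002", "222010000000002", t0)
    feed.observe_forwarding("393331000002", "operator", t0 + timedelta(hours=2))
    # ...003: subscriber self-service forwarding, then the same SIM re-registers
    feed.observe_registration("393331000003", "222010000000003", t0)
    feed.observe_forwarding("393331000003", "subscriber", t0 + timedelta(hours=2))
    feed.observe_registration("393331000003", "222010000000003", t0 + timedelta(hours=3))
    # ...004: SIM change four days ago, outside the 72-hour risk window
    feed.observe_registration("393331000004", "222010000000004", t0 - timedelta(days=5))
    feed.observe_registration("393331000004", "222010000000044", t0 - timedelta(days=4))
    now = t0 + timedelta(hours=4)
    return {m: transaction_decision(feed, m, now)
            for m in ("393331000001", "393331000002", "393331000003", "393331000004")}


if __name__ == "__main__":
    for msisdn, decision in demo().items():
        print(msisdn, decision)
```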
28. positive-tech.com
Takeaway points
- Process & technical control improvement
- Tight communication bank – MNO
- Common DB with API to suspend suspicious activity
- Monitoring & SIM swap detection by TAD
Welcome everyone. While most of the registered attendees join this call, let us share the foreword.
SP: Hope you have a great day, which my colleague and I will try to enrich a bit.
SP: Once again, a very pleasant day to everyone. It is our pleasure to welcome you here and we appreciate that you booked your time for us.
MB: Definitely. In return, we'd like to walk you through our findings, which might be very interesting. Before that, let me introduce us. (CLICK)
I am Sergey, Telecom Security expert.
And my name's Milan, Telecom and SMS fraud expert.
MB: This was us; now, what you can expect from today's call. (Click)
SP: As the webinar announcement was promising, we will try to meet your expectations, starting with A2P SMS termination.
MB: Then we touch on OTP interception ...
SP: also, we look at SIM swap
MB: and at the end of this call, we'd like to show you that there might exist ... a solution which helps operators to successfully combat the above topics.
SP: And Milan, one more thing.
MB: What is it?
SP: The Q&A, to let our valuable audience share their thoughts with us.
MB: That's right, Sergey. Ladies and gentlemen, please have a pen and paper and make your notes, since this will be a non-stop presentation; the end of it will be yours.
MB: Let us start with two opening slides and highlight our first telecom cybersecurity story.
SP: First and foremost, Positive Technologies is a leading global provider of cybersecurity solutions for telecom & mobile operators, a pioneer in signaling security research, and an active contributor to industry standards.
We are the only company in the world with this kind of expertise, which comes from deep experience in cybersecurity, an understanding of MNOs from the inside, and telecom in general. The unique combination of these competencies gives us a special niche as the only company offering end-to-end services and products for securing telecom operators.
MB: I only add that over the years, we have contributed and continue to contribute to advancing the industry. As researchers, we actively work to develop industry best practices. Our research has laid the foundation for recommendations from the GSMA, ITU, and U.S. FCC.
We never stop developing and researching. If we haven't mentioned it yet, our website positive-tech.com can be used as a good source for your security queries.
SP: Let's go quickly through this slide about our company.
MB: Agreed. Let me jump directly to the end, saying that during 2019 and 2020 we expanded the portfolio to include 5G-tailored services and we have been ranked as the number 1 signalling firewall provider.
+++++ Optional +++++
In 2002, we started as an enterprise security services company. In 2009, our portfolio expanded to include services for evaluating telecom security, and signaling networks in particular. We continued to explore this area and soon introduced our first IDS product, which won recognition from Gartner. In 2018, we brought our signaling firewall onto the market and expanded our service portfolio.
In 2019, Telecom Network Attack Discovery, our IP network traffic analysis solution, was added to our product line. A separate business entity based out of Europe was rolled out as well that year.
And, of course, we are involved in the transition to a new generation of communications. During 2019 and 2020, we expanded the portfolio to include 5G-tailored services.
In 2020, for the second time in a row, Positive Technologies was ranked the #1 signaling firewall provider by independent market research.
[1] https://www.gartner.com/en/documents/3327318/market-guide-for-operational-technology-security
[2] https://www.roccoresearch.com/2018/12/11/the-leading-signalling-firewall-vendors-of-2018/
[3] https://positive-tech.com/about/news/positive-technologies-ranks-highest-in-the-rocco-signalling-firewall-vendor-performance-report-2020
SP: Maybe before we open the SIM swap topic, let us share a very interesting statistic with you.
MB: Yes, this is a very promising indicator, saying that non-professionals also react positively to the fact that their MNO invests in security.
SP: Correct, this is a turnaround from the past, when people tended to omit or maybe ignore security entirely.
MB: I assume you know A2P messages and also the difference from P2P; both are text messages, both are delivered to your phones.
SP: But the most important fact, and the reason why they are so interesting to the fraudster, is their price.
MB: We no longer notice P2P messages on our mobile statements, since every month we get an unlimited package of them, but once you want to use the A2P channel you might be surprised how much you pay for your advertisement, notification or OTP, for instance.
SP: This graph confirms what Milan just said.
On one side is Person to Person (P2P) messaging, a business badly tarnished and declining due to major competition
from guys like Apple iMessage, WhatsApp, and several other OTT players offering free P2P alternatives.
MB: But the flipside of SMS, Application to Person (A2P) SMS, glitters like gold thanks to global smartphone expansion. It's a growing and profitable sector for mobile operators today because it's used for all manner of enterprise-to-user communication.
Banks, airlines, and online services (such as the Uber taxi service) constantly use A2P to send notices, confirmations, or authentication messages to mobile subscribers.
SP: So how big is this A2P market?
The Global A2P & P2A Messaging Market is expected to grow from USD 55,481.26 Million in 2019 to USD 74,507.43 Million by the end of 2025.
MB: So we know how big the market is; now, what does such an A2P architecture look like?
This is an example; it might be more or less complex per individual operator in a given country.
SP: As you can see, the journey always starts with an API which allows messages to be submitted. In other words, there is a registration, an agreement with an aggregator to define the purpose, daily amount of traffic, notification, one-directional or bidirectional communication, etc.
MB: Sometimes we can see that the MNO or aggregator has already implemented a spam filter which, together with an analytics part, might help to reduce the illegitimate traffic.
SP: And at the end of this journey there is the SMS centre, which is responsible for delivering the message to your phone.
An A2P SMS grey route is a route that supports SMS traffic but doesn't generate revenue for telecoms.
Even though a grey route is not properly monetized, the telecoms are still paying for signaling and network maintenance for this traffic.
Telecoms cannot achieve their full revenue potential unless all grey routes are closed.
MB: But not everyone is willing to pay for messages, so people, as they always have, try to find ways to avoid billing. Of course, OTT services are a separate problem, but these are out of scope for the moment.
SP: Grey route 1
The most common type of grey route. It's all about finding a way to terminate the traffic without reimbursing a mobile operator, or doing so paying local P2P rates. A long time ago, operators used to make direct contracts with each other allowing traffic termination on the partner's network for free. Today, this is very rare, but some of the old agreements are still in play.
So a "cunning partner" can use such contracts to terminate A2P messages. It disguises the international A2P traffic as P2P traffic, which is cheaper. As a subscriber, you might notice this when, say, requesting an authentication code to log into Facebook, and getting the code from a regular phone number of a local operator as if sent by another person, instead of a Facebook Sender ID.
Learning: this is a very subtle scheme which many MNOs are unaware of, and which impacts their A2P volumes and revenue. We recommend checking all the zero-rate contracts with local/roaming partners.
MB: Grey 2 - Blending
A partner can start to sort the SMS traffic generated by a global enterprise to determine non-sensitive or non-urgent traffic (say ads rather than one-time passwords). To reduce costs and yet receive all profits, the partner can fake the delivery reports by not sending non-sensitive traffic to users.
Learning: most services and mobile operators can't catch on to the scheme. If tracking conversion rates, they can only see the decrease, which could be caused by either technical issues or blending. In such cases, services usually warn their partners and change the routing scheme to ensure proper delivery.
SP: Grey 3 - Termination Internet
An international partner approaches a local aggregator that terminates traffic generated by a local service (for instance, a delivery service). This local service has a registered Sender ID and a national A2P rate which is lower than the international rate. The partner asks the aggregator to deliver its international A2P traffic under the guise of the local service, using the Sender ID of the local service. Kind of a win-win story. And the operator simply sees more "local delivery service messages" instead of international service traffic. Again, it is the mobile operator who loses.
Learning: this scheme is also insidious; one way to catch it out would be to spot a rapid abnormal increase in the traffic volume of the local service and investigate it, which rarely happens. The best advice for an operator here is to examine the traffic terminated through its network and understand the traffic type, volume and seasonality.
MB: Grey 4 - SIM Box
This scheme is not so much a grey route as a fraud. A SIM box is hardware containing many SIM cards, owned, housed and stored by a third party but seen by the MNO as simple mobile phones.
What the fraudulent partner does, in this case, is collaborate with the owner of this hardware (SIM "farm") to terminate the traffic, literally cutting the operator out of the chain. This is a quick and easy way for partners and SIM box owners to earn money on traffic termination. The operator isn't being paid properly for the international traffic, as it is disguised as national P2P, which is cheap or even free between local MNOs.
Learning: MNOs wondering how to detect SIM box fraud have to make sure their SMS firewalls are up to the challenge. A firewall solution is aimed at detecting and blocking some grey-route traffic. Another way to deal with SIM boxes is, for example, our solution, which we are going to introduce to you in a minute.
SP: Here is how the international traffic might be disguised to avoid international charging rates.
MB: As was said, there are many ways you can protect the network against such fraudulent behaviour.
There are SMS FWs or spam filters, but all have one thing in common: they work on the SMS layer, which might be the already mentioned SMPP or web protocols.
But there is also one other way, maybe still overlooked by others ... and this is the signalling layer. Already here we can recognize when A2P traffic is going to bypass charging.
I now let Sergey describe one example of such A2P detection in the video we prepared for this demonstration.
SP: SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking.
Today, SMS OTPs are commonly used for authentication and authorization for many different applications.
MB: Although SMS OTPs have come under heavy attack, especially by smartphone Trojans, One-Time Passwords (OTP) are utilized as an additional factor in multi-factor authorization/authentication applications. They are only valid for exactly one request. To avoid password lists, a convenient way to provide the user with an OTP is to send it via SMS. The phone number of the user must be registered with the service that provides SMS OTPs for authentication or authorization.
You see how OTPs are quite popular as an additional authorization or authentication factor in web-based services, for example.
Milan to describe.
SP: How does the activity look? By sending the UpdateLocation message using the IMSI of a target subscriber and the Hacker GT as a new MSC and VLR, the hacker is able to disturb voice call and SMS services for the subscriber, intercept incoming SMS messages, and redirect incoming voice calls.
Input data: IMSI identity.
MB: We have a typical situation where a person is simultaneously a mobile subscriber and a bank client. Also, this person uses online and mobile banking services.
The intruder is an experienced hacker who has access to the SS7 network and possesses their own GT address.
An important note: the mobile network operator has implemented the intrusion detection system PT TAD.
The hacker starts the attack. In the first step they register the victim subscriber on a fake network with their own GT address.
Now the hacker attacks the e-banking system on the IP network. The bank sends a one-time password in an SMS. Most intruders would fail at this step, but as we remember, our hacker has registered the subscriber on the fake network, which is why the OTP SMS is delivered to the hacker's equipment.
Money is withdrawn from the victim's banking account.
If the mobile operator has implemented TAD as an intrusion detection system, TAD watches all signaling traffic and is able to detect the hacker's activity. Let's see how it looks.
MB: We again have a typical situation where a person is simultaneously a mobile subscriber and a bank client. Also, this person uses online and mobile banking services.
And again, the intruder is an experienced hacker who has access to the SS7 network and possesses their own GT address.
In this case the mobile network operator has implemented the PT NG Signaling Firewall TAD.
SP: When the intruder starts the attack with the subscriber registration on a fake network, the illegitimate request comes to the NG FW, which blocks the attack. The subscriber is not registered on the fake network and is not affected.
Even if the intruder proceeds with the attack on the e-banking system, the OTP SMS will be initiated by the bank and delivered to the subscriber. So, the hacker will not achieve their goal.
Let's see how it looks in the TAD system.
Today we don't have enough time for a TAD demonstration in its full scope.
We are in love with our product; for those who haven't experienced it yet, we look forward to meeting you in a personal session.
You can find the link in the upcoming email with this webinar recording.
Telecom cybersecurity monitoring 24x7
Automatic protection against cyberattacks
Non-stop verification of security integrity
Tight integration with virtual team services
MB: The PT TAD signaling IDS module provides full visibility and control over SS7, Diameter, and GTP core networks. It flags malicious traffic and helps to focus on security flaws as they are exploited in real time. Always be aware of new breaches and threats. Hunt for attackers with the most accurate and up-to-date intrusion detection system, powered by the industry-leading knowledge base.
SP: PT TAD can analyze SS7, Diameter, and GTP traffic simultaneously to detect cross-protocol attacks, a new class of threats targeting all protocols in tandem.
Only a copy of signalling traffic is needed for PT TAD to perform analysis and keep core networks and subscribers' data safe.
Analysis runs in the background, scrutinizing both incoming and outgoing traffic flows while maintaining full performance of all infrastructure and services.
MB: PT TAD delivers robust active protection for SS7 and Diameter signalling networks with full performance and redundancy intact. Incoming STP traffic is checked for malicious attack patterns. Verified messages are looped back and passed on to the MNO signalling network.
With regular updates from our research team, this mode is a powerful way to prevent current and emerging threats from reaching your core infrastructure, assets, and subscribers.
Here you can see how large the attack surface is from the MNO's point of view:
No telecom infrastructure is an island.
The core business of an MNO is to closely interface with external consumers, organizations, and digital systems.
This creates an enormous attack surface and plenty of opportunities for attackers to choose targets and methods.
SP: We tend to say the independent security is
We believe that the combination of our expertise in telecoms and your managed services solution means we could jointly offer operators and enterprises e2e security. If I look at your market-leading solution providing end-to-end telecom security,
I would say our portfolio perfectly fits into it, not as a competing but rather as a complementary part. I would highlight this word.
With our unique telco experience, we could enrich your managed security services.
For instance, our threat intelligence is optimized for 5G networks, IoT, cloud solutions as well as NFV infrastructure.
All this using intrusion detection, vulnerability scanning and various kinds of audit.
----
We are ready to address cyber-attacks targeting the remote control and monitoring of industrial systems and self-driving vehicles, for instance.
MB: SIM swap is probably the best-known attack, but you will see this is not only about SIM swap.
There are shades of swap, as
there are a few others such as:
- SIM Jacker, you have probably heard about it
- SIM cloning, this is very close to SIM swap if not the same
- Fake owner is also a method, using which you can fool the authority
- Spoofed SMS, an excellent idea belonging to social engineering,
SP: There are also a few sophisticated methods such as
Knowing IMSI + Ki values
Direct access to HLR/HSS
Through customer care; this also has something to do with social engineering, and
Abusing Mobile Number Portability
SP: One of the most recent tactics is to request a porting authorisation code [PAC] to port the victim's number to a different network.
Once criminals own the victim's number, they are able to intercept bank authorisations sent via SMS, or other OTP-related services.
MB: Variously called SIM splitting, simjacking, SIM hijacking and port-out scamming, the fraud focuses on moving control of your phone account from your SIM card to one controlled by the criminal.
MB: What I wanted to say is: if you know how, you might get some money, but if you take it from the dark side, possibly you might end up in jail.
SP: These are only a few from the many articles which have been released recently.
MB: We can say that although mobile phones and general security measures have changed over the last five years, the way or the tactic by which this fraud might work has remained unchanged.
SP: The criminals obtain a victim's personal information, which might be bank details, address and many others, by searching social networks or by mining data stolen during the breach of an online company's systems.
MB: This typically results in contacting the victim's mobile phone provider, pretending to be the victim, and requesting a NEW SIM.
SP: Generally all parties are affected: the victim subscriber, the reputation of the service provider, and complaints to the MNO.
MB: The problem is that banks as well as MNOs long ignored this risk and didn't pay much attention.
Nowadays it is different: they are blaming each other, discussing responsibility, but many have realized there is a need to find common ground and devise a solution.
SP: There are ways to mitigate the problem:
Usually someone first becomes aware that they have fallen victim to a SIM-swap scam when their phone stops working or they discover they are unable to access bank and credit card accounts. Or they may get a text message or an email prior to the swap taking place.
MB: As with many frauds around bank security, there are simple ways for consumers to avoid being scammed:
Don't respond to unsolicited emails, texts or phone calls. These may allow attackers to access personal data which can then be used to convince the bank that they are you.
Don't overshare personal details on social networks. Avoid putting your birth date, that of children or relatives, or the name of your first pet or school, as these are all frequently used as the answers to questions that banks ask.
If your phone stops working normally, inform both your bank and your mobile phone provider.
Try to use an app such as Google Authenticator for one-time passcodes.
Use passwords that only you will know and which are unique.
MB: To be more concrete, we can apply a robust solution and a mediator (using Open API).
And this is how it would work once you implement that.
Procedure:
TAD identifies a valid or illegitimate SIM card change or forwarding setup in the mobile phone
Informs the DB
A 3rd party raises an information request
OR
The bank might do the same
If the whole validation process is correct, the requested transaction will proceed.
If not, it can be suppressed, postponed, declined, etc.
SIM change and operator-initiated call forwarding reaction in real time
No insider influence on the detection method
Clear business case for the MNO
Not OTP, but suspend the account temporarily. Another procedure.