Gabriele Lieser

CUSTOMER SUCCESS MANAGER

Summary

As mobile communication determines our lives to a large extent already, attacks on mobile networks can have worse repercussions than ever before. Attacks on core network infrastructures can affect millions of subscribers. Correct data is key to verifying that the message is of trustworthy origin to handle signaling attacks. Especially the roaming industry is in charge of ensuring the validation and updating of data because roaming partner configurations change over time. Already today, our tools simplify to a crucial extent the initial and ongoing correct configuration of every roaming relevant network element to help MNOs block any unwanted or unauthorized traffic.

In RoamsysNext Insights our experts share their views on extensive industry topics and possible solutions we can offer.

Do you remember the “olden times”, before the use of mobile phones and, later on, smartphones became common practice? It seems hard to imagine life without telecommunications. We are long used to engaging in e-banking, online-shopping, e-government, etc. and we are also used to onetime passwords over SMS for transaction confirmation that regulate access to the required networks. As mobile communication determines the functionality of our lives to an ever-increasing extent, attacks on mobile networks can have severe consequences. Upsetting subscribers and causing churn may be one of the more benign disturbances unlike dire effects on national critical infrastructure (civil, energy, agricultural, healthcare..) and wider industrial processes. Criminals can reap huge benefits from exploiting network vulnerabilities through signaling attacks.

The SS7 (Signaling System 7) network exchanges data between devices and telecommunications networks. This is what allows mobility, roaming, SMS, voice calls and all the services provided by a mobile network to its subscribers.

What are signaling attacks?

It was originally developed decades ago when only ‘trusted’ fixed-line operators were interconnected (a so-called walled garden), so security in the protocols was of little importance. For newer 4G networks, the Diameter protocol replaces SS7, however it contains many of the same vulnerabilities. Signaling is again being updated in upcoming 5G networks, however mobile operators will have to support legacy (2G/3G/4G) networks for some time to come.
The use of legacy SS7 and newer Diameter protocols for attacks has been documented for some time and is quite prevalent globally. Effectively, an attacker gains access to the SS7/Diameter interconnect network and can perpetrate an attack against any mobile network and subscriber in the world if their home network does not provide protection. These attacks range from privacy violations (location tracking, intercepting calls and SMS messages) to fraud, to outright denial of service attacks on core network infrastructure, affecting millions of subscribers.

Two Factor Authentication Fraud

SMS is a widely used method for two factor authentication (2FA), especially for financial institutions. One example of a signaling attack involved criminals gaining access to an online bank account, then intercepting the 2FA SMS message being sent to the mobile phone of account owner, subsequently stealing hundreds of thousands of Euro from this account.
This is a double blow to mobile operators as subscriber trust is eroded but so is industry trust in SMS, out of which many mobile operators make large revenues from A2P SMS messaging. Controlling the SMS messaging arriving into an operator’s network from international, national and business includes knowing exactly which source numbers are associated with which countries, networks, hubs and businesses.

Location tracking

Whether the mobile phone is the latest state-of-the-art smart phone with GPS or an ancient brick with a battery that can last several years, signaling attacks can track any mobile subscriber’s location globally from the comfort of their own hideout. This type of tracking can be used for multiple purposes, such as espionage, but also for determining the location of high profile individuals to gain knowledge of whereabouts (e.g. if they were meeting specific other individuals or companies). Furthermore, the criminals advertise this location tracking ability for anyone to use on the dark web, thus allowing this information to be determined by anyone with the funds for any targeted mobile subscriber.

Protection against Signaling Attacks

Protection and investigation of attacks relies on ensuring the network has enforced the correct configurations for interconnecting with other networks. It goes without saying that operators will have deployed countermeasures to filter traffic from unknown and unwanted sources and take the latest intelligence and updates from acknowledged signaling security experts to continually keep on top of new attack vectors.
Scary though, how quickly misconfigurations are discovered by attackers and exploited to their benefit, which is why this is the first port of call for the network and security team. As roaming partner configurations change over time, the validation and updates of these configurations is key to ensuring the doors and windows to your network are closed.

prison-fence

A stitch in time saves nine

As you can see, monitoring and preventing attacks using network nodes and signaling firewalls is highly recommended. Operators need an approach at multiple levels: key to their effectiveness is valid, up-to-date industry data regarding roaming partners, number ranges, contact details and other intelligence regarding sources of attacks.
Fraudsters take their jobs as seriously as we do, and they are as innovative on a permanent basis. Time to put a stop to the craft, there is no time to lose. Increasing challenges due to global developments, rising costs and competitive surroundings call for more strategic and proactive leadership against fraud.

Already today, our tools simplify to an extraordinary extent the initial and ongoing correct configuration of every roaming relevant network element. This helps MNOs to block any unwanted or unauthorized traffic with very little effort. It certainly is an easy-to-use application to increase efficiency, transparency, and enhance resource management, and we continuously optimize our applications to serve our customers even better. Likewise, we are increasingly keeping an eye on upgrading security aspects. Since we are experienced in developing the InfoCentre RAEX Tools application on behalf of the GSMA, our tools are fully compliant and can be most easily implemented and aligned to your specific requirements. Talk to us, we will listen to you.

Gabriele Lieser joined RoamsysNext in 2020 as Customer Success Manager to strengthen the bonds with our increasing number of customers and to support the marketing team. Gabriele has a strong background in corporate sales. She studied at the Universities of Trier (Germany) and Manitoba (Canada) and is incorporated in the RoamsysNext Client Service Team.

Two-Factor Authentication rules!

For some time now, we have introduced 2FA and have contributed our share to provide more secure access to our tools. Nobert Becker, Head of Software Development, picks up the thread and provides engaging insights into his area of responsibility.

  • RoamsysNext Insights - Wholesale Roaming Manager

Introducing: The RoamsysNext Wholesale Roaming Manager

The RoamsysNext Wholesale Roaming Manager provides powerful collaboration and reporting tools for all roaming partner relationships by converging everything from service openings to the user’s roaming footprint, test SIM cards and tariffs, document and contact management.

We’re in this together

In the second part of our interview with Alexandre De Oliveira, POST Luxembourg Cyberforce, he highlights major pain points in fraud detection and stresses the importance of global information sharing via the GSMA T-ISAC initiative.

Mastering today’s Fraud Landscape

Learn how Alexandre De Oliveira’s team at POST Luxembourg Cyberforce is mastering today’s fraud landscape with penetration tests, security assessments, the Telecom Intrusion Detection System (TIDS) and the Telecom Security Scanner (TSS).

How to avoid configuration errors

Hardening the network is a good way to get configuration errors under control. Introducing smart firewall rules and consistently updating these rules can be very time-consuming, but it’s a crucial measure to be taken.

  • RoamsysNext Insights 9: Interview with Hendrik Hoehndorf

Making a Stand against Fraud

In an insightful interview, our CTO, Hendrik Hoehndorf, speaks about further GSMA initiatives on fraud detection and prevention such as the MISP (Malware Information Sharing Platform) and T-ISAC (Telecommunication Information Sharing and Analysis Centre).

  • RoamsysNext Insights

Let’s talk about data quality

Most fraud and security issues are caused by misconfigured network nodes. This article shows, how RoamsysNext treats this problem on their quest for data quality.