Most of us would be surprised to learn that telephone networks – both mobile and fixed – were never designed to be secure. There are vulnerabilities in networks that allow hackers to read texts, listen to calls and track mobile phone users’ locations. For this reason, mobile operators and fraud management companies fight a never-ending battle to minimize the impact of fraud – against themselves and their customers.
Even with these threats, we typically think that when communicating through encrypted services like WhatsApp, Viber, Facebook and others, our conversations will remain private and secure forever. But that’s not the case. In fact, someone could steal your mobile identity and start impersonating you, messaging or calling people through these supposedly secure apps without your knowledge or consent, or commandeering your Facebook page to make calls, comments and posts while posing as you.
Blame it on the 70s
Lots of things can be blamed on the 70s: the global oil crisis, the Watergate scandal, disco, and now apparently, cybercrime. The problem, called SS7 spoofing, stems from a security flaw in Signaling System 7 (SS7), an international standard that defines how network elements exchange information over a signaling network. It was developed way back in 1975, only two years after the very first mobile call was made. The problem is that it has never been updated to account for advancements in mobile technology or the rise of cybercrime.
SS7 is used by over 800 network operators around the world. It allows them to exchange information needed for transmitting calls and text (SMS) messages between each other, and to ensure correct billing. It also allows users to roam internationally. It’s a critical technology for keeping the world connected, but it has its flaws.
How does SS7 Spoofing happen?
This type of fraud can take place from anywhere in the world. Recognized vulnerabilities of an SS7 network allow an intruder without sophisticated equipment, using only a Linux-based computer and a publicly available SDK for generating SS7 packets, to determine the subscriber’s location, tap into calls, gain personal data to take money and other valuable information, and disrupt communication services.
Because apps often use SMS authentication to identify users, fraudsters don’t bother trying to break the app's encryption. Instead, they use loopholes in the SS7 protocol that allow an attacker to intercept the incoming SMS messages the apps use to identify users. To do this the fraudster simply uses SMS to request and create a second ‘shadow’ user account without the owner’s knowledge. Once this is completed, they can impersonate the account holder, sending and intercepting messages without the owner’s knowledge.
These types of security holes within SS7 were first uncovered by researchers at a hacker conference in Hamburg, Germany in 2014. The use of the SS7 system in government and criminal snooping, both on users and mobile phone operators, continues today. While SS7 spoofing may be seen as an intrusion or inconvenience for most of us, it is a real threat to government officials, public figures, business executives, and certainly victims of stalking or domestic abuse.
How do we stop it?
The best way to protect against these threats and stop SS7 attacks and signaling flaws is for network operators to continue their efforts in protecting their customers by constantly looking for real-time fraud scenarios. This includes fraud management systems that can monitor combined SS7 and other fraud attacks. Forward-thinking mobile operators have already deployed these methods to protect their subscribers from this and other types of SS7 fraud.
If you suspect your network is still vulnerable, contact WeDo Technologies to learn how you can protect your subscribers and your network from this and many other types of fraud.