
Telecom under attack: demo of fraud scenarios and countermeasures

Telecom fraud is growing at an alarming rate worldwide and has become a major source of revenue loss for mobile operators. According to the CFSA, mobile operators lost $28 billion to fraud in 2019. SIM swapping has again become a hot-button topic in the telecom industry. This worrying trend is provoking disputes between banks and telecoms and causing harm all around.

Our security experts Sergey Puzankov and Milan Březina show how different attacks in the telecom world are performed and how to protect against them, including:

- SIM swapping
- A2P SMS termination with security bypass
- OTP SMS interception


  1. Telecom under attack: fraud cases and countermeasures demo
  2. On call today: Milan Březina, Telecom and SMS fraud expert, Pre-Sales APAC; Sergey Puzankov, Lead Security Researcher
  3. Agenda
      - A2P SMS termination with security bypass
      - OTP SMS interception
      - SIM swapping
      - Attack demonstration & countermeasure techniques
  4. Company profile. Positive Technologies is a leading global provider of cybersecurity solutions for telecom & mobile operators, a pioneer in signaling security research and active contributor to industry standards. 1st Telecom Cybersecurity Vendor: we are the only company in the world focused on end-to-end cybersecurity for mobile operators. Research & conferences.
      - 18 years of experience in R&D for enterprise cybersecurity services and products
      - 9 years of dedication to telecom cybersecurity
      - 2 R&D centers in Europe
      - 41 countries where we have done projects
      - 60 assessments per year are performed by our experts for telecom companies
      - 5G cybersecurity leader
  5. Positive evolution (timeline figure covering products and services; years shown: 2002, 2014, 2016, 2018, 2019, 2020, 2021). Starting as a cybersecurity services company, PT has enhanced its service portfolio with products that help to continuously deliver expertise and intelligence to customers. Milestones shown on the timeline:
      - Started as enterprise cybersecurity services company
      - Service portfolio extended with IoT security, anti-fraud, and monitoring offerings
      - Telecom Network Attack Discovery: 5G-ready IP-traffic analysis product released
      - #1 Signaling Firewall Award
      - Second R&D center opened in Brno
      - Telecom Attack Discovery included in market guide
      - World’s first fundamental SS7 security research released
      - Telecom Attack Discovery IDS: signaling IDS released
      - A separate business entity based out of Europe is rolled out
      - Portfolio extended with cutting-edge 5G services
      - Telecom Attack Discovery NGFW: Next Generation Signaling Firewall released
      - #1 Signaling Firewall Award
  6. 88% of consumers say their perception of a business is improved when a business invests in customer experience, namely security. Experian, Global Identity & Fraud Report, 2020
  7. A2P SMS termination with security bypass
  8. A2P Trend
  9. A2P Architecture
  10. Grey route methods
      - Termination through other MNOs
      - Blending
      - Termination through national aggregators
      - Sim Box fraud
  11. International SMS A2P (diagram). From: Google, Facebook, YouTube, WhatsApp, banks, etc. Alphanumeric Originating Address (OA): Facebook. Originating Address (OA): 39353535. Diagram labels: Aggregator; Home Signaling Network; MNO-1, MNO-2, MNO-3; SS7 + AA.19; SS7; attempts to send SMS. AA.19: “Addendum to the International GSM Roaming Agreement: SMS Interworking Agreement”
  12. Solution on signalling layer

      | # | Attack name | Attack description |
      |---|---|---|
      | 1 | Inconsistent SMS source | Sources of the SendRoutingInfoForSM and ForwardSM signaling messages related to the same short message are different. This indicates an attempt to bypass an inter-operator charging system. |
      | 2 | ForwardSM to an open SMS-C | A short message of an outbound roamer was sent to an open SMS-C instead of home one in order to bypass short message charging in roaming. |
      | 3 | ForwardSM with incorrect OA format | A mobile originating SMS was sent with incorrect address format of the SMS-C or MSISDN parameters in order to fool an inter-operator charging system. |
      | 4 | ForwardSM with home SMS-C spoofing | A mobile terminating SMS was sent with a spoofed SMS-C address by an address from the System owner range in order to bypass an inter-operator charging system. |
      | 5 | ForwardSM with foreign SMS-C spoofing | A mobile terminating SMS was sent with a spoofed SMS-C address by an address from foreign range in order to bypass an inter-operator charging system. |
      | 6 | A2P SMS termination | A mobile terminating SMS from an external connection contains a TP-originating-address in Alphanumeric format in order to bypass charging of the A2P SMS traffic. |
      | 7 | Spoofed MO SMS sender | In MO-ForwardSM, the SCCP CgPA does not correspond to address of a node where the subscriber is registered. This can be an attempt to spoof the SMS sender address. |
  13. OTP SMS interception
  14. General information
      - Task to solve: User Authentication
      - Process: OTP security tokens
      - Validity: Up to 60s
      - Medium: SMS, native application
      - Motivation: Avoid common pitfall; avoid weak password; avoid sharing credentials; avoid reusing same password
      - Usage: 2FA; Google Authenticator; social media accounts; bank accounts; email accounts
  15. Use case (diagram). Labels: External SS7 Network; MNO’s SS7 Network; Malefactor; HLR; SMS-C. Numbered steps:
      1. Registering the subscriber in a fake network
      2. OK
      3. Subscriber is unable to receive SMS
      4. Where is the subscriber?
      5. Fake MSC/VLR
      6. SMS is sent to the attacker
  16. Use case with security monitoring (diagram). Labels: Malefactor; Hacker GT; International / National SS7 network; Mobile Network Operator; Bank; IP network; $$$. Numbered steps:
      1. Register victim subscriber on a fake network with Hacker GT
      2. Attack online bank on IP networks
      3. OTP SMS
      4. OTP SMS redirected to the Hacker GT
  17. Use case with NG firewall (diagram). Labels: Malefactor; Hacker GT; International / National SS7 network; Mobile Network Operator; Bank; IP network. Numbered steps:
      1. Victim subscriber registration on a fake network is unsuccessful
      2. Attack online bank on IP networks
      3. OTP SMS
      4. OTP SMS delivered to the subscriber
  18. TAD
  19. Telecom Attack Discovery. PT Telecom Attack Discovery (PT TAD) is a next-generation signaling security platform that empowers mobile network operators to secure core networks that use Signaling System 7 and the Diameter protocol, protect subscribers, and safeguard assets from hacker attacks. * Rated as the best signaling firewall platform two times in a row by independent market researchers. Diagram labels: IDS, FW.
      - Ongoing automated TAD FW configuration via integration with TAD IDS
      - Blocking of malicious activity
      - 5G-ready Next-Generation Signaling Security platform
      - Passive monitoring
      - Retrospective analysis
  20. SIM swap
  21. Shades of SIM swap: SIM Swap; Sim Jacker; Sim cloning; Fake owner; Spoofed SMS
  22. Newspaper fragments
  23. SIM swap types
      - Physical change: An insider in the MNO helps to issue a SIM card illegally.
      - Telephone call: An attacker convinces a call centre operator to set up unconditional call and SMS forwarding.
  24. Who is affected. The victim is a client of the third-party companies who is simultaneously an MNO subscriber. Diagram labels: MNO; Bank; Money transfer; SIM swap; OTP; $$$.
  25. What we can do
      - Consulting: Policies, procedures, best practice.
      - Technical solution: We can implement a system with which the MNO provides the third-party companies with information that a SIM card was reissued or that a forwarding service was activated by a call centre operator. The MNO is able to resell this information to the third-party companies.
  26. TAD in SIM swap protection (diagram). Labels: TAD; Copy of signaling traffic; Open API; Bank; Information requests; Third party companies; Information requests; SIM change events; Forwarding setup.
  27. What you receive
      - SIM change and operator-initiated call forwarding reaction in real time: The system detects SIM change and operator-initiated call forwarding with minimal delay (less than 1 sec), which is sufficient to withstand financial fraud.
      - No insider influence on detection method: SIM change and operator-initiated call forwarding detection is based on technological data; the CRM system is not involved in this procedure. That’s why an insider who has access to the CRM system cannot affect the detection mechanism.
      - Clear business case for the MNO: A protected mobile operator is able to sell SIM change and operator-initiated call forwarding information to the interested financial organizations.
  28. Takeaway points
      - Process & Technical control improvement
      - Tight communication Bank – MNO
      - Common DB with API to suspend suspicious activity
      - Monitoring & SIM Swap Detection by TAD
  29. Thank you. @positive-tech, Positive Technologies
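
Four of the signalling-layer checks from slide 12 (rows 1, 4, 6 and 7), applied to simplified message records, as an added example that is not code from the slides or from PT TAD. The record fields, the `HOME_GT_PREFIX` range, the `SRI_WINDOW` pairing window, the correlation of SendRoutingInfoForSM with ForwardSM by IMSI, and all sample values are assumptions made for the illustration.

```python
# Added example. Record fields and GT values are constructed assumptions,
# not a real SS7 decoder's output and not PT TAD's detection logic.
HOME_GT_PREFIX = "99901"   # constructed home-operator global title (GT) range
SRI_WINDOW = 30            # assumed seconds to pair SRI-SM with MT-ForwardSM

def detect(events, vlr_of):
    """events: time-ordered dicts; vlr_of: MSISDN -> GT of the serving MSC/VLR."""
    alerts, sri_source = [], {}            # sri_source: IMSI -> (time, CgPA)
    for e in events:
        external = not e["cgpa"].startswith(HOME_GT_PREFIX)
        if e["op"] == "SRI-SM":
            sri_source[e["imsi"]] = (e["t"], e["cgpa"])
        elif e["op"] == "MT-FSM" and external:
            seen = sri_source.get(e["imsi"])
            # Row 1: SRI-SM and ForwardSM for one message come from different sources
            if seen and e["t"] - seen[0] <= SRI_WINDOW and seen[1] != e["cgpa"]:
                alerts.append((e["t"], "inconsistent-sms-source"))
            # Row 4: external sender presents an SMS-C address from the home range
            if e["smsc"].startswith(HOME_GT_PREFIX):
                alerts.append((e["t"], "home-smsc-spoofing"))
            # Row 6: alphanumeric TP-originating-address on an external connection
            if e["tp_oa_type"] == "alphanumeric":
                alerts.append((e["t"], "a2p-sms-termination"))
        elif e["op"] == "MO-FSM":
            # Row 7: SCCP CgPA is not the node where the sender is registered
            if vlr_of.get(e["msisdn"]) != e["cgpa"]:
                alerts.append((e["t"], "spoofed-mo-sender"))
    return alerts

# Constructed sample traffic (test-PLMN IMSIs, made-up numbering).
VLR_OF = {"99901555001": "9990100010"}
SAMPLE = [
    {"t": 0, "op": "SRI-SM", "cgpa": "9990200001", "imsi": "001010000000001"},
    {"t": 2, "op": "MT-FSM", "cgpa": "9990200001", "imsi": "001010000000001",
     "smsc": "9990200001", "tp_oa_type": "numeric"},        # consistent, no alert
    {"t": 10, "op": "SRI-SM", "cgpa": "9990200002", "imsi": "001010000000002"},
    {"t": 12, "op": "MT-FSM", "cgpa": "9990300009", "imsi": "001010000000002",
     "smsc": "9990300009", "tp_oa_type": "numeric"},        # source changed
    {"t": 20, "op": "MT-FSM", "cgpa": "9990300009", "imsi": "001010000000003",
     "smsc": "9990100055", "tp_oa_type": "alphanumeric"},   # spoofed SMS-C + A2P
    {"t": 30, "op": "MO-FSM", "cgpa": "9990300009", "msisdn": "99901555001"},
    {"t": 31, "op": "MO-FSM", "cgpa": "9990100010", "msisdn": "99901555001"},
]

if __name__ == "__main__":
    for t, name in detect(SAMPLE, VLR_OF):
        print(t, name)
```
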