The problem with having mobile carriers in the digital security chain

Entersekt Editor | 13 June 2018

This time last year, a fraudulent attack on the German telecom O2-Telefonica shone the security spotlight on Signaling System 7 (SS7) – also called Common Channel Signaling System 7 (CCSS7) – the international telecommunications standard that enables interoperability between mobile carriers (mobile networks). Without carrier interoperability, it would be impossible to transmit calls or text messages between mobile phones on different networks, which makes SS7 a key component of the global communication ecosystem.

However, as we argued in this blog post, the openness that makes SS7 what it is also allows a fraudster with access to one mobile carrier’s backend system to reach any other carrier’s backend system, including the information transmitted through it, such as SMS one-time passwords (OTPs). And it can be alarmingly easy for fraudsters to buy access to a backend system on the dark web.

To gain access to the bank account of an online banking user who has SMS two-factor authentication in place, a fraudster needs both the banking password and the OTP that the user receives on their mobile phone when they log in. Passwords are stolen easily and en masse every day through spyware that sneaks along onto users’ personal computers when they download files from illicit websites. But it is the ability to intercept the SMS OTP by exploiting SS7 that gets the fraudster over that second hurdle and into the user’s bank account.

Could the O2-Telefonica attack happen elsewhere? Unfortunately, the answer is yes. With increased awareness of the vulnerability of SS7 and its successor, Diameter, the GSMA (the Global System for Mobile Communications Association) is monitoring these systems for intrusions, but the risks are ongoing. In one attempt to address them, some mobile carriers have started contracting white-hat hackers to check for security issues.

Yet banks and service providers that use SMS OTP still depend on these carriers’ networks for their authentication protocols: the second factor travels over infrastructure the bank neither controls nor can verify. The only solution is for organizations to start looking at alternative authentication methods for digital banking and payments.

About the author

Entersekt Editor
