risk


Signalling-level risks, especially fraudulent access from connected SS7 networks, are one area making a lot of noise in the assurance and security functions of telecom organizations today.
The focus on the matter is such that most of the industry conferences covering current and next-gen threats have a lot of material presented and shared on this topic, by operators and vendors alike.

What is it?
Signalling-level risks generally refer to SS7 (2G/3G) and Diameter (4G) vulnerabilities (inherent or configuration-based) which expose operators to hacks and frauds through signalling control commands, especially in roaming and interconnect scenarios. The scenario becomes riskier considering that a normally configured SS7 infrastructure of an operator is accessible to any other operator in the world, either directly or through a certain number of hops.
Now, just consider a situation where a rogue operator exists, or a group of hackers with malicious intent has gained access to the SS7 signalling of any less-secure operator in the world.
The losses due to signalling risks, while still quite speculative, are expected to run into billions every year. Artificial inflation of traffic (especially A2P & P2A SMSes), spamming, spoofing, refiling, profile modification, unlawful tracking, unethical disruptive activities from competitors, etc. are examples of risks which have been found to exist NOW, with an estimated 100% infection rate.

Why is it happening?
The SS7 signalling vulnerabilities have existed for a very long time, but have made news headlines recently due to certain revelations made by famous ethical hackers at certain high-profile security conferences.
Some industry pundits make the point, with which most of my industry connections agree, that these risks exist mostly because operators tend to create unreliable partnerships and configure unregulated access (like open GT access, acceptance of any signalling command etc.), which enables malicious parties to connect to operators' networks and conduct fraudulent activities very easily.
There have also been discussions about services exploiting these signalling-level vulnerabilities being offered in the grey markets through rogue hacking communities for a price.

Can you eradicate these risks?
Ideal Solution: Operators need to sanitize their access configuration on SS7. Rethink, Reidentify, Reevaluate and Reconfigure the access levels.
But this is really difficult or maybe nearly impossible to achieve due to some practical issues on the ground, such as:

  • Most of the SS7 networks were configured a long time ago – Operators now face an expertise issue with respect to SS7 networks, which limits their capability to reconfigure them
  • It is a time-consuming activity, which would also require a lot of effort on re-testing connectivity with all the partners, attracting a lot of investment
  • It may lead to reconfiguration of the signalling configuration at the network level and, in certain instances, would require network downtime – A complete NO-NO for a lot of players out there. The situation becomes even more problematic for countries where Telecom Networks are considered a National Infrastructure.
  • Lastly, not every operator will take up this activity, for many different reasons, including operators not participating in the awareness meetings/conferences being organized around the world, or even some rogue operators participating in malicious activities deliberately.

The problem becomes much trickier given that even one infected, insecure or rogue operator in the world will continue to pose a threat to everyone else. And sanitizing each operator against these threats is a feat which is very unlikely to be achieved.

It is now unanimously accepted that SS7 signalling networks are here to stay (at least 10 years in developed markets and 20-25 in developing or lesser developed countries), and so are their vulnerabilities, which are expected to grow by huge amounts considering the limelight they have received recently.

The bigger problem, which has started giving sleepless nights to the fraud & security functions of operators moving towards 4G, is that the Diameter protocol (which provides the 4G signalling framework) over which they are setting up their networks does not have native security standards built in, but requires security mechanisms to be implemented on top (a practice always found susceptible to gaps). Also, the access methods are similar to SS7, so 4G networks are exposed to similar signalling risks as SS7.

What can be done now?
For now, an approach of detection would be ideal until the industry identifies a way to plug these vulnerabilities around the world, which is definitely a few years and a lot of invested research hours away.
An approach of detecting malicious signalling requests in your network still has a few complexities to manage:

  • High false positive rates – A lot of signalling requests that appear to be malicious turn out to be configuration issues on the partners' side. Hence, domain expertise is essential to pick the ‘needle from the haystack’.
  • Sheer size of signalling data to be analyzed – big data support is required.
  • Skill set – This activity will surely require upskilling and may be difficult for traditional teams like fraud and risk management to absorb. Even teams like security, with less focus on fraud domain know-how, are expected to find it difficult to add this activity to their set of responsibilities.

I feel industry partnerships with vendors possessing the domain knowledge, the right skill set and technology built on a big data platform are the way to go.

These partnerships, considering no-one has a complete answer to this rampant problem of signalling vulnerabilities as of now, need to be built on solid vendor capabilities, while being both liberal and experimental to give room for exploration.


History tells us that safety and security are afterthoughts. From the Gold Rush at the end of the 19th century to the technology Gold Rush at the end of the 20th, the rush for riches was so great that the idea of security was thrown to the wind. Revenue assurance only came to the Mobile table once the rush for customers had subsided and the focus moved from top line revenue to bottom line margin.

It is happening again. As the rush for market share of the payments market heats up, companies large and small are inventing new ways of transferring funds – paying people – easily. This aim for easy to use, attractive products creates a potential nightmare for consumers; easy is seldom secure. The whole concept of mobile wallets, while attractive, means that when someone steals your phone, they steal your wallet too – worse, you can’t phone for help! It is not just NFC that is at ‘fault’ here, although it is an obvious example. If you have your credit card or bank details stored in a mobile phone you have a monetary instrument and that is attractive to Bad Guys.

The potential of NFC is enormous. It will enrich and enable the whole shopping/living experience of millions of people and will create opportunities for operators and third parties that we can only imagine. It is the difference between shopping in a warehouse and walking the aisles of Macy’s or Harrods.

For a moment, though, let us step to the Dark Side. As you walk into the store, your phone lets the store system pick up your details as you walk inside its co-ordinate boundaries. Google have quietly patented a face recognition technology that enhances this ability. No records exist, until a transaction takes place, but when you walk through the door into the store, you have opened the door into your phone. This means that your phone, and therefore your wallet, can be cloned. A Disgruntled Shop Assistant could potentially steal your details or there may be a Bad Guy in the store with you, and it is possible for him to clone your phone while simply standing close to you.

Another threat is the excellent concept of the QR code or NFC tag. Again, they are easy to produce – three clicks and the means to produce are in front of you. Point your phone at a QR code or NFC tag and it is possible, easy in fact, for someone to take control of what happens next. They could have designed the code so that you are re-directed to a site that is fizzing with malware, that can empty your phone of all its information and send this to a clearing house and on to other Bad Guys. The very ‘connectedness’ of the ubiquitous mobile device could potentially be harnessed to launch Distributed Denial of Service attacks of unprecedented scale. Unlike having your ‘wallet’ stolen it is likely that you will not even know that it has happened. And this gives the Bad Guys a real head start. You will not know when it happened, who did it, and, frankly, by the time the authorities are involved the ‘who, when and where’ will be entirely academic.

As with the new acknowledgement that people need educating about online security, it is time that we take a very serious look at the security of new technologies that are making payments easier. There need to be standards and accountability, as there are in the credit card industry. If your credit card is stolen the liability lies with the credit card company – as long as you report its loss in a timely manner. Not so, yet, with the phone company – or if so, accountability is patchy at best. If your phone is stolen and you receive a huge phone bill as a result of someone else’s online shopping spree, the phone company has no liability and it is their discretion alone that will let you off or not.

There are some ideas emerging. Many of them revolve around a second stage authentication and one of the most promising is that when you use your phone to pay, a photo of you will appear on the terminal in the store. This works fine as long as a) there is a photo of you on your phone and b) your kids have not borrowed your phone!

As with any Gold Rush that can create riches and a better life for consumers, security is likely to remain an afterthought. But in this connected world, where one person can steal the identities of 100 million others, this is no longer acceptable. There are too many people, too much money at risk. We need to have security built in.


The revenue

The statistics are astounding. The predictions for future adoption and revenues from machine to machine (M2M) technology nearly boggle the mind. Devices in the billions, revenues in the hundreds of billions. No matter how you define M2M, the uptake and revenues look very promising.

The risks

Any service that expands quickly will have growing pains and certain functions will need to play catch up. Small issues, while manageable on a small scale, tend to break down when the scale is increased. M2M and fraudsters are most likely in this category. Devices that are physically removed from constant human presence and are in unsecured locations provide fraudsters with an opportunity for acquisition. In addition, these devices being part of a network provides additional opportunities for fraudsters. Many of the fraud cases to date have involved stealing Subscriber Identity Module (SIM) cards from unattended devices and plugging them into devices that allow the fraudster to make calls. Fleet monitoring devices, traffic lights, vending machines and others have fallen prey to this. The only key is that fraudsters figure out where they are and have the tools required to gain access to the SIMs. Although network providers often have the ability to limit SIMs to only make calls, and not send text messages or use data access, they are often not able to prevent calls from happening when plugged into a device. This provides fraudsters a way to make calls by simply using a screwdriver at the correct target.

Other types of fraud are likely to become more relevant. Downloading malware onto a device either via direct physical connection or through the network that an M2M device is connected to will enable the fraudster to take over the device. This could enable the fraudster to change the behavior of the device. Imagine a security system that suppresses notification of intrusion or a traffic light that changes based on the desire of the fraudster, which could either create traffic jams or a dangerous free for all. An M2M device could also be used for its Internet connectivity to launch Denial of Service (DoS) attacks and try to hack into Internet sites with no tie back to the actual fraudsters.

Internal fraud is also a large worry for M2M services and devices. Employees have access to generate orders, and employees and in some cases third parties have access to the devices and SIM cards and may steal them or route them to fraudsters. Once SIM cards have been acquired, they can be used for similar purposes as described above.

The response

A comprehensive strategy to prevent fraud in M2M services has three main facets. The first facet in limiting fraud is to put the appropriate internal controls around ordering, fulfillment and distribution of devices, including channels. These controls need to limit or eliminate the possibility that fraudsters will gain access to devices without them being deployed for their specific purpose. The second facet is to restrict as much as possible the activities that a device is able to perform. Some networks do not allow for voice calls to be prevented, but certainly international calls can be disabled. Also, data access is a required service for M2M, but restricting data to certain bandwidths or URLs can be effective at preventing fraud. The final facet is setting up a monitoring system to look for activity beyond the norm for a device, variation from historical patterns or activity that is similar to prior frauds that have been detected.
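The second and third facets can be sketched together as an added example (not code from the original post): each day's usage for a SIM is checked against the restrictions it was provisioned with and against its own history. The record fields, the use of the IMEI to notice a SIM moved into another device, the threshold and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:                 # hypothetical provisioning record for one M2M SIM
    imei: str                  # device the SIM was deployed in
    voice_allowed: bool
    allowed_hosts: frozenset   # destinations the device is meant to reach
    daily_kb_history: tuple    # past daily data volumes in KB

@dataclass
class Usage:                   # hypothetical one-day usage summary from the network
    imei: str
    voice_minutes: float
    intl_calls: int
    data_kb: float
    hosts: frozenset

def check(profile, usage, z_limit=4.0):
    """Return the reasons this day's usage falls outside the device's norm."""
    alerts = []
    if usage.imei != profile.imei:
        alerts.append("sim_in_other_device")       # SIM removed from its device
    if usage.voice_minutes > 0 and not profile.voice_allowed:
        alerts.append("voice_on_data_only_sim")
    if usage.intl_calls > 0:
        alerts.append("international_calls")
    if usage.hosts - profile.allowed_hosts:
        alerts.append("unexpected_destination")
    if profile.daily_kb_history:                   # variation from historical pattern
        mu = mean(profile.daily_kb_history)
        sigma = pstdev(profile.daily_kb_history) or 1.0
        if (usage.data_kb - mu) / sigma > z_limit:
            alerts.append("data_volume_above_history")
    return alerts

# Constructed sample: a vending machine that reports ~50 KB a day to one host.
HOST = frozenset({"telemetry.example"})
PROFILE = Profile("imei-vending-001", False, HOST, (50, 52, 48, 51, 49))
SAMPLE = {
    "normal day":   Usage("imei-vending-001", 0, 0, 51, HOST),
    "stolen SIM":   Usage("imei-handset-999", 180, 12, 0, frozenset()),
    "taken over":   Usage("imei-vending-001", 0, 0, 90000,
                          HOST | {"unknown.example"}),
}

def run_sample():
    return {name: check(PROFILE, u) for name, u in SAMPLE.items()}

if __name__ == "__main__":
    for name, alerts in run_sample().items():
        print(f"{name:12} {alerts or 'ok'}")
```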


It’s clear to all that the advance of mobile money and NFC services has become an unstoppable force, with the latest estimates putting global NFC m-payment transactions at US$50 billion by 2014. For the Fraud & Security teams in mobile operators this heralds arguably the single biggest change in the risk landscape since the original proliferation of mobile services back in the late 90s and early 00s.

Where there is money, there is fraud. It was therefore inevitable that when mobile phones became a financial instrument, they would immediately become a target for fraud. Mobile phones were already a very popular target for fraudsters and the combining of the two is simply irresistible. This has presented Fraud & Security teams with a fresh set of challenges and opportunities, the first of which is how they are going to monitor the new services.

Many operators are looking to the financial services industry for best practice and whilst this certainly makes sense, I’m not so sure that the purchase of monitoring tools from the financial services environment is as wise. By buying in such systems, mobile operators run the risk of creating a siloed view of their customers, with one system looking at mobile money usage and others looking at calls, SMS etc. Surely the most effective way forward is to have a single view of every customer, assessing risk across all services.

Almost all operators have some form of Fraud Management System (FMS), monitoring their customers’ calls, SMS and data traffic. Mobile money services are relatively simple when compared to those offered by banks and insurers and the same is true of the data that they produce. It is therefore well within the capability of an FMS to take in mobile money and NFC transaction data and present it alongside the calls, SMS and data usage.

To avoid unnecessary expenditure and inefficient use of resource, my advice to mobile operators is to challenge your FMS supplier to provide you with a solution for monitoring your mobile money services. Only if their answer is ‘no can do’ should you be looking elsewhere!!
