Posts tagged with "Security"

Technology has put consumers in the driver’s seat, demanding a seamless experience across all their devices. The Internet of Things (connected living), Mobile Money, Video Streaming, Social Apps, VOIP and other OTT services are straining the network and operators’ ability to manage relationships with customers and partners in a profitable way. With an increasingly convergent market as the background, Capgemini, one of the world’s largest consulting firms, has published its predictions of where the telecoms industry is heading by 2020. Below is a summary of their top 5 predictions (in italics) with added insights from the industry:

Integration with content providers

The recent trend of telcos acquiring or partnering with content providers (Comcast and NBC Universal, AT&T and DirecTV) may be overtaken by content providers, which are predicted to start acquiring telecoms companies. Net Neutrality is increasingly at risk as content distributors and content providers join up and could control the content available to consumers.

Internet of Things: The next major trend that will have an impact is the explosion of connected devices

Also referred to as the rise of connected living, it’s predicted that IoT will drive data volumes into the realm of zettabytes per year. As Raj Talluri, a senior vice president of Qualcomm, has said:

“I don’t think anyone really knows yet how big it’s going to get because the possibilities are really endless”

IoT is not just about connected devices, but about the analytics that makes sense of this tsunami of data. It is also the usefulness of the analytics that will drive the success of IoT devices.

IoT covers a range of different applications:

The Connected Home

For consumers IoT can help to save money by running homes more efficiently, improve security and provide entertainment. In an increasingly complex world IoT can help us to manage all the products and services we depend on by automating household administration and providing remote monitoring and control of devices.

Connected Health

Wearables are opening the door to great possibilities in health and fitness. While wearables have gained popularity amongst the health conscious, their potential is also being applied to help provide essential monitoring and care for those in need.

The connected car

As cars are an extension of our homes, so the connected car is, in part, an extension of our connected homes. Cars now have entertainment systems that stream our favourite music, tracking systems so friends and relatives can know where we are and, of course, SatNav that knows current traffic and weather conditions. Connected cars can also provide automated diagnostics and reduce our insurance premiums through conscientious driving.

Gartner forecasts that 1 in 5 cars will be connected by 2020.

Mobility

While PCs are still a popular choice for many tasks, the growth in mobility is being driven by the developing world, where mobile is often cheaper and more convenient than fixed line services.

Five big trends in mobility

  1. Wearables

According to Mashable’s 15 Mobile Trends to Watch, the battle for wearables has only just begun.

  2. Mobile payments go big

Emarketer are predicting that in the US mobile payments will triple in 2016.

  3. Security

Mobile and BYOD are major threats to enterprise security, so mobile apps need to ensure the highest levels of security are implemented.

  4. Mobilization of Enterprise Apps

As reported by 451 Research, 40% of companies are planning to prioritize development of business apps. Many of these will be “companion apps” that augment, rather than replace, existing enterprise applications.

  5. Automotive and Transport will be a key vertical, according to Analysys Mason, in the explosive IoT market for life automation

Market Saturation

A growing adoption of connected health and safety apps will ensure that even the latest of mobile adopters, the elderly, will eventually be getting connected, leaving that last remaining market saturated. This will drive the need for operators to differentiate themselves further through content.

Security

Beyond mobile device security, consumers are increasingly concerned about the security of their data held by enterprises, which will drive a demand for more secure systems and better data management processes.

The challenges faced by telecoms operators are immense. With such diverse forces pushing the market forward, operators need to adopt an efficient, robust and highly elastic enterprise architecture more than ever. Managing different lines of business and marketing efforts with different departments is no longer an option, as customers expect companies to provide a seamless experience across multiple services. Subex have had specialised capabilities in helping telcos improve organisational efficiency for years, and now the latest version of the ROC product suite is more highly integrated than ever before, allowing it to deliver the insights and efficiencies that are essential for a telco to compete in today’s rapidly evolving market.


Signalling-level risks, especially fraudulent access from connected SS7 networks, are one area which is making a lot of noise in the assurance and security functions of Telecom organizations today.
The focus on the matter is such that most of the industry conferences covering current and next-gen threats have a lot of material being presented and shared on this topic, from operators and vendors alike.

What is it?
Signalling-level risks generally refer to SS7 (2G/3G) and Diameter (4G) level vulnerabilities (inherent or configuration based) which expose operators to hacks/frauds through signalling control commands, especially in roaming and interconnect scenarios. The scenario becomes more risky considering that a normally configured SS7 infrastructure of an operator is accessible to any other operator in the world, either directly or through a certain number of hops.
Now, just consider a situation where a rogue operator exists, or a group of hackers with malicious intent have got access to the SS7 signalling of any less-secure operator in the world.
The losses due to signalling risks, while still quite speculative, are expected to run into billions every year. Artificial inflation of traffic (especially A2P & P2A SMS), Spamming, Spoofing, Refiling, profile modification, unlawful tracking, unethical disruptive activities from competition etc. are examples of risks which have been found to exist NOW with an estimated 100% infection rate.

Why is it happening?
SS7 signalling vulnerabilities have existed for a very long time, but have become part of news headlines recently due to certain revelations made by famous ethical hackers at certain high profile security conferences.
Some industry pundits make the point, with which most of my industry connections agree, that these risks exist mostly because operators tend to create unreliable partnerships and configure unregulated access (like open GT access, acceptance of any signalling command etc.), which enables malicious parties to connect to operators’ networks and conduct fraudulent activities very easily.
There have also been discussions around the existence of services exploiting these signalling-level vulnerabilities being offered in the grey markets through rogue hacking communities for a price.

Can you eradicate these risks?
Ideal Solution: Operators need to sanitize their access configuration on SS7. Rethink, Reidentify, Reevaluate and Reconfigure the access levels.
But this is really difficult or maybe nearly impossible to achieve due to some practical issues on the ground, such as:

  • Most of the SS7 networks were configured a long time ago – operators now face an expertise issue with respect to SS7 networks, which limits their capability to reconfigure them
  • It is a time-consuming activity, which would also lead to a lot of effort on re-testing connectivity with all the partners, attracting a lot of investment
  • It may lead to reconfiguration of the signalling-level configuration at the network level, and in certain instances would require network downtime – a complete NO-NO for a lot of players out there. The situation becomes even more problematic for countries where Telecom Networks are considered a National Infrastructure.
  • Lastly, not every operator will take up this activity, for many different reasons, such as operators not participating in the awareness meetings/conferences being organized around the world, or even some rogue operators deliberately participating in malicious activities.

The problem becomes much trickier because even one infected, insecure or rogue operator in the world will continue to pose a threat to everyone else. And sanitizing each operator against these threats is a feat which is very unlikely to be achieved.

It is now unanimously accepted that SS7 signalling-based networks are here to stay (at least 10 years in developed markets and 20-25 in developing or lesser developed countries), and so are their vulnerabilities, which are expected to grow by huge amounts considering the limelight they have received recently.

The bigger problem, which has started giving sleepless nights to the fraud & security functions in operators moving towards 4G and setting up their networks over the Diameter protocol (which provides the 4G signalling framework), is that Diameter does not have native security standards built in, but requires security mechanisms to be implemented on top (a practice always found susceptible to gaps). Also, the access methods are similar to SS7, so it exposes 4G networks to similar signalling risks as SS7.

What can be done now?
For now, an approach of detection would be ideal until the industry identifies a way to plug these vulnerabilities around the world, which is definitely a few years away and will take a lot of research hours of investment.
An approach of detecting malicious signalling requests in your network still has a few complexities to manage:

  • High false positive rates – A lot of signalling requests that appear to be malicious turn out to be configuration issues on the partners’ side. Hence, domain expertise is essential to pick the ‘needle from the haystack’.
  • Sheer size of signalling data to be analyzed – big data support is required.
  • Skill set – This activity will surely require upskilling and may be difficult for traditional teams like fraud and risk management to absorb. Even teams like security, with less focus on fraud domain know-how, are expected to find it difficult to add this activity to their set of responsibilities.

I feel industry partnerships with vendors possessing the domain knowledge, the right skill set and technology built on a big data platform are the way to go.

These partnerships, considering no-one has a complete answer to this rampant problem of signalling vulnerabilities as of now, need to be built on solid vendor capabilities, while being both liberal and experimental to give room for exploration.


Operators and global industry forums continue to wrestle with the question of whether or not to merge their fraud and security teams/work-groups to cope better with criminals who are breaking in through IP-based networks in order to derive profit for themselves (or their causes), or just to wreak havoc and disruption on their “enemies”.  Fraudsters are not just partaking in the traditional crimes of bypass fraud, roaming, Dial Through, AIT/PRS, Call Selling fraud etc., but also the exciting new stuff…. Phishing, malware, spoofing, DDoS, Trojans etc.

One can be forgiven for thinking that fostering closer links between fraud and security domains is breaking new ground in terms of responding to the threats posed by 4G/LTE, NextGen, the continued growth of e/m-commerce and the proliferation of data passing over networks.   I guess it is a sign of my advancing years that I can’t help feeling that we have been here before…

15 years ago, when I was prepping for an interview for my first job in the fraud management arena, I was listening open-mouthed as a fraud expert was explaining to me the finer points of PBX Hacking.  Thinking back, two things were very clear:-

  1. The Operator in the UK already had a merged fraud and security group (which they later separated out, then subsequently re-merged again, by the way).
  2. The main advice to combat PBX Hacking was prevention, not detection… and that meant security prevention. The operator was keen to tell its business customers that they needed to physically lock away their PBX equipment, protect their passwords, switch off unnecessary/vulnerable services such as DISA/Voicemail, carry out security awareness training for switchboard operators, support staff, suppliers, use barring at switch or extension level, keep PBX call logging records to see hacking attempts before they succeed, shred old copies of internal directories, vet their security/cleaning staff, etc. etc.   The FMS only stepped in when all the prevention activities failed and the PBX was breached.  By the time that happened, operators were already losing money directly, if they were responsible for the switch, or indirectly if their customers were liable.  Customers may have been unwittingly facilitating the fraud by their lack of security awareness etc. but even so, if a small business – used to paying perhaps $1000 a month for calls, suddenly gets a bill for $20000, they are going to fight it, refuse to pay it or be unable to pay it.  The indirect cost to the operator of customer complaints, disputes, potential court cases, damage to the brand, bad publicity, negotiated settlements, debt write-off and churn etc. can cost far more than the original bill.  It was a lose/lose situation… unless you were the fraudster.

These days, with the emergence of 4G/LTE, IP-based Networks, perpetrators are still committing the same underlying crime for the same motives as before, but now they are breaking in through a host of different entry points, wearing better disguises, carrying bigger SWAG bags and using faster getaway vehicles.  In truth, many operators are struggling to keep up with the high number and seemingly unpredictable nature of these attacks.

Security teams are traditionally very good at preventing access to networks, but they are not perfect. The pace at which network elements, components, interfaces and transactions are increasing is making it impossible for all the preventative measures to be in-situ from day one. Not to mention the surfeit of off-the-shelf tools that fraudsters can use to break in to more and more lucrative areas of daily commerce.

In practice, Prevention alone cannot succeed.  Detection, Analysis and Response are also essential elements of the fraud management cycle.

[Figure: Cycle]

So, my point is this…. security and fraud teams cannot operate in silos.  Security teams must continue to try and prevent malicious intrusion as much as possible.  That requires taking in a lot of real-time data from the access points, identifying the nature of the content and the data patterns and quickly blocking anything that looks dubious.  But when the intruder gets in (and they do in their numbers), that is when the fraud team can also play their part.

Whilst the security team controls corporate IT networks, how well can they police the mobile workers and the homeworkers, the tablet users, the App Store/Android Users etc.?  And if you think that profiling subscribers was difficult historically, how much harder is it when you can’t even define what a subscriber is, let alone track their behaviour.  In the new world, the relationship between account holder, subscriber and product/service is not always obvious.  Also, the billing relationships for transactions can be mind-boggling.  Couple this with the speed at which these transactions are taking place and the value of services and content being passed across a proliferation of bearers, and you have a minefield to negotiate.

This is where a good Fraud Management System can supplement an operator’s security tools.  An FMS must now be equipped to take in much larger volumes of data than before, in many different forms and process it much quicker.   Any reputable FMS vendor will now be offering solutions with large scale, flexible data handling tools (including probe / deep packet inspection events), internal/sales partner audit logs/feeds, inline service/transaction monitoring, exhaustive rules engines (real-time, in-line and statistical), subscriber grouping & profiling features, reference data including Hotlists/Blacklists, fraud and device “fingerprinting” capabilities, ID verification, alarm prioritisation and established, flexible workflows, with a range of analytics tools and visualisation features.  All these components – in the hands of an experienced and well-managed fraud operations outfit – will help to choke fraudsters and drive them out to look for easier targets.

So, in summary, don’t let the security guys take all the strain at the prevention stage.  Share the data, share the knowledge and spread the load to the fraud team for a more comprehensive response.


History tells us that safety and security are afterthoughts. From the Gold Rush at the end of the 19th century to the technology Gold Rush at the end of the 20th, the rush for riches was so great that the idea of security was thrown to the wind. Revenue assurance only came to the Mobile table once the rush for customers had subsided and the focus moved from top line revenue to bottom line margin.

It is happening again. As the rush for market share of the payments market heats up, companies large and small are inventing new ways of transferring funds – paying people – easily. This aim for easy to use, attractive products creates a potential nightmare for consumers; easy is seldom secure. The whole concept of mobile wallets, while attractive, means that when someone steals your phone, they steal your wallet too – worse, you can’t phone for help! It is not just NFC that is at ‘fault’ here, although it is an obvious example. If you have your credit card or bank details stored in a mobile phone you have a monetary instrument and that is attractive to Bad Guys.

The potential of NFC is enormous. It will enrich and enable the whole shopping/living experience of millions of people and will create opportunities for operators and third parties that we can only imagine. It is the difference between shopping in a warehouse and walking the aisles of Macy’s or Harrods.

For a moment, though, let us step to the Dark Side. As you walk into the store, your phone lets the store system pick up your details as you walk inside its co-ordinate boundaries. Google have quietly patented a face recognition technology that enhances this ability. No records exist, until a transaction takes place, but when you walk through the door into the store, you have opened the door into your phone. This means that your phone, and therefore your wallet, can be cloned. A Disgruntled Shop Assistant could potentially steal your details or there may be a Bad Guy in the store with you, and it is possible for him to clone your phone while simply standing close to you.

Another threat is the excellent concept of the QR code or NFC tag. Again, they are easy to produce – three clicks and the means to produce are in front of you. Point your phone at a QR code or NFC tag and it is possible, easy in fact, for someone to take control of what happens next. They could have designed the code so that you are re-directed to a site that is fizzing with malware that can empty your phone of all its information and send this to a clearing house and on to other Bad Guys. The very ‘connectedness’ of the ubiquitous mobile device could potentially be harnessed to launch Distributed Denial of Service attacks of unprecedented scale. Unlike having your ‘wallet’ stolen, it is likely that you will not even know that it has happened. And this gives the Bad Guys a real head start. You will not know when it happened or who did it and, frankly, by the time the authorities are involved the ‘who, when and where’ will be entirely academic.

As with the new acknowledgement that people need educating about online security, it is time that we take a very serious look at the security of new technologies that are making payments easier. There need to be standards and accountability, as there are in the credit card industry.  If your credit card is stolen the liability lies with the credit card company – as long as you report its loss in a timely manner. Not so, yet, with the phone company – or if so, accountability is patchy at best. If your phone is stolen and you receive a huge phone bill as a result of someone else’s online shopping spree, the phone company has no liability and it is their discretion alone that will let you off or not.

There are some ideas emerging. Many of them revolve around a second stage authentication and one of the most promising is that when you use your phone to pay, a photo of you will appear on the terminal in the store. This works fine as long as a) there is a photo of you on your phone and b) your kids have not borrowed your phone!

As with any Gold Rush that can create riches and a better life for consumers, security is likely to remain an afterthought. But in this connected world, where one person can steal the identities of 100 million others, this is no longer acceptable. There are too many people, too much money at risk. We need to have security built in.


The revenue

The statistics are astounding. The predictions for future adoption and revenues from machine to machine (M2M) technology nearly boggle the mind. Devices in the billions, revenues in the hundreds of billions. No matter how you define M2M, the uptake and revenues look very promising.

The risks

Any service that expands quickly will have growing pains and certain functions will need to play catch up. Small issues, while manageable on a small scale, tend to break down when the scale is increased. M2M and fraudsters are most likely in this category. Devices that are physically removed from constant human presence and are in unsecured locations provide fraudsters with an opportunity for acquisition. In addition, these devices being part of a network provides additional opportunities for fraudsters. Many of the fraud cases to date have involved stealing Subscriber Identity Module (SIM) cards from unattended devices and plugging them into devices that allow the fraudster to make calls. Devices such as fleet monitoring units, traffic lights, vending machines and others have fallen prey to this. The only key is that fraudsters figure out where they are and have the tools required to gain access to the SIMs. Although network providers often have the ability to limit SIMs to only make calls, and not send text messages or use data access, they are often not able to prevent calls from happening when the SIM is plugged into a device. This provides fraudsters a way to make calls by simply using a screwdriver at the correct target.

Other types of fraud are likely to become more relevant. Downloading malware onto a device either via direct physical connection or through the network that an M2M device is connected to will enable the fraudster to take over the device. This could enable the fraudster to change the behavior of the device. Imagine a security system that suppresses notification of intrusion or a traffic light that changes based on the desire of the fraudster, which could either create traffic jams or a dangerous free for all. An M2M device could also be used for its Internet connectivity to launch Denial of Service (DoS) attacks and try to hack into Internet sites with no tie back to the actual fraudsters.

Internal fraud is also a large worry with M2M services and devices. Employees have access to generate orders, and employees and in some cases third parties have access to the devices and SIM cards and may steal them or route them to fraudsters. Once SIM cards have been acquired, they can be used for similar purposes as described above.

The response

A comprehensive strategy to prevent fraud in M2M services has three main facets. The first facet in limiting fraud is to put the appropriate internal controls around ordering, fulfillment and distribution of devices, including channels. These controls need to limit or eliminate the possibility that fraudsters will gain access to devices without them being deployed for their specific purpose. The second facet is to restrict as much as possible the activities that a device is able to perform. Some networks do not allow for voice calls to be prevented, but certainly international calls can be disabled. Also, data access is a required service for M2M, but restricting data to certain bandwidths or URLs can be effective at preventing fraud. The final facet is setting up a monitoring system to look for activity beyond the norm for a device, variation from historical patterns or activity that is similar to prior frauds that have been detected.
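The second and third facets, sketched as an added example (not part of the original post or of any vendor product): a small monitor that compares each M2M SIM's usage with what it was provisioned for and with its historical data volume. The record fields, alert names, thresholds and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class SimProfile:
    """What one M2M SIM was provisioned to do (field names are assumptions)."""
    imei: str                 # device the SIM was deployed in
    home_cc: str              # home country code, digits only
    services: frozenset       # subset of {"data", "voice", "sms"}
    allowed_hosts: frozenset  # hosts the device is expected to reach
    daily_kb_history: tuple   # data volume of previous days, in KB


@dataclass(frozen=True)
class UsageEvent:
    imei: str     # device that presented the SIM
    kind: str     # "data", "voice" or "sms"
    dest: str     # host name for data, dialled digits otherwise
    kb: int = 0   # data volume, 0 for voice/sms


def event_alerts(profile, ev):
    """Rule checks on one event: activity the SIM should never produce."""
    alerts = set()
    if ev.imei != profile.imei:
        alerts.add("sim-in-unknown-device")   # SIM removed and used elsewhere
    if ev.kind not in profile.services:
        alerts.add("service-not-provisioned")
    if ev.kind in ("voice", "sms") and not ev.dest.startswith(profile.home_cc):
        alerts.add("international-destination")
    if ev.kind == "data" and ev.dest not in profile.allowed_hosts:
        alerts.add("host-not-allowlisted")
    return alerts


def volume_threshold_kb(history):
    """Upper bound for a normal day: mean plus the larger of 3 sigma or 50%.
    The 50% floor avoids alerting on tiny changes when history is very flat."""
    avg = mean(history)
    return avg + max(3 * pstdev(history), 0.5 * avg)


def alerts_for(profile, day_events):
    """All alerts for one SIM over one day, sorted for stable output."""
    alerts = set()
    for ev in day_events:
        alerts |= event_alerts(profile, ev)
    day_kb = sum(ev.kb for ev in day_events if ev.kind == "data")
    history = profile.daily_kb_history
    if history and day_kb > volume_threshold_kb(history):
        alerts.add("data-volume-above-baseline")
    return sorted(alerts)


# Constructed sample: a vending-machine SIM provisioned for telemetry only.
PROFILE = SimProfile(
    imei="490000000000001", home_cc="44", services=frozenset({"data"}),
    allowed_hosts=frozenset({"telemetry.example.net"}),
    daily_kb_history=(120, 130, 110, 125, 118, 122, 127),
)
NORMAL_DAY = [
    UsageEvent("490000000000001", "data", "telemetry.example.net", 60),
    UsageEvent("490000000000001", "data", "telemetry.example.net", 64),
]
# Constructed sample: the same SIM after being moved to another handset.
STOLEN_DAY = [
    UsageEvent("490000000000002", "voice", "999000000001"),
    UsageEvent("490000000000002", "data", "video.example.org", 50000),
]

if __name__ == "__main__":
    print("normal:", alerts_for(PROFILE, NORMAL_DAY))
    print("stolen:", alerts_for(PROFILE, STOLEN_DAY))
```
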


KARIBU !!!

‘M-Pesa’ has been leading the revolution of mobile wallets across the globe. Over 50% of the adult population in Kenya today use the M-Pesa service to send money to far-flung relatives, to pay for shopping, utility bills or a taxi ride home. While East Africa has been dominating the numbers in the past few years, other regions including APAC, EMEA, Europe and the Americas are about to explode sooner or later with their own models – NFC, Google Wallets, Mwallets, Apple Passbook, etc.

More operators are walking down the path of offering Mobile Banking services in some form or the other every year. These players might get caught off-guard & face what a leading operator in Uganda recently got hit with – a million dollar mobile money fraud loss !! News articles indicate that a recent internal fraud in a leading operator in Uganda led to a 3.5 Million Dollar loss, the Mobile Money boss losing his job & 8 other employees getting fired. The operator also received reprimands from the regulator and suffered a significant dent to its brand image. This mess also opened up competition for other players in the country. Regaining the confidence of customers and regulators will not be an easy job for such operators. They will be looking to enhance security within their mobile money offerings. It might be a differentiator and lead to an uplift in adoption.

This incident clearly presents a lesson for other operators about to offer Mobile Money services. Moving forward, one of the key areas of focus for operators will be to provide a secure mobile money platform to users and manage frauds beyond the traditional regulatory requirements. The infographic below highlights some variants of Mobile Money fraud already rampant within operations and the potential damage they might cause.

[Infographic: Mobile Money Risks]
