You may not have heard of SS7 but it is the latest weakness in SMS / call verification to be exploited.
We all know the drill: you are signing into your online bank account and for some reason or another, the bank fails to recognize who you are – perhaps you are signing in from new device, or you can’t remember your password. The bank then sends you an SMS or calls an already provided telephone number to share an authorization code to input into the app or platform as a means of validating your identity. But it’s not just banks, lots of companies are using this type of SMS or outbound calling method as a second step of authentication, which makes them an easy target for fraudsters.
As with most single or two-factor authentication methods, the bad guys will always find a way to get around them - whether it’s social engineering, malware or SS7 hacks. The latter may not be something you are aware of, but SS7 is the latest weakness in SMS / call verification methods that fraudsters are able to exploit. With banks starting to see the consequences of SS7 attacks, it’s not long before other sectors will start to feel the repercussions.
What is SS7?
SS7 is an international telecommunications standard used by mobile network operators (MNOs) to exchange information when passing calls and text messages between each other, such as when you are roaming. The standard will celebrate its 50th birthday in 2020 and it’s starting to show its age. When first implemented in the 1970s, there were only a few telephony networks, and they all operated on trust. Fast forward to today and with an increasing number of global network providers, it’s more and more difficult to verify where SS7 messages originate from and, whether they are from legitimate sources.
SS7 and authentication
So, what does this mean for authentication? Once a fraudster has a customer’s credentials and has attempted to login to their target’s account, SMS or outbound calling authentication should, in theory, stop them in their tracks. However, fraudsters have found a way to intercept these messages with SS7 being the gateway. By accessing SS7, they are able to see the data being sent between networks, meaning they can simply get these messages and calls sent to a SIM of their choice by setting up a misdirection of the legitimate customer’s SMS or outbound verification call.
Whilst some effort has been made by the network operators to address the problem, some SS7 messages just cannot be filtered at the network boundaries. This is because there are some legitimate reasons to send cross-network messages e.g. to set up call roaming. Therefore, if an attacker can infiltrate any SS7 network, they can send certain SS7 messages to their fraud target’s home network. Call and SMS redirection can be set up using this mechanism from a remote location with no interaction from the MNO’s operating staff, nor the fraud target.
How can we solve the problems of SS7?
There isn’t a catch-all solution to the SS7 vulnerabilities, but by taking a pro-active approach to the below, organizations can look to mitigate the issues associated with SS7.
Stay ahead of the game
There is absolutely nothing wrong with using calls and SMS for authentication if the company is protecting itself and its customers against its drawbacks. We invest in in our research and development to not only keep track of new threats such as SS7, but to ensure that our customers are protected against them.
Keep on top of your security policies
A strong and agile governance process in terms of authentication policies is key. It’s crucial that organizations are mitigating against future scenarios that might not even be apparent at this stage, where SS7 might be compromised. They should also regularly review these policies so that they are fully up to date, and can adjust their authentication methods as required. Using a policy manager that can manage all authentication processes from one central location can help organizations understand what their policies are doing, and quickly adapt or change them as new threats appear.
Make data your friend
Fraudulent activity should be detected at the point of transaction, not after. The Callsign Intelligence Engine collects device, call divert, SIM swap, and roaming status data from MNOs and analyzes it alongside event, threat and behavioral analytics to deliver a real-time confidence score that the person making the transaction is, who they say they are.
Using this data, organizations can build dynamic policies that adapt according the confidence score delivered by the intelligence engine. Meaning, if a possible SS7 compromise has been detected, additional layers of authentication can be introduced. This could be a more rigorous behavioral authentication method or using a non-telephony-based validation method, for example a card reader.
The future of SS7
SS7 will eventually be replaced. However, this will take several years, so it is crucial that action is taken immediately before more cases of fraud are reported. It is critical that players in the sector embrace collaboration now and work together more proactively to ensure that future standards will not have the same flaws as SS7, and that they will provide the most appropriate approach for the long-term. For new protocols to be a success, the goal must be to create a secure communication system with minimal risk and maximum effectiveness. The key to achieving this is to think about potential misuse cases, as well as the normal usage scenarios, from the outset.