You have been living under a rock for the last 18 months or so if you have not seen all the press about the scams that have defrauded everyday consumers of their life savings, through the abuse of Covid-19 regulations, delivery and courier cons, government tax demands, bank fraud alerts, etc. Have you even received a suspicious call yourself, an onerous text or even worse been an unsuspecting victim?
Not all of these scam stories in the press are down to naivety or abusing the vulnerable. Criminals can make it look like their phone call or text is originating from a legitimate telephone number, such as your bank, your phone service provider or delivery firm, with the receiving party none the wiser.
The proliferation of scams and sim swap attempts is down to ‘spoofing’ phone numbers. Organisations’ call centres can be targeted so as to facilitate social engineering, sim swaps and more. Consumers can be approached and duped into sharing sensitive information believing the calling number is a genuine phone number from a legitimate organisation.
Telephone network service providers cannot guarantee 100% that the number appearing on the receiver’s phone is the actual originating number. The crux of the problem: a telephone identification protocol nearly half a century old called SS7. Technology, security, and of course hackers and fraudsters have evolved and progressed since then. Sadly the SS7 protocol has not…
SS7 – a technology almost 50 years old
SS7 is a set of protocols that originated in the mid 1970’s allowing phone networks to exchange information required for passing calls and text messages between each other and to ensure correct billing. The SS7 protocol tells the telephone network what number a user is calling or texting from. This is crucial so that telephone calls can be connected to one another. The problem is that fraudsters and criminals can steal this presentation number, and then link it to their own number,thus ‘spoofing’ the number.
The issue affects both landlines and mobile phones, with SS7 still a fundamental enabler of 2G and 3G mobile phone networks that continue to carry voice calls and text messages. Text messages including one and two-factor authentication messages.
SS7 vulnerabilities have been known for some time. Workarounds and temporary solutions have been tried, but the technology’s inherent weakness means that until the day all such protocols are removed from our phone networks, this abuse will continue. With any legacy technology we are reliant on, moving away from it quickly or painlessly is challenging without legitimate alternatives being in place to avoid disruption.
SS7 will not be disappearing just yet
The stark facts are that SS7 will be around until all 2G/3G networks have completely disappeared from service providers’ technology portfolios which is unlikely for many years yet. With the inception and eventual saturation of 5G and IP based networks, SS7 and 2G/3G networks can be steadily replaced and decommissioned and we are already seeing operators decommissioning or announcing the imminent decommissioning of 2G/3G networks. But this will not occur overnight.
So what can one do in the meantime to attempt to mitigate the abuse?
It is not a problem that can be solved solely by software and automation, but deploying cost effective innovative technology to counteract old technology; the use of proven and dedicated configurations and modules to detect these possible abuses quickly should be considered. It does not need $million dollar budgets or 12-month project durations, it needs quick and efficient risk management systems, dynamic and responsive fraud management teams. And of course in the background, a collaborative approach between telecom service providers, financial organisations, regulators, industry organisations and fraud management vendors to proactively communicate and identify suspicious activity and stop it in its tracks.
Scam – a fraudulent or deceptive act or operation.
SIM swap – an account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone.
Spoofing – deliberately changing the telephone number and/or name relayed as the Caller ID information to try to mimic the number of a real legitimate company or person who has nothing to do with the actual caller.
Signalling System No. 7 (SS7) is a set of telephony signalling protocols developed in 1975, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network (PSTN). The protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.