How Financial Fraudsters Break Telecom Network Security

Posted Sep 2014

Mobile phone networks face rising levels of fraud and network hacking. Various developments in the industry mean that it is now easier than ever for fraudsters to gain access to the network. This is a potential problem for the phone networks and for everyone that relies on them. This particularly includes banks and other institutions which use telecoms as a weapon in their battle against financial transaction fraud.

Fraud and the Web

In 1989 Tim Berners-Lee and Robert Cailliau, at the CERN high energy physics laboratory in Geneva, developed the protocols that became the “world wide web”. Initially the system was used by trusted and respectable scientists to share research and other information.

In the early 1990s the development of the PC, and the introduction of browsers such as the Netscape “Navigator”, made access to and use of the Internet much easier. Hacking bulletin boards and web sites were established on the Internet, helping fraudsters to share information. Shortly afterwards some high profile frauds started to appear. In 1995 an employee at Citibank used his laptop after hours to siphon off $10 million and transfer it to bank accounts in Israel and Finland.

By 2000 Internet hacking and fraud had reached massive proportions. In that one year some of the world’s most popular websites, including Amazon, were closed down by denial of service attacks, the “ILOVEYOU” virus clogged computers world-wide, activists in the Middle East defaced websites belonging to Indian and Israeli companies, and Microsoft admitted that its corporate network had been hacked and that source code for future products had been stolen.

What began as a “walled garden”, where use was restricted by access to suitable equipment and was operated by members of a trusted community, has now become something of a jungle where those who do not protect themselves quickly get into serious trouble.

SS7 Network Defences Have Been Weakened

The SS7 network, which links telecom operators together, was also once considered a protected area, insulated from the outside world and used solely by trusted members. However, the barriers that protect this “safe area” have been eroded.

Changes in legislation, regulatory policies, and technology have lowered the barriers to entry for new telecom operators. Leasing of signalling access to enable services and generate revenue streams for operators has become commonplace. This has led to a rise in the number and types of organisations with access to the SS7 network. Access to an SS7 network can cost as little as $1000/month.

Three things have together lowered the cost of technology by several orders of magnitude: the move to IP (SIGTRAN initially), which has enabled the use of standard servers; Moore’s law, which has reduced the cost of high performance servers; and open source stacks. Now a few hundred dollars is all that is required.

Of course hackers know IP very well indeed. Now that SS7 knowledge is also available to anyone, programming a PC to “speak SS7” requires relatively little effort. This means that hacker communities are now busy finding ways to gain network access. Sometimes their aim is purely to disrupt services “for fun”. Sometimes the intent is to defraud the network or its customers.

The Nature of the Threat

Many fraudsters are highly intelligent. They should not be underestimated. And they often approach their activities with a high level of dedication and effort. The high level of rewards that they can gain also means that they are often well funded and highly organised.

They are also highly reactive. They learn how operators look for fraud. Then they adapt their methods to avoid detection. It is essentially an arms race. Actions are met with counter actions, and these counter actions are themselves met with counter actions.

For example let’s look at the case of international revenue share fraud – calling premium rate numbers whilst roaming. You may look out for this type of fraud by looking for high roaming usage or calls to known premium rate numbers and then blocking off that phone. The fraudster learns how long they have before detection and adapts to maximise their fraud in the time window they have.

Financial Transactions and Telecom Based Validation

For most internet transactions it is assumed that the PC, tablet or smartphone involved will have been thoroughly compromised. It is assumed that key loggers and screen grabbers will have furnished the fraudster with account numbers, passwords and key memorable information for their intended victim. So, today, “out of band” methods are used to validate a transaction. Often these methods are used in combination to improve security.

From a customer ease of use point of view, telecom based “out of band” methods are amongst the best because they require the least involvement from the consumer. These methods include the sending of an additional code by automated phone call or SMS. They might also involve the sending of a text or phone call to confirm that a transaction will be finalised in the next hour or so, thereby giving the potential victim a chance to react and stop it going through.

Fraudsters now seek to intercept calls and messages used in this way. This gives them all that they need to complete a fraudulent transaction and keep the victim in the dark for long enough to get away with their crime.

Intercepting Phone Calls

Fraudsters use a number of ways to intercept phone calls and texts. Here is a selection of some of the main ones that we have seen:

“Engineer Fraud”

This fraud uses social engineering. A member of the fraudster team calls the victim and poses as an engineer for the victim’s phone company.

Sometimes, to build credibility and to “prove” their identity, they ask the victim to call their phone company and ask to be reconnected to them. The fraudster simply keeps the line open whilst the victim “hangs up”. Then, when the victim calls the phone company number, the fraudster plays them a believable set of audio effects including perhaps another member of the team posing as a telephone receptionist. Once they have established the trust of the victim, they then tell them:

  1. That there is a fault on their line
  2. That to help clear the fault, they need to enter a series of numbers into their phone

Then they thank the victim and end the call.

What the victim does not realise of course is that they have just unconditionally forwarded all of their calls to another number. The fraudster’s team then executes a fraudulent transaction and picks up the phone message with the additional validation code.

SIM Swap Fraud

In this variant, usually a member of the fraudster’s team will first get hold of a utility bill for their victim by either “door stopping” the postman, picking up mail from a shared hallway or by rummaging through the victim’s bins.

Then, when they are ready to execute the fraudulent transaction, they go to the mobile phone shop and, using the utility bill as “proof” of identity, request a new SIM card. Passwords and memorable information will already have been harvested from the victim’s PC. Sometimes this fraud is carried out remotely by a telephone call. This may feel safer for the fraudster as it removes the need for him to risk being caught in the act.

The SIM swap effectively locks out the victim’s phone. The phone call or text from the bank is then picked up and used to complete the transaction.

The victim will probably only realise that there is a problem when he either makes a phone call or wonders why he has not had any calls himself for a while.

SS7 Hacking

This variant requires the fraudster team to gain access to the SS7 network. Whilst today this is less common, as discussed above it is now cheap and simple and we expect to see a significant increase in this approach.

Once the network is hacked, this will allow the fraudster team to turn call and text forwarding on and off at will. This makes the fraud difficult to track down and identify. The fraudsters can simply switch on forwarding for a few minutes until the validating call or text comes through and then switch it off again.

The fraud can therefore be repeated many times with limited fear of detection and can be industrialised as it is far less time consuming. Hence this is useful for frauds where the fraudster team is transferring funds from one of the victim’s other accounts over a period, e.g. from a mortgage draw down account.
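
The three interception methods above leave different traces on the subscriber record: a divert that stays on ("engineer" fraud), a recent SIM change (SIM swap), and a divert switched on for a few minutes around a validation code and then off again (SS7). The following is an added example, not code from this article or from any vendor, of how a bank-side check might test for each one. The event names, record layout, phone numbers and the 72-hour and 10-minute thresholds are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample feed: event names and layout are assumptions,
# not any operator's real interface.
EVENTS = [
    ("2014-09-01T10:00:00", "447700900001", "DIVERT_ON"),   # never switched off
    ("2014-09-02T09:15:00", "447700900002", "SIM_CHANGE"),
    ("2014-09-03T14:00:00", "447700900003", "DIVERT_ON"),
    ("2014-09-03T14:04:00", "447700900003", "DIVERT_OFF"),  # brief on/off window
    ("2014-09-03T16:30:00", "447700900003", "DIVERT_ON"),
    ("2014-09-03T16:33:00", "447700900003", "DIVERT_OFF"),
]
# Constructed times at which the bank sent a validation code.
OTP_SENT = [("2014-09-03T14:02:00", "447700900003"),
            ("2014-09-03T16:31:00", "447700900003")]

def ts(s):
    return datetime.fromisoformat(s)

def pre_send_risk(msisdn, now, events, sim_window=timedelta(hours=72)):
    """Reasons not to trust a call or SMS code for this number right now."""
    reasons, divert_on = [], False
    for when, number, kind in sorted(events):
        if number != msisdn or ts(when) > now:
            continue  # other subscriber, or not yet happened at 'now'
        if kind == "SIM_CHANGE" and now - ts(when) <= sim_window:
            reasons.append("recent SIM change")
        elif kind in ("DIVERT_ON", "DIVERT_OFF"):
            divert_on = kind == "DIVERT_ON"  # last state before 'now' wins
    if divert_on:
        reasons.append("unconditional divert active")
    return reasons

def short_diverts_over_otp(events, otp_sent, max_len=timedelta(minutes=10)):
    """Retrospective check: brief divert windows that contained a code delivery."""
    hits, opened = [], {}
    for when, number, kind in sorted(events):
        if kind == "DIVERT_ON":
            opened[number] = ts(when)
        elif kind == "DIVERT_OFF" and number in opened:
            start, end = opened.pop(number), ts(when)
            if end - start <= max_len and any(
                    n == number and start <= ts(t) <= end for t, n in otp_sent):
                hits.append((number, start, end))
    return hits
```

The pre-send check only sees a short SS7-style divert if it queries while the divert is active, which is why the retrospective pass over repeated brief windows is kept as a separate function.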

Frauds in Operation

Banks are understandably reluctant to publicise the occurrence of fraud, especially of this type. Usually frauds are committed using the simplest method that works. Once that method has been blocked by one financial organisation, the fraudsters tend to move on to the next most vulnerable target. The most common form of fraud that we see today is SIM Swap fraud. Thousands of cases have been reported in South Africa with the largest losses approaching $500,000 for individual victims. Probably we have heard more about South Africa because there the banks are arguing that losses incurred this way are not their fault. Some blame the banks, some blame the telephone companies and the consumer is left in the middle facing a life changing financial loss.

In the UK SIM swap fraud is also common. We have supported the UK banks, enabling both SIM swap fraud and call divert fraud to be progressively blocked. We therefore see a rise in the number of remote SS7 frauds and the use of mobile phone malware. As fraud is blocked at one bank, we see fraudsters moving on to the next bank.

Evolved Intelligence provide solutions to enterprises (e.g. banks) to enable checks for call diverts etc., and to mobile operators to protect themselves from SS7 attacks and for real time fraud protection.