International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION (05/2019) STANDARDIZATION SECTOR OF ITU Security, Infrastructure and Trust Working Group Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions Report of Security Workstream FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups, which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups and are led by the World Bank Group. © ITU 2019 This work is licensed to the public through a Creative Commons Attribution-Non-Commercial-Share Alike 4.0 International license (CC BY-NC-SA 4.0). For more information visit https://creativecommons.org/licenses/by-nc-sa/4.0/ Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions Security Workstream ii About this report This report was written by Assaf Klinger with special thanks to Dr. Leon Perlman for his helpful support and contribution and the members of the Security, Infrastructure and Trust Working Group for their comments and feedback. Vijay Mauree, ITU provided overall guidance for this report. For queries regarding the report, please contact, Vijay Mauree at ITU (email: [email protected]) iii Table of Contents Page Executive Summary ............................................................................................................................................. 1 Abbreviations and acronyms ............................................................................................................................... 2 1 Introduction ............................................................................................................................................ 3 2 Impact of Telecom vulnerabilities on DFS ............................................................................................ 3 2.1 Over the counter cash fraud .............................................................................................................. 3 2.2 Account takeover .............................................................................................................................. 3 2.3 Social engineering ............................................................................................................................ 3 3 Telecom vulnerabilities and attack surfaces ........................................................................................... 3 4 Common types of telecom attacks .......................................................................................................... 4 5 The commonality of Telecom attacks .................................................................................................... 6 6 The Challenge ........................................................................................................................................ 7 7 Misconception: Isn’t it hard to attack the telco? Governments do that ................................................. 7 8 The Cellular attack kill chain ................................................................................................................. 8 9 Examples of attacks on DFS infrastructure ............................................................................................ 10 9.1 SMS OTP interception...................................................................................................................... 10 9.2 Social engineering of sensitive credentials using USSD .................................................................. 11 9.3 Denial of service attacks ................................................................................................................... 12 9.4 SIM card swap .................................................................................................................................. 12 9.5 SIM card recycle ............................................................................................................................... 12 10 Mitigation strategies for mobile operators ............................................................................................. 13 10.1 FS.11: SS7 Interconnect Security Monitoring Guidelines..................................................... 13 10.2 FS.07 SS7 and SIGTRAN Network Security ........................................................................ 13 10.3 IR.82 Security SS7 implementation on SS7 network guidelines ........................................... 13 10.4 IR.88 LTE and EPC Roaming Guidelines ............................................................................. 13 10.5 Mitigations in GSMA documents vs common telecom attacks ............................................. 14 11 Implementation of mitigation among mobile operators ......................................................................... 15 12 Mitigation strategies for DFS providers ................................................................................................. 16 12.1 Detecting and mitigating account take over using intercepted OTP SMS ............................. 17 12.2 Detecting and mitigating social engineering attacks with MT-USSD ................................... 17 12.3 Detecting and mitigating interception of MO-USSD transactions ........................................ 17 12.4 Detecting and mitigating unauthorized SIM card swap......................................................... 18 12.5 Detecting, preventing and mitigating SIM card recycle ........................................................ 19 12.6 Embedding data within the user’s phone for authentication .................................................. 19 12.7 Regulatory Activities ............................................................................................................. 19 13 Conclusions and recommendations ........................................................................................................ 21 13.1 Conclusions ........................................................................................................................... Error! Bookmark not defined. iv 13.2 Recommendations ................................................................................................................. Error! Bookmark not defined. Annex A Technical description of SS7 and Diameter ........................................................................................ 23 A.1 The SS7 Protocol stack.......................................................................................................... 23 A.2 The Diameter protocol stack ................................................................................................. 24 A.3 EPC protocol stack ................................................................................................................ 24 A.4 Support of voice services and SMS ....................................................................................... 25 Annex B Template for a Model MOU between a Telecommunications Regulator and Central Bank related to DFS Security .......................................................................................................................................... 27 v Executive Summary The world of digital financial services (DFS) relies heavily on the underlying telecommunications infrastructure to enable users send and receive money. In most developing countries where DFS is popular, most of the end-users do not have reliable and accessible means to connect to Internet and thus rely heavily on the mobile communications infrastructure. The communication channels in which the end-user communicates with the DFS provider are mostly Unstructured Supplementary Service Data (USSD), Short Messaging Service (SMS). USSD and SMS have long been known as “broken” and have many published vulnerabilities, some over 20 years old, which enables attackers to commit fraud and steal funds. The core issue that inhibits the mitigation of these vulnerabilities is a misalignment of interests and misplaced liability between the telecom and the financial regulators. ITU and GSMA have long ago published guidelines and advisories to telcos on how to mitigate many of these vulnerabilities; however, the implementation rate of these mitigation measures is extremely low. According to surveys performed by this working group and the European Union Agency for Network and Information Security (ENISA), less than 30% of the telcos in the European Union (EU) and less than 0.5% of telcos in developing countries
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages38 Page
-
File Size-