ITU-T work programme

[2017-2020] : [SG11] : [Q2/11]

[Declared patent(s)]

Work item: TR-SS7-DFS
Subject/title: SS7 vulnerabilities and mitigation measures for digital financial services transactions
Status: Agreed on 2019-10-25 
Approval process: Agreement
Type of work item: Technical report
Version: New
Equivalent number: -
Timing: -
Liaison: 3GPP
Supporting members: Vaulto Technologies
Summary: The world of digital financial services (DFS) relies heavily on the underlying telecommunications infrastructure to enable users to send and receive money. In most developing countries where DFS is popular, most end-users do not have reliable and accessible means to connect to the Internet and thus rely heavily on the mobile communications infrastructure. The channels through which the end-user communicates with the DFS provider are mostly Unstructured Supplementary Service Data (USSD) and the Short Messaging Service (SMS). USSD and SMS have long been known to be "broken" and have many published vulnerabilities, some over 20 years old, which enable attackers to commit fraud and steal funds. The core issue that inhibits the mitigation of these vulnerabilities is a misalignment of interests and misplaced liability between the telecom and the financial regulators. ITU and GSMA long ago published guidelines and advisories to telcos on how to mitigate many of these vulnerabilities; however, the implementation rate of these mitigation measures is extremely low. According to surveys performed by this working group and the European Union Agency for Network and Information Security (ENISA), less than 30% of the telcos in the European Union (EU) and less than 0.5% of telcos in developing countries have implemented these mitigation strategies. This low rate of implementation is attributed to a lack of awareness of the existence of these vulnerabilities and the prohibitive cost imposed on the telcos to implement mitigation measures. Since the telcos are not liable in cases of DFS fraud, there is no financial incentive for the telcos to mitigate these telecom vulnerabilities. In order to advance the issue and mitigate many of these vulnerabilities, the working group recommends the following:
1. Educate telecom and financial services regulators on the vulnerabilities that plague the "DFS over telecom" ecosystem;
2. Telecom and financial services regulators should implement regulation that puts the liability where it belongs and forces the telcos to put mitigation measures in place;
3. Telecom and financial services regulators should ensure signalling security is covered in the legal framework in terms of reporting incidents and adopting minimum security requirements;
4. Telecom regulators are encouraged to establish baseline security measures for each category (3G/4G/5G) which should be implemented by telecom operators to ensure a more secure interconnection environment. ITU-T Study Group 11 could develop technical guidelines for the baseline security measures;
5. Create dialogue between the DFS providers and telecom regulators and the telecom security industry, by means of round tables, to expose the DFS providers and regulators to the mitigation solutions already on the market and to create an incentive for the industry to develop more solutions;
6. Incentivize the telcos, DFS providers and industry to work together and implement solutions, by either levying fines or providing grants, to build a more secure DFS ecosystem.
Comment: -
Reference(s):
  Historic references:
Contact(s):
Assaf Klinger, Editor
ITU-T A.5 justification(s): -
First registration in the WP: 2019-06-26 14:11:33
Last update: 2020-06-08 16:38:30