Page 11 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
1 INTRODUCTION
The world of Digital Financial Services (DFS) is based mostly on telecom: in most countries where DFS is popular, most end-users do not have reliable and accessible means to connect to the internet, so DFS has adopted telecom as its main bearer. Due to the dominance of feature phones among users in developing economies, which comprise the majority of DFS end-users, the communication channels in which the end-user communicates with the DFS provider are mostly Unstructured Supplementary Service Data (USSD), Short Messaging Service (SMS) and SIM Tool Kit (STK). Moreover, today the signalling network is not isolated, and this allows an intruder to exploit its flaws and intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network communications even in developed countries.
USSD and SMS as means of communication have long been known as susceptible to attack and have many published vulnerabilities. Exploiting these vulnerabilities enables attackers to commit fraud and steal funds from unsuspecting victims, who in most cases are unaware their account is being compromised or hacked.
This document surveys telecom vulnerabilities and their impact on digital financial services, both on the end user's side and the service provider's side. This document helps DFS providers understand the telecom vulnerability situation and create mitigation strategies to safeguard their clients.
2 IMPACT OF TELECOM VULNERABILITIES ON DFS
Telecom vulnerabilities enable criminals to perform various attacks that result in fraud to steal digital money; many of these attacks involve the attacker masquerading as the DFS provider to defraud the end-user, or the attacker masquerading as the end-user to defraud the DFS provider. In all these cases, the attacker uses telecom vulnerabilities to pass authentication and perform actions on compromised accounts. For example:
2.1 Over the counter cash fraud
In this example, a fraudster walks up to a DFS agent (for example a seven-eleven branch) and requests a cash withdrawal from his account. The fraudster provides the victim's account number to the agent. When the agent initiates the transaction, an SMS verification code is sent to the victim; however, this verification SMS is intercepted by the fraudster and used to complete the fraud and steal the money.