Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions

2.2 Account takeover

In this example, a fraudster uses USSD to take over an account that does not belong to him. To perform this attack, the fraudster first needs to spoof his victim's phone number and dial the USSD code (this can be done by over-the-air interception, explained further in Section 7). Once the fraudster initiates the USSD session with the DFS provider while spoofing the victim's phone number, they can change the PIN code and add another phone number to the account. Once done, the fraudster performs another USSD session, this time with the new phone number they added, and uses the new PIN to log in to the account and transfer the money out.

2.3 Social engineering

There are many ways of social engineering; in this example, the fraudster uses USSD to perform social engineering that misleads the victim into giving away the account number and PIN. To perform this attack, the fraudster impersonates the DFS provider and sends a USSD message to the victim telling him that there is a pending money transfer for his account, and that in order to receive it the victim must enter his account number and PIN in the USSD dialog. Once done, the attacker has the victim's account number and PIN and can take over the victim's account.

3 TELECOM VULNERABILITIES AND ATTACK SURFACES

Telecom vulnerabilities can be exploited through two attack surfaces, the SS7 network and the cellular air interface:

• The SS7 network is a legacy signalling network interconnecting all cellular operators in the world. The SS7 protocol¹ that is used for signalling has been around since the 1980s, and the latest move to the Diameter protocol² (for 4G-LTE networks) did not solve any of the basic vulnerabilities found in SS7.
• The cellular air interface (the radio frequency communication between the cell phone and the cellular network) has been a major attack surface since the inception of cellular communications. Interception of these radio communications enables intelligence collection and espionage capabilities without the requirement that the perpetrator have access to the cellular network. Despite the evolution to newer generations of cellular networks (3G/4G) with stronger security measures, most off-the-air interception systems have successfully overcome these measures. Furthermore, even though 2G air interface encryption is easily decrypted and open-source software to crack the encryption is available, many 2G networks remain active.
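The account takeover in Section 2.2 leaves a recognisable trace on the DFS provider's side: a PIN change and a new-number registration in one USSD session, followed shortly by an outbound transfer from the number that was just added. The following Python is an added example written for this report's scenario, not code from the report or from any DFS provider. It assumes a hypothetical event log with the fields shown (account, originating MSISDN, event kind) and constructs a few sample events inline; it shows a detective rule that flags the pattern after the fact and a preventive rule that holds transfers from a newly added number until a cooling-off period has passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One USSD-originated event as a DFS provider might log it (hypothetical schema)."""
    ts: datetime
    account: str
    msisdn: str        # phone number the USSD session was initiated from
    kind: str          # "PIN_CHANGE", "ADD_MSISDN" or "TRANSFER_OUT"
    detail: str = ""   # added number for ADD_MSISDN, amount for TRANSFER_OUT


def detect_takeover(events, window=timedelta(hours=24)):
    """Detective rule for the Section 2.2 pattern.

    Returns (account, added_msisdn, transfer_ts) for every outbound transfer that
    was initiated from a number which, within `window` before the transfer, was
    added to the account by a session that also changed the PIN.
    """
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for t in evs:
            if t.kind != "TRANSFER_OUT":
                continue
            recent = [e for e in evs if t.ts - window <= e.ts <= t.ts]
            # map newly added number -> the ADD_MSISDN event that registered it
            added = {e.detail: e for e in recent if e.kind == "ADD_MSISDN"}
            pin_changed_from = {e.msisdn for e in recent if e.kind == "PIN_CHANGE"}
            if t.msisdn in added and added[t.msisdn].msisdn in pin_changed_from:
                alerts.append((account, t.msisdn, t.ts))
    return alerts


def transfer_allowed(events, transfer, cooling_off=timedelta(hours=24)):
    """Preventive control: a transfer initiated from a number that was added to the
    account less than `cooling_off` ago is held (returns False) for out-of-band
    confirmation with the account holder. Numbers with no registration event on
    record are treated as the original, long-standing number."""
    adds = [e for e in events
            if e.account == transfer.account and e.kind == "ADD_MSISDN"
            and e.detail == transfer.msisdn and e.ts <= transfer.ts]
    if not adds:
        return True
    latest = max(adds, key=lambda e: e.ts)
    return transfer.ts - latest.ts >= cooling_off


# Constructed sample log (not real data). Account ACC-1001 follows the Section 2.2
# sequence; the other two accounts show benign activity the rules must not flag.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    Event(T0, "ACC-1001", "+15550001111", "PIN_CHANGE"),
    Event(T0 + timedelta(minutes=2), "ACC-1001", "+15550001111", "ADD_MSISDN", "+15550009999"),
    Event(T0 + timedelta(minutes=10), "ACC-1001", "+15550009999", "TRANSFER_OUT", "500.00"),
    # benign: holder changes PIN and transfers from the same long-standing number
    Event(T0, "ACC-2002", "+15550002222", "PIN_CHANGE"),
    Event(T0 + timedelta(minutes=5), "ACC-2002", "+15550002222", "TRANSFER_OUT", "20.00"),
    # benign: holder adds a second number and only uses it days later
    Event(T0, "ACC-3003", "+15550003333", "PIN_CHANGE"),
    Event(T0, "ACC-3003", "+15550003333", "ADD_MSISDN", "+15550003334"),
    Event(T0 + timedelta(days=3), "ACC-3003", "+15550003334", "TRANSFER_OUT", "50.00"),
]

if __name__ == "__main__":
    for account, number, ts in detect_takeover(SAMPLE):
        print(f"ALERT {account}: transfer from newly added {number} at {ts}")
    for e in SAMPLE:
        if e.kind == "TRANSFER_OUT":
            print(e.account, e.msisdn, "allowed" if transfer_allowed(SAMPLE, e) else "HELD")
```

The detective rule runs over the log after the fact and is suitable for a fraud queue; the preventive rule is the one that actually stops the funds leaving, because the fraudster's second session in Section 2.2 necessarily comes from the number that was just added. The cooling-off length is a policy choice; the 24-hour value here is an assumption for the example.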
           10 • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions