Page 18 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
Since there is no identification in the USSD message, and the user is used to receiving such messages from the network, trust is achieved and the user divulges their account number and PIN. From there on, the attacker logs into the account and transfers the funds out.

9.3 Denial of service attacks

Using SS7 an attacker can cause a Denial of Service (DoS) for selected subscribers or cause a network-wide outage. There are various ways to create a DoS attack, for example: sending an Update Location message with an out-of-network serving address will block all incoming calls and SMS from reaching the subscriber, because the HLR now routes them to a VLR where the subscriber is not present; deleting a subscriber record from the serving VLR will cause a DoS for that subscriber until the record is re-inserted into the VLR.[8] Performing each attack at scale (automatically for a range of IMSIs) can cause a network-wide outage. However, in most cases, since these SS7 DoS attacks do not affect the radio network, performing an outgoing transaction such as placing a call or sending an SMS will reverse the effects of the DoS almost immediately, because the handset's activity triggers a fresh location update that restores the correct serving VLR in the HLR.

9.4 SIM card swap

Another way to take over accounts is by performing a "SIM swap". An example of this attack is the case where the attacker social-engineers the mobile carrier into issuing them a SIM card for the victim's number, by impersonating the victim at a point of service and claiming to have lost the original SIM card. If successful, they have obtained a replacement SIM on the victim's number (referred to here as a cloned SIM). Once in possession of the cloned SIM, the attacker accesses the DFS provider's USSD menu and resets the PIN of the account. The attacker uses the cloned SIM to receive the OTP SMS and confirms the new PIN. From there the attacker has essentially taken over the account, can log in and transfers the funds out.

For example: Airtel Money account wiped clean by the same tricksters.[9] They called him on the pretext that they wanted to assist him with SIM card registration and upgrade to fourth generation (4G) technology. In the course of the conversation, they asked him to dial *102#, the SIM swap code. The next thing he realized he could not receive or make calls and his Airtel Money account was drained.

9.5 SIM card recycle

SIM card recycle is not an SS7 attack, but rather a lack of due care and due diligence by the DFS provider that gives an unauthorized person access to funds belonging to other people. The SIM recycle scenario is as follows:

• Person A is issued a prepaid SIM card and opens a DFS account using the associated phone number.
• After a few months of usage, Person A stops topping up the prepaid SIM card; meanwhile, Person A still has a positive balance on the DFS account associated with the phone number.
• After a dormancy period (usually 1-6 months) of no usage and no top-up, the network operator cancels the SIM, which is no longer active, effectively disconnecting Person A from the DFS account (which may still have funds).
• Person B is issued a new prepaid SIM card by the network operator which carries Person A's phone number (that is the recycle action).
• Person B can now access Person A's DFS account and use whichever funds remained in it.

10 MITIGATION STRATEGIES FOR MOBILE OPERATORS

The SS7 attack surface is the domain of the mobile operator. Global telecom organizations such as ITU and GSMA have noticed the problem and issued guidelines for mobile operators to mitigate these attacks; these guidelines are covered in several documents. The GSMA RIFS sub-group authored a range of SS7 and Diameter signalling security related documents in response to the attacks described above, which tackle different aspects of the signalling security problem. Those documents are GSMA internal and accessible to members only; therefore, no exact reference is given, and companies that have access can easily find those documents in the GSMA internal tool with the information given below. We provide here a snapshot of what industry standards exist and describe at a high level what they offer in the form of practical mitigation.

GSMA members can access these documents here:
https://www.gsma.com/newsroom/gsmadocuments/technical-documents/

10.1 FS.11: SS7 interconnect security monitoring guidelines

This document describes how to monitor SS7 traffic for potential attacks. The first step in improving signalling related security is to evaluate what state the network is in. The main questions are whether it is under attack and with what kind of attacks. In this document, mobile operators can find strategies on how to effectively monitor traffic, for how long, and how to classify incoming MAP messages that are arriving on the interconnection interface. It lists mitiga-
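As an added example of the classification FS.11 describes (this code is not part of the ITU report and not GSMA material), the following Python screens a constructed sample of MAP operations arriving on the interconnect. Operations are sorted into three simplified categories: messages that should never arrive from the interconnect, HLR-to-VLR messages that are only legitimate from the home network of an inbound roamer, and VLR-to-HLR messages about our own subscribers that must be checked against where the HLR last saw the subscriber. The category membership, the global title and IMSI prefix tables and the 30-minute plausibility threshold are assumptions for illustration, not the authoritative FS.11 tables. The third category also catches the Update Location DoS from section 9.3, where the serving VLR address in the message does not belong to the network that sent it.

```python
"""Added example (not from the ITU report or GSMA FS.11): toy category-based
screening of MAP operations received on the SS7 interconnect.
All tables and thresholds below are constructed assumptions for illustration."""
from datetime import datetime, timedelta

# Hypothetical numbering tables: leading digits of a global title / IMSI -> network.
GT_NETWORK = {"25470": "home", "4477": "roam-uk", "2348": "roam-ng", "3712": "unknown"}
IMSI_NETWORK = {"63902": "home", "23415": "roam-uk", "62130": "roam-ng"}

# Simplified operation categories (illustrative, not the FS.11 lists).
CAT1 = {"anyTimeInterrogation", "sendIdentification", "sendIMSI", "anyTimeModification"}
CAT2 = {"provideSubscriberInfo", "insertSubscriberData", "deleteSubscriberData", "cancelLocation"}
CAT3 = {"updateLocation", "updateGprsLocation", "sendAuthenticationInfo", "purgeMS"}

MAX_PLAUSIBLE_MOVE = timedelta(minutes=30)  # assumed: home attach -> foreign UL faster than this is implausible


def network_of(number, table):
    """Map a GT or IMSI to a network by longest-known prefix; 'unknown' if no match."""
    for prefix, net in table.items():
        if number.startswith(prefix):
            return net
    return "unknown"


def classify(msg, hlr_state):
    """Return (verdict, category, reason) for one interconnect MAP message.

    msg: {"op", "calling_gt", "imsi", "ts", optional "vlr_number"}
    hlr_state: imsi -> (network where our HLR last saw the subscriber, datetime)
    """
    op = msg["op"]
    origin = network_of(msg["calling_gt"], GT_NETWORK)
    imsi_home = network_of(msg["imsi"], IMSI_NETWORK)
    if op in CAT1:
        return ("alert", 1, f"{op} must never arrive on the interconnect")
    if op in CAT2:
        # HLR->VLR messages: only the IMSI's own home network may send them, and
        # our own GT range must never appear as the origin of interconnect traffic.
        if origin == "home" or imsi_home != origin:
            return ("alert", 2, f"{op} for an IMSI of {imsi_home} sent from {origin}")
        return ("allow", 2, "sent by the home HLR of an inbound roamer")
    if op in CAT3:
        # VLR->HLR messages: must concern our own subscriber and fit their location.
        if imsi_home != "home":
            return ("alert", 3, f"{op} for a foreign IMSI ({imsi_home})")
        if op == "updateLocation":
            serving = network_of(msg.get("vlr_number", ""), GT_NETWORK)
            if serving != origin:
                # The DoS pattern of section 9.3: the VLR address the HLR would
                # record does not belong to the network that sent the message.
                return ("alert", 3, f"serving VLR in {serving} does not match origin {origin}")
            last_net, last_seen = hlr_state.get(msg["imsi"], (None, None))
            if last_net == "home" and origin != "home" and msg["ts"] - last_seen < MAX_PLAUSIBLE_MOVE:
                return ("alert", 3, f"implausible move from home to {origin} in {msg['ts'] - last_seen}")
        return ("allow", 3, "consistent with subscriber location")
    return ("allow", 0, "uncategorised operation")


# Constructed HLR view of two home subscribers and a constructed message sample.
T0 = datetime(2024, 6, 1, 12, 0)
HLR_STATE = {
    "639020000000001": ("home", T0 - timedelta(minutes=5)),
    "639020000000002": ("roam-uk", T0 - timedelta(hours=6)),
}
SAMPLE_MESSAGES = [
    {"op": "sendAuthenticationInfo", "calling_gt": "447700900123", "imsi": "639020000000002", "ts": T0},
    {"op": "anyTimeInterrogation", "calling_gt": "37120000001", "imsi": "639020000000001", "ts": T0},
    {"op": "updateLocation", "calling_gt": "37120000001", "imsi": "639020000000001",
     "vlr_number": "447700900999", "ts": T0},
    {"op": "updateLocation", "calling_gt": "447700900123", "imsi": "639020000000001",
     "vlr_number": "447700900123", "ts": T0},
    {"op": "updateLocation", "calling_gt": "447700900123", "imsi": "639020000000002",
     "vlr_number": "447700900123", "ts": T0},
    {"op": "insertSubscriberData", "calling_gt": "2348030000001", "imsi": "621300000000077", "ts": T0},
    {"op": "provideSubscriberInfo", "calling_gt": "37120000001", "imsi": "639020000000001", "ts": T0},
]


def screen(messages, hlr_state=HLR_STATE):
    """Classify every message in the sample; returns a list of (verdict, category, reason)."""
    return [classify(m, hlr_state) for m in messages]


if __name__ == "__main__":
    for m, (verdict, cat, reason) in zip(SAMPLE_MESSAGES, screen(SAMPLE_MESSAGES)):
        print(f"{verdict:5} cat{cat} {m['op']:24} {reason}")
```

In a real deployment the prefix tables come from the operator's numbering plan and roaming agreements, the HLR state from the actual HLR, and the plausibility check from a proper velocity model; the structure of the decision (category first, then origin and location consistency) is the part FS.11-style monitoring shares with this sketch.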
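Sections 9.4 and 9.5 above both end with an account being operated from a SIM other than the one it was opened with, and the report attributes the recycle case to missing due diligence on the DFS provider side. As an added example (not the report's own recommendation or any provider's code), the following Python sketches the check a DFS provider can run before a PIN reset, login or cash-out: compare the IMSI currently behind the MSISDN with the IMSI recorded at enrolment, and treat a change on a long-dormant account as the recycle pattern. It assumes, hypothetically, that the provider stored the enrolment IMSI and can obtain the current one from the operator; the operator lookup table, the 90-day dormancy limit and all identifiers are constructed.

```python
"""Added example (not from the ITU report): DFS-provider-side detection of a
changed SIM behind an MSISDN, covering SIM swap (9.4) and SIM recycle (9.5).
Assumed: the enrolment IMSI is stored and the current IMSI is obtainable."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # re-verify identity out of band (KYC, in person), not by SMS OTP
    BLOCK = "block"


@dataclass
class DfsAccount:
    msisdn: str
    enrolled_imsi: str      # IMSI bound to the account when it was opened
    last_activity: datetime


# Constructed stand-in for "current IMSI behind the MSISDN" as the operator would report it.
OPERATOR_HLR = {
    "254700000001": "639020000000001",   # unchanged SIM
    "254700000002": "639020000000099",   # same number, new IMSI: replacement / SIM swap
    "254700000003": "639020000000555",   # number recycled to a new subscriber
    # "254700000004" is absent: the number was cancelled and not yet reissued
}

DORMANCY_LIMIT = timedelta(days=90)   # assumed threshold; operators recycle after 1-6 months


def check_sim_binding(account, current_imsi, now, dormancy_limit=DORMANCY_LIMIT):
    """Decide whether a sensitive operation on the account may proceed.

    A changed IMSI means the SIM behind the number is not the one the account was
    opened with. The provider cannot tell a legitimate replacement from a swap or a
    recycled number using the IMSI alone, so the SIM/OTP channel must not be
    trusted until the holder's identity is re-verified.
    """
    if current_imsi is None:
        # Operator cannot resolve the MSISDN: cancelled or unknown number.
        return Decision.BLOCK
    if current_imsi != account.enrolled_imsi:
        dormant = now - account.last_activity > dormancy_limit
        # New IMSI on a dormant account is the recycle pattern; block outright, because
        # whoever now holds the number would also receive any OTP sent to it.
        return Decision.BLOCK if dormant else Decision.STEP_UP
    return Decision.ALLOW


def evaluate(accounts, now, hlr=OPERATOR_HLR):
    """Run the check for each account against the operator's current IMSI view."""
    return {a.msisdn: check_sim_binding(a, hlr.get(a.msisdn), now) for a in accounts}


# Constructed sample accounts.
NOW = datetime(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    DfsAccount("254700000001", "639020000000001", NOW - timedelta(days=2)),
    DfsAccount("254700000002", "639020000000002", NOW - timedelta(days=1)),    # active, IMSI changed
    DfsAccount("254700000003", "639020000000003", NOW - timedelta(days=200)),  # dormant, IMSI changed
    DfsAccount("254700000004", "639020000000004", NOW - timedelta(days=10)),   # number no longer resolvable
]

if __name__ == "__main__":
    for msisdn, decision in evaluate(SAMPLE_ACCOUNTS, NOW).items():
        print(msisdn, decision.value)
```

The point of the STEP_UP outcome is that the re-verification must not itself rely on an SMS OTP to the same number, since in both the swap and the recycle case that SMS reaches the attacker; an ICCID comparison works the same way where the provider records it instead of the IMSI.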