Page 22 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
P. 22
bases will allow velocity checks to be undertaken by 12.7 Regulatory activities
the bank/PSP that will check and flag whether SIM Regulators with remit over DFS may establish proce-
swap request for a number linked to the true account dures and principles for detecting, preventing, report-
owner are suspiciously close in time to a request at ing, and mitigating SS7 and related attacks. They may
the bank/PSP for adding a new (possibly fraudulent) also establish procedures that licensees may need
payment beneficiary. implement to prevent SIM swaps.
Regulatory coordination between these regulators is
12.5 Detecting, preventing and mitigating SIM card key, so as to assign specific and joint roles and responsi-
recycle bilities. This should take the form of a Memorandum Of
Once there is inactivity in a DFS account, start monitor- Understanding (MOU) between the parties. An extract
ing the IMSI associated with the account phone number, from a model MOU between a telecommunications reg-
once the SIM is deactivated the mobile operator will not ulator and a central bank that contains language outlin-
reply correctly to these queries (one query a day is suf- ing these responsibilities is shown in Annex B.
ficient). The MOU includes inter alia the need to assign indi-
When the SIM is recycled, the mobile operator will vidual and shared technical responsibilities relating
report a new IMSI for the account phone number, the to infrastructure and related security issues that may
DFS provider should block the account until the identity impact the DFS ecosystem to each of these regulators,
if the new person holding the SIM card is verified as the including reporting lines and actions relating to intru-
account holder. sions. The telecommunications regulator in particular
should also undertake continuous testing in conjunction
12.6 Embedding data within the user’s phone for with its licensees to detect IMSI catchers. A joint work-
authentication ing committee between these two regulators that meets
DFS providers can work with device manufacturers and monthly to discuss DFS-related issues and any security
MNOs to embed a hard to spoof identifier within the threats or incidents is also envisaged in the MOU.
device software, this identifier (which should be crypto- An IMSI validation gateway can be used to validate
graphic to prevent spoofing) needs to be integrated in to DFSPs and banks that the real, registered customer is
all communications between the DFS provider and the using the system via USSD.
user’s phone to authenticate the user and phone.
FIGURE 12: An IMSI validation gateway
SIM and PhonePhoneMand PPhone
validation
VLR USSD Gateway
MSC SMSC
WAP Gateway
BSS Customer Validation
Local Cell Tower
HLR Gateway
AuC
IMEI
Encrypted
channel
Subscriber validated to
be on-net and valid
Mobile Banking
Customer validated
Telecom Operator
20 • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
