Page 23 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
13 CONCLUSIONS AND RECOMMENDATIONS

It can be concluded that:

a. The DFS providers, telecom operators and the telecom regulators are mostly unaware of the mitigation strategies that they can employ to detect and prevent SS7 attacks.

b. The implementation of mitigation measures is low, mainly due to a lack of adequate regulation and the prohibitive cost (on the telecom side).

c. Attacks exploiting SS7 vulnerabilities to steal funds are easy to perform and are not the sole property of government agencies.

d. Mitigation countermeasures, both for DFS providers and for mobile operators, are readily available commercial products; given the proper regulation, the DFS providers and telecoms can implement such mitigation countermeasures.

e. Because DFS contracts today place all the responsibility for fraud on the end-user, and the DFS providers are not required to indemnify the end-users in case of fraud, there is no incentive for DFS providers to invest any resources into solving this problem.

f. The same applies to telecom operators: since the financial damage due to financial fraud stops at the DFS provider, the telecom is not liable for any damage and thus suffers no losses. Hence it has no incentive to invest resources to solve this problem.

g. Telecommunication authorities and central banks generally do not meet or interact regularly enough, or at all, to have contemporaneous insights into DFS-related security threats and intrusions.

h. DFS ecosystem participants and regulators do not meet or interact regularly enough, or at all, in a neutral, collegial environment to be able to share and have contemporaneous insights into DFS-related security threats and intrusions.

In order to address the above-mentioned issues, the Working Group recommends the following measures:

a. Education for telecom and financial services regulators on SS7 vulnerabilities and impact to DFS—telecom and financial regulators around the world need to be aware of these risks and, most importantly, be aware that there are available solutions to mitigate these risks.

b. Regulation and legal framework to include measures for signalling security and reporting of such incidents—work towards financial and telecom regulators passing regulation to make it mandatory for DFS providers and telcos to implement countermeasures and to provide reports on any security-related breaches and incidents.

c. Telecom regulators to establish baseline security measures for each category (3G/4G/5G)—Telecom regulators are encouraged to establish baseline security measures for each category (3G/4G/5G) which should be implemented by telecom operators to ensure a more secure interconnection environment.

d. Regulatory coordination—A bilateral Memorandum of Understanding (MOU) related to DFS should be in place between the telecommunications regulator and the central bank. The MOU should include modalities around the creation of a Joint Working Committee on DFS security and risk-related matters. A sample MOU is included at Annex B as a template that can be considered.

e. Industry-regulator coordination—Forums should be created where all commercial actors in the DFS ecosystem meet or interact regularly in a neutral environment with DFS-focused regulators, where security-related issues can be freely discussed without providing any sensitive or competitive information.

f. Intra-industry coordination—Forums should be created where all commercial actors in the DFS ecosystem meet or interact regularly in a neutral environment where security-related issues can be freely discussed without providing any sensitive or competitive information or undertaking potentially collusive actions.

g. Incentivize the industry—create incentive programs with industry to promote the development of countermeasures in the telco-DFS anti-fraud field.

h. Incentivize the operators and providers—create regulation that passes the financial damage from DFS fraud to the DFS providers and to the telcos, creating a financial incentive for action on their part.