How Telecom Vulnerabilities Can Be a Threat to Cybersecurity Posture

Telecom-based attacks such as SMS toll fraud and 2FA hijacking have evolved into a mainstream concern for CISOs.

Ayan Halder, Principal Product Manager, Traceable

August 29, 2024


COMMENTARY

Messaging channels have long been the darling of growth and customer experience teams. They unlock a range of use cases: activating dormant users, allowing users to safeguard their accounts with SMS-based two-factor authentication (2FA), and more. SMS and voice channels have been leading the charge across industries and, according to one study, these channels have been and will continue to be heavily leveraged.

However, attackers follow the money. Telecom-based attacks such as SMS toll fraud and 2FA hijacking have evolved into a mainstream concern for chief information security officers (CISOs), and have already affected the likes of X and many other enterprises. Elon Musk was the first prominent personality to show the damage that toll fraud brings to a business.

The Perils of an Invisible Chain and Trust-Based Architecture

Signaling System 7 (SS7), a critical component of the global telecommunications infrastructure that allows different networks to interoperate, is responsible for services such as messaging and voice calls. However, in an era of zero-trust architecture, SS7 still relies on an archaic trust-based model. Inherently, a trust-based architecture assumes that all participants are honest and legitimate, and that assumption is what attackers exploit. They either take over a legitimate but less secure operator or pose as a legitimate operator in the middle.

Given the decentralized nature and regional scope of networks, operators lack complete visibility into the origination and termination of traffic. Attackers leverage this shortcoming to generate fake traffic with spoofed origination details, making it look legitimate. Such acts damage revenues for businesses as well.

Some networks have started to leverage SSE and IPSec protocols, but those are far from mainstream adoption, giving attackers a key entry point to the infrastructure.

An Illegal Tax for Businesses

Telco-driven attacks are a tax for businesses, albeit illegal. Given the complexity and opacity of the chain, businesses don't have visibility and are often forced to pay for services they never requested. In the case of SMS toll fraud, the redirections to premium rate numbers are nonconsensual. Network operators often create complicated contracts to account for these charges, with little recourse for businesses once the fraud has happened.

Moreover, such attacks affect small and medium-scale businesses disproportionately. They often incur large debt to pay these charges and end up shutting operations or filing bankruptcy.

Given the disproportionate hit businesses take, they should adopt proactive and long-term measures to defend themselves.

Threats to Cybersecurity Posture

Telco-driven attacks do more than inflate the bills a business has to pay. The effects cascade across teams and out to the business's customers.

  • Increased phishing attempts: Given the vulnerability, attackers can redirect these spoofed messages to the business's customers instead of a premium rate number (PRN), with a modified message body. Unsuspecting customers, such as those of financial services, might share more than they intended and fall victim to phishing.

  • Intercepted SMS 2FA: The vulnerability can be abused to intercept 2FA messages while in transit to the intended recipient. This leads to account compromise due to no fault of the consumers.

  • Denial of service on communication flows: While Web application firewalls (WAFs) protect against DDoS in general, sophisticated attacks on communication flows often go unnoticed, given their ability to hide under regular traffic, and frequently leave such services unavailable to the intended consumers.

  • Massive loss of revenue: Communication services are expensive. Any attack on such channels costs the business dearly, leading to massive profit contraction, layoffs, etc.

  • Expanded attack surface: While endpoint security solutions offer protection against malicious URLs and phishing attempts, the vulnerability allows attackers to "infuse" trust into messages by spoofing the sender and body, opening a wide door to social-engineering-driven attacks.

Measures to Avoid Attacks on Communication Channels

Businesses can adopt a two-pronged approach to fight this crime: proactive measures that they can implement internally, and long-term measures that require lobbying and collective action.

Businesses can take the following proactive measures: 

  • Move away from SMS and voice messaging channels: This would be ideal if achieved. Replace SMS and voice channels with push notifications, emails, in-app chats, and authenticators for 2FA as much as possible.

  • Keep a tab on the messaging channel bills: Ask your provider for real-time billing updates, and flag or dispute bills when the unit cost exceeds the threshold you expect for regular messaging or calls. Turn off SMS and voice channels once an aggregate cost threshold is hit.

  • Block PRN deliveries: Insist on not paying for calls or messages sent to premium rate numbers. Structure the contract that way to avoid high bills. This will provide respite against SMS toll fraud.

  • Adopt bot defense measures on messaging channels: This is a stop-gap measure, but if these channels are absolutely necessary, adopt bot defense on those flows. Attackers typically use bots to scale these attacks. Bot defense platforms may not eradicate the problem but can help with controlling the bills.

  • Apply geofencing: Apply geofencing to the digital flows that trigger messages or voice calls. Typically, these attacks originate from outside the home country so that the attackers are out of reach of lawsuits.
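The proactive measures above (PRN blocking, a unit-cost flag, an aggregate-cost kill switch, geofencing, and a bot-style burst check) can all sit in one guard in front of the outbound SMS API. The following is an added illustrative example written for this page; it is not code from the article, from Traceable, or from any telephony provider. Every prefix, country code, unit cost, phone number and threshold in it is a constructed sample value; real premium-rate ranges and rates differ by country and must come from your operator or SaaS provider's rate sheet.

```python
"""Outbound SMS guard: PRN blocking, geofencing, cost thresholds and
burst detection against SMS toll fraud.

Added illustrative example, not the article's or any vendor's code.
All prefixes, rates, numbers and thresholds are constructed sample values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed premium-rate prefixes (E.164 digits without '+').
PREMIUM_RATE_PREFIXES = ("44871", "4490", "1900")
# Geofence: only the markets the business serves (constructed).
ALLOWED_COUNTRY_CODES = {"1", "44", "7"}
# Per-message unit cost in cents per country code (constructed). A unit
# cost above UNIT_COST_FLAG_CENTS is treated as a bill to dispute.
UNIT_COST_CENTS = {"1": 1, "44": 4, "7": 15}
UNIT_COST_FLAG_CENTS = 10
BURST_LIMIT = 20            # sends into one 7-digit number range ...
BURST_WINDOW_SECONDS = 60   # ... within this window looks like a bot


def country_code(number: str) -> str:
    """Longest-match lookup of a known country code; '' if unknown."""
    for length in (3, 2, 1):
        if number[:length] in UNIT_COST_CENTS:
            return number[:length]
    return ""


@dataclass
class SmsGuard:
    budget_cents: int = 5_000          # aggregate kill-switch threshold
    spent_cents: int = 0
    channel_enabled: bool = True
    # Recent send timestamps per 7-digit prefix (one number range).
    recent: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, number: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason). Only an allowed send is charged."""
        if not self.channel_enabled:
            return False, "channel disabled: aggregate cost threshold reached"
        if number.startswith(PREMIUM_RATE_PREFIXES):
            return False, "blocked: premium rate number"
        cc = country_code(number)
        if cc not in ALLOWED_COUNTRY_CODES:
            return False, "blocked: outside geofence"
        cost = UNIT_COST_CENTS[cc]
        if cost > UNIT_COST_FLAG_CENTS:
            return False, "flagged: unit cost above threshold, dispute with provider"
        # Burst detection: many sends into one number range in a short
        # window is the signature of scripted OTP abuse walking a block.
        window = self.recent[number[:7]]
        while window and now - window[0] > BURST_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_LIMIT:
            return False, "blocked: burst to one number range"
        window.append(now)
        self.spent_cents += cost
        if self.spent_cents >= self.budget_cents:
            self.channel_enabled = False   # re-enable manually after review
        return True, f"sent (running spend {self.spent_cents} cents)"


def simulate(guard: SmsGuard, events: list[tuple[str, float]]) -> dict:
    """Run a send stream through the guard and summarise the outcomes."""
    outcomes = defaultdict(int)
    for number, ts in events:
        allowed, reason = guard.check(number, ts)
        outcomes["sent" if allowed else reason] += 1
    return {"outcomes": dict(outcomes), "spent_cents": guard.spent_cents,
            "channel_enabled": guard.channel_enabled}


def sample_events() -> list[tuple[str, float]]:
    """Constructed traffic: legitimate sends, PRN attempts, an out-of-region
    number, a high-rate destination, then a bot walking one UK number block,
    then normal sends that trip the aggregate kill switch."""
    events = [("12025550123", 0.0), ("19005550100", 1.0),
              ("44871234567", 2.0), ("919876543210", 3.0),
              ("79161234567", 4.0)]
    events += [(f"4470700{i:04d}", 10.0 + i) for i in range(21)]
    events += [("12025550150", 40.0 + i) for i in range(5)]
    return events


if __name__ == "__main__":
    summary = simulate(SmsGuard(budget_cents=85), sample_events())
    for reason, count in summary["outcomes"].items():
        print(f"{count:3d}  {reason}")
    print("spend:", summary["spent_cents"], "enabled:", summary["channel_enabled"])
```

The guard fails closed: an unknown country code is treated as outside the geofence, and once the aggregate budget is reached the channel stays off until someone re-enables it after reviewing the bill, which mirrors the "turn off the channel once an aggregate threshold is hit" advice above. The burst check keys on the first seven digits because toll-fraud bots typically request messages to many numbers in the same block; in production the thresholds would be tuned per market and the decisions logged for the dispute with the provider.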

The following long-term measures can help businesses substantially:

  • Coalition to lobby network operators: Businesses can unite to negotiate with network operators and telephony software-as-a-service (SaaS) providers to upgrade infrastructure and adopt better fraud controls, respectively. Unless forced, network providers have little incentive to cut down the revenue generated through the toll fraud.

  • Coalition to lobby government bodies: Businesses can form a coalition to lobby government bodies to deal with network operators strictly, especially the ones most abused by the attackers. Government bodies can force the network operators to upgrade their infrastructure and adopt zero-trust measures more proactively. Similarly, telephony SaaS providers should be on the hook to adopt better fraud control measures.

While the fraud has taken a "toll" on several businesses, some governments have started to take action against network providers that fail to take action and protect businesses' interests. The Australian Communications and Media Authority (ACMA), for example, is setting up strict policies and penalizing network operators for breaching them. But a wider government push is yet to happen. Until then, businesses are on their own to protect their revenue.

About the Author

Ayan Halder

Principal Product Manager, Traceable

As the principal product manager at Traceable, Ayan Halder leads the bot and fraud protection business line. Ayan has over 10 years of professional experience across several domains and over six years exclusively in the bot and fraud detection space. He has a deep interest and domain expertise in the fraud detection space and actively writes about the opportunities and challenges of this growing space.
