The security world is looking at vulnerabilities in Signaling System 7 (SS7), with financial institutions and telcos alike expressing concern that mobile banking is increasingly vulnerable to hackers and fraudsters.
The vulnerability is not a new one, however. What is new is the rate at which cybercrime and digital fraud are proliferating. SS7 is not to blame: networks were designed to communicate in a very much standardised way, using common standards to allow partners to roam into each other’s networks. In this standardised environment it is not surprising that criminals are combining what they know about how SS7 works with what they know about banks’ processes for authenticating financial transactions, to defraud banking customers of their savings.
While passwords and one-time PINs have sufficed as mobile banking security measures for years, times have changed. Banks can no longer trust the one-time PINs and SMSed passwords as an authentication mechanism, because it has become too easy for criminals to divert these messages.
Compounding the problem is the fact that human behaviour will always inject an element of risk into any authentication process, and this is unlikely to change.
While there is clearly risk in using the SS7 network for authenticating financial service transactions, as this recent attack shows, network operators are well placed to play an important role in the security and authentication ecosystem. Using networks for authentication services provides financial service institutions with ubiquitous access to their customers via their mobile devices. Banks and network operators need to start working collaboratively to facilitate more secure authentication services.
To reduce risk around mobile transactions and overcome the ‘human element’, financial institutions need to take a new approach to authenticating customers and flagging potential fraud.
The time has come to reconsider the ways in which banks ask questions of their customers to ensure that user authentication is genuine. One simple measure is to embrace USSD authentication, in which no persistent data is held with any third party and the risk of SIM-swap fraud is reduced.
Analytics for Fraud Prevention
In the longer term, banks need more data, which in the case of digital transactions such as mobile banking resides with the telcos. The rich data around who each user is, where they are, time stamps and usage patterns within telcos’ repositories could significantly strengthen the banks’ own data to support transactional analysis that could help flag attempts at fraud.
The recent hack in which fraudsters exploited SS7 vulnerabilities to sidestep two-factor authentication and drain German victims’ bank accounts, for example, was carried out from a mobile network in central Asia. Armed with this information and transactional analytics tools, the banks concerned would have been better placed to flag the transactions and make decisions on whether to authorise them or not.
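As an added illustration of the kind of correlation described above (example code written for this page, not the author's or any bank's or operator's system), the following Python sketch combines constructed telco signals with a bank's transaction record and flags the mismatches that analytics could surface; the field names, thresholds and the "XX" country placeholder are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All records below are constructed sample data, not from any real bank or operator.

@dataclass(frozen=True)
class TelcoSignals:
    serving_country: str          # country of the network currently serving the handset
    last_sim_change: datetime     # when the SIM bound to the customer's number last changed
    usual_countries: frozenset    # countries the handset has normally been seen in

@dataclass(frozen=True)
class Transaction:
    home_country: str     # customer's home country on the bank's records
    origin_country: str   # where the banking session came from, as the bank sees it
    timestamp: datetime
    amount: float

def fraud_flags(txn: Transaction, sig: TelcoSignals,
                sim_swap_window: timedelta = timedelta(hours=48)) -> list:
    """Return the telco/bank mismatches that should feed a fraud decision."""
    flags = []
    # the SMS OTP would be delivered on a network the customer has never used before
    if sig.serving_country != txn.home_country and sig.serving_country not in sig.usual_countries:
        flags.append("unusual_serving_network")
    # SIM changed shortly before the transaction: a classic SIM-swap indicator
    if txn.timestamp - sig.last_sim_change < sim_swap_window:
        flags.append("recent_sim_change")
    # banking session and handset report different countries
    if txn.origin_country != sig.serving_country:
        flags.append("session_handset_country_mismatch")
    return flags

def should_step_up(flags: list, amount: float, threshold: float = 500.0) -> bool:
    """Require a stronger check (e.g. a USSD challenge or a hold) instead of trusting the SMS OTP."""
    return bool(flags) and (amount >= threshold or "recent_sim_change" in flags)

# Constructed scenario modelled on the case above: a German customer whose number is
# suddenly served by a foreign network ("XX" is a placeholder country code).
NOW = datetime(2017, 5, 3, 10, 0)
SUSPECT = Transaction("DE", "DE", NOW, 2500.0)
SUSPECT_SIGNALS = TelcoSignals("XX", NOW - timedelta(hours=2), frozenset({"DE", "AT"}))
NORMAL = Transaction("DE", "DE", NOW, 120.0)
NORMAL_SIGNALS = TelcoSignals("DE", NOW - timedelta(days=400), frozenset({"DE", "AT"}))

if __name__ == "__main__":
    for name, t, s in (("suspect", SUSPECT, SUSPECT_SIGNALS), ("normal", NORMAL, NORMAL_SIGNALS)):
        f = fraud_flags(t, s)
        print(name, f, "step-up" if should_step_up(f, t.amount) else "allow")
```

The bank only sees the origin of the session; the serving network and SIM-change history are exactly the telco-held data the paragraph above argues should be shared.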
In numerous meetings with financial services organisations in South Africa and abroad, we have seen a surge of interest in the potential for collaboration and shared data across financial services and telcos, which could benefit all stakeholders.
Not only could this shared data be analysed to better mitigate risk, it also has the potential to help both financial services and telcos innovate and improve services to their customers. The questions around how collaboration should be formalised, and through what forums, would have to be addressed before both sectors could start the process of data sharing and begin benefiting from enhanced transactional analytics for next generation risk mitigation.