Many of us now refuse to answer telephone calls from an unknown number, for fear that it could be a scam. And we dread receiving a text message, purportedly from our bank or a delivery firm, again due to concerns that it might be from fraudsters. A recent report suggests that we are right to be cautious. In the 12 months to March 2021, phone call and text message fraud across England, Wales, and Northern Ireland were up 83% from the previous year, according to the consumer group. Which? analyzed data from Action Fraud, the UK’s national reporting center for fraud and cybercrime, and says this was the biggest rise across all types of fraudulent attacks.
It adds that the jump was fuelled by more people getting things delivered during the pandemic, which led to a corresponding huge rise in fake parcel delivery text notifications.
In these “smishing” attacks, fraudsters send a person a message, seemingly from a legitimate number, to claim that a small payment is needed before a package can be delivered. Then when you click on the link they try to steal your banking details. But how exactly are the fraudsters able to do this, and why is it so difficult for telecoms firms and authorities to tackle the problem? Matthew Gribben, a cyber security expert, says that criminals are able to make it look like their phone call or text is coming from the real telephone number of a bank or delivery firm, due to continuing vulnerabilities in the UK (and other countries’) telephone network systems.
“There’s no way for the current UK phone network to guarantee 100% that the presentation number it is being told is the actual originating number – it has to take your word for it,” says Mr. Gribben, who is a former consultant to GCHQ, the UK government intelligence agency. The core of the problem is a telephone identification protocol called SS7, which dates back to 1975. It is a little complicated but bears with us. SS7 tells the telephone network what number a user is calling or texting from, known as the “presentation number”. This is crucial so that calls can be connected from one to another. The problem is that fraudsters can steal a presentation number, and then link it to their own number.
The issue affects both landlines and mobile phones, with SS7 still central to the 2G and 3G parts of mobile phone networks that continue to carry our voice calls and text messages – even if you have a 5G-enabled handset. One theory is that the vulnerabilities of SS7 cannot be fixed because the telecoms firms need to give national security agencies access to their networks, but Mr. Gribben says GCHQ (Britain’s intelligence agency) can monitor communications without using SS7 loopholes. The problem, he says, is that SS7 is still used in telecoms networks globally. And it needs to be replaced rather than patched up.
“SS7 was developed assuming there would always be legitimate activity [and] goodwill around the use of it,” explains Katia Gonzalez, head of fraud prevention and security at BICS, a Brussels-based telecoms firm that connects and protects mobile phone networks.
“There’s too much legacy technology [reliant upon it] that we can’t move away from – we’re going to have these SS7 2G/3G networks for at least another 10 years.”
Jon France, head of industry security at the GSMA, the trade organization that represents mobile network providers around the world, says that “a lot of these problems will disappear” after 5G networks have been fully rolled out. This will mean that SS7 – and 2G and 3G – can be totally replaced. Ms. Gonzalez agrees: “It took some time to understand these flows, and how they were exploited. Now with 5G, there will be security from [the center] of it.”
However, Mr. Gribben cautions that even when SS7 is replaced by something “entirely brand new and sparkling, there will still be other vulnerabilities [that fraudsters can exploit]”. The GSMA says that telecoms firms are putting “a large amount of effort and investment” into tackling scams. For its part, BICS is using artificial intelligence systems to try to detect and block incoming fraudulent calls and texts. Ms. Gonzalez adds the only way to prevent text message scams is to enable telecoms firms to use AI to scan texts for links to fake websites before they are sent. Yet privacy regulators are unlikely to ever agree to that. So instead BICS is calling for “greater collaboration between telecoms firms and governments, better relations between countries, and more effort from the companies on sharing information on the latest vulnerabilities”. The GSMA says that telecoms firms are putting “a large amount of effort and investment” into tackling scams.
For its part, BICS is using artificial intelligence systems to try to detect and block incoming fraudulent calls and texts. Ms. Gonzalez adds the only way to prevent text message scams is to enable telecoms firms to use AI to scan texts for links to fake websites before they are sent. Yet privacy regulators are unlikely to ever agree to that. So instead BICS is calling for “greater collaboration between telecoms firms and governments, better relations between countries, and more effort from the companies on sharing information on the latest vulnerabilities”. As phone and text scams are not going away anytime soon, Amanda Finch, chief executive of the professional body, Chartered Institute of Information Security, says: “There’s always more that telecoms firms could do”. “But, security is a continually moving target… basically everyone has to be vigilant,” she adds. Meanwhile, Robert Blumofe, chief technology officer of cloud security firm Akamai, says: “I don’t think there’s a world anytime soon where we can train people not to be fooled, so the solution has to include a way to block the response the text messages are trying to elicit.”News Source: BBC