Page 32 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
Data integrity
As described above, communication between the base station and the provider network may occur without
any cryptographic protection. In that situation there is no integrity guarantee for data transmitted by SMS- and
USSD-based systems: a message can be altered in transit without the subscriber or the DFS provider being able to
detect the change. In addition, MNO customers can fall victim to trusted phone number spoofing, otherwise known
as fake caller line ID (CLI) attacks, in which the attacker presents the number of a bank, MNO or other trusted
party. Such calls are frequently the starting point of SIM swap attacks or of other activities aimed at compromising
user accounts.
Privacy
As described above in the communication security section, there are substantial issues with SS7 network
security that can compromise user privacy.
Recommendations for mitigation
R12 – MNOs should implement security policies that maintain the integrity of their networks and prevent
unauthorized access to customer accounts. This includes logical and physical access controls that ensure there is
no unauthorized access to, or use of, the SS7 core components of the MNO's infrastructure, and that prevent the
use of those SS7 components by any party undertaking unauthorized or fraudulent activities. Controls against SIM
swaps, such as verifying the customer's identity before a SIM is replaced, should also be implemented.
R13 – The integrity of backend DFS systems must also be maintained through continuous testing, intrusion
detection and filtering, and monitoring of networks and infrastructure.
Tests and monitoring shall include, but not be limited to, those for:
• Unauthorized access to and use of any SS7 core components of the MNO's infrastructure;
• Use of any SS7 components of the MNO's infrastructure by any party where that use may be designed to
undertake unauthorized or fraudulent activities;
• Detection, as far as is technically possible, of unauthorized radio frequency devices operated by
unauthorized parties that may be designed to disrupt the MNO's licensed activities and/or to gain
unauthorized access to customer handsets, to customer access rights to MNO and MFS facilities, and to
customer data.
In addition, MNOs shall:
• Expeditiously provide to the telecommunications regulator reports on penetration tests that relate to
the security of their systems. These reports must include any remedial action taken, if applicable;
• Expeditiously provide to the telecommunications regulator reports on incidents that relate to unauthorized
access to their systems and data. These reports must include any actual and potential data losses and
breaches of consumer data protection measures, and any remedial action taken.
R14 – MNOs and regulators should undertake active customer awareness campaigns to educate consumers
about malicious messages, phishing, and spoofing attacks.
R15 – MNOs should monitor incoming calls from interconnect carriers and undertake fake CLI analysis, and
should implement black or white lists of CLIs, together with other security mechanisms, to detect and block
calls associated with attempts to steal customer credentials.
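The following is an added illustration of the screening that R15 describes; it is not code from the ITU-T report or from any MNO. It classifies inbound interconnect calls using a black list and a white list of CLIs plus two fake-CLI heuristics: a "protected" CLI (customer care or DFS service numbers that only ever originate on-net) arriving over any interconnect trunk is treated as spoofed and blocked, while a home-network CLI arriving over an international trunk is only flagged for review, because roaming subscribers legitimately produce that pattern. The number ranges, the list contents, the field names and the call records are all constructed for the example.

```python
"""Illustrative fake-CLI screening of inbound interconnect calls.

Added example, not part of the ITU-T report. Every number range, list
entry and call record below is constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: CLIs are presented as E.164 digit strings without a leading '+'.
E164 = re.compile(r"^[1-9][0-9]{6,14}$")

# Hypothetical home-network numbering ranges (country code + operator prefix).
HOME_PREFIXES = ("2547",)
# Hypothetical customer-care and DFS service numbers. These only ever originate
# on-net, so seeing them as a CLI on an interconnect trunk means the CLI is fake.
PROTECTED_CLIS = {"254700100100", "254700100200"}
# Hypothetical black list: CLIs previously used in credential-theft calls.
BLACKLIST = {"254733999999"}
# Hypothetical white list: verified partner numbers exempt from the heuristics.
WHITELIST = {"254711000000"}


@dataclass(frozen=True)
class InboundCall:
    carrier: str   # interconnect partner the call arrived from
    trunk: str     # "international" or "domestic"
    cli: str       # presented calling line identity
    called: str    # called subscriber number


def classify(call: InboundCall) -> tuple:
    """Return (action, reason); action is "block", "flag" or "allow"."""
    if call.cli in BLACKLIST:
        return "block", "blacklisted CLI"
    if call.cli in WHITELIST:
        return "allow", "whitelisted CLI"
    if not E164.match(call.cli):
        return "block", "malformed CLI"
    if call.cli in PROTECTED_CLIS:
        return "block", "protected on-net CLI presented from an interconnect"
    if call.trunk == "international" and call.cli.startswith(HOME_PREFIXES):
        # Roaming subscribers legitimately produce this pattern, so this is a
        # review signal rather than an automatic block.
        return "flag", "home-range CLI arriving on an international trunk"
    return "allow", "no indicator"


def screen(calls):
    """Classify each call and tally block/flag decisions per interconnect carrier,
    which is the per-carrier monitoring view R15 asks for."""
    decisions = []
    per_carrier = Counter()
    for call in calls:
        action, reason = classify(call)
        decisions.append((call, action, reason))
        if action != "allow":
            per_carrier[(call.carrier, action)] += 1
    return decisions, per_carrier


# Constructed sample of inbound calls.
SAMPLE_CALLS = [
    InboundCall("carrier-A", "international", "254700100100", "254712345678"),   # spoofed care line
    InboundCall("carrier-A", "international", "254733999999", "254712345678"),   # blacklisted CLI
    InboundCall("carrier-B", "domestic", "254700100200", "254712345679"),        # spoofed DFS number, domestic trunk
    InboundCall("carrier-B", "international", "254722000111", "254712345680"),   # possibly a roaming subscriber
    InboundCall("carrier-C", "international", "4420712345678", "254712345681"),  # ordinary foreign caller
    InboundCall("carrier-C", "international", "+44 20 71", "254712345682"),      # malformed CLI
    InboundCall("carrier-C", "domestic", "254711000000", "254712345683"),        # whitelisted partner
]

if __name__ == "__main__":
    decisions, per_carrier = screen(SAMPLE_CALLS)
    for call, action, reason in decisions:
        print(f"{call.carrier:10} {call.trunk:13} {call.cli:15} {action:5} {reason}")
    print(dict(per_carrier))
```

The ordering of the checks matters: the black list is consulted before the white list so that a compromised partner number can be cut off immediately, and the protected-CLI rule is an outright block because there is no legitimate path for those numbers to enter over an interconnect. The per-carrier tally is what an operator would watch to spot an interconnect partner that is persistently injecting fake CLIs.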