Page 21 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
12.2 Detecting and mitigating social engineering attacks with MT-USSD

Once the attacker solicits the account number and PIN from the victim, they will attempt to use it with another phone and register the new phone to the account in order to transfer funds. Alternatively, they use the account number and PIN to withdraw funds at an ATM or at a convenience store or kiosk (e.g. 7-Eleven).

Once the DFS provider receives the transaction request, before authorizing it the DFS provider needs to ascertain the following:

a) The location of the account holder's phone is indeed near the ATM or kiosk where the transaction is taking place (if this is an ATM transaction).

b) Provide the IMSI and IMEI of the phone performing the transaction in order to check with the cellular carrier whether the owner of the IMSI and phone is the account holder.

c) Verify with 2-way SecureOTP[12] to the original phone number to verify the legitimacy of the transaction.

12.3 Detecting and mitigating interception of MO-USSD transactions

Once the fraudster intercepts the account number and PIN from the victim, they will attempt to use it. The attacker has two main ways to use the intercepted credentials:

a) During the MITM session, while the victim's SIM is cloned in the MITM system, the attacker can initiate an MO-USSD session from the MITM system.

b) After the MITM session, the attacker will attempt to use the credentials with another phone and register the new phone to the account in order to transfer funds (just like in the scenario above).

We will detail how to detect the first scenario, since the second is the same as above. Once the DFS provider receives the transaction request, before authorizing it the DFS provider needs to ascertain the following:

a) Check whether the IMEI of the device performing the transaction matches the IMEI of the account holder's phone (an MITM system may clone the SIM with a different IMEI).

b) Compare the location of the phone performing the current transaction to the last reported location of the phone (last in/out SMS or call), since once under the MITM system the attacked phone changes its network location abruptly.

12.4 Detecting and mitigating unauthorized SIM card swap

Once the attacker is in possession of the new SIM, they perform the transaction to reset the PIN code using an OTP SMS. Once the DFS provider receives the transaction request, before authorizing it the DFS provider needs to ascertain the following:

a) Check whether the IMSI associated with the phone number has changed; this is an indication of a SIM swap.

b) If there is an indication of a SIM swap, check the IMEI of the phone holding the SIM. If the IMEI has also changed, there is a high probability of a SIM swap. In that case the DFS provider should block the account until account verification procedures have been performed, for example via a voice call or an agent.

c) Systems and procedures to detect suspicious SIM swap behavior can be implemented. These rely on, inter alia:

Regulatory rules on SIM swaps, including:

a) Standardization by regulators of SIM swap rules amongst MNOs/MVNOs, including SIM swaps leading to porting of numbers to other MNOs/MVNOs.

b) Identification to an MNO/MVNO or its agents of persons requesting new SIMs, including an affidavit signed by the subscriber and a passport photograph of the subscriber where the replacement is to be done by a proxy.[13]

c) Where SIM replacement is carried out by proxy, the MNO/MVNO or its agents must capture a facial image of the proxy, which must be kept for twelve (12) months.[14]

d) Rules that a SIM should be replaceable only if it is faulty, damaged, stolen, lost, obsolete (but eligible for replacement or an upgrade), or for any other reasonable legitimate reason or condition necessitating a SIM replacement.[15][16]

Internal rules on SIM swaps by MNOs/MVNOs, including:

a) On request for a SIM swap, sending of notifications via SMS, IVR or Push USSD of the SIM swap request to the (current) SIM/phone number owner, in case the SIM is still live, and then waiting for a positive response from the owner for a certain time before undertaking the SIM swap.

b) A general 2-4 hour holding time from the time of a SIM card request to providing the new SIM card to the requestor.

c) Challenge questions posed to the SIM swap requestor, including the value of the last prepaid voucher recharge and/or numbers called regularly, or the name of the person who paid the last bill if a post-paid account.

d) Linking bank 2FA systems used by banks/PSPs for undertaking (new) payment beneficiary verification via SMS and/or push USSD OTP to SIM/phone number databases housed at MNOs. Linking the two data-
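The pre-authorization checks of sections 12.3 (IMEI mismatch, abrupt location change) and 12.4 (IMSI change, IMSI and IMEI both changed) can be expressed as a single decision routine on the DFS provider's side. The following is an added example, not code from the report or from any DFS provider or MNO. Its data model is an assumption: the provider keeps an enrolment profile (IMSI, IMEI, last reported location from the last in/out SMS or call) and obtains the current IMSI, IMEI and cell location for the MSISDN from the carrier at transaction time. The JUMP_KM threshold and the sample records are constructed for illustration.

```python
"""Pre-authorization checks for MO-USSD interception (12.3) and SIM swap (12.4).

Added example, not part of the report. Assumed data model:
  Profile      - what the DFS provider stored at enrolment plus the location
                 of the subscriber's last in/out SMS or call.
  NetworkView  - what the cellular carrier reports for the MSISDN now.
Outcome:
  "authorize"  - nothing suspicious;
  "step_up"    - hold for additional verification (e.g. 2-way OTP, voice call);
  "block"      - IMSI and IMEI both changed: probable SIM swap, block the
                 account until account verification procedures are performed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Tuple

JUMP_KM = 50.0  # assumed threshold for an "abrupt" network-location change


@dataclass(frozen=True)
class Profile:
    msisdn: str
    imsi: str
    imei: str
    last_lat: float
    last_lon: float


@dataclass(frozen=True)
class NetworkView:
    imsi: str
    imei: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Decision:
    action: str
    reasons: Tuple[str, ...]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(profile: Profile, now: NetworkView) -> Decision:
    """Apply the 12.3 and 12.4 checks and return a Decision."""
    reasons = []
    imsi_changed = now.imsi != profile.imsi
    imei_changed = now.imei != profile.imei

    # 12.4 b): IMSI and IMEI both changed -> high probability of SIM swap.
    if imsi_changed and imei_changed:
        return Decision("block", ("imsi_and_imei_changed: probable SIM swap",))

    # 12.4 a): IMSI changed for the same phone number -> SIM swap indicator.
    if imsi_changed:
        reasons.append("imsi_changed: possible SIM swap")

    # 12.3 a): same IMSI on a different device -> SIM may be cloned in an MITM system.
    if imei_changed:
        reasons.append("imei_changed: SIM possibly cloned on another device")

    # 12.3 b): network location moved abruptly since the last reported SMS/call.
    jump_km = haversine_km(profile.last_lat, profile.last_lon, now.lat, now.lon)
    if jump_km > JUMP_KM:
        reasons.append(f"location_jump: {jump_km:.0f} km since last activity")

    return Decision("step_up", tuple(reasons)) if reasons else Decision("authorize", ())


# Constructed sample records (IMSI/IMEI values are placeholders, not real subscribers).
BASELINE = Profile("+000000000001", "001010000000001", "350000000000001", -1.2921, 36.8219)
LEGIT = NetworkView("001010000000001", "350000000000001", -1.3000, 36.8300)
MITM_CLONE = NetworkView("001010000000001", "350000000000002", -4.0435, 39.6682)
SIM_SWAP = NetworkView("001010000000002", "350000000000003", -1.2921, 36.8219)

if __name__ == "__main__":
    for name, view in (("legit", LEGIT), ("mitm_clone", MITM_CLONE), ("sim_swap", SIM_SWAP)):
        print(name, assess(BASELINE, view))
```

The location check deliberately uses only the last in/out SMS or call as its reference point, as the text describes; a provider with access to a fuller location history could tighten JUMP_KM per subscriber, but the decision logic stays the same.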