May 4, 2016
In another sign of the new enabling technologies in FinTech going mainstream, CBS' 60 Minutes released a special last week called Hacking Your Phone in which the vulnerabilities of mobile phones were explained and exposed. With mobility being an integral component of almost every new FinTech proposition, this can be a scary phenomenon. In fact, the acclaimed TV segment ended with an ominous: "We live in a world where we cannot trust the technology that we use."
So, should we be concerned? How concerned? How bad is this for consumers and especially for consumers who are increasingly looking forward to the new FinTech becoming an integral part of their lives? The show referred to the SS7 technology, which is the shared protocol for mobile phone networks to signal information back and forth with one another. While this technology has been an important component of the ease of interoperability between wireless carriers, could that same protocol now be a source of attacks if exploited by hackers?
To answer these questions, we turned to one of the most knowledgeable innovators in the industry, who has built a career (and a company) working with mobile operators around the world and understands the SS7 protocol specifically as it relates to how it can be securely harnessed for financial transactions.
In a Let’s Talk Payments exclusive, we speak with Payfone CEO Rodger Desai about why consumers should know about the vulnerabilities of the mobile phone networks and how banks are working with Payfone to protect them against these vulnerabilities.
LTP: What was the CBS 60 Minutes special about?
Rodger R. Desai: The 60 Minutes special explains how an exploit can be used to eavesdrop on mobile communication. This exploit makes use of the SS7 network, a global system used to route call and billing information between mobile network operators. While the system is highly secured from non-mobile network operator parties accessing it, it is only as secure as the weakest link in the chain. In other words, if one of the telcos with access is hacked, then the system is compromised. In the 60 Minutes case, the hackers were granted access via a mobile network operator to perform testing. Given the global scope of this system, one should expect that other non-MNO parties have or could be granted access to this system.
Once granted access, the hackers were able to access a US mobile network operator’s HLR (home location register, the database in GSM systems where subscriber information is stored) and eavesdrop on calls and text messages sent simply by monitoring a specific phone number.
LTP: Beyond the obvious consumer privacy concerns, what damage could hackers do by accessing this information?
RD: This information is generally used to perform an attack called a "man-in-the-middle attack" in which a fraudster records the interaction between a consumer and their bank, and takes note of the information for subsequent use (also referred to as a replay attack). In the case of a one-time passcode being sent, this technique would allow the interception of the passcode. In the case of voice interaction between a consumer and a bank’s call center, this technique would allow the PAN and KBA interactions to be compromised.
The core issue is that banks and enterprises are using a layer of the telecom system (voice and data communication layer) that was not designed to be secure and, for several reasons, will never be secure. Applications like WhatsApp can encrypt their communications since they control both endpoints.
LTP: So what can consumers or businesses do to protect themselves against the risk of replay attacks using this method?
RD: There is a layer beneath the communication layer that is the proper layer for banks to use. The authentication layer that the mobile network operators themselves use to secure their networks is very sophisticated and designed to keep their networks and consumers safe. If you think about it, when you want to make a phone call, you don’t need to log in to your phone company. They know it’s your phone since your SIM card signs in for you. In fact, every interaction you have with your mobile network operator is signed by your SIM – every call, every text, every time you access the Web from a browser or use mobile apps. Another way to look at this: of all the types of mobile attacks that have been discovered, there has still not been one case of a hacker making a call and billing it to someone else’s SIM card.
At a high level, each SIM has a globally unique cryptogram within it, which is referred to as the Ki value. This cryptogram is validated each time your SIM signs an interaction by a series of mathematical challenges between the mobile network and your SIM card. These mathematical challenges ensure that the Ki value is never passed over the air. As such, a man in the middle wouldn’t be able to intercept it. At Payfone, our authentication products leverage SIM signing and therefore, man-in-the-middle and replay attacks would be thwarted as the hacker would not have your secret Ki value.
LTP: Are there other vulnerabilities of SS7 of which consumers should be aware?
RD: Yes, there is another way to exploit SS7. Hackers can use a device called an IMSI catcher to intercept your calls and texts.
For background, SS7 allows for a seamless call hand-off between cell towers when we are in a moving car, and also allows for mobile devices to "roam" in other countries. So, mobile devices are always on the search for new cell towers and access points to connect to in case they need to hand-off. Because of this, a hacked femtocell/base station can be used for a man-in-the-middle attack by forcing mobile devices to connect to it. Once connected, the hack can copy and store the traffic that goes through it. And since Base Stations tell the mobile device what encryption to use, if any, this means a lot can be intercepted—for example, two-factor SMS passcodes from banks to their customers. Here’s an article about this type of attack in the Washington Post.
As with the previous attack, Payfone’s use of SIM signing thwarts this type of attack.
LTP does not believe that the conclusion reached by CBS is justified. In fact, we also spoke with Aditya Khurjekar, CEO and Co-founder of LTP, about this topic, who led the due diligence when Payfone technology for secure mobile payments was first introduced to mobile operators and banks by the company in 2009. "Payfone has a deep understanding of the very complex security protocols used by MNOs (mobile network operators). Their ability to derive scalable secure authentication for payments transactions for their bank partners using the myriad mobile technologies, not only in the device but also in the network, is exactly what sets them apart."
Background on Payfone
Payfone is a leader in mobile identity authentication. Payfone’s suite of network authentication services provides unparalleled mobile security while eliminating friction from the customer experience. The company is backed by leading venture firms, financial institutions, mobile network operators, and Early Warning and is based in New York. Follow Payfone on Twitter @payfone.