Network operators such as Vodacom, MTN, Cell C, and Telkom can and will be hacked, Myriad Connect vice-president of business development Paul Kingsbury told MyBroadband.
This is a reality that security system designers and information security officers need to accept, he said.
“I don’t think people really get that. They don’t understand the magnitude of the issue. We must do what we can to secure our networks, but accept that there are vulnerabilities,” said Kingsbury.
Kingsbury’s comments come after a security vulnerability in Signaling System 7 (SS7) made it possible for hackers to intercept phone calls, read text messages, and determine user movements.
SS7 is an international telecommunications standard used in mobile networks that was developed to handle call set-up, management, and tear-down.
Kingsbury said networks were designed to communicate using these common standards, the inner workings of which are readily available.
“In this standardised environment, it is not surprising that criminals are manipulating what they know about how SS7 works, along with what they know about banks’ processes for authenticating financial transactions, to defraud banking customers of their savings.”
SMS no longer safe
Kingsbury said the trade-off is that mobile operators offer wide-area networks that reach just about every person, and provide a lot of value for authentication services.
“While there is clearly risk in using the SS7 network for authenticating financial service transactions, as this recent attack shows, network operators are well placed to play an important role in the security and authentication ecosystem,” said Kingsbury.
Banks and network operators need to start working collaboratively to facilitate more secure authentication services.
Two-factor authentication using one-time passwords delivered over SMS was fine as a banking security measure for years, but it now needs to evolve.
“The real-time data at the disposal of mobile operators, for example, provides an invaluable level of support for the real-time decision making for banks when determining risk within a transaction,” said Kingsbury.