78 percent of networks are vulnerable to fraud
The percentage of successful attacks is high because the subscriber's actual
location is not checked. To reduce the possibility of attacks using these methods,
continuous monitoring of signaling traffic and illegitimate activity is required to
identify suspicious hosts, build lists of trusted networks, and immediately block
requests from banned sources.
Originating calls are tapped by using a similar pattern: the message
InsertSubscriberData replaces the address of the billing platform in the subscriber's
profile stored in the VLR database. When a request is sent to the changed address,
the attacker first redirects the originating call to his or her equipment, and then
redirects it to the called subscriber. So the attacker can tap any conversation of the
subscriber.
Fraud
There is a wide range of methods that can be used by criminals to gain financial
benefit from the operator or subscribers. These methods can be divided into four
categories:
+ Illegitimate redirection of terminating or originating calls
+ USSD request manipulation
+ SMS message manipulation
+ Subscriber profile changing
Illegitimate redirection of terminating or originating calls
An attacker can redirect voice calls of subscribers to premium-rate numbers or to
a third-party number. The call is paid for by the subscriber if unconditional
redirection is established, or by the operator if the subscriber is registered in
a fake network and his or her roaming number is spoofed.
Call redirection also helps to implement other fraudulent schemes. For example,
if a subscriber makes a call to a bank, an intruder can redirect it to his or her own
number, impersonate a bank employee, and thus obtain confidential information,
such as passport data and a codeword. Another method is redirecting terminating
calls and impersonating a subscriber to confirm banking transactions.
Figure 12. Forwarding a subscriber's voice calls (percentage of successful attacks).
[Bar chart comparing 2015, 2016 and 2017 for originating call redirection, control of
unconditional forwarding, and terminating call redirection.]
Calls are redirected by using UpdateLocation, RegisterSS, and InsertSubscriberData,
listed above, as well as AnyTimeModification, which allows making changes to
a subscriber's profile (note that no attack attempt using AnyTimeModification
was successful).
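As an added illustration (not code from the report), the following Python example applies the monitoring measures recommended earlier (a trusted-network list, blocking of banned sources, a subscriber location check) to the MAP operations named above. The GT and IMSI prefixes, the policy sets and the one-hour travel threshold are constructed assumptions.

```python
from collections import namedtuple

# Constructed placeholder values; the policy sets are assumptions, not from the report.
HOME_GT, HOME_IMSI = "10001", "99901"       # own GT prefix, own MCC+MNC prefix
TRUSTED_GT = {"20002", "30003"}             # roaming partners' GT prefixes
HOME_ONLY = {"AnyTimeModification"}         # never expected from another network
HLR_ONLY = {"InsertSubscriberData"}         # only the subscriber's own HLR may send
ROAMING = {"UpdateLocation", "RegisterSS"}  # may arrive from partner networks
MIN_TRAVEL_S = 3600                         # assumed minimum time to change network

# Arrival time (s), MAP operation, SCCP calling-party global title, subscriber IMSI
Msg = namedtuple("Msg", "ts op gt imsi")

class Monitor:
    def __init__(self):
        self.banned = set()    # source GTs blocked after a violation
        self.last_seen = {}    # imsi -> (ts, network) of last accepted UpdateLocation

    def check(self, m):
        net = m.gt[:5]
        if m.gt in self.banned:
            return "block", "banned source"
        external = net != HOME_GT
        own_sub = m.imsi.startswith(HOME_IMSI)
        if external and (m.op in HOME_ONLY or (m.op in HLR_ONLY and own_sub)):
            self.banned.add(m.gt)
            return "block", "profile change from outside home network"
        if external and m.op in ROAMING:
            if net not in TRUSTED_GT:
                self.banned.add(m.gt)
                return "block", "untrusted network"
            prev = self.last_seen.get(m.imsi)
            if prev and prev[1] != net and m.ts - prev[0] < MIN_TRAVEL_S:
                return "alert", "implausible location change"
        if m.op == "UpdateLocation":
            self.last_seen[m.imsi] = (m.ts, net)
        return "allow", ""

IMSI = "999010000000001"
SAMPLE = [  # constructed signaling records
    Msg(0, "UpdateLocation", "100010000001", IMSI),
    Msg(120, "UpdateLocation", "200020000007", IMSI),
    Msg(130, "InsertSubscriberData", "400040000009", IMSI),
    Msg(140, "RegisterSS", "400040000009", IMSI),
    Msg(8000, "UpdateLocation", "300030000002", IMSI),
]

def verdicts(stream=SAMPLE):
    mon = Monitor()
    return [mon.check(m)[0] for m in stream]
```

On the sample records, the second registration is flagged because the subscriber was seen in the home network two minutes earlier, and the source that sent InsertSubscriberData stays blocked for its follow-up RegisterSS.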
USSD request manipulation
An attacker can transfer money from the account of a subscriber or an operator's