18-08-2017 | | By Paul Whytock
Some of you film buffs out there may remember Laurence Olivier asking Dustin Hoffman that same question in the film Marathon Man. Now whereas the wrong answer from Hoffman resulted in considerable pain at the hands of Olivier’s mad dentist character, users of the smart phones for personal banking could find it an equally painful experience of a financial nature because of 4G security loopholes.
An interesting report about this landed on my desk which says 4G networks still retain some worrying vulnerabilities despite all the investment poured into implementing the Diameter communications security protocol which replaced the weaker RADIUS protocol. What this means in simple terms is hackers can intercept and divert SMS messages, eavesdrop on conversations and locate users via GPS. It could even help DoS attacks on operator equipment that would case network failures.
And when it comes to your money, one incidence that demonstrates this 4G cyber weakness was when money was stolen from bank accounts by hackers redirecting One Time Pass codes that had actually been sent out by the banks as text messages.
The report goes into some detail explaining the network vulnerabilities and was researched and produced by Positive Technologies, specialists in communication security.
One of the important aspects of 4G vulnerability pointed out by Positive Technologies at the start of its investigative report may surprise a lot of 4G smart phone owners who think theirs is a state-of-the-art-gizmo. In most respects they are right, but what many don’t know is their snazzy 4G handsets also use old-generation networks as well. It’s called CSF, (circuit-switched fallback). Here’s how that happens. While some mobile operators can provide data transfer over LTE, making phone calls and exchanging SMS messages may require a temporarily fall back to older networks, hence the term CSF.
What this means is 4G subscribers are still susceptible to tried-and-tested hacks associated with older generation networks.
The Positive Technology report goes into considerable detail regarding the fraudulent vulnerabilities of SMS messaging, particularly when it comes to financial transactions and also how fraudulent attacks can be made that facilitate the redirection of billing information to already hacked billing services.
So what can owners of 4G handsets do about all this? Well there are some strategies that can help.
But what about the mobile operatoring companies? How do they cut communication security risks? The Positive Technologies report came up with some straightforward suggestions for the industry.
Mobile operators should transition into an increasingly IP-based world in a way that is fitting of the medium. This means regularly performing security testing of their signalling network in a way similar to that of IT networks the world over.
Since introduction of new equipment or configuration changes to existing equipment may affect network security, this testing should take place at least every three months. To minimise threats and keep security settings up to date, telecom operators must also consistently monitor, test and filter the messages that cross their network boundaries. These tasks can be handled by specially designed attack detection systems and equipment with firewall functionality for signalling traffic.