Messaging channels have always been a favorite of growth and customer experience teams due to their versatility in various use cases like activating dormant users, ensuring security through SMS-based two-factor authentication (2FA), and more. SMS and voice channels have been at the forefront of this trend across industries, as indicated by a study that projects continued heavy utilization of these channels.

However, as is often the case, where there is money involved, attackers tend to lurk. Telecom-based attacks such as SMS toll fraud and 2FA hijacking have become a growing concern for Chief Information Security Officers (CISOs), causing problems for enterprises like X and catching the attention of prominent figures like Elon Musk, who showcased the damaging effects of toll fraud on businesses.

The telecom infrastructure heavily relies on the Signaling System 7 (SS7) to facilitate communication between different networks, including messaging and voice calls. Despite advancements in zero-trust architecture, SS7 operates on a trust-based model, assuming the honesty and legitimacy of all participants, which attackers exploit by either taking over less secure operators or impersonating legitimate ones in the middle.

The decentralized and regional nature of networks leads to challenges in tracking the origin and termination of traffic, allowing attackers to create fake traffic with disguised details, impacting business revenues. While some networks are beginning to adopt SSE and IPSec protocols, these measures are not yet widely implemented, providing attackers with a gateway to exploit vulnerabilities in the infrastructure.

Telco-based attacks, while illegal, act as a burdensome tax on businesses, particularly affecting small to medium-scale enterprises who struggle with inflated bills and debts resulting from these attacks. In cases like SMS toll fraud, where calls are redirected to premium rate numbers without consent, businesses are left with complex contracts and limited recourse to rectify the fraudulent charges.

The impact of these attacks extends beyond financial burdens, leading to cybersecurity threats that compromise the integrity of communication channels. Increased phishing attempts, intercepted SMS 2FA, denial of service attacks on communication flows, and significant revenue losses are among the risks posed by these attacks, leading to disruptions in business operations and customer trust.

To combat these threats, businesses can implement proactive measures like moving away from SMS and voice channels, monitoring messaging channel bills, blocking premium rate number deliveries, and deploying bot defense measures. Long-term strategies involve lobbying network operators and government bodies to upgrade infrastructure, enforce stricter regulations, and adopt better fraud control measures to safeguard businesses against telco-driven attacks.

While some governments have begun taking action against network providers for failing to address these issues, a more comprehensive effort is needed to protect businesses’ interests and revenues. Until then, businesses must take the initiative to defend themselves against telecom-based attacks and ensure the security and integrity of their communication channels.

Source link