20.5k unique visitors in the last 3 days

Only 1 in 5 Mobile Operators Believe GSMA/3GPP Security Guidelines Cover All Signaling Threats

The Cellusys-Kaleido signaling security survey contains many other statistics that will trouble risk managers and ordinary phone users.

Firms that sell security already know about the typical weaknesses of their customers but it helps to commission independent research to convince everyone of the need to close gaps in their defenses. That was why network security business Cellusys engaged Kaleido Intelligence to survey mobile operators about signaling security, and the results make uncomfortable reading for phone users concerned about privacy, although they would not have come as a surprise to Cellusys.

Perhaps the most damning finding for the telecoms industry is that mobile operators are largely unsure of how vulnerable they remain even after they follow the best security guidance the sector has produced. 62 percent of surveyed mobile operators said they were uncertain if adhering to GSMA/3GPP security guidelines is a comprehensive solution to signaling security threats, whilst 19 percent said the standards were definitely inadequate. At the same time, a third of mobile operators are not compliant with GSMA guidelines for SS7 monitoring, a third do not comply with the GSMA guidelines for Diameter interconnect security, and 17 percent admitted they do not comply with any of the key GSMA/3GPP signaling security guidelines. It is worth keeping in mind that a phone user can be put at risk by the vulnerabilities of any of the telcos that handle their call or message.

53 percent of mobile operators said SMS spam attacks were highly frequent or very highly frequent, suggesting that SMS spam is the most common signaling-related attack. Wangiri, IRSF and spoofing were also ranked amongst the most frequent forms of attack. The interception of communications and the tracking of users were perceived to be less common, but still frequent enough that no mobile operator is going to honestly tell customers how much they are at risk.

There remains a lot of ignorance of the consequences of signaling attacks within the mobile operators that suffer them. 44 percent stated they had no estimate of the financial cost of these attacks, suggesting that a significant source of leakage remains unappreciated. A quarter of respondents refused to share their estimates of the leakage caused; my experience is that nobody refuses to divulge leakage numbers when they are low. Of the minority of mobile operators that did answer this survey question, most said their losses to signaling attacks were below USD1mn per annum, but there were several who admitted leakages had cost them over USD3mn a year.

Many mobile operators were also unable to say how often their networks had been disrupted by signaling attacks. Over a third did not know, whilst a quarter declined to answer this question. Of the mobile operators that did give an answer, the majority said they suffered network disruption at least once a month, and a third said their networks were disrupted more than five times a month.

There are many more revealing statistics in the Cellusys-Kaleido signaling security report, so the best advice is to obtain a copy from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email