20.5k unique visitors in the last 3 days

Researchers Use Leaked Data to Demonstrate SMS Fraud and SS7 Surveillance

Gabriel Geiger and Crofton Black are proving the existence of vulnerabilities that many comms industry insiders consciously choose to ignore.

In a new article published via Medium, Gabriel Geiger and Crofton Black of Lighthouse Reports have elaborated on their recent research into the murky world of telecoms intermediaries. Their analysis is based on 100 million packets of SS7 signaling data leaked from Fink Telecom Services (FTS), a comms provider associated with surveillance services. The data represented traffic conveyed over the course of a single week. Geiger and Black discovered the following about the SMS messages included within the leaked data.

  • There was extensive use of malformed packets that were presumably intended to slip through firewalls and thus deliver an SMS message without incurring a charge.
  • Such malformed packets were used for SMS messages from some of the world’s best-known online brands, including Google, TikTok, Signal and WhatsApp.
  • A European surveillance business routinely used unencrypted SMS messages to communicate updates about the movements of people they were tracking.

The leaked data also included about 150 attempts to determine the location of specific phone users by pinging the user’s Cell ID. Some of these packets were also malformed; it is safe to assume this was also motivated by a desire to defeat firewalls implemented by telcos. One of the people whose location was determined using this method is an employee of a business that sells the ability to locate phone users using SS7. That might have been an instance of the business verifying that their surveillance technique delivers accurate results.

More naive readers of Commsrisk may be shocked at the extent to which the world’s richest companies rely on dodgy providers of comms services; other readers will be pleased that the truth is finally being made public through research like this. The data included in this analysis covered several hundred thousand SMS messages sent for two-factor authentication (2FA). Per the Sender IDs used for these messages:

  • 100,000 SMS messages went sent by Google to communicate 2FA codes and password reset notifications. These were sent to phone users across 80 countries.
  • 50,000 2FA messages were sent for Meta’s Facebook, Instagram and WhatsApp services. These were sent to phone users across 90 countries.
  • 40,000 2FA messages were sent by Tinder to users across 90 countries.
  • There were also many thousands of 2FA codes for LinkedIn, Uber, Signal, TikTok and Revolut.
  • In addition to the 2FA codes, other SMS messages included the details of bank transfers and online purchases.

Industry insiders know that many of the businesses which send large volumes of SMS messages are so fixated on getting the cheapest possible price that they absolve themselves of responsibility when corners are cut by the comms providers they use. It does not help that industry self-regulation of bulk SMS messaging has been such a conspicuous sham. It will be up to big businesses to drive change by being more selective when choosing who will provide them with comms services. For example, Meta told Geiger and Black that they “had reminded partners of contractual obligations to ensure privacy and security when delivering SMS messages to Meta users” and they “had notified its partners they shouldn’t subcontract or otherwise engage with Fink Telecom when providing services to Meta or any of its affiliates”. The authors are too polite to make the observation, but the silence from Google was deafening, not least because Google was sending twice as many messages via FTS than Meta.

“Using leaked data to examine vulnerabilities in SMS routing and SS7 signalling” By Gabriel Geiger and Crofton Black is available here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email