The hidden security risks for MVNOs in a 5G world

Dmitry Kurbatov, CTO, Positive Technologies.

According to estimates from Transparency Market Research, the mobile virtual network operator (MVNO) market will exceed $98.4 billion worldwide by 2026, with an average annual growth of 8.6 percent. 

The main drivers of such rapid MVNO growth are 5G and changing needs: market demand is shifting in favor of mobile Internet services, and customers prefer to obtain products and services via convenient digital channels.

In response, technology companies and telecom operators have begun to cultivate their own ecosystems by offering users integrated products and services across industries such as Finance, Media, and Health. Put simply, if mobile operators can act like a bank, banks are now beginning to see the benefits of delivering mobile services. With banks eager to keep clients within their ecosystem, some have expanded their proposition by creating their own MVNOs. In turn, telecom operators have started to acquire companies in other industries (or create their own from scratch) as they transform into one-stop digital companies.

By stepping into one of these ecosystems, clients receive an "all-in" solution. But there's a downside, too. Converging technologies bring serious risks to information security. In this article, we will review the security issues that may affect companies building an MVNO, how attackers strike, and most importantly, what to do to stay safe.

How MVNOs get attacked

What does an ecosystem mean in this context? Clients receive a comprehensive offering thanks to the use of digital platforms and fully paperless onboarding and account servicing. They log in with single sign-on: logging in once is enough to use all of the platform's services. The boundaries between "banking" and "non-banking" become fuzzier: money credited to a mobile subscriber account can be used not only to pay for a phone plan, but for other services as well.

This is convenient for clients. They tend to place high trust in companies and are ready to provide access to their personal data and bank accounts in return for relevant product suggestions and personalised communication.

This is why it's so beneficial to have a virtual operator as part of an ecosystem: the very same 5G network has a service-oriented architecture for seamless integration of both internal technologies, and partner-provided ones. The security of all these technologies directly depends on the security of the underlying telecom systems.

Although companies sell MVNO services under their own brand, they usually use the existing infrastructure of other operators. This is a major contributor to security risks. Telecom networks harbor serious architectural flaws relating to previous generation networks that enable attacks on operators and subscribers.

Exploiting MVNO vulnerabilities

As shown by our research, exploitation of vulnerabilities in 2G/3G/4G/5G networks can lead to disruption of subscriber service, disclosure of subscriber location and connection information, disclosure of subscriber profile and encryption keys, identity theft, sender spoofing, call eavesdropping, SMS interception, billing bypass, and fraud by charging services to other subscribers.

What are some of the other issues threatening technology companies that decide to add an MVNO to their ecosystem?

1.  Account compromise. Single sign-on, despite its benefits, can amplify the effects of breaches. An attacker can leverage vulnerabilities in telecom networks to obtain access to users' digital lives and impersonate them.

2.  Theft of funds. Vulnerabilities in 2G/3G, for example, can be used by criminals to access subscribers' bank accounts. In one case, attackers struck subscribers of German operator O2-Telefonica, making off with money from their accounts. The attackers were able to intercept two-factor authentication codes due to a vulnerability in the SS7 signalling protocol. In a similar incident with U.K.-based Metro Bank in 2019, attackers also exploited SS7 vulnerabilities to intercept two-factor authentication codes. 

3.  Social engineering. Telecom vulnerabilities can help to enable social engineering attacks. A variety of attack scenarios are possible, from imitating a bank over the phone to spoofing of SMS messages and malware infection of user devices. One popular method is SIM swapping, when an attacker with knowledge of the subscriber's personal information reissues the subscriber's SIM card or ports the subscriber's phone number to their own SIM card. Consequences of such social engineering attacks can include compromise of payment card details, theft of funds via SMS banking, theft of credentials, and redirection of calls and SMS messages intended for the victim to the attacker.

Whenever a bank decides to build an ecosystem with an MVNO inside it, the security team needs to take the security of telecom infrastructure seriously. Banks already have plenty of experience with securing banking infrastructure and can draw upon industry standards and regulatory requirements. But information security for telecom networks is a bit more mysterious: companies are already getting attacked, but often do not understand how to respond.

Three-step approach

We recommend a tried-and-tested three-stage approach to security: network evaluation, monitoring, and protection. Companies start off by getting the lay of the land, making an attacker model, and then deploying defences—most likely including an IDS (Intrusion Detection System), in order to spot suspicious activity, as well as a signalling firewall for blocking attacks.

Banks and digital companies have deep expertise in general enterprise security, but telecom network security still remains underserved. This works to the advantage of attackers, who can exploit this vector against the target's entire infrastructure while in-house security teams are stuck playing catch-up, refining their knowledge and skillsets.

The MVNO market is set to take off. The number of companies committed to creating their own MVNO will only increase. Some MVNOs promise that beyond just using a single network, subscribers will be automatically switched between different networks. Since plastic SIM cards are on the way out, switching operators could become as easy as tapping a button in an app.

This lack of friction is sure to increase the competitive heat between operators. In the old days, operators could get by offering communications that were reliable ("five nines") and of high quality. But now, security will become a decisive factor. The approach taken by banks and technology companies to securing their telecom infrastructure could become a significant competitive differentiator.

Dmitry Kurbatov

Dmitry Kurbatov holds a degree in information security of telecommunications systems from Moscow Technological University (MIREA). He worked as a network engineer for system integrators from 2006 and joined Positive Technologies in 2010. After developing an automated security analysis system, he switched to telecom security, researching a range of vulnerabilities in network equipment, from errors in data transfer network design and protection of signalling protocols (SS7, Diameter, GTP) through to IoT security. Since 2014, he has been Director of Telecom Security at Positive Technologies.