As malicious actors step up their attacks on mobile channels, James Moran, Head of Security outlines how the GSMA’s Working Groups are shoring up the industry’s defences.
Our growing reliance on smartphones for authentication, identification and payments has not escaped the attention of malicious actors. As mobile channels have become a major target for fraudsters, device-related scams are now rife.
Generative artificial intelligence (AI) tools, which accelerate the production of content and software code, are exacerbating this trend: So-called scam-as-a-service propositions are becoming increasingly commonplace.
Through the GSMA, mobile network operators are working on multiple fronts to counter these threats to their customers and to safeguard the integrity and resilience of mobile connectivity. In fact, the GSMA’s Fraud and Security Group has 26 active workstreams covering a range of topics and domains. These include identifying more than 700 baseline security controls that we recommend be deployed by operators. Implementing the measures set out in our Baseline Security Controls document will go a long way towards protecting both mobile networks and their users from fraud, data breaches, malware and other security and privacy threats. In a sense, it is an industry bible, as it contains everything you need to know about securing a mobile network.
The output from the GSMA’s various fraud and security workstreams can serve both to protect the mobile industry’s reputation and to address the growing needs of regulators. From a purely commercial perspective, mobile operators that suffer significant data breaches incur significant reputational damage and invariably lose customers, costing them revenues and market share. Meanwhile, regulators are becoming increasingly proactive. For example, in some judications, administrations are moving to make mobile operators partially liable for fraud that is instigated through their networks.
New technologies, new security controls
Unfortunately, security is never a done deal. Given the dynamic nature of mobile technologies and services, it is vital that the industry regularly reviews and updates its security posture. At the GSMA, we regard the Baseline Security Controls as a living document. For example, we have recently added 87 new controls specifically related to the implementation of Open RAN (radio access network) systems, which enable mobile operators to mix and match equipment from different vendors.
As the Baseline Security Controls expand and become more complex, we are developing a companion document that will advise mobile network operators on how to perform assessments that can verify the deployment or existence of these controls within their networks. We are also creating a framework that places the hundreds of controls in context and explains the relationships between them and the threats faced by mobile network operators.
Spotlight on the supply chain
For the Fraud and Security Group, another key area of focus right now is on supply chain security, as suppliers tend to be targeted as a “soft underbelly” that malicious actors can exploit to cause harm to mobile operators and their customers. Given the multiple actors involved in any supply chain, this is a complex, but important field.
The GSMA has developed the Security Assurance Scheme that applies to SIM cards and SIM card production, the eUICC Security Assurance scheme that covers eUICC software security and the Network Equipment Security Assurance Scheme. Furthermore, we are just about to conclude a timely review of the shifting regulatory landscape with respect to software bill of materials (SBOM), which lists all components, libraries and modules in a software product in a machine-readable format that can be used to identify vulnerabilities and mitigate security risks across the supply chain. After we publish that report, we will assess the next steps, which could include the identification of SBOM requirements for our industry and potentially pre-empt further regulation in this field.
The Fraud and Security group is also helping the industry to enhance the transparency of mobile device security. For example, we have developed a set of enablers to establish a mobile device security certification scheme, which has since been implemented by TrustCB. After assessing a device’s compliance to a set of security requirements defined by the European Telecommunications Standards Institute (ETSI), the scheme certifies the device’s security capabilities and the degree to which a device has been securely tested and certified. Google, in particular, has championed the need for greater transparency to allow security-conscious users to make informed device purchasing decisions and it is keen to see the security certification scheme adopted by devices running its Android operating system.
Taking a systematic approach
More broadly, the GSMA maintains the Mobile Cybersecurity Knowledge Base (MCKB) – a comprehensive document library that can help stakeholders across the ecosystem (including mobile operators, equipment vendors, regulators, application developers and service providers) understand the security threats in a systematic and objective fashion. It covers risk mitigation strategies across three key domains – networks, devices and mobile operators’ partners.
As the mobile industry is now the digital frontline, the MKCB is a very valuable resource, from both a reputational and commercial perspective. Historically, device makers and mobile operators have not regarded security as a competitive differentiator, but that is now changing. Today, consumers and businesses (as well as regulators) are placing more and more value on security. If you haven’t already, now is the time to explore the output of the GSMA’s Fraud and Security group.
For more on the MCKB and other GSMA initiatives to counter fraud, cyber threats and scams, please see our recent LinkedIn Live event. Speakers from the GSMA, Orange and Google explored the evolving landscape of mobile device and network threats, examining how mobile technologies are used to deliver scam messages and calls to target devices to steal credentials and drain financial accounts, while also outlining the resources the GSMA has available to mitigate the risks.
Get involved
If you’re a GSMA Member and interested in collaborating on this topic, please join the Fraud and Security Group (FASG) on Member Gateway.
The GSMA’s Open Gateway initiative, which is coordinating the adoption of standardised application programming interfaces (APIs), is seeing particularly strong demand for APIs that can help banks and other financial services players reduce the opportunities for fraud.