How telecoms providers can prevent the rising growth in API attacks

Andy Mills, VP of EMEA, Cequence Security, on the challenge telcos face in protecting their estate from cyberattacks.

Telecom operators use application programming interfaces (APIs) for their web and mobile applications to ensure an engaging customer experience, with the API coordinating different data sources to add value. APIs can enable location-based services through GPS information, payment integration, voice, messaging and video capabilities, SMS and WebRTC-based features and more. But those same APIs provide attackers with a convenient target to manipulate processes and access sensitive data.

Telcos' infrastructure is highly complex, with numerous legacy systems, making it difficult to manage and defend, and it's in a constant state of flux due to M&A activity, changes in technology and the rollout of new services. Dependencies on the customer base to help ensure devices and applications remain secure can introduce further weakness. And the global reach and interconnectivity of the players makes it easy for adversaries to attack the infrastructure from anywhere in the world.

Defending this estate is challenging and given the scale of the API footprint and the fact that many of these attacks are volumetric in nature, there’s a tendency for operators to focus on establishing tolerance thresholds and throttling or blocking attacks that exceed these. But there’s no real consensus on where that line should be drawn or even if it should be drawn at all.

Key attack methods

Research conducted by Cequence from Q1 to Q3 2023 found that 64 per cent of attacks against APIs in the telecom vertical were focused on scraping data from websites. Some providers will tolerate data scraping provided the request rate stays below their tolerance threshold. The problem is that even low-level scraping can expose data held in back-office applications, and it degrades the customer experience by consuming bandwidth and adding latency to service delivery. Waiting until the attack scales before acting is therefore a strangely arbitrary way to protect that data.

The next most significant attack vector revealed in the research was API probing, a reconnaissance technique used to discover what functions an API exposes, which accounted for 14 per cent of blocked activity. Probing won't necessarily lead to an attack, but it makes sense to stymie it as a preventative measure. This was followed by account takeover (ATO) fraud at 9 per cent, in which the attacker gains unauthorised access to a user's account, usually with compromised credentials (usernames and passwords exposed in a data leak).

Token farming accounted for 8 per cent of API requests, significantly less than scraping, but it is far more damaging. The attacker exploits weaknesses in an authentication or authorisation system to harvest access tokens in bulk, then replays the captured tokens to the API so that it treats each request as legitimately authenticated, giving the attacker direct control over the accounts and functions those tokens unlock.

There were also other attacks detected at much lower levels. These low and slow sophisticated attacks are designed to avoid triggering defences and may barely register on the radar of the operator, but they can often be far more devastating because they leverage much higher value assets.

Porting the Mobile Station International Subscriber Directory Number (MSISDN), for example, accounted for just 1.5 per cent of attacks, while MSISDN enumeration was at just 1.3 per cent. MSISDN fraud can nonetheless result in large financial losses. One common example involves new prepaid phone lines, which are released at a measured pace and sold on by third parties to users at a higher cost. Enumerating the activation codes on these prepaid lines grants whoever guesses a valid code a fixed talk time and data allocation without purchasing the prepaid card, resulting in a major loss of revenue for the operator.

Reserve-eSIM compromise accounted for just 0.7 per cent of API assaults. This kind of fraud involves the unauthorised activation or manipulation of eSIM profiles, or compromise of the integrity of eSIM-based authentication, achieved by exploiting weaknesses in the activation process or by using stolen credentials. It can lead to identity spoofing, where the attacker impersonates the legitimate subscriber or re-associates the profile with a different user's identity. The compromised eSIM can also be used to intercept communications, to gain unauthorised access to accounts linked to it, or to alter the subscriber's service parameters. This manipulation can result in fraudulent use of mobile services, unauthorised access to network features, or malicious over-the-air eSIM updates that load unauthorised profiles, manipulate existing ones or reach into the wider mobile network.

Tackling the problem

The survey reveals that the biggest numbers and noisiest attacks don't always result in the most damage. Of course, high volume attacks do need to be kept in check, but focusing on the most dominant attack types can skew the operator’s perception of risk and result in security resource being applied disproportionately. Key to properly understanding risk is being able to detect, monitor and mitigate both high- and low-level attack methods.

Detection via an API security solution needs to be multi-faceted, gathering intelligence on tools, infrastructure, credentials and behaviour. That intelligence feeds an accurate confidence score that identifies attackers hiding in plain sight and coordinates the response. In the case of ATO, for example, an outright block simply prompts the attacker to regroup and retool; the better approach is to deflect the attack with a fake response so that the attacker keeps spending effort on requests that achieve nothing, making it economically unviable to persist.

Attackers are highly adept at evading detection, as scraping activity demonstrates. Scrapers constantly rotate through network elements, such as IP addresses, ASNs or application-layer parameters, so that no single indicator trips a threshold. Fingerprinting technology can help here, using a map of tactics, techniques and procedures (TTPs) to identify and mitigate scraping attempts regardless of which addresses they arrive from.

With respect to token farming and eSIM fraud, detection should focus on data extraction and programmable pivots, pulling custom values from HTTP headers and bodies and aggregating them with IPs and session IDs. Counting the unique tokens originating from a single IP or session within different time windows, and conversely the unique IPs or sessions presenting a single token, reveals patterns that indicate abnormal token behaviour, token rotation or reuse attacks.

Usage patterns can also be used to spot MSISDN fraud. Each MSISDN and activation code enumerated by a third-party can be automatically aggregated against various parameters, including IPs, fingerprints, session IDs, postcodes and PINs to discern patterns indicative of replay or enumeration attempts. Moreover, any abrupt surge in success or failure rates on these APIs can be promptly identified and flagged through such monitoring.
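The two detections described above (token rotation or reuse per IP and session, and MSISDN/activation-code enumeration with a failure-rate surge) share the same mechanics: parse the request log, group by a pivot such as IP, session or fingerprint, and count distinct values inside a time window. The following is an added example written for this page, not Cequence's code or any product's logic; the log format, endpoint paths (`/api/v1/account/balance`, `/api/v1/prepaid/activate`), thresholds and the log lines themselves are all constructed assumptions for illustration.

```python
"""Windowed aggregation over API request logs (added example, constructed data).

Each constructed log line: <iso timestamp> <client ip> <session id> <device
fingerprint> <endpoint> <token or activation code presented> <http status>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BALANCE = "/api/v1/account/balance"   # assumed token-bearing endpoint
ACTIVATE = "/api/v1/prepaid/activate"  # assumed activation-code endpoint
EPOCH = datetime(1970, 1, 1)

# Constructed sample traffic, not real telco logs.
LOG_LINES = """\
2023-06-01T10:00:00 203.0.113.5 s1 fpA /api/v1/account/balance tok-1 200
2023-06-01T10:00:05 203.0.113.5 s1 fpA /api/v1/account/balance tok-2 200
2023-06-01T10:00:09 203.0.113.5 s1 fpA /api/v1/account/balance tok-3 200
2023-06-01T10:00:14 203.0.113.5 s1 fpA /api/v1/account/balance tok-4 200
2023-06-01T10:00:20 203.0.113.5 s1 fpA /api/v1/account/balance tok-5 200
2023-06-01T10:00:25 203.0.113.5 s1 fpA /api/v1/account/balance tok-6 200
2023-06-01T10:01:00 198.51.100.7 s2 fpB /api/v1/account/balance tok-9 200
2023-06-01T10:01:30 198.51.100.8 s3 fpC /api/v1/account/balance tok-9 200
2023-06-01T10:01:45 198.51.100.9 s4 fpD /api/v1/account/balance tok-9 200
2023-06-01T10:01:50 192.0.2.30 s7 fpG /api/v1/prepaid/activate 777001 200
2023-06-01T10:02:00 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100001 403
2023-06-01T10:02:01 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100002 403
2023-06-01T10:02:02 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100003 403
2023-06-01T10:02:03 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100004 403
2023-06-01T10:02:04 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100005 200
2023-06-01T10:02:05 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100006 403
2023-06-01T10:02:06 192.0.2.10 s5 fpE /api/v1/prepaid/activate 100007 403
2023-06-01T10:05:00 192.0.2.44 s6 fpF /api/v1/prepaid/activate 555123 200
""".splitlines()


def parse(lines):
    """Turn log lines into time-ordered event dicts."""
    events = []
    for line in lines:
        ts, ip, sid, fp, endpoint, value, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "sid": sid,
                       "fp": fp, "endpoint": endpoint, "value": value,
                       "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])


EVENTS = parse(LOG_LINES)


def max_distinct_in_window(events, group_by, count, window_s, endpoint):
    """Per group key (ip, sid, fp, value...), the largest number of distinct
    `count` values seen in any sliding window of window_s seconds."""
    per_group = defaultdict(list)
    for e in events:
        if e["endpoint"] == endpoint:
            per_group[e[group_by]].append(e)
    result = {}
    for key, evs in per_group.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > timedelta(seconds=window_s):
                start += 1
            best = max(best, len({x[count] for x in evs[start:end + 1]}))
        result[key] = best
    return result


def token_rotation(events, window_s=60, threshold=5, pivot="ip"):
    """One IP (or session, with pivot="sid") cycling through many tokens."""
    per = max_distinct_in_window(events, pivot, "value", window_s, BALANCE)
    return {k: n for k, n in per.items() if n >= threshold}


def token_reuse(events, window_s=300, threshold=3):
    """One token replayed from many distinct IPs inside the window."""
    per = max_distinct_in_window(events, "value", "ip", window_s, BALANCE)
    return {tok: n for tok, n in per.items() if n >= threshold}


def activation_enumeration(events, window_s=60, threshold=5, pivot="fp"):
    """One fingerprint (or ip/sid) trying many distinct activation codes."""
    per = max_distinct_in_window(events, pivot, "value", window_s, ACTIVATE)
    return {k: n for k, n in per.items() if n >= threshold}


def failure_rate_by_window(events, endpoint, window_s=60):
    """Failure rate (status >= 400) per fixed time bucket, oldest first."""
    buckets = defaultdict(lambda: [0, 0])  # bucket start -> [failures, total]
    for e in events:
        if e["endpoint"] != endpoint:
            continue
        b = int((e["ts"] - EPOCH).total_seconds()) // window_s * window_s
        buckets[b][1] += 1
        buckets[b][0] += e["status"] >= 400
    return [(EPOCH + timedelta(seconds=b), round(f / t, 2))
            for b, (f, t) in sorted(buckets.items())]


def rate_surges(rates, jump=0.5):
    """Bucket starts whose failure rate jumped by >= `jump` over the prior one."""
    return [b for (_, prev), (b, cur) in zip(rates, rates[1:]) if cur - prev >= jump]


if __name__ == "__main__":
    print("token rotation:", token_rotation(EVENTS))
    print("token reuse:", token_reuse(EVENTS))
    print("activation enumeration:", activation_enumeration(EVENTS))
    rates = failure_rate_by_window(EVENTS, ACTIVATE)
    print("failure rate surges at:", [b.isoformat() for b in rate_surges(rates)])
```

On the constructed data the same helper flags 203.0.113.5 for presenting six tokens in under a minute, token `tok-9` for being replayed from three addresses, and fingerprint fpE for cycling through seven activation codes, while the failure-rate series shows the abrupt jump in the 10:02 bucket that the text says should be flagged. The pivot column is a parameter because, as the text notes, attackers rotate IPs; counting against session ID or fingerprint as well as IP is what stops the rotation from resetting the count.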

Adopting more proactive approaches to detection that use machine learning, fingerprinting and analysis means telecom operators no longer need to rely on rudimentary attack statistics. Instead, they can leverage their API security to counter both the most visible attacks and those highly damaging low-level assaults that will no longer be able to slip under the radar.
