On September 19th, 2017, WikiLeaks (https://wikileaks.org) published a set of documents titled “Spy Files Russia” (https://wikileaks.org/spyfiles/russia/). This release includes 209 documents (34 base documents in different versions) dated between 2007 and 2015.
Without going into too many details, these documents essentially reveal how certain procedures in Russia were organized with the goal of implementing tools of mass surveillance.
Most of the documents are dated 2013, just a few months after Edward Snowden disclosed the NSA mass surveillance program and its cooperation with private U.S. IT corporations such as Google and Facebook. The presentation invites law enforcement, intelligence and other interested parties to join an alliance in order to establish equivalent data-mining operations in Russia.
Since its foundation in 2006, Julian Assange’s organization has never published a full set of documents revealing something as disturbing as these details about Putin’s regime in the “Spy Files Russia”.
One interesting aspect, besides the plans revealed by those documents and the clear attempt (now failed) to keep these aspects concealed from the masses, is the security breach related to the so-called SS7 protocol (https://wikileaks.org/spyfiles/russia/document/SSP-COMMON-DOC_SSP-DOC-G3_RUS-17_0-02).
SS7 is a signalling protocol used in several applications, among them sending SMS to mobile phones. A security breach of this protocol gives third parties, who should not be involved in the communication, access to the transmitted data.
In April 2016 there were public reports (https://meduza.io/news/2016/04/29/mts-otklyuchil-oppozitsioneram-sms-servis-vo-vremya-vzloma-ih-telegram) about a hacking case against two Russian politicians, Alburov and Kozlovsky, which resulted in a severe security breach.
Their Telegram accounts were hacked by exploiting a known weakness in the SS7 protocol, which allowed the hackers to intercept the SMS sent back from Telegram servers and use them to impersonate the two men.
Additionally, it has been proven (https://meduza.io/news/2016/05/04/oppozitsionery-predstavili-dokazatelstva-otklyucheniya-sms-pri-vzlome-ih-telegram) that someone purposely switched off the SMS service for a few hours during the hacking period, so that the legitimate owners of the accounts did not receive those SMS. It is quite obvious that such events cannot be executed without direct access or help from the mobile operator (MTS), which casts a long dark shadow on the real identity of the hackers.
Who would be able to force or access a national telecom operator and demand such action?
While “Spy Files Russia” is the tip of an iceberg, it is evident that authentication schemes built on protocols like SS7 are not secure.
In all cases where security is a concern (i.e. protecting sensitive information, conversations and data while sending them across the Internet), one should not use any service which adopts the mobile number as a means of identification.
Of course, one should also use protocols which have no known weaknesses and can be trusted as fully secure.
Perhaps, in the long run, no such protocol exists as every complex system can ultimately be hacked. However, entrusting sensitive information to a network specially created for this purpose can effectively guarantee a better degree of protection.
In fact, while public and widely used systems, transaction tools (like the SS7 protocol) and applications make use of generic protocols, dedicated systems can adopt more sophisticated algorithms, and their protocols are updated promptly every time a weakness is found.
The lean implementation of fixes (which is not possible on widespread systems and protocols) guarantees better security and better data and privacy protection.
In any case, we recommend that your digital identity not be linked to your mobile number or anything else which is connected to your real identity.
We suggest that your digital identity be linked to something physical that you carry with you and that you use to log in to your service. This allows a 2FA (Two Factor Authentication) procedure while effectively protecting your identity.
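The difference between a code sent by SMS and a factor held on a physical token can be shown in a few lines. The following is an added example, not code from the documents or from any service named above; the class names, the user "alice" and the use of HMAC-SHA256 as the token's operation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class SmsOtpLogin:
    """Server texts a one-time code to the phone number on file."""
    def __init__(self):
        self.pending = {}
    def start(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # this value travels over the SMS path: a bearer secret
    def finish(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

class TokenLogin:
    """Server sends a fresh challenge; only a keyed response comes back."""
    def __init__(self):
        self.keys, self.pending = {}, {}
    def enroll(self, user, key):
        self.keys[user] = key
    def start(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]
    def finish(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def token_respond(key, challenge):
    """Runs on the physical token; the key itself never leaves it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def compare():
    # SMS: whoever reads the message in transit holds all that login needs.
    sms = SmsOtpLogin()
    seen_in_transit = sms.start("alice")
    sms_code_enough = sms.finish("alice", seen_in_transit)
    # Token: a response is bound to one challenge, so a captured copy is stale.
    key = secrets.token_bytes(32)  # constructed sample key
    tok = TokenLogin()
    tok.enroll("alice", key)
    captured = token_respond(key, tok.start("alice"))
    owner_ok = tok.finish("alice", captured)
    tok.start("alice")  # a later login gets a new challenge
    replay_ok = tok.finish("alice", captured)
    return sms_code_enough, owner_ok, replay_ok  # (True, True, False)
```

The shared-key HMAC here is a simplification; hardware tokens commonly use a per-service key pair so that the server stores no secret at all.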