The transition to 5G does not override the fundamental rule of telecom security: trust between networks must be verifiable, not assumed. For CTOs and security executives, the key risk today lies not only in new services but also in the combination of legacy signaling protocols, subscriber identifier spoofing, and insufficiently formalized anti-fraud processes.
According to the CFCA Global Fraud Loss Survey 2025, global losses from telecom fraud in 2025 are estimated at approximately $41.82 billion, compared to $38.95 billion in 2023. This is not evidence of the failure of any single technology, but a clear signal to operators: perimeter defense must be supplemented by signaling traffic control, cryptographic call authentication, and fraud detection processes at the operational model level.
Global threat analysis: why SS7 and Diameter remain at risk
The ENISA Threat Landscape 2025, which analyzed 4,875 incidents between July 1, 2024, and June 30, 2025, confirms that the exploitation of legacy signaling protocols SS7 and Diameter remains a relevant risk for mobile networks.
For operators, this means that a security program cannot be limited to protecting new 5G components. It is necessary to regularly audit signaling interfaces, partner interaction policies, routing rules, and anomalous request controls. It is particularly important not to view SS7 and Diameter as purely legacy infrastructure that does not affect the current risk profile: according to ENISA, these protocols remain part of the current threat landscape.
Cryptographic call protection: RFC 8224 and STIR/SHAKEN
A separate area of protection is combating caller ID spoofing. For IP voice, the STIR/SHAKEN approach plays a vital role, relying on cryptographic authentication of call identity.
The technical foundation is described in RFC 8224: the standard defines the use of the SIP Identity header to carry cryptographically signed information about the call's origin. In the practical STIR/SHAKEN architecture described by the FCC, the Identity header is used in the SIP INVITE, and verification is performed using a public key.
The FCC highlights two key components of STIR/SHAKEN:
- Authentication/Verification Caller ID: A technical process in which call identity information is signed and verified by the receiving party.
- Certificate governance: Certificate management that maintains trust in the keys used for Caller ID authentication.
It is important not to overestimate this mechanism. STIR/SHAKEN helps verify the authenticity of the Caller ID but does not replace all policies for handling risky calls and does not eliminate all types of telecom fraud. Operators still require response rules, suspicious activity analytics, and coordinated procedures between network, anti-fraud, and SOC teams.
Combating subscription and identity fraud in practice
Subscription fraud and identity abuse should be considered separately from purely signaling attacks, but within a unified risk management program. The CFCA includes subscription fraud among the types of telecom fraud, and the total estimate of global losses in 2025 shows that the problem has a significant financial scale.
A practical minimum for an operator is to formalize control points throughout the entire customer connection lifecycle: verifying the application source, restricting access to documents, recording changes, auditing employee actions, and transferring suspicious cases to the anti-fraud process. Such measures do not replace network monitoring, but they reduce operational gaps through which fraud can remain undetected.
Integrating signaling traffic monitoring into operational processes
Signaling traffic monitoring should not be a standalone technical project, but part of the operational security model. To achieve this, it is advisable for an operator to combine data from network systems, call authentication mechanisms, anti-fraud tools, and SOC processes.
A practical approach includes four levels. First, inventorying signaling interfaces and areas of responsibility. Second, regularly checking SS7 and Diameter risks, as ENISA confirms the relevance of their exploitation. Third, implementing SIP Identity header verification according to RFC 8224 where the operator handles SIP calls. Fourth, operational rules: who receives alerts, which events are blocked, which are only flagged, how exceptions are documented, and how investigation results are fed back into security policies.
If an operator is simultaneously updating back-office processes, it is important to separate network anti-fraud from document management and BPM systems. In this second loop, products such as Megapolis.DocNet or Scriptum.DMS, built on the low-code platform UnityBase by InBase, can be used. The UnityBase platform supports role-based security, row-level security, audit trails, qualified RSA/PDF/DSTU signatures, and integrations with Active Directory, Oracle, and Microsoft SQL Server. This does not protect SS7 or SIP in itself, but it can be useful for controlled document management, access auditing, and preserving investigation materials.
Telecom operator readiness checklist for signaling traffic protection
- SS7 and Diameter audit: Identify all signaling interfaces, verify partner interaction rules, and designate those responsible for regular risk reviews.
- Support for SIP Identity header per RFC 8224: Verify that network components handling SIP calls can transmit and verify cryptographically signed information about the call's origin.
- Certificate governance within STIR/SHAKEN: Describe the certificate and key management processes that ensure trust in Caller ID authentication.
- Risky call handling process: Define which events are blocked, which are marked as suspicious, and which are forwarded for additional analysis.
- Subscription fraud control: Integrate customer document verification, employee action auditing, and suspicious application escalation rules into a unified anti-fraud process.
- Connection with SOC and anti-fraud team: Ensure that the results of network monitoring, Caller ID verification, and fraud investigations influence the updating of security policies.
The main takeaway for a telecom operator: 5G does not automatically eliminate old signaling risks. An effective strategy must combine SS7 and Diameter auditing, cryptographic authentication of SIP calls via RFC 8224 and STIR/SHAKEN, and operational processes that allow for the rapid detection, documentation, and handling of fraud.
FAQ
What are the main financial threats posed by the use of legacy SS7 protocols?
According to ENISA, the exploitation of legacy signaling protocols SS7 and Diameter remains a relevant risk for mobile networks. In financial terms, this increases the operator's overall exposure to telecom fraud, for which the CFCA estimates global losses at approximately $41.82 billion in 2025.
How does the STIR/SHAKEN standard help combat caller ID spoofing?
STIR/SHAKEN uses cryptographic Caller ID authentication. According to the FCC, the approach relies on the Identity header in the SIP INVITE and verification using a public key. This helps the receiving party assess the authenticity of the call's identity, but it does not replace all anti-fraud policies.
What is the role of cryptographic keys in verifying SIP calls?
Keys provide verifiable trust between parties handling a SIP call. Information about the call's origin is carried in the SIP Identity header in a cryptographically signed format, and the receiving party verifies it using a public key. Certificate governance in STIR/SHAKEN maintains trust in such keys.