Ofcom Propose New Ban to Tackle Abuse of UK Mobile Networks

Market regulator Ofcom has proposed to ban UK telecoms operators from leasing Global Titles – numbers like +44 (for the United Kingdom) that support mobile services – to third parties. This is because such leasing can be misused to try and intercept messages and calls, disrupt the operation of networks and track the location of users of other networks.

According to the regulator, a small number of operators have been leasing their Global Title numbers to third parties, which can be done to facilitate the provision of legitimate mobile services. But Ofcom also found that this can make it easier for “bad actors” to abuse the system. As a result, +44 Global Titles are “one of the most significant and persistent sources of malicious signalling traffic affecting mobile networks globally“.

The National Cyber Security Centre (NCSC) is also aware that +44 Global Titles have been exploited for malicious purposes, such as location tracking and the interception of SMS (text messages) used for 2-step verification (2SV) to target both UK residents and populations globally. Suffice to say that the regulator is aware of how this “gives rise to reputational risk to the UK as these harms have regularly been facilitated by the misuse of UK mobile numbers.”

Ofcom added that the current measures, such as the GSMA Global Title Leasing Code of Conduct and controls implemented by some Global Title lessors (e.g. signalling firewalls which block unauthorised message types and monitoring tools), have “not been effective at preventing malicious signalling“. As a result, they believe that intervention is now both “necessary and proportionate“.

Ofcom’s Proposal

We are proposing to strengthen our existing rules and introduce new rules to tackle misuse of Global Titles, in particular by:

• banning leasing of Global Titles to third parties by operators that hold UK mobile numbers;

• banning the creation of Global Titles from sub-allocated numbers by third parties;

• strengthening our rules to prohibit the misuse of Global Titles by operators that hold UK mobile numbers; and

• strengthening our rules to prohibit the creation of Global Titles from numbers not allocated for use.

Taken together, these proposals should significantly reduce malicious signalling from UK Global Titles, thereby providing material benefits to UK and international citizens. They should also enhance the transparency and accountability of operators that use Global Titles.

We consider that these proposals are appropriate and proportionate. They will result in a significant reduction in harm to UK and international citizens which we consider outweighs the adverse impacts on lessors and lessees that we have identified. Our assessment suggests that any adverse impacts are likely to be limited, in particular due to the availability of alternative ways of providing legitimate mobile services that are currently facilitated by the leasing of Global Titles.

We propose that the rules to prohibit misuse of Global Tiles by operators that hold UK mobile numbers and the rules to prohibit the creation of Global Titles from numbers not allocated for use should come into force immediately after the publication of our final decision.

Ofcom’s consultation on all this will remain open for feedback until 15th October 2024 and they’ve also provisionally proposed that the ban on leasing, alongside the ban on creating Global Titles from sub-allocated numbers, should then come into force from 1st January 2026. “This should provide the relevant parties with sufficient time to migrate to alternative solutions and dissolve legacy arrangements,” added the regulator.

Just to get a bit technical. The issue above specifically relates to the Signalling System No. 7 (SS7) protocol suite, which is used by 2G and 3G mobile networks (not 4G, which uses the Diameter protocol) to facilitate the provision of mobile services (e.g. authenticating handsets to the network, setting up and terminating calls, sending SMS messages, subscriber profile management and to facilitate roaming).

The above consultation is thus about the security risks arising from SS7 signalling associated with GTs formed from +44 mobile numbers. But users of 4G and 5G networks can also be affected by malicious SS7 signalling because 2G and 3G networks operate alongside 4G and 5G networks, providing fallback coverage in areas where 4G or 5G coverage is not yet available.