The national telecoms regulator, Ofcom, has today confirmed that it will ban UK phone operators from leasing Global Titles (GTs) – numbers like +44 (for the United Kingdom) that support mobile services – to third parties. Sadly, such leasing can be misused to try to intercept messages and calls, disrupt the operation of networks and track the location of users of other networks.
According to Ofcom, a small number of operators have been leasing their Global Title numbers to third parties, which can also be done to facilitate the provision of legitimate mobile services. But the regulator has previously found that this can make it easier for bad actors to abuse the system. As a result, +44 Global Titles are “one of the most significant and persistent sources of malicious signalling” – an issue that affects mobile networks globally.
The National Cyber Security Centre (NCSC) is also aware that +44 Global Titles have been exploited for malicious purposes, such as location tracking and the interception of SMS (text messages) used for 2-step verification (2SV) to target both UK residents and populations globally.
The fact that those who intend to cause harm can lease, rather than own, these numbers means that they can also hide their identities with greater ease, allowing them to “work in the shadow of legitimate communications networks”.
How Global Titles Work
The industry has attempted to tackle these problems itself, such as via the GSMA Global Title Leasing Code of Conduct and controls implemented by some Global Title lessors (e.g. signalling firewalls that block unauthorised message types and monitoring tools). But Ofcom stated that those efforts “have not been effective” and so they’ve opted to ban the leasing of Global Titles with immediate effect.
Natalie Black, Ofcom’s Group Director for Networks and Comms, said:
“We are taking world-leading action to tackle the threat posed by criminals gaining access to mobile networks.
Leased Global Titles are one of the most significant and persistent sources of malicious signalling. Our ban will help prevent them falling into the wrong hands – protecting mobile users and our critical telecoms infrastructure in the process.”
Just to be clear. The ban on entering new leasing arrangements is effective immediately. But for leasing that is already in place, the ban will come into force on 22nd April 2026. The aim of the latter is to “give legitimate businesses who currently lease Global Titles from mobile networks time to make alternative arrangements”.
The only exception to the above deadline relates to two specific migration journeys, which have been given until 22nd October 2026 to adapt. “We received detailed evidence on the significant challenges arising from the changes to network functionality associated with these migration journeys which distinguish them from others. We also have no evidence of misuse associated with the use of the relevant Global Titles,” said Ofcom.
The decision should help to improve the reputation of UK mobile numbers, by making them harder to abuse. However, this approach ideally needs to be followed by regulators in other countries, in order to be fully effective. Such things are often easier said than done, internationally speaking.
Just to get a bit technical. The issue above specifically relates to the Signalling System No. 7 (SS7) protocol suite, which is used by 2G and 3G mobile networks (not 4G, which uses the Diameter protocol) to facilitate the provision of mobile services (e.g. authenticating handsets to the network, setting up and terminating calls, sending SMS messages, subscriber profile management and to facilitate roaming).
The above consultation is thus about the security risks arising from SS7 signalling associated with GTs formed from +44 mobile numbers. But users of 4G and 5G networks can also be affected by malicious SS7 signalling because 2G and 3G networks operate alongside 4G and 5G networks, providing fallback coverage in areas where 4G or 5G coverage is not yet available.
Yep, we’ve been plagued on our landline recently with supposed mobile numbers (074********) claiming to be from “Bank Security” claiming there have been unauthorised payments from our account. Mobile numbers seem to be able to get around BT call filtering.
Won’t it be trivial to get around this, if you’re sufficiently inclined, by setting up a dummy UK address/company?
What verification is Ofcom going to insist upon to define a valid user of these titles?
This is a very interesting situation which is not really solvable without the UK operators opening up GT connectivity to legitimate entities. Presently the only way to offer certain solutions to customers whilst remaining independent of the big four (soon to be three) is by GT leasing. So, it may solve some security issues, but in reality, these days spam operators are using cheap SIMs and burning them until the credit expires (so it won’t stop this). A lot of the things you used to be able to do with SS7 have been blocked through advances in technology, such as the BroadForward STP platform.
In addition there’s also DIAMETER, which is a bit better on the security aspects (and there’s more kit available to verify legitimate use). The biggest issue is that the UK operators simply do not want to facilitate interconnect unless it’s on their terms and normally using their RAN.