The Growing Threat of Telecom Fraud

Posted Jul 2010

Network Fraud: Storm Warning

Mobile phone networks face rising levels of fraud and network hacking. Various developments in the industry mean that it is no easier than ever for them to gain access to the network. Robin Burton argues that, unless operators implement on line, real time and automatic systems to identify and eliminate new and evolving forms of fraud and network attack, the consequences may be very serious.

Network Defences Have Been Weakened

The SS7 network that links operators together, was once considered a protected area which was insulated from the outside world and inhabited solely by trusted telecom operators. However the barriers that protect this “safe area” are being increasingly undermined.

Changes in legislation, regulatory policies and customer demand have lowered the barriers to entry for new telecom operators. This has led to a rise in the number of operators, MVNOs and hub operators with access to the SS7 network. At the same time developments in advanced inter-networking, data applications and voice over IP (VOIP) have all provided fraudsters and hackers with new ways to get access to the network. The once secure world, of trusted operator members, is in danger of facing an onslaught of fraud and hacking. Many fear that the threat is of similar proportions to that suffered by the Internet community today.

Perhaps the biggest problem has developed from the convergence of SS7 with IP. This convergence is central to the development of a next generation network and as well as promising great potential, also brings significant threats. Many IP-SS7 gateways have been developed by new players in the market. Often their approach is based on commercial standard computer systems running flexible SS7 protocol stacks and lacks robust SS7 security.

Of course hackers know IP very well indeed. Now that SS7 knowledge is also available to anyone, programming a PC to “speak SS7” requires relatively little effort. This means that hacker communities are now busy finding ways to gain network access. Sometimes their aim is purely to disrupt services “for fun”. Sometimes the intent is to defraud the network or its customers. Some fraud specialists speculate that we may be less than a year away from a tidal wave of SS7 based fraud.

The Nature of the Threat

Many fraudsters are highly intelligent. They should not be underestimated. And they often approach their activities with a high level of dedication and effort. The high level of rewards that they can gain, also means that they are often well funded and highly organised. They are also highly reactive. They learn how operators look for fraud. Then they adapt their methods to avoid detection. It is essentially an arms race. Actions are met with counter actions and these counter actions themselves being met with counter actions. For example let’s look at the case of a cloned phone. This was long thought to be a fraud only of the pre-GSM past but now seems to be making something of a comeback. You may look out for this type of fraud by looking for high roaming usage and then blocking off that phone. The fraudster learns what thresholds are used and adapts to keep below them. This may involve cloning more phones and spreading the traffic over a longer period.

Types of Fraud

There are many types of fraud being perpetrated today. Many of them are difficult to detect. Here below we consider just a few of these fraud types:

Sim Box Fraud

SIM boxes, often known as GSM Gateways, can be used to bypass standard network inter-connection points. Typically calls are routed via the internet and then connect to appear to the network as a local mobile call. This causes the operator to lose the difference in cost between a mobile to mobile call and the usual international or national termination rate. It can also deliver a poor quality of sound to the service users.

SMS Spoofing

Fraudsters hi-jack the personality of a roamer. They use this to send high numbers of SMS messages. Usually these messages try to persuade the recipient to dial a premium rate number to enter a competition, register for a free service or claim a prize. Sometimes 100,000’s of messages can be sent with a couple of hours. This loses the operator SMS termination fees. It also leads to extreme customer annoyance, both for those who receive the messages and for those who have had their identity hijacked and often receive return calls complaining about the messages. This causes high customer service costs and damages the credibility of SMS messaging for bona fide advertising and m-commerce applications.

Premium Service Fraud

Fraudsters use many methods to try and persuade subscribers to call premium rate numbers. On method is the so called “Wangiri” or single ring fraud. This is where automated dialling connects to random subscribers and rings just once. The subscriber sees the missed call and calls back. Various methods are then used to try and hold him on the call as long as possible. Another approach is the “fat finger” fraud. This is used where fraudsters obtain numbers that are adjacent to heavily used genuine numbers, such as the number for a theatre or an airline. These numbers forward to a premium rate number and the caller is led through a series of genuine seeming voice mail options and finally left on hold, all the time clocking up costs on the premium rate line. These frauds can cause real distress to subscribers. This in turn causes high volumes of customer support calls, refunds and potential churn.

The Traditional Answer To Fraud

Many fraud systems rely on the analysis of call data records or CDRs. These records are generated by the switch once a call or session has been completed. Their principal purpose is to provide a way of billing the customer for the call or session. An analysis of CDRs will certainly show up many things. It can certainly reveal high usage and premium number based frauds. However it is very much an “after the fact” approach. Most switches buffer CDRs before forwarding them to fraud management systems. This means that a lot of fraud can be committed before the operator can react to close it down. One operator referred to it as “trying to stop shoplifting by analysing till receipts and stock levels”. Many now agree that a more real-time analysis is required; preferably something which allows automatic and immediate intervention to cut off frauds in progress.

SS7 Analysis

SS7 carries a huge amount of information in addition to anything carried by CDRs. It can reveal aspects of subscriber behaviour even if they do not make a call or initiate a data session. It can reveal, for example, a subscriber’s true location as well as every inter switch call attempt, every request for subscriber information, every update location request and the timings of events within calls.

This means that not only call SS7 analysis uncover more frauds in progress more quickly than CDR analysis, but it can also often reveal fraudsters preparing an attack. However it can be challenging to obtain and to analyse SS7 data. The necessary probes can be very expensive. And even a small network can generate several Gigabytes of data in just a few minutes. To be viable for many operators, low cost loss less probes and intelligent data management systems are therefore vital.

For certain types of fraud, such as SIM box fraud, it is useful to also use an external radio probe or “automated subscriber”. These can generate know calls of know duration. They can also report back any signalling that they see. This knowledge, once combined with the SS7 data, can be very powerful. It can even help to identify issues such as anti-steering of roaming.

Intervention

To be able to identify fraud is very useful. However unless you can take action, and take it quickly, its value is limited. You need an intelligent, automatic and on line fraud management system. This needs to be able to either hold up traffic pending advice from another system or human operator, to automatically re-direct in to another destination or to block traffic to or from specific destinations. The system needs to be highly agile. It needs to be able to adapt to meet new fraud threats. It also needs to be able to quickly develop its own responses as fraudsters launch their own counter measures.

Economies of Scale and Scope

There is no doubt that knowledge is the key to defeating fraud. This means that centralised fraud management systems may provide the ultimate solution. It would mean that knowledge gained about fraud patterns in one operator could be used to protect other operators. Solutions to counter new frauds could be rolled out to multiple operators immediately. This would reduce the “window of opportunity” for fraudsters to move on to attack other operators. A centralised approach would also help to share costs.

Precursor to Financial Fraud

Perhaps more worrying is the use of telecom fraud as a contributor to identity theft and financial fraud. Telecom frauds such as call forwarding fraud and SIM swap fraud are increasingly being used by criminals to circumvent transaction verification procedures. These fraud often lead to the victims losing thousands of pounds in a few minutes. For the operator they can result in serious loss of goodwill.

Under The Carpet

Simply trying to ignore the SS7 fraud threat, and hoping that it will go away, does not look like a sensible approach. A reliance on traditional CDR based fraud management systems alone, may also leave operators badly exposed. A pre-active approach based on SS7 analysis and automatic in-line intervention seems like the best answer. And the sooner, the better.