
Page 1: Kelvin Hilton k.c.hilton@staffs.ac.uk Fraud in Mobile Technologies

Kelvin Hilton k.c.hilton@staffs.ac.uk

Fraud in Mobile Technologies

Page 2:

15/07/2003 Copyright: All rights reserved. Not to be reproduced without consent. kch/soc/mc/mcfr page 2

Objectives

On completion you should understand:

- The scale of MC fraud
- Difficulties in producing quantitative / qualitative data on fraud
- Types of known fraud
- Strategies for identifying and preventing fraud

Page 3:

Statistical Sources

- Many fraudulent incidents go unreported, as most Operators prefer to under-publicise network security deficiencies
- Quantifying fraud is difficult due to the factors influencing the figures
- Sources for fraud statistics:
  - Operators
  - Cellular Telecommunications Industry Association (CTIA)
  - Governments
- Operators may inflate statistics to attempt to influence the introduction of “friendly” legislation
- Operators may deflate statistics to avoid discouraging subscribers

Page 4:

Defining the Cost of Fraud

Two classes of fraud:

- Soft Currency Fraud
  - Theoretical figure derived from lost revenue due to illegal use of services
  - Based on the assumption that the illegal use would have been paid for if the same use had been undertaken by a legal user
  - Basically piracy
- Hard Currency Fraud
  - Real money loss
  - Operator has to pay someone else for service usage when they will not be paid themselves

Page 5:

Estimates of the Cost of Fraud

- 1997 - Telcom and Network Security Review estimated the cost of fraud as between 4 – 6% of revenues
- 2000 - Mobile Europe estimated the cost at $13 billion (US), approximately 5% of revenues
- 2005 - Estimates between $30 - 40 billion (US) worldwide

Page 6:

Perpetrators

- Telecom fraud is now more lucrative than drug trafficking!
- Evidence that organised crime is hiring computer hackers
- Petty criminals
- General public
- Hackers seeking notoriety
- The Internet provides easy, worldwide access to fraud techniques / technologies

Page 7:

Categories of Fraud

- Voice fraud
- Subscriber fraud
- Data fraud
- Internal fraud
- Interconnection fraud
- Roaming fraud
- Technical fraud

Page 8:

Voice Fraud

- More and more modern commerce is conducted over the telephone
- Traditional services such as voice mail
- Interactive Voice Response (IVR) technology is accelerating voice services

An example is accessing voice mail services either to leave nuisance messages or to appropriate sensitive information.

Threat of impersonation for malicious or profitable motives.

Page 9:

Subscriber Fraud

- Common type of fraud
- Either:
  - a legitimate subscription obtained illegitimately
  - illegitimate use of a legitimate subscription

An example is when a misappropriated subscriber ID is used as a local proxy for international calls by using call forwarding.

Use of a legitimate subscriber’s network access for malicious or profitable motives.

Page 10:

Data Fraud

- 2.5G+ networks are packet switched, which exposes them to all of the threats faced by traditional computer networks: hacking, DoS, etc.

An example is IP spoofing to gain access to corporate networks by altering the source IP address in packets so that they appear to come from a legitimate user.

Removal, inspection or insertion of data onto a network for malicious or profitable motives.

Page 11:

Internal Fraud

- Operator data (subscriber, device, billing) is a valuable asset
- A degree of transparency is needed to service end-users
- Operator employees have ready access to data

An example is network operator employees manipulating call transaction records to conceal fraudulent activity.

Abuse of access to operator data by an employee for malicious or profitable motives.

Page 12:

Interconnection Fraud

- Operators negotiate service tariffs with fellow operators, for example to support roaming
- Operators charge for services based on these tariffs
- They are not obliged to use them
- The industry is very reticent about this type of fraud!

An example is arbitrage, where calls are passed through a third-party network where tariffs are lower than on the network the subscriber believes they are using.

Exploitation of operator interconnection agreements for malicious or profitable motives.

Page 13:

Roaming Fraud

- Very common type of fraud
- Using legitimate subscriber connections on networks that have roaming agreements with the subscriber’s network

A misappropriated subscriber’s account is used on a network with a roaming agreement with the legitimate subscriber’s network.

Exploitation of operator roaming agreements for malicious or profitable motives.

Page 14:

Technical Fraud

- Very common type of fraud
- Digital systems are more secure than the old analogue ones (which used to start each call by publishing, unmasked, the subscriber / device ID)
- However, all use Standards, and these are in the public domain!

An example is cloning, where a legitimate subscriber’s access is cloned and calls are made using their network access.

Use of counterfeiting or other technologies to duplicate, infiltrate or manipulate a mobile network for malicious or profitable motives.

Page 15:

Examples of Known Fraud (1)

Roaming fraud

- When operators have a roaming agreement, Operator A must pay Operator B for the time used on their network regardless of whether Operator A is paid for the time
- The principal problem is the time it takes for billing from Operator B to reach Operator A
  - Used to be 72 hours, now down to 24 using EDI from billing engines
  - The GSM Memorandum of Understanding states that any user exceeding 100 Special Drawing Rights (SDR), a universal currency specified by the IMF, must be billed within 24 hours

Page 16:

Examples of Known Fraud (2)

Roaming fraud cont…

- Example: SIM cards were taken out of phones acquired with false identities and mailed abroad, where they were used in call selling fraud. Call lengths of up to 10-12 hours
- In one case 110 call forwards were instigated in 2 hours, resulting in 12.5 hours of calls from one subscription
- Example: another call forward number was changed once a minute for 16 hours, resulting in £12,000 in calls
- One Operator shut down all calls to Vietnam because of suspected fraud levels; only 1 subscriber complained!

Page 17:

Examples of Known Fraud (3)

Cloning fraud

- GSM SIMs can be cloned because the authentication protocol has a flaw
- COMP128 is the algorithm used by most operators
- The problem is that the algorithm is a published standard and it leaks information at every attempt to connect. With a sufficient number of challenges to the SIM card, enough information can be gathered to deduce the SIM’s secret key
- Approximately 150,000 queries are required, which takes about 8-11 hours with a suitable smartcard reader
- Can be done over the air by base station spoofing

Page 18:

Examples of Known Fraud (4)

Cloning fraud cont…

- Any user can be tracked by their mobile phone with varying accuracy (within 100m in metropolitan areas with a large number of base stations)
- GSM phones have a unique IMEI (International Mobile Equipment Identity) and subscriber information, the IMSI (International Mobile Subscriber Identity)
- Law enforcement agencies can access this information in real-time and use it to track / locate individuals
- Therefore criminals use stolen or cloned phones to ensure anonymity
- US law enforcement agents have found that 80% of drug dealers arrested in the US were using cloned phones
- Staggeringly, Pablo Escobar was tracked down using his mobile phone activity

Page 19:

Examples of Known Fraud (5)

Internal Fraud

- Mobile markets are very competitive
- Operators subsidise handset charges (or even give handsets away) to entice new customers to subscribe
- Dealers can sell these handsets on (frequently to overseas dealers)
- Pre-paid handsets can be unlocked and used on any network

Page 20:

Examples of Known Fraud (6)

Subscription Fraud

- Call selling using the GSM conference calling feature
  - Fraudster acts as an "operator": sets up calls between parties, then drops the call and commences another
  - The cloned subscriber is billed for the call
- GSM call forwarding
  - Fraudster sets call forward to the required number
  - Caller calls the Fraudster’s phone and is transferred
  - Fraudster drops the call and starts over
  - Caller only pays for the call to the Fraudster’s phone
- Fraudsters offer an international “call box” from shops
  - The cloned subscriber is billed for all calls

Page 21:

Issues Affecting Fraud Management

- Most IP based security systems are only suitable for enforcing local, static security policies
- Mobile IP systems provide multiple entry points and dynamic access (the address changes on connection)
- A strategy for Fraud Management requires:
  - Maintaining the integrity of the entire infrastructure
  - Acting against the perpetrator, not the attempt
  - Flexible configurations
  - Extensibility
  - Intelligent data collection
  - Immediate feedback on abuse
  - Learning from experience to avoid recurrence

Page 22:

Fraud Management Systems (FMS)

- FMSs are sophisticated software systems that Operators use to detect / prevent fraud
- Data collection, interrogation and interpretation are major components of an FMS
- Mobile networks generate massive quantities of data
  - AT&T process 300 million+ calls a day
- Potential data sources are:
  - Application-Level Usage Records provided by:
    - VoIP Gateways, H.323 Gatekeepers, etc, which provide usage data
    - Email, web/WAP servers
    - Broadcast servers (music/video on demand)
    - Voice Switches
  - These feed into billing data (not all applications are billable!)

Page 23:

FMS – Data Sources

Potential data sources cont…

- Login & Authentication Records from:
  - RAS servers
  - LDAP servers
  - DHCP servers
  - DNS servers
  - Firewalls
  - VPNs
- Network monitoring services:
  - Routers & switches
  - Cisco Netflow
  - SNMP / Remote Monitor
  - Address translation
- Non-IP Network elements (eg Base Stations)

Page 24:

FMS – Intrusion Detection Systems (IDS)

- IDS use sophisticated algorithms for detecting abuse
- Combine leading-edge science (expert systems, data mining, AI, machine learning)
- Use various techniques:
  - Threshold-Based Analysis
  - Inference Rules Analysis
  - Profile-Based Analysis
  - Neural Networks

Page 25:

IDS – Threshold-Based Analysis

- Compares traffic patterns against predefined thresholds
- Premise – most Operator losses are due to large-scale professional Fraudsters
- Alerts can be triggered if the calls being made from a certain location exceed the threshold

For:
- Simple, efficient implementation, well suited to the large data volumes on Operator networks

Against:
- Threshold must be accurate
- Only detects certain types of fraud

Page 26:

IDS – Inference Rules Analysis

- Fraud-containment method based on expert systems and rule production engines
- Define and preconfigure sophisticated inference rules

For:
- Can detect sophisticated fraud
- Flexible

Against:
- Difficult to manage
- Requires highly-skilled programmers
- Requires constant updates to keep pace with new fraud techniques

Page 27:

IDS – Profile Based Analysis

- Based on the customer’s habitual usage pattern
- A profile is developed and any deviation from the profile triggers a positive alarm
- Periodic comparison (daily, weekly, etc)

For:
- Easy to read and analyse results
- Removes the need to preconfigure

Against:
- A genuine significant deviation in usage can trigger a large number of false positive alarms
- Investigation of an alarm is labour intensive, so a large number of alarms will be an expensive and laborious use of operator resources

Page 28:

IDS – Profile Based Analysis Example

Sample legitimate User Profile

Call Log

Name A Punter

Subscriber ID 34-24-32

Service Low Cost Business

Home Register Stafford

Date 01/01/2003

Number Location Duration

234-987 Stafford 06:15

123-4567 London 01:23

111-222 Birmingham 05:23

333-444 Stafford 10:02

21-22-012-567 Paris, France 12:43

335-567 Stafford 00:39

234-987 Stafford 02:02

341-144 Stafford 03:54

786-635 Glasgow 05:21

321-123 Stafford 09:12

Page 29:

IDS – Profile Based Analysis Example

Sample User Profile with anomalies

Call Log

Name A Punter

Subscriber ID 34-24-32

Service Low Cost Business

Home Register Stafford

Date 02/01/2003

Number Location Duration

11-22-234-234 Belgrade 123:23

11-22-123-456 Belgrade 94:35

11-22-567-890 Belgrade 170:16

333-444 Stafford 10:01

21-34-321-111 Osaka 88:28

335-567 Osaka 210:06

234-987 Stafford 1:45

341-144 Stafford 2:56

21-22-012-567 Paris, France 15:09

19-20-2122-23 Cape Town 123:34
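Profile-based and threshold-based analysis run over the two sample call logs above, as an added example that is not part of the original slides. The two logs are constructed inline from the slides' tables; the rules (a location absent from the habitual profile, a call longer than three times the habitual mean, and a daily total over 120 minutes) and their thresholds are assumptions chosen for illustration.

```python
"""Profile-based and threshold-based call-log analysis (added example).
Rules and thresholds below are illustrative assumptions, not an operator's FMS."""
from statistics import mean

# Day 1: the sample legitimate profile from the slides (constructed inline).
BASELINE_LOG = """\
234-987 Stafford 06:15
123-4567 London 01:23
111-222 Birmingham 05:23
333-444 Stafford 10:02
21-22-012-567 Paris, France 12:43
335-567 Stafford 00:39
234-987 Stafford 02:02
341-144 Stafford 03:54
786-635 Glasgow 05:21
321-123 Stafford 09:12
"""

# Day 2: the sample log with anomalies from the slides (constructed inline).
SUSPECT_LOG = """\
11-22-234-234 Belgrade 123:23
11-22-123-456 Belgrade 94:35
11-22-567-890 Belgrade 170:16
333-444 Stafford 10:01
21-34-321-111 Osaka 88:28
335-567 Osaka 210:06
234-987 Stafford 1:45
341-144 Stafford 2:56
21-22-012-567 Paris, France 15:09
19-20-2122-23 Cape Town 123:34
"""

def parse_log(text):
    """Parse 'number location mm:ss' lines; the location may contain spaces."""
    calls = []
    for line in text.splitlines():
        number, rest = line.split(maxsplit=1)
        location, duration = rest.rsplit(maxsplit=1)
        minutes, seconds = duration.split(":")
        calls.append((number, location, int(minutes) + int(seconds) / 60))
    return calls

def build_profile(calls):
    """Habitual usage pattern: locations called from and mean call length."""
    return {"locations": {loc for _, loc, _ in calls},
            "mean_minutes": mean(d for _, _, d in calls)}

def find_anomalies(profile, calls, deviation=3.0, daily_threshold=120.0):
    """Profile-based: unknown location, or duration above deviation x mean.
    Threshold-based: total minutes for the day above daily_threshold."""
    alarms = []
    for number, loc, minutes in calls:
        if loc not in profile["locations"]:
            alarms.append((number, "new location: " + loc))
        if minutes > deviation * profile["mean_minutes"]:
            alarms.append((number, f"long call: {minutes:.0f} min"))
    total = sum(m for _, _, m in calls)
    if total > daily_threshold:
        alarms.append(("*", f"daily total {total:.0f} min over threshold"))
    return alarms
```

Against its own day the baseline log raises no alarm; the second day raises one for every Belgrade, Osaka and Cape Town call plus the daily-total alarm, while the habitual Stafford and Paris calls pass.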

Page 30:

IDS – Neural Networks

- Systems simulating human thought and understanding
- Triggering of command chains in response to assimilation of data
- Can calculate and adapt User Profiles independently

For:
- Operational cost reductions as they adapt without human intervention

Against:
- Lack of logic
- Inherent problems of Profile Based Analysis

Page 31:

Review

- The scale of MC fraud
- Difficulties in producing quantitative / qualitative data on fraud
- Types of known fraud
- Strategies for identifying and preventing fraud

Page 32:

Questions ?