Fighting Cellular Fraud

Wireless carriers and fraudsters are essentially battling over the wireless marketplace-and the result is a virtual technology arms race. As wireless carriers introduce new antifraud technologies, illegal users create new forms of fraud to exploit unguarded weaknesses. There is every reason to believe that this trend will continue.

"One thing that the industry recognizes is that wireless fraud is big business," says Tom Prosia, vice president of marketing at antifraud technology vendor Coral Systems of Longmont, Colo. "We may in fact stem the tide due to a number of different types of technologies, but the criminal's cash flow model has got to continue. They will find the path of least resistance; they will find the weak link, to try to defraud the system in another way.

"When AT&T Wireless starts posting billboards in the subways of New York, targeting the criminals, basically telling them that they're watching, they're prosecuting aggressively, they're pursuing fraud; you know you've got a pretty significant problem."

A Serious Problem

The problem is unquestionably significant. The Cellular Telephone Industry Association (CTIA) reported cellular fraud losses of about $650 million for 1995-which amounts to 3.8% of total industry revenues. This figure may even be low. The CTIA derives its numbers through a member survey, but the surveys may not reflect an accurate measurement. "The problem we're having is that not all of our members track it [fraud losses] the same so we have a difficult time getting our arms around a figure. What we don't have is a uniform way of tracking," says Tom McClure, head of the CTIA's Fraud Task Force. The numbers are difficult to gauge because of opportunity costs involved, the possible loss of roaming revenues and other factors.

McClure also points out that the exact numbers are not nearly as important as recognizing that there is a major problem, that the wireless industry needs to do all it can to stop fraud, and that constant vigilance is necessary to detect and counteract any new types of fraud. For now, he believes the industry has "leapfrogged" in front of criminals with fraud-fighting steps. "But the situation is, if you have the position of the interior you must protect at all areas," he says. "The criminal only has to penetrate one weakness from the exterior."

Cloning and Subscription Fraud

Of the two predominant fraud categories, the best known is cloning. There are two identification numbers specific to a cellular phone: the electronic serial number or ESN, and the mobile identification number or MIN (the telephone number). In cloning, both these numbers are literally stolen out of the air. Any cellular phone operating on the AMPS network transmits its ESN/MIN combination to the nearest cell site when its power is on, even if a call is not in progress. Once a fraudster scans and downloads these numbers onto another phone, the "cloned" phone can be used at will with the calls charged to the user whose numbers were stolen. (With current technology, this type of fraud is not possible on PCS digital networks because the handsets are designed differently and any crucial information transmitted through the air is encrypted. PCS fraud will be discussed later in this article.)

The second major fraud type is subscription fraud. In this case, a person uses a false identity to obtain a wireless phone subscription. The fraudster can then run up enormous charges without paying the bills. Often, they use valid information stolen from legitimate people. These innocent victims might have their credit ruined without even knowing. What the criminal wants, says McClure, is anonymity-which allows him or her to conduct business without being traced.

Some Side Effects

Actual fraudulent usage is costly to wireless carriers, but it also has some serious peripheral effects. One of the worst side effects of fraud is the customer churn it can create. If the average user arrives at home to find an outrageously high, fraud-ridden cellular bill, she will likely become upset with her cellular carrier even if she doesn't have to pay for the illegal usage. As she works to cancel her cloned phone, she may also decide it's time to switch to a different carrier because she feels unprotected. Fraud becomes a double-edged sword when cellular carriers lose good, paying subscribers. To reduce this problem carriers are making fraud transparent to the end-user. How is this done? By not letting the subscriber see fraudulent charges on the bill.

Profiling the Bill

One way to accomplish this is through profiling software such as Coral Systems' FraudBuster, currently used by Sprint PCS, American Personal Communications (APC) and Western Wireless. There are several different profiling systems on the market. Profilers break subscribers into groups based on typical usage patterns. By monitoring information taken from the switch and billing system, the profiler compares actual usage against the parameters of a customer's categorized usage profile. If a call is made that falls outside the set parameters, the event is flagged and assigned a point value. As events recur, "the score is added up and the severity of the event is determined by an investigator," says Tina Metivier, product manager for FraudBuster. If fraudulent usage is indicated, a case manager takes over to investigate.

Though such a system is reactive-only detecting fraud after it has occurred rather than preventing it-it does have some strong benefits. Profiling can track just about any type of fraud, including both subscription fraud and cloning. An illegal user will generally give false home and office numbers when acquiring service he never intends to pay for. One easy tipoff for the profiling system is to find that no calls are being made to the given home or office numbers. Similarly, if the phone of a subscriber grouped in the minimum usage category suddenly has several costly international calls, an investigator could deduce that this phone may have been cloned and is being used illegally.

"scrubbing" the Bill

One of FraudBuster's strongest features is its ability to detect fraudulent usage, separate it from valid usage, and instruct a billing system to "scrub" a customer's bill, eliminating any fraudulent charges. This is especially helpful with cloning, where fraudulent charges may end up on the valid subscriber's bill. If inflated charges from fraudulent use are removed from the bill before it goes to the subscriber, the customer will likely never be shocked into changing carriers. Profiling technology also allows a carrier to detect fraud and contact the customer whose phone may have been cloned. The carrier can alert the customer to the problem and take care of it immediately, making the customer feel safer and more comfortable. With profiling technology "we are moving from the upset customer to the one who says 'thank you very much,'" says McClure. AMPS carriers definitely need to keep their customers smiling, especially as PCS technology becomes more available. PCS is being marketed as a fraud-free technology, and while this may appear attractive to the consumer, it is not entirely true.

Fraud-free PCS: Believe It or Not

"The myth about PCS being a fraud-free environment is exactly that: a myth," says Michelle Wheeler, product manager for subscription fraud products at Lightbridge, Inc. of Waltham, Mass. In truth, PCS technology is currently clone proof, not fraud proof. PCS phones use a Subscriber Identity Module (SIM) card that can be moved from phone to phone. The user's subscription information is embedded in the card so cloning the phone is pointless. As mentioned earlier, all critical information transmitted over PCS networks is encrypted so it cannot be snatched easily out of the air. There have been some rumors that SIM cards have been duplicated, but there is no hard evidence to show that the technology has been compromised. One of the greatest attractions of PCS technology is the improved customer care and advanced services it can enable. Ironically, however, the technology that can improve customer care is also potentially harmful. "All the things that eliminate the hurdles to actually get you on the network in fact contribute to the potential for subscription fraud," says Coral Systems' Prosia. In the phone-in-a-box, over-the-air activation realm of PCS, subscription fraud is becoming easier, and it can be as big a problem for PCS carriers as cloning has been for AMPS carriers. Though subscription fraud is less apparent to the subscriber, it still has negative effects. As long as there is fraud, subscribers will pay for it in higher rates.

Another problem, especially in Europe, is that some PCS dealers, fighting for subscribers and striving to meet subscription incentives, are knowingly activating fraudulent subscriptions. Either in collusion with fraudsters or simply to meet quotas, dealers can, for example, sneak an extra subscription into a large corporate account hoping the carrier won't notice. What's more, even legitimate dealers cannot be expected to handle the task of preventing subscription fraud. "The dealer needs to have a certain level of training and knowledge, but not too much. They really can't be in a position where they are trying to scrutinize the people who are applying; it's somebody else's job to do that. They're in the position to put the good face out to the world and not to potentially alienate people," says Wheeler. What's at issue is preventing subscription fraud without scaring away valid customers.

One system, designed to handle the most sophisticated subscription fraud, is Lightbridge's Fraud Sentinel. "Giving someone cellular service is like giving them an open line of credit" comments Wheeler. PCS carriers and AMPS carriers alike need to be sure that they are not developing a customer base consisting of many fraudulent users. Fraud Sentinel gives a carrier three security checkpoints to help verify that a new subscriber is legitimate. The three checkpoints are:
• Postalpro, which verifies the address to make sure street, city and zip code all mesh. Any false combination will be flagged and rejected.
• Fraud Detect, developed by Trans Union, which checks social security numbers to make sure that they match with the given date of birth and that they belong to a living person. Fraud Detect also checks phone number and area codes against the given address, and checks to make sure that the given business address is not unreasonable given the home address. This checkpoint also verifies driver's license information.
• ProFile, an industry database developed by Lightbridge, which has more than 500,000 records of previous write-offs and shut-offs. The system checks to make sure that the new subscriber is not blacklisted nationally.
The dealer must check all this information with the carrier. If a discrepancy is flagged, the dealer is told that the subscription is pending, while the problem is verified. Once verified, a trained credit analyst gets on the phone with the customer to determine what the situation is. The analyst is trained to derive the truth from the subscriber without scaring off or offending a legitimate customer. Usually, a person attempting fraud will just walk away rather than risk detection. The carrier, of course, is never required to take on a subscription it suspects of being fraudulent.
A Constant Struggle

New types of fraud are bound to appear as the industry continues to crack down on current problems. "We think the next attacks will be on our networks. We are shoring those networks up, we're putting up the right firewalls, our carriers are putting together teams of people to study their networks to make sure that they are secure, so that they keep these hackers out of the system," says McClure. More than 10,000 law enforcement officials, led by the U.S. Secret Service, have been trained to watch out for wireless fraud. "I spent 20 years as a federal agent tracking down these criminals," notes McClure. "They do stupid things and that's how we catch them."

The most important thing is that both the AMPS and PCS industries are wise to fraud and recognize that it must be minimized if not eliminated. Technologies such as profiling must be implemented to detect new types of fraud and keep wrongful charges off the subscriber's bill. Furthermore, technology such as verification and RF-fingerprinting must be used to prevent fraud on the front end. The key for carriers is to remain vigilant, not only to protect themselves from the losses from illegal usage, but to make their paying customers feel protected so that they remain loyal. As well, carriers need to be sure that their antifraud efforts do not result in a loss of good customers.

Verification, RF Fingerprinting and Authentication

Three technologies designed specifically to fight cloning fraud are roamer verification, radio frequency fingerprinting and authentication.
Roamer verification is extremely important to AMPS cellular carriers because it protects their most valuable resource: national roaming coverage. AMPS carriers have been hurt badly by cloners who "hide-out" in roaming markets; some carriers have stopped providing roaming service in high fraud areas such as New York, Los Angeles and Miami. Suspension of roaming service, known as "brown outs," can be bad for business-especially as PCS gains greater coverage-because subscribers expect to be able to use their AMPS phones wherever they travel in the United States.

"While they [AMPS carriers] have the widest coverage and will have for the next several years, if customers arrive in a foreign market and don't receive service, they will gain the impression that the coverage of PCS is better than cellular. The perception is more important than the actuality," says Robert A. Stuernagel, vice president of marketing and sales at Authentix Networks. A verification system, such as Authentix's Roamer Verification System, can allow a cellular carrier to avoid brown outs and the resultant negative perceptions. When a subscriber roams into a high fraud market and initially attempts to make a call, the call is intercepted by the system and routed to the home carrier's customer service department. An agent then asks for a specific piece of information that only the valid subscriber would know, such as a social security number, and asks how long the customer will need roaming service. Once verified, the subscriber can use the phone freely and may feel more comfortable knowing about these fraud-protection features. There is a potential market for roamer verification technology with PCS carriers as well. Once dual-mode phones are introduced, if the second mode is AMPS, these phones also will need to be protected from possible cloning. Radio frequency, or RF fingerprinting, is another anti-cloning technology. The technology employed in RF fingerprinting was originally developed for the U.S. government to track reconnaissance targets by radio frequency. The basis of this technology is that no two transmitters create an identical signal. Therefore, a wireless phone's unique signal "fingerprint" can be matched to its ESN/MIN combination. Every call made is scanned by the system to verify that the fingerprint and the ESN/MIN go together, which they would not if the call was made from a cloned phone. If there is no match, the call is not connected. This technology potentially is extremely effective, but it is expensive and requires each cell site to be armed with special hardware. RF fingerprinting is being used in many major markets, such as Los Angeles and Chicago, but it has yet to achieve national coverage.

Authentication is the third anti-cloning technology and the one which most cellular carriers seem to be moving toward. This technology requires that a specially equipped handset be used, which generates an algorithm along with the ESN/MIN combination. The authentication system attached to the network is programmed to recognize the algorithm in order to verify a legitimate user. The only problem with this technology is that it is five to 10 years away from being fully realized. With more than 36 million non-authentication equipped phones already operating, the transition process will not be rapid, and AMPS carriers need to protect their networks immediately.