The $14 Billion Brawl: The Fight Against Telecommunications Fraud

If the telecommunications industry has a collective voice, that voice emanates from the folks who fight fraud. Whether wireless or wireline carrier, U.S. or non-U.S. carrier, consultant or software/equipment vendor, the common cry is to pull together as an industry. While fraud departments have an intense desire to stop criminals, not just minimize losses, they require the tools and the wherewithal to do so.

When carriers lament serious revenue drains, fraud is always high on the list, along with customer churn, traffic billing gaps and bad debt. These drains are serious enough to make any industry CFO see red--figuratively and literally. Globally, fraud is gauged as anywhere from a $6-billion to $14-billion annual criminal industry. It could be higher.

The Needy

“Not many carriers conduct an adequate fraud risk assessment,” says Phil Kelly, director of Fraud Management, Ltd. (FML), a consultancy based in the U.K. “This is the key problem definition phase, but too many carriers reduce it down to reliance on fraud systems and profilers to just get in and do the job.” FML, publishers of Fraud Yearbook (www.fraudmanagement.com), uses a structured assessment approach that examines marketing and business plans, conducts interviews with personnel and reviews processes. It takes a rigorous look at the company itself, how criminals will attack, how systems will be attacked, and how criminals will use employees, buildings and processes to attain their objectives.

“Prevention, detection, analysis and response, with measurement in the middle,” says FML’s Kelly, “are the components of a solid [anti-] fraud posture.” Once the fraud variations have been identified, each risk can be measured using fraud-modeling techniques. FML’s technique establishes an annual loss expectancy for each risk, defined by FML as what a carrier can expect to lose over a year--the frequency of expected loss times the probability of losses times a typical loss for a given fraud type. This equation provides a way to calculate in dollars what a carrier is going to lose through, for example, subscription fraud, and what the typical loss will be throughout the year. The equation adjusts for not seeing all fraud, and for writing some off as bad debt. It further allows for prioritization of risk, which could run to 100 to 200 types. “If it is not a granular classification,” adds Kelly, “then how can one understand how to fight off all the attacks?”

In the 4M classification structure--motive, means, mode and method--motive and means are from the criminal’s perspective. Mode is how the criminal goes about it: through subscription, surfing, ghosting or accounting fraud. Subscription fraud is identity based, and is increasingly true-identity fraud. Surfing is a fraudster piggybacking on a valid account, through cloning, obtaining calling card numbers and other means. Ghosting is network-based, with no account in the billing system, or with the CDRs being suppressed, deleted or amended before reaching the billing system. ICG Netcom’s Ames has even seen circuits in the access network or switch with no billable account for the CDRs to go to. Accounting involves abuse of the billing system to give credits, refunds and the like.

“Design controls assigned to these modes, and to specific risks,” recommends FML’s Kelly. “The best tool is not always grabbing the first $1 million profiler off the shelf because profilers rarely work with risk before the loss is incurred.” A carrier’s needs are largely specific to that carrier, so the recommendation is against going for a “blueprint” solution: generic countermeasures are necessary, but each carrier is unique.

“So much of the needs assessment is based on your markets,” says Adrieanna Glover, manager of Loss Prevention at Alltel, “and the criticality of tools to fight fraud. In our move to go to A-key authentication, our current needs assessment revealed limitations in our switches.” Alltel examines how much it loses to fraud through different means, and aligns this to tools and resources. In addition, they establish expectations and set goals as a measure of progress.

“Since we want to keep criminals off our network,” says ICG Netcom’s Ames, “we would rather focus on prevention of fraud rather than just loss minimization.” This requires an arsenal of Lightbridge or NCTDE (Equifax) interfaces--real-time and near-real-time call data, changeable thresholds, immediate deactivations and tear-downs and tools for subscriber profiling--to identify and manage hot originating and terminating numbers, high toll, long duration calls and more.

“When performing ongoing needs assessment, we assume a strong product orientation,” explains Chris Ferguson, group manager of Risk Management at Sprint. From a long distance perspective, Ferguson’s group looks at every product Sprint offers, including calling card, 1+, operator services and toll-free services. They also closely examine services their long distance customers may purchase from a LEC that would transit the Sprint long distance network, such as remote call forwarding (RCF).

RCF is particularly susceptible to fraud because it allows a way to disguise the call origination point. The fraudster contacts the LEC that a subscriber has existing service with, pretending to be the subscriber, then orders RCF on the subscriber’s phone without the subscriber’s knowledge. The fraudster gets to set up an RCF password for it, with all the numbers that can be dialed from the remote phone. The criminal may forward the subscriber’s phone to Sprint’s 800 or another IXC carrier’s access number. While the subscriber may live in Kansas, the criminal is in New York. Now dialing from New York to Kansas is enabled, which is not a high-risk traffic corridor. As soon as the fraudster connects to the subscriber’s phone and receives the bong tone, he can dial out on a stolen calling card to China or elsewhere. Neither calls from New York to Kansas nor calls from Kansas to China look suspicious, while calls from New York to China may.

SS7 tags calls that have been forwarded, or are 3-way, to provide some help with RCF fraud. However, few carriers have a usable, automated interface from SS7 into the fraud management systems. Today it is generally a manual interface, and a record must be created from an SS7 message for an analyst to examine. SS7 and how it may assist in the fight against fraud is part of most carriers’ current needs assessment.

Sprint’s Ferguson praises the cooperation between carriers on the fraud front: “Fraudsters have become more sophisticated, using 2 or 3 carriers for legs of a fraudulent call. We may see fraud on a Sprint FONCARD, but it is originating on an AT&T or MCI 800 number. We will contact AT&T or MCI to work through it, as they do with us. And we will share emerging fraud types, patterns and trends.”

Shadows of Shifting Emphasis

FML’s Kelly defines fraud migration and fraud shift: “Fraud migration is where we see one carrier or part of a carrier offer more attractive products and [therefore] attract fraudsters to them by nature of the product. Fraud shift is where we move the fraudster off because we do something they don’t like, and it shifts the problem somewhere else.”

Fraud emphasis seems momentarily focused more on subscription fraud (using fabricated identities or the legitimate identities of others) than ever before. Digital wireless, along with authentication techniques and RF fingerprinting, means that telecommunications thieves have less opportunity to engage in practices such as cloning--stealing numbers from the air and illegally duplicating the stolen numbers. Meanwhile, calling card fraud, the old enemy, is used with other types of fraud instead of alone. Fraudsters use PBXs from multiple locations, looping, open ports in switches and cloned or stolen wireless handsets, along with the compromised cards. The losses are minimized because calling card providers have become smarter and more sophisticated in their fraud detection methods.

Sprint reports that last year it experienced a resurgence in clip-on toll fraud, in which a thief connects between someone’s phone and the central office, or onto a business’s PBX, and makes unauthorized calls.

Fraud management systems must continue to evolve not only to fight new types of fraud, but become more diligent at fighting the older fraud types, such as cloning and calling card fraud.

Fraud Management Systems

“Fraud management systems, regardless of abundance of features, are only as effective as the ability to wrap adequate business processes around them,” says FML consultant Kelly. “Profilers, particularly, are susceptible to a self-fulfilling prophecy that shows a carrier has reduced or eradicated fraud, because parameters may be set at a given level and nothing below that is deemed fraud by the system. Those who may not be able to identify all their fraud may claim they have a very low fraud problem, but may not know where to look.” FML points out that profilers are valuable, but are only part of the fraud-fighting retinue. Kelly’s iceberg analogy is appropriate: “If you only chop off the tip of the problem, you may never see what is really under the water.”

Fraud management systems have in the past suffered from first-call exposure, at a minimum. Sprint has evolved its fraud management system to function now as a loss prevention device, rather than as a loss minimization tool, by redesigning the front-end so it can stop a call right away if the fraud probability is high enough.

Originally developing its fraud management system in the mid-1980s as an inference engine running on a Symbolics database with near-real-time CDR feeds, Sprint embarked immediately thereafter on a program of continuous update. Now patented, Sprint’s fraud management system runs under Unix on an Oracle database, utilizing memory-based reasoning. According to Ferguson, ancillary tools supplement Sprint’s system for CART and related analyses. A 2-level system, it takes a broad sweep that considers network activity, such as whether the traffic intensity along a given corridor is normal for a Monday morning. It then can drill down to anomalies and grapple with them at the account level. If it blocks a calling card for suspected fraud, it “hotlines” the next call into the fraud management center. It can reactivate a calling card within a minute, and takes call data from operator service centers (such as monitoring third party charging) as well as raw data from each switch.

Sprint, like most major long distance and local carriers, uses the Equifax-managed NCTDE, an industry-wide negative database used to deter subscription fraud and to reduce bad debt. Not only will it check subscriptions, but it will also send new address information to the last carrier if a customer has moved on with a past due balance.

Lightbridge, with its ProFile database, has gained wide acceptance for a similar inter-carrier subscription checking capability, in the wireless segment, for write-offs and shut-offs. As of November, 71 markets nationwide were accessing ProFile.

The Profiler

Most carriers use profiling systems today. These are rules and threshold-based applications, with interfaces to the switches through site collectors or mediation processors, to bring in CDRs as near to real-time as possible. A translator extracts a subset of the CDR and formats it for the profiler. The profiler rules are established around factors such as velocity, collision, and hot originating and terminating locations. The thresholds are changeable and vary by carrier, and are usually crafted so as to reduce the number of “false-positive” alarms. However, the inverse effect is to reduce the fraud visibility window, in that anything under the threshold is allowed, even if fraudulent. Given this, a profiler by itself is generally regarded as a loss minimization tool and not a loss prevention tool. The software profiles calling patterns based on the data in the CDRs, and when a deviation from a normal profile occurs, alarms are tripped and a case is generated. Although profilers compile data and reason against existing profiles, the fraud cases are usually generated for human review for authenticity.

“The next generation of profilers is coming in,” says Alltel’s Glover, “and we want to see profiling based on the individual patterns of subscribers--along with being Y2K compliant. We want link analysis to patterns and account information back to known bad guys.”

Carriers also want profiling systems that can trend by market in order to identify hotspots, and to be able to set thresholds by market rather than globally. The hunt is on, and carriers such as Alltel are assessing profilers from GTE TSI, SystemsLink and others.

The New Breed of Profiler

Usage-only profiling arguably generates too many false-positives, especially as more sensitive thresholds are set. Too many alerts result in raising the bar, increasing the thresholds so that caseload is not so high. Unfortunately, what is indicative of fraud is also indicative of good behavior, so 25 calls to Karachi or Bogota could generate an alert that may or may not be false, depending on who is calling. But don’t doubt for a moment that fraudsters learn where given carriers set their thresholds, and subsequently operate just below the bar. Sometimes it is darn you if you do, and darn you if you don’t. Although the current generation of profilers must be credited with lowering fraud losses tremendously, many assert it is time to go to the next level and not profile based just on usage anymore.

“Subscriber profiling is the next technique in fraud detection,” says Simon Williams, vice president of Sales at Nortel Fraud Systems. “Everyone has individual behavior patterns, and we need to analyze each subscriber to find fraud.”

With subscriber profiling, each CDR must be examined for certain characteristics: to, from, duration, type of service (international, premium rate) and about 30 other data items. Subscriber profiling establishes a profile of behavior for every caller. A current profile is built and compared to recent history, such as the previous week, then against a longer period, looking for anomalous behavior.
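An added example, not code from the article or from any vendor it names, that puts the two approaches side by side: a rules/threshold profiler (velocity, collision, hot destinations) and a per-subscriber profile compared against that subscriber's own recent history. The CDR fields, thresholds and traffic are all constructed; in this data a surfed account stays under every threshold and is caught only by the subscriber profile, while a cloned handset trips the collision rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class CDR:
    """The CDR subset a profiler's translator might keep (constructed fields)."""
    subscriber: str    # account or MIN
    start: datetime
    duration_s: int
    dest_country: str  # terminating country code
    cell: str          # originating cell site or switch

HOT_DESTINATIONS = {"PK", "CO"}  # constructed "hot terminating" list

def _by_subscriber(cdrs):
    groups = defaultdict(list)
    for c in cdrs:
        groups[c.subscriber].append(c)
    return {s: sorted(r, key=lambda c: c.start) for s, r in groups.items()}

def rule_alerts(cdrs, velocity_per_hour=20, hot_calls_per_day=25):
    """Velocity, collision and hot-destination rules. Anything under the bar passes."""
    alerts = set()
    for sub, recs in _by_subscriber(cdrs).items():
        hot_per_day = defaultdict(int)
        for i, c in enumerate(recs):
            # Velocity: calls started within one rolling hour.
            in_hour = [r for r in recs[i:] if r.start - c.start < timedelta(hours=1)]
            if len(in_hour) > velocity_per_hour:
                alerts.add((sub, "velocity"))
            if c.dest_country in HOT_DESTINATIONS:
                hot_per_day[c.start.date()] += 1
            # Collision: next call starts at another cell while this one is still up,
            # which one handset cannot do; the classic cloning indicator.
            if i + 1 < len(recs):
                nxt = recs[i + 1]
                if nxt.start < c.start + timedelta(seconds=c.duration_s) and nxt.cell != c.cell:
                    alerts.add((sub, "collision"))
        if any(n > hot_calls_per_day for n in hot_per_day.values()):
            alerts.add((sub, "hot_destination"))
    return alerts

def _daily_features(recs, first_day, ndays):
    """Per-day [call count, international seconds]; days without calls count as zero."""
    days = {first_day + timedelta(days=i): [0, 0] for i in range(ndays)}
    for r in recs:
        feats = days.get(r.start.date())
        if feats is not None:
            feats[0] += 1
            if r.dest_country != "US":
                feats[1] += r.duration_s
    return days

def subscriber_alerts(cdrs, now, history_days=21, current_days=7, k=3.0):
    """Compare each subscriber's current week against their own recent history."""
    alerts = set()
    cutoff = now - timedelta(days=current_days)
    hist_start = cutoff - timedelta(days=history_days)
    for sub, recs in _by_subscriber(cdrs).items():
        hist = _daily_features([r for r in recs if hist_start <= r.start < cutoff], hist_start.date(), history_days)
        curr = _daily_features([r for r in recs if r.start >= cutoff], cutoff.date(), current_days)
        if not any(v[0] for v in hist.values()):
            continue  # no history yet: the rules profiler has to carry this subscriber
        for idx, name in ((0, "calls_per_day"), (1, "intl_seconds_per_day")):
            base = [v[idx] for v in hist.values()]
            # Never dialled abroad means mean 0 and spread 0: the first such call is the anomaly.
            limit = mean(base) + k * pstdev(base)
            if any(v[idx] > limit for v in curr.values()):
                alerts.add((sub, name))
    return alerts

def constructed_cdrs(now):
    """Five weeks of constructed traffic for two subscribers, A and B."""
    day0 = now - timedelta(days=35)
    cdrs = []
    for d in range(35):
        for h in (9, 13, 18):  # A: three domestic calls a day from one cell
            cdrs.append(CDR("A", day0 + timedelta(days=d, hours=h), 240, "US", "cell-7"))
        cdrs.append(CDR("B", day0 + timedelta(days=d, hours=8), 180, "US", "cell-2"))
    # A's account is surfed over the last three days: 15 calls a day to a hot
    # destination, deliberately under the 25/day and 20/hour thresholds.
    for d in range(32, 35):
        for i in range(15):
            cdrs.append(CDR("A", day0 + timedelta(days=d, hours=20, minutes=6 * i), 300, "PK", "cell-7"))
    # B is cloned: a second handset is up at another cell during B's own call.
    cdrs.append(CDR("B", day0 + timedelta(days=34, hours=8, minutes=1), 600, "CO", "cell-9"))
    return cdrs

def demo(now=datetime(1998, 11, 30)):
    cdrs = constructed_cdrs(now)
    return {"rules": sorted(rule_alerts(cdrs)), "subscriber": sorted(subscriber_alerts(cdrs, now))}
```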

Nortel has developed SuperSleuth, a neural network profiling product for both wireless and wireline, which uses subscriber profiling and assumes a fraud prevention, rather than fraud minimization, posture--looking to be aware that something is happening while a call is in progress, at the switch level. “If I am taking real-time data, I better be able to deal with it real-time or the benefits go away,” says Nortel’s Williams.

SuperSleuth’s neural network uses arithmetical progression, as opposed to algorithms, allowing it to process huge volumes of data. Neural networks learn. If an analyst tells the system that it has alerted incorrectly, the system can recalibrate (learn), rather than force administrative overhead of resetting thresholds. The user interface allows toggles on subscriber profiles to “correct-correct-return,” updating profiles. This eventually results in fewer false-positives.

Since a neural network learns as it goes, and Nortel’s product is no exception, it is not on day one as agile or intelligent as later on, just like the human brain. “Our clients ask, ‘are we exposed as a new carrier coming on-line?’” says Williams. “Since the neural network must learn, Nortel added traditional rules and thresholds front-end.” With this hybrid solution, carriers have a front-line of defense while the system builds profiles. It can use comparable behaviors, and a knowledge module with examples of behavior seen at other carriers pulls it up at a bootstrap level. The more data, the better and more accurate it becomes. It has a quasi-rating engine that gives a rough valuation to calls.

SuperSleuth operates on an HP9000 box, and is structured in three modules, while the call information query (CIQ) module is on an Oracle database. It receives CDRs from the switches through a mediation device. The front-end is a customizable parser, coded in C++, that strips out 30-40 characteristics (with capability for up to 120) from every CDR. The CDRs are streamed into the subscriber profiling modules, which run in parallel with the rules and thresholds module. The system feeds to a GUI back-end, where it displays probability of fraud. The analyst double-clicks on an alert to see why the system thinks it is fraudulent, and can look at variations on patterns, day by day, type of service, and other data. The system can drill down to another level of statistics, but does not prompt for the next step in procedure, nor will it take down service or perform call tear-down. That is left to the discretion of the carrier.

Subsequent development will have SS7-based signaling information to complement completed CDRs, and will look at uncompleted information as well, such as call attempts. Utilizing SS7 messages, SuperSleuth will be able to look at calls in progress.

Installed at Viag in Germany and Esat Telecom in Ireland, SuperSleuth takes about 8 weeks to implement. It requires standard alignment, that is, with the nature of the CDR stream and with the CDR characteristics relevant for a given carrier in its marketplace. Nortel manages parser maintenance. The neural network can be taught with existing data before it goes live, if the carrier is an incumbent with retained data.

Time Is on Our Side

An attractive alternative to using switch-based CDRs exclusively is to use an SS7 link monitoring system to create real-time CDRs directly from the SS7 protocol--a layered protocol used to set up calls in a modern digital network and to control communications between switches. The link monitoring system gathers the signaling units non-intrusively using high-impedance probes usually deployed around signal transfer point (STP) sites. By monitoring the messages flowing across the SS7 links, the link monitoring system can build CDRs for selected calls.

Since these CDRs can be produced seconds after the call begins, there is no delay in delivering the CDRs to the fraud system. In addition, CDRs can also be delivered when a call exceeds a specified length, so that suspicious calls, say those exceeding 15 minutes, can be detected while they are in progress. One final advantage of SS7-based CDRs is that even if billing records for a particular number or group of numbers have been disabled on the switch, calls originating from that number will be seen by the link monitoring system. This might indicate insider fraud or incorrect configuration of the switch.

A real-time CDR can be generated from SS7 messages flowing between the originating and terminating switches. Starting with an Initial Address Message (IAM), the link monitoring system CDR generator collects the messages relating to the call and generates a CDR when or before the call completes. The CDR generator is programmed to build only selected CDRs--for example, CDRs for international calls to high-risk fraud destinations. The CDR will contain information on the calling and called numbers and the call duration. The CDR generator can also be programmed to provide additional fields as required, such as the carrier who originated the call, the type of call (for example, pay phone or ISDN) and whether the call has been billed to a different charging number.

The CDR generator must be able to collect and correlate CDRs even when the messages relating to the calls have been diversely routed through the SS7 network. Diverse routing is used to increase the reliability of the SS7 network and to reduce link loading. Consequently, not all the messages the CDR generator needs to build a CDR may be present at the same STP site. The CDR generator therefore needs to include complex filtering, with cross-triggering between STP sites, and fast searching and matching.

The programmable CDR generator builds call records for suspect calls directly from the SS7 protocol. Typically, the CDR generator will be programmed to build CDRs for calls only to known or high-risk destinations. The CDR generator could be programmed to produce CDRs from a particular calling number or numbers. This flexibility allows the system to be modified to look for new types of fraud or changing fraud patterns.
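As an added example (not the article's or any vendor's code), a simplified CDR generator covering the points above: it keys ISUP messages on the point-code pair plus CIC so that messages captured at different STP sites correlate, builds records only for watched destinations or calling numbers, flags forwarded calls from the IAM's redirecting number, and emits an interim record when an answered call passes 15 minutes. The message layout and the trace are constructed, not a real ISUP encoding.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Msg:
    """Simplified ISUP message as seen by a link-monitoring probe (constructed fields)."""
    t: float               # capture time, seconds
    site: str              # STP site whose probe saw it
    kind: str              # "IAM", "ACM", "ANM" or "REL"
    opc: int               # originating point code
    dpc: int               # destination point code
    cic: int               # circuit identification code
    calling: str = ""      # IAM only
    called: str = ""       # IAM only
    redirecting: str = ""  # IAM only; present when the call was forwarded

def circuit_key(m):
    # Backward messages carry the point codes swapped, so key on the unordered pair plus
    # CIC; that is what lets messages captured at different STP sites match up.
    return (frozenset((m.opc, m.dpc)), m.cic)

@dataclass
class CallState:
    iam: Msg
    answered_at: float = None
    interim_sent: bool = False
    sites: set = field(default_factory=set)

@dataclass(frozen=True)
class CDR:
    calling: str
    called: str
    duration_s: float
    complete: bool   # False for an interim record on a call still in progress
    forwarded: bool  # the IAM carried a redirecting number
    sites: tuple     # STP sites that contributed messages

class CdrGenerator:
    def __init__(self, watched_prefixes=(), watched_callers=(), long_call_s=900):
        self.watched_prefixes = tuple(watched_prefixes)
        self.watched_callers = set(watched_callers)
        self.long_call_s = long_call_s
        self.calls = {}  # circuit_key -> CallState of selected calls in progress

    def _record(self, st, now, complete):
        dur = now - st.answered_at if st.answered_at is not None else 0.0
        return CDR(st.iam.calling, st.iam.called, dur, complete, bool(st.iam.redirecting), tuple(sorted(st.sites)))

    def feed(self, m):
        """Process one message; return [CDR] when a selected call releases, else []."""
        key = circuit_key(m)
        if m.kind == "IAM":
            # Filter at set-up time: an unselected call costs nothing further.
            if m.called.startswith(self.watched_prefixes) or m.calling in self.watched_callers:
                self.calls[key] = CallState(iam=m, sites={m.site})
        elif key in self.calls:
            st = self.calls[key]
            st.sites.add(m.site)
            if m.kind == "ANM":
                st.answered_at = m.t
            elif m.kind == "REL":
                del self.calls[key]
                return [self._record(st, m.t, complete=True)]
        return []

    def tick(self, now):
        # Interim CDRs for answered calls that have passed the long-call threshold.
        out = []
        for st in self.calls.values():
            if st.answered_at is not None and not st.interim_sent and now - st.answered_at >= self.long_call_s:
                st.interim_sent = True
                out.append(self._record(st, now, complete=False))
        return out

def constructed_trace():
    """Two calls whose messages are split between two STP sites (constructed)."""
    return [
        # CIC 7: domestic call, not selected, so no CDR is ever built for it.
        Msg(0.0, "stp-east", "IAM", 101, 202, 7, calling="3165550100", called="9135550199"),
        # CIC 8: a forwarded line dialling a watched international prefix.
        Msg(1.0, "stp-east", "IAM", 101, 202, 8, calling="3165550123",
            called="011862155501234", redirecting="2125550177"),
        Msg(6.0, "stp-west", "ANM", 202, 101, 8),
        Msg(30.0, "stp-east", "REL", 101, 202, 7),
        Msg(1400.0, "stp-east", "REL", 101, 202, 8),
    ]

def run(trace, tick_every=300):
    gen = CdrGenerator(watched_prefixes=("01186",), long_call_s=900)  # 15-minute alert
    cdrs, next_tick = [], tick_every
    for m in trace:
        while next_tick <= m.t:  # run the in-progress check between messages
            cdrs.extend(gen.tick(next_tick))
            next_tick += tick_every
        cdrs.extend(gen.feed(m))
    return cdrs
```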

That Is the Question

To RF fingerprint or authenticate in wireless? The debate rages on, but there is admirable success using both methods of fraud prevention against the most insidious of wireless fraud--cloning. “Authentication,” says Alltel’s Glover, “is being touted as the silver bullet to prevent cloning fraud.”

Borrowed from GSM, A-key authentication is a switch-based solution. The handset itself has the A-key algorithm encrypted within it. When the handset is used, the cellular switch sends a challenge to the handset, and the handset must reply to the interrogation with the correct value. A-key authentication requires a management center and an authentication center to obtain, store, provision and authorize the A-keys. When a call is attempted, it ping-pongs off the authentication center and management center, which validate and verify the mobile identification number (MIN) in conjunction with the specific A-key. Since the cloner does not have the A-key programmed into a handset, the method will disallow the call. This may slightly affect call set-up time, but not enough to overshadow the benefit. A-key authentication can be deployed market by market.

“Currently this is a switch limitation on our network,” says Alltel’s Glover, “and represents a significant investment in software upgrade.” As an interim, Alltel uses a third party for authentication in roaming environments in markets that have authentication deployed by their carrier. “If BellSouth has authentication deployed in Atlanta, and we are using a third party for authentication, Atlanta can protect Alltel customers.” If not, Alltel can automatically revert back to its PIN system as a deterrent.

PIN systems such as GTE TSI’s Fraud Force are more invasive to the subscriber because they intercept calls and hotline the subscriber into an IVR. When a subscriber is roaming in a high fraud market, the PIN system validates the subscriber and routes the subscriber to the IVR, and the subscriber must establish a PIN.

GSM authentication uses a method of encryption that allows mobile subscribers to originate calls and update their location without revealing their International Mobile Subscriber Identity (IMSI) to an eavesdropper on the radio path. It prevents location tracing performed by listening to the signaling exchanges on the radio path.

An authorized cryptographic attack in April of this year by UC Berkeley research student David Wagner and colleagues was well publicized. Within a day, they had found a fatal cryptographic flaw in Comp128, a specific algorithm of the A38 type, used to protect the identity inside the subscriber identity module (SIM). They created a system to exploit the flaw by repeatedly asking the SIM to identify itself; by processing the responses, they were able to extract the secret from inside the SIM. However, this interrogation took several hours, was computer-intensive, and was beyond the means of the everyday criminal--for now. In the real world, several variants of the algorithm could be implemented simultaneously on a carrier’s network.

Corsair Communications’ RF fingerprinting application, PhonePrint, has been making enormous strides in the market, and its cost of entry and management overhead are considered comparatively attractive.

RF fingerprinting is based on the premise that every cellular phone is a radio and thus has its own unique RF fingerprint or signature tied to the MIN and ESN. This fingerprint is stored on a database and, when a call is made, the fingerprint is compared. If it is not a match, the call is not allowed.

“The technology had its roots in defense,” says Corsair’s Taliaferro, “and our key technologists came from TRW.” Based on radio emissions, the signals intelligence technology was used for identifying aircraft, ships and submarines. PhonePrint measures certain aspects of the RF carrier--pulse width, pulse repetition rate, bit rate and other characteristics--and has to overcome propagation in the real world.

“The PhonePrint computer sits at the cell site,” says Diane O’Flaherty, director of product management at Corsair. “An intelligent deployment may constitute installation at 50 percent of a carrier’s cell sites.” The logic behind where to deploy is driven by building a database of RF fingerprints on phones and observing the highest percentage of phones in the market from the least number of sites, and then deploying to the cell sites where the fraud is happening. In general, fraud concentrates in a reasonable percentage of total cell sites. The main function is to pick up signals and characterize transmitters in the market. “A carrier’s needs,” adds O’Flaherty, “are based on high volume sites and high fraud sites.”

PhonePrint situates the radio frequency unit (RFU) at the cell site. It connects to a reverse control channel to monitor all signals from the handsets. Using a DS0 connection to a router on the carrier’s network, the data gets routed back to the system control center (SCC) at the carrier’s facility or to the Corsair service bureau. The SCC, on a Sun server, does offline data processing and heavy crunching off-peak. The real-time application server (also a Sun) sits on the carrier’s LAN. The server “sees” the fraud analysts’ PCs and connects to the switch so it can deny a call or tear down a call using intelligent messages to the switch. The system works mainly without operator involvement. It sees the calls; the RFU builds the print and compares it to the fingerprint database. The RFU at the cell site makes the decision whether to allow the call. The user interface is for reporting and observing--because of the number of calls being checked it is not feasible to have a human in the decision chain. However, the analyst can put a subscriber on the “always allow” list, so calls will not be stopped.

The system decision on whether to allow a call is reached in 500 milliseconds, and tear-down happens within 3 to 5 seconds of a voice channel assignment. According to Corsair, the system is accurate enough to identify not only the fingerprint, but the phone manufacturer and model, too. Tear-down is sometimes done by spoofing, mimicking a phone hanging up by injecting a 10 kHz tone into the first voice channel. With switch-based tear-down, using the connection between server and switch, a message is sent to the switch, and the switch issues the commands--leaving no billing residue. Billing residue can result from the RF tear-down method, so carriers need to consider treatment of short duration calls.

“What happens if A38 fails?” asks Corsair’s Taliaferro. “Well, Corsair does not have a ‘break glass in case of cracks in authentication,’ but development is commencing at customers’ request on digital--IS-136.” Today PhonePrint works with IS-54, AMPS, N-AMPS and ETACS. It should be IS-136 ready in about a year. According to Corsair, a fundamental difference between RF fingerprinting and authentication is that fingerprinting is measuring a natural phenomenon in a man-made object. This involves measuring properties of the signal that are unintentional, thus hard to control, whereas authentication is based on encryption keys.

Is RF fingerprinting infallible? When it was new, fraudsters would make a call to 911, thus bypassing the fingerprinting, initiate a conference call and then hang up on 911. This has since been remedied in the switch software. And just like neural networks need time to learn, the RF fingerprinting application needs time to build and mature its database. It needs to observe a certain number of call originations in order to know what the good guy looks like. How quickly PhonePrint reduces fraud is based on density, and while it was first deployed with high success in Los Angeles, Chicago and New York, it is now in over 160 markets. The dynamic between the database build and cloning activity is such that the criminals can find numbers not fingerprinted until the database hits critical mass and tear downs increase. Cloners then make attempts, but fail. The financial impact registers after a few months.

For the past two years, Corsair has offered a real-time roaming network where markets can talk through the SCCs and do real-time fingerprinting. All carriers using PhonePrint in the United States are on the roaming network. Because of the distributed approach, tear-down happens just as quickly while roaming, and the protection offered in the roaming environment has led to wide product acceptance. Puerto Rico and Mexico have re-opened to roaming due to PhonePrint, and carriers are again realizing revenues from these roaming markets.

The Soft Underbelly

New products and new technologies are the soft underbelly that attracts crime, crime that is informed, intelligent and usually organized. Remote call forwarding, and possibly its predecessor, local number portability, continues to be an exposure point, but may be closed somewhat by a more rapid introduction of automated SS7 interfaces to fraud management systems. Roaming, even with RF fingerprinting and authentication, is still a problem for traditional profiling systems, because any delay in receiving CDRs is a costly delay. International roaming can mean several days before records are processed--not very effective in fighting fraud. The burgeoning resale markets mean additional layers between the subscriber and actions enacted to protect the subscriber.

The explosive prepaid services market forces the industry to ask the tough question: Do carriers, once the revenues are in-pocket, care as much as they should about fraud on prepaid calling cards and prepaid wireless? Although some carriers, such as Sprint, actively monitor for fraud on their prepaid calling card product, it is not clear that all carriers do. Although RF fingerprinting will work on prepaid wireless, it is not clear whether any carriers are working in this direction. As the prepaid market grows in popularity, and larger increments of service are sold this way, it will increasingly attract the criminals because of its underlying anonymity and its reputation for breakage.

Will the digital network be compromised? It could happen, and authentication will have to assume a constantly shifting posture in order to stay one step ahead of the fraudsters--and this may become costly to manage.

What can carriers do? According to ICG Netcom’s Ames, security support needs to come from the top executive levels down, and security needs to be a part of the overall company structure. Nortel’s Williams agrees that fraud management needs to be an organization-wide change in culture. “No one product you can buy can fully address fraud,” says Williams. Awareness, procedures and training must be put in place. Databases such as Lightbridge’s fraud Sentinel and NCTDE (Equifax) must be actively utilized. Iterative tweaking of thresholds must be routine practice. Trends and specifics must be provided to law enforcement agencies.

“If I just push the fraudster off my network, onto someone else’s network he will come back to me,” says ICG Netcom’s Ames. Telecommunications fraudsters live on the dark side and are recidivist. They come back. Fraud departments need to be a couple of steps ahead, but they need the tools and the industry-wide cooperation to do so.

Frank Slavick is a telecommunications consultant based in Denver, Colorado, specializing in product development, new business development, and billing and customer management. He can be reached at 303/554-0958, or at fslavick@earthlink.net.
