Fraud Scenarios in GSM Networks

Editor’s Note: One of the hottest and most intriguing topics in the industry today is fraud. Service providers are quiet about many issues—they don’t want to give away strategies, future marketing efforts, and so on. But when it comes to fraud, it is in everyone’s best interest to know what is happening. What you don’t know hurts you—badly. Most fraud can be deterred or managed, but only if service providers know what to look for.

So we introduce this article as the first of what we hope will be monthly columns, for vendors and service providers alike to submit stories on what they see happening. Our purpose is emphatically not to embarrass the victims—in fact, the column can run anonymously, if need be. (We’ll also take care not to provide so many details that it’s a how-to cookbook; as much as possible, the focus will be detection and prevention.) Please contact us if you have first-hand knowledge of new schemes. No need to name names—let’s just identify and expose the fraud. It’s one problem that the whole industry must come together on. Our thanks to HP for this inaugural submission.

Even though GSM wireless networks were designed with some level of security in mind and have decent built-in authentication, they are still victimized by fraud with subscription fraud being the most widespread.

The most significant vehicle for fraud in GSM networks is international roaming. With international roaming, the calling data about a given subscriber is usually delayed as it makes its way back to the home carrier. This delay gives fraudsters more time before they are detected.

Taking advantage of some of the supplementary services in the GSM network, subscribers can use call forwarding to connect an incoming call with a third destination number (often international). And while that rerouted call is in progress, the fraudster can program the phone to forward to another destination number for the next incoming call. As a result, many concurrent calls can be routed through a fraudulent GSM service, racking up huge losses for the carrier. One GSM operator in Europe discovered the following:

• Three SIM cards (subscribers) had 110 call-forwards in a two-hour period.

• One SIM card had 12.5 hours of usage in a two-hour period.

• During a three-day weekend, eight SIM cards had a total of $121,000 worth of usage, which was never paid.

Another capability of GSM is that traveling customers can take only their SIMs with them to use in other handsets obtained locally. They can use their SIMs in any GSM phone, so they can rent or borrow handsets at their destination—they don’t have to take their own. Besides the convenience, this feature also gets around the different network frequencies and the need for multiband handsets (North America uses the 1900 MHz band, while most of the rest of world uses 900/1800 MHz).

While perfectly legitimate, however, the ability to switch SIMs and handsets is also a tool from which the fraudster benefits. Criminals often obtain fraudulent service in quantity. They sometimes pose as a representative of a small company (often fictitious) buying a large batch of SIM cards (20 to 30), pretending that they are going to be used by company employees. Each SIM will generate a modest amount of traffic, but the total will be high. Then the company will default at the end of the billing period.

To make matters worse, fraudsters often swap different SIMs in a single handset, and also pass SIMs around to be used in multiple handsets. As a result, no single SIM or handset is abused all at once.

Yet another temptation is that some operators subsidize their handsets (especially for prepaid) in the hope of attracting new customers with an attractive entry package. This results in a very appealing offer where the telephone is almost for free. The fraudsters “split the package” and resell the phone and the card separately, resulting in the carrier’s loss of the subsidy.

Things Carriers Can Do to Combat Fraud

In addition to their normal techniques, GSM operators should watch for customers who begin roaming immediately after acquiring service. If a new customer doesn’t make any calls to or from the home country, but instead immediately exports the service and begins calling from abroad, that is a significant indicator of potential fraud. This is a perfectly legal activity—but most who do it immediately following activation are perpetrating fraud.

For the “small company” scenario, the carrier can check the overall usage of all the company’s subscriptions to detect when the overall account is going above the expected levels.

Also, carriers should be alert to instances where a SIM is used in multiple handsets, or when a handset is used for multiple SIMs. Again, this is a perfectly legal activity, but a large percentage of these cases end up being fraudulent.

For subsidized handsets, carriers can detect when an original handset is used with a different SIM, indicating a split package.

John Frost is a senior fraud management consultant with HP. For almost ten years, he advised telecommunications service providers on fraud prevention and detection in both fixed and wireless networks. He can be reached at john.frost@hp.com