Fraud in Mobile Technologies
Kelvin Hilton
Objectives
On completion you should understand
The scale of MC fraud
Difficulties in producing quantitative /
qualitative data on fraud
Types of known fraud
Strategies for identifying and preventing fraud
15/07/2003
Copyright: All rights reserved. Not to be reproduced without consent.
kch/soc/mc/mcfr page
2
Statistical Sources
Many fraudulent incidents go unreported, as most Operators prefer to under-publicise network security deficiencies
Quantifying fraud is difficult because several factors distort the published figures
Sources for fraud statistics
Operators
Cellular Telecommunications Industry Association
(CTIA)
Governments
Operators may inflate statistics to attempt to
influence introduction of “friendly” legislation
Operators may deflate statistics to avoid
discouraging subscribers
Defining the Cost of Fraud
Two classes of fraud
Soft Currency Fraud
Theoretical figure derived from lost revenue due to
illegal use of services
Based on the assumption that illegal use would
have been paid for if the same use had been
undertaken by legal user
Basically piracy
Hard Currency Fraud
Real money loss
Operator has to pay someone else for service usage
when they will not be paid themselves
Estimates of the Cost of Fraud
1997 - Telcom and Network Security
Review estimated cost of fraud as
between 4 – 6% of revenues
2000 - Mobile Europe estimated cost at
$13 billion (US) approximately 5%
of revenues
2005 - Estimates between $30 - 40 billion
(US) worldwide
Perpetrators
Telecom fraud is now more lucrative than drug trafficking!
Evidence that organised crime is hiring computer hackers
Petty criminals
General Public
Hackers seeking notoriety
Internet provides easy, worldwide, access
to fraud techniques / technologies
Categories of Fraud
Voice fraud
Subscriber fraud
Data fraud
Internal fraud
Interconnection fraud
Roaming fraud
Technical fraud
Voice Fraud
Threat of impersonation for malicious or profitable motives
More and more modern commerce is
conducted over the telephone
Traditional services such as voice mail
Interactive Voice Response (IVR)
technology accelerating voice services
An example is accessing voice mail
services either to leave nuisance
messages or to appropriate sensitive
information.
Subscriber Fraud
Use of a legitimate subscriber’s network access for
malicious or profitable motives.
Common type of fraud
Either:
a legitimate subscription obtained illegitimately, or
illegitimate use of a legitimate subscription
An example is when a misappropriated
subscriber ID is used as a local proxy
for international calls by using call
forwarding.
Data Fraud
Removal, inspection or insertion of data onto a network for
malicious or profitable motives.
2.5G+ networks are packet switched, which exposes them to all of the threats of traditional computer networks (hacking, DoS, etc.)
An example is IP spoofing to allow
access to corporate networks by
altering the IP address in packets of a
legitimate user.
Internal Fraud
Abuse of access to operator data by an employee for
malicious or profitable motives.
Operator data (subscriber, device, billing) is
valuable asset.
A degree of transparency is needed to service end users
Operator employees have ready access to data
An example is network operator
employees manipulating call
transaction records to conceal
fraudulent activity.
Interconnection Fraud
Exploitation of operator interconnection agreements for
malicious or profitable motives.
Operators negotiate service tariffs with fellow
operators for example to support roaming
Operators charge services based on these tariffs
They are not obliged to use them
The industry is very reticent about this type of
fraud!
An example is arbitrage where calls
are passed through a third-party
network where tariffs are lower than
the network the subscriber believes
they are using.
Roaming Fraud
Exploitation of operator roaming agreements for malicious
or profitable motives.
Very common type of fraud
Using legitimate subscriber connections
on networks with roaming agreements
with subscriber’s network
A misappropriated subscriber’s account
is used on a network with a roaming
agreement with the legitimate
subscriber’s network.
Technical Fraud
Use of counterfeiting or other technologies to duplicate,
infiltrate or manipulate a mobile network for malicious or
profitable motives.
Very common type of fraud
Digital systems are more secure than the old
analogue (which used to start each call by
publishing, unmasked, the subscriber / device
ID)
However, all use Standards and these are in the
public domain!
An example is cloning where a
legitimate subscriber’s access is cloned
and calls are made using their network
access.
Examples of Known Fraud (1)
Roaming fraud
When operators have roaming agreement
Operator A must pay Operator B for the time
used on their network regardless of whether
Operator A is paid for the time
Principal problem is the time it takes for billing data to pass from Operator B to Operator A
Used to be 72 hours, now down to 24 using EDI from billing engines
The GSM Memorandum of Understanding states that any user exceeding 100 Special Drawing Rights (SDR, a universal currency unit specified by the IMF) must be billed within 24 hours
Examples of Known Fraud (2)
Roaming fraud cont…
Example: SIM cards were taken out of phones acquired with false identities and mailed abroad, where they were used in call-selling fraud. Call lengths of up to 10-12 hours.
In one case 110 call forwards were instigated in 2 hours, resulting in 12.5 hours of calls from one subscription
Example: another call-forward number was changed once a minute for 16 hours, resulting in £12,000 in calls
One Operator shut down all calls to Vietnam because of suspected fraud levels; only 1 subscriber complained!
Examples of Known Fraud (3)
Cloning fraud
GSM SIMs can be cloned because the authentication algorithm has a flaw
COMP128 is the algorithm used by most operators
Problem is that the algorithm is a published standard and it leaks information at every attempt to connect. With a sufficient number of challenges to the SIM card, enough information can be gathered to deduce the SIM's secret key
Approximately 150,000 queries are required, taking about 8-11 hours with a suitable smartcard reader
Can be done over the air by base station spoofing
Examples of Known Fraud (4)
Cloning fraud cont…
Any user can be tracked by their mobile phone with
varying accuracy (within 100m in metropolitan areas
with large number of base stations)
GSM phones have unique IMEI (International Mobile
Equipment Identity) & subscriber information IMSI
(International Mobile Subscriber Identity)
Law enforcement agencies can access this info in real time and use it to track / locate individuals
Therefore criminals use stolen or cloned phones to
ensure anonymity
US law enforcement agents have found that 80% of drug dealers arrested in the US were using cloned phones
Staggeringly Pablo Escobar was tracked down using his
mobile phone activity
Examples of Known Fraud (5)
Internal Fraud
Mobile markets are very competitive
Operators subsidise handset charges (or even
give them away) to entice new customers to
subscribe
Dealers can sell these handsets on (frequently to
overseas dealers)
Pre-paid handsets can be unlocked and used on
any network
Examples of Known Fraud (6)
Subscription Fraud
Call selling using the GSM conference calling feature
Fraudster acts as an "operator": sets up calls between parties, then drops the call and commences another
The cloned subscriber is billed for the call
GSM call forwarding
Fraudster sets call forward to the required number
Caller calls the Fraudster's phone and is transferred
Fraudster drops the call and starts over
Caller only pays for the call to the Fraudster's phone
Fraudsters offer an international "call box" from shops
The cloned subscriber is billed for all calls
Issues Affecting Fraud Management
Most IP-based security systems are only suitable for enforcing local, static security policies
Mobile IP systems provide multiple entry points,
dynamic access (address changes on
connection)
A strategy for Fraud Management requires
Maintain the integrity of the entire infrastructure
Act against the perpetrator not the attempt
Flexible configurations
Extensible
Intelligent data collection
Provide immediate feedback on abuse
Learn from experience to avoid recurrence
Fraud Management Systems (FMS)
FMSs are sophisticated software systems that Operators use to detect / prevent fraud
Data collection, interrogation and interpretation are major components of an FMS
Mobile networks generate massive quantities of data
AT&T processes 300 million+ calls a day
Potential data sources are:
Application-level usage records (these feed into billing data; not all applications are billable!), provided by
VoIP gateways, H.323 gatekeepers, etc.
Email, web/WAP servers
Broadcast servers (music/video on demand)
Voice switches
FMS – Data Sources
Potential data sources cont…
Login & Authentication Records from
RAS servers
LDAP servers
DHCP servers
DNS servers
Firewalls
VPNs
Network monitoring services
Routers & switches
Cisco NetFlow
SNMP / Remote Monitor
Address translation
Non-IP network elements (e.g. base stations)
FMS – Intrusion Detection Systems (IDS)
IDS use sophisticated algorithms for
detecting abuse
Combine leading-edge science (expert
systems, data mining, AI, machine
learning)
Use various techniques
Threshold-Based Analysis
Inference Rules Analysis
Profile-Based Analysis
Neural Networks
IDS – Threshold-Based Analysis
Compares traffic patterns against
predefined thresholds
Premise – most Operator losses due to
large-scale professional Fraudsters
Alerts can be triggered if the number of calls being made from a certain location exceeds the threshold
For
Simple, efficient implementation well suited to
the large data volumes on Operator networks
Against
Threshold must be accurate
Only detects certain types of fraud
IDS – Inference Rules Analysis
Fraud-containment method based on expert systems and production-rule engines
Define and preconfigure sophisticated
inference rules
For
Can detect sophisticated fraud
Flexible
Against
Difficult to manage
Requires highly-skilled programmers
Requires constant updates to keep pace with
new fraud techniques
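The following Python script is an added example, not code from the lecture or from any operator's FMS, and it serves both the threshold-based analysis slide above and this inference-rules slide. It runs both techniques over a constructed event log: a sliding-window threshold check that reports call-forwarding churn, roaming charges and calls per location, and a small rule engine whose rules encode analyst knowledge about call-selling patterns. The event layout, the account table, the rule names and the limits of 10 forwarding changes per hour and 2 calls per location per day are assumptions chosen for the illustration; the 100 SDR in 24 hours limit and the once-a-minute call-forward pattern come from the roaming fraud slides.

```python
"""Threshold-based analysis and inference rules over a constructed event log.
Added example, not code from the lecture or from any real FMS: the event layout,
the account table and the limits (10 forwarding changes per hour, 2 calls per
location per day) are assumptions; 100 SDR per 24 h is the figure from slide 15.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    sub: str        # subscriber ID
    kind: str       # "call" or "cf_change" (call-forwarding target changed)
    location: str   # cell / city the event originated from
    dest: str       # dialled number or new forwarding target
    minutes: int    # call duration (0 for cf_change)
    sdr: float      # roaming charge owed to the visited operator, in SDR

def load_events(rows):
    return [Event(datetime.strptime(r[0], "%Y-%m-%d %H:%M"), *r[1:]) for r in rows]

SAMPLE_ROWS = [  # constructed sample data, not real call records
    ("2003-01-02 08:00", "34-24-32", "call", "Stafford", "234-987", 6, 0.0),
    ("2003-01-02 08:30", "34-24-32", "call", "Stafford", "333-444", 10, 0.0),
    # forwarding target changed once a minute for 15 minutes (slide 16 pattern)
    *[("2003-01-02 10:%02d" % m, "55-10-99", "cf_change", "London",
       "21-34-321-%03d" % m, 0, 0.0) for m in range(15)],
    # roaming calls whose charges pass 100 SDR inside one day (slide 15 rule)
    ("2003-01-02 11:00", "77-00-01", "call", "Belgrade", "11-22-234-234", 123, 45.0),
    ("2003-01-02 14:10", "77-00-01", "call", "Belgrade", "11-22-123-456", 94, 35.0),
    ("2003-01-02 18:45", "77-00-01", "call", "Belgrade", "11-22-567-890", 170, 60.0),
]
SAMPLE_ACCOUNTS = {  # subscriber -> activation date (constructed)
    "34-24-32": "2001-06-01", "55-10-99": "2003-01-01", "77-00-01": "2002-12-31"}
ANALYSIS_TIME = datetime(2003, 1, 2, 23, 59)

def window_breaches(events, weight, window, limit, group=lambda e: e.sub):
    """Threshold-based analysis: per group (subscriber by default), sum weight(event)
    over a sliding window; return {group: peak_total} where the total exceeded limit."""
    buckets = defaultdict(list)
    for ev in events:
        if weight(ev):
            buckets[group(ev)].append((ev.ts, weight(ev)))
    peaks = {}
    for g, items in buckets.items():
        items.sort()
        q, total = deque(), 0.0
        for ts, w in items:
            q.append((ts, w))
            total += w
            while ts - q[0][0] > window:      # evict events older than the window
                total -= q.popleft()[1]
            if total > limit:
                peaks[g] = max(peaks.get(g, 0.0), total)
    return peaks

def forwarding_churn(events, per_hour=10):        # slide 16: one change a minute
    return window_breaches(events, lambda e: e.kind == "cf_change",
                           timedelta(hours=1), per_hour)

def roaming_high_usage(events, sdr_limit=100.0):  # slide 15: 100 SDR within 24 h
    return window_breaches(events, lambda e: e.sdr, timedelta(hours=24), sdr_limit)

def busy_locations(events, calls_per_day=2):      # slide 25: calls from one location
    return window_breaches(events, lambda e: e.kind == "call", timedelta(hours=24),
                           calls_per_day, group=lambda e: e.location)

def is_international(number):
    return number.count("-") >= 3   # assumption: country-coded numbers carry 3+ dashes

# Inference rules: named predicates encoding analyst knowledge, evaluated per
# subscriber over that subscriber's events and account record.
def rule_new_account_long_international(sub, evs, accounts, now):
    age = now - datetime.strptime(accounts[sub], "%Y-%m-%d")
    return age < timedelta(days=7) and any(
        e.kind == "call" and is_international(e.dest) and e.minutes >= 60 for e in evs)

def rule_forwarding_to_international(sub, evs, accounts, now):
    return any(e.kind == "cf_change" and is_international(e.dest) for e in evs)

RULES = [("new-account-long-international-call", rule_new_account_long_international),
         ("call-forwarding-to-international-number", rule_forwarding_to_international)]

def run_rules(events, accounts, now=ANALYSIS_TIME, rules=RULES):
    """Inference-rule analysis: {subscriber: [names of the rules that fired]}."""
    per_sub = defaultdict(list)
    for e in events:
        per_sub[e.sub].append(e)
    hits = defaultdict(list)
    for sub, evs in per_sub.items():
        for name, pred in rules:
            if pred(sub, evs, accounts, now):
                hits[sub].append(name)
    return dict(hits)

if __name__ == "__main__":
    evs = load_events(SAMPLE_ROWS)
    print(forwarding_churn(evs), roaming_high_usage(evs), busy_locations(evs))
    print(run_rules(evs, SAMPLE_ACCOUNTS))
```

The threshold checks are cheap counters over a time window, which is why they scale to operator data volumes, but each one catches only the single pattern its limit was tuned for. The rules combine several facts (account age, destination, duration, forwarding changes) and so catch more targeted abuse, at the cost of someone having to write and maintain every rule as the fraud patterns change.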
IDS – Profile Based Analysis
Based on customer’s habitual usage pattern
Profile is developed and any deviation from the
profile triggers a positive alarm
Periodic comparison (daily, weekly, etc)
For
Easy to read and analyse results
Removes need to preconfigure
Against
Genuine significant deviation of usage can trigger a
large number of false positive alarms
Investigation of an alarm is labour intensive and thus a
large number of alarms will be an expensive and
laborious use of operator resources
IDS – Profile Based Analysis Example
Sample legitimate User Profile

Call Log
Name:           A Punter
Subscriber ID:  34-24-32
Service:        Low Cost Business
Home Register:  Stafford
Date:           01/01/2003

Number          Location        Duration
234-987         Stafford        06:15
123-4567        London          01:23
111-222         Birmingham      05:23
333-444         Stafford        10:02
21-22-012-567   Paris, France   12:43
335-567         Stafford        00:39
234-987         Stafford        02:02
341-144         Stafford        03:54
786-635         Glasgow         05:21
321-123         Stafford        09:12
IDS – Profile Based Analysis Example
Sample User Profile with anomalies

Call Log
Name:           A Punter
Subscriber ID:  34-24-32
Service:        Low Cost Business
Home Register:  Stafford
Date:           02/01/2003

Number          Location        Duration
11-22-234-234   Belgrade        123:23
11-22-123-456   Belgrade        94:35
11-22-567-890   Belgrade        170:16
333-444         Stafford        10:01
21-34-321-111   Osaka           88:28
335-567         Osaka           210:06
234-987         Stafford        1:45
341-144         Stafford        2:56
21-22-012-567   Paris, France   15:09
19-20-2122-23   Cape Town       123:34
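The following Python script is an added example (not code from the lecture) of profile-based analysis run on the two call logs above: it builds A Punter's usage profile from the 01/01/2003 log, scores every call in the 02/01/2003 log against that profile, and makes the daily (periodic) comparison the earlier slide mentions. The call data are the slides' own figures; the choice of profile features, the 3-standard-deviation duration rule and the rule that country-coded numbers carry three or more dashes are assumptions made for the illustration.

```python
"""Profile-based analysis over the two sample call logs on the slides.
Added example, not from the lecture: the call data are the slides' own figures;
the profile features, the 3-sd duration rule and the international-number test
are assumptions chosen for the illustration.
"""
from statistics import mean, pstdev

# (number, location, duration mm:ss) exactly as printed on the two slides
DAY1_LOG = [
    ("234-987", "Stafford", "06:15"), ("123-4567", "London", "01:23"),
    ("111-222", "Birmingham", "05:23"), ("333-444", "Stafford", "10:02"),
    ("21-22-012-567", "Paris, France", "12:43"), ("335-567", "Stafford", "00:39"),
    ("234-987", "Stafford", "02:02"), ("341-144", "Stafford", "03:54"),
    ("786-635", "Glasgow", "05:21"), ("321-123", "Stafford", "09:12"),
]
DAY2_LOG = [
    ("11-22-234-234", "Belgrade", "123:23"), ("11-22-123-456", "Belgrade", "94:35"),
    ("11-22-567-890", "Belgrade", "170:16"), ("333-444", "Stafford", "10:01"),
    ("21-34-321-111", "Osaka", "88:28"), ("335-567", "Osaka", "210:06"),
    ("234-987", "Stafford", "1:45"), ("341-144", "Stafford", "2:56"),
    ("21-22-012-567", "Paris, France", "15:09"), ("19-20-2122-23", "Cape Town", "123:34"),
]

def minutes(mmss):
    m, s = mmss.split(":")
    return int(m) + int(s) / 60

def is_international(number):
    return number.count("-") >= 3   # assumption: country-coded numbers carry 3+ dashes

def build_profile(calls):
    """Summarise habitual usage: where the subscriber calls from, whom they call,
    how long a typical call lasts, and the day's total airtime."""
    mins = [minutes(d) for _, _, d in calls]
    return {
        "locations": {loc for _, loc, _ in calls},
        "numbers": {num for num, _, _ in calls},
        "mean_min": mean(mins),
        "sd_min": pstdev(mins),
        "daily_total_min": sum(mins),
    }

def deviations(profile, call, z_limit=3.0):
    """Reasons (possibly none) why one call deviates from the profile."""
    num, loc, dur = call
    m = minutes(dur)
    reasons = []
    if loc not in profile["locations"]:
        reasons.append(f"new location: {loc}")
    z = (m - profile["mean_min"]) / (profile["sd_min"] or 1.0)
    if z > z_limit:
        reasons.append(f"duration {m:.0f} min is {z:.1f} sd above the profile mean")
    if num not in profile["numbers"] and is_international(num):
        reasons.append(f"first call to international number {num}")
    return reasons

def flag_calls(profile, calls):
    """Per-call comparison: every call with at least one deviation, with reasons."""
    flagged = []
    for call in calls:
        reasons = deviations(profile, call)
        if reasons:
            flagged.append((call, reasons))
    return flagged

def daily_ratio(profile, calls):
    """Periodic comparison: the day's total airtime relative to the profile day."""
    return sum(minutes(d) for _, _, d in calls) / profile["daily_total_min"]

if __name__ == "__main__":
    profile = build_profile(DAY1_LOG)
    for call, reasons in flag_calls(profile, DAY2_LOG):
        print(call, "->", "; ".join(reasons))
    print(f"daily airtime is {daily_ratio(profile, DAY2_LOG):.1f}x the profile day")
```

On this data the three Belgrade calls, both Osaka calls and the Cape Town call are flagged, while the Paris call (a number and location already in the profile, and a duration within three standard deviations of the mean) passes, as do the short Stafford calls. A profile built from a single day is deliberately thin here; in practice a longer baseline is needed, and the slide's caveat still applies: a genuine change in habits (a business trip to Osaka) produces exactly the same alarms, each of which costs analyst time to investigate.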
IDS – Neural Networks
Systems simulating human thought and understanding
Triggering of command chains in response to assimilation of data
Can calculate and adapt User Profiles independently
For
Operational cost reductions as they adapt without human intervention
Against
Lack of explicit logic (the reasoning behind an alarm cannot easily be explained)
Inherent problems of Profile Based Analysis
Review
The scale of MC fraud
Difficulties in producing quantitative /
qualitative data on fraud
Types of known fraud
Strategies for identifying and preventing
fraud
Questions?