Top Industry Fraud Types


Global Workshop
What are the Other Top Industry Fraud Types?
Cliff Jordan and Travis Russell

Topics
  Challenges
  Statistics
  Premium Rate Service (PRS) Fraud
  By-Pass
  SMS Fraud and Related Issues
  Scams

Fraud Management Challenge
  Fraud Cases*
  Fraud High Volatility
  50% External
  50% Internal
  Changing Technology
  Changing Techniques
  Continuously Changing Characteristics
  One-Time Organized Event
  ‘Menu’ Approach to Committing Fraud
*IDC March 2003

Wireless Fraud Spectrum By Type
  Subscription: 34%
  PRS: 13%
  Other: 5%
  Social Engineering: 2%
  SMS: 5%
  Interconnect: 7%
  Credit Card: 3%
  Internal: 6%
  Dealer: 7%
  Prepay: 5%
  Roaming: 13%

Premium Rate Service (PRS)*
  Commissions to PRS Owner are Based on Total Minutes of Use Minus Cost of Service
  National
    Identified by Unique NXX/exchange, e.g., 9xx
  International
    PSTN (Public Switched Telephone Number)
    International Locations, Usually with High Settlement Rates
  Legitimate Except ...
    Caller Does Not Pay or There is Misrepresentation
* also called “Revenue Sharing Fraud”

Case Study - Technical PRS
  Large Scale Mobile Operator
  15 Handsets Calling Non-stop to 500 PRS Numbers
  No Charge To Calls Less Than 2 Seconds
  Duration of each Call is 1 Second
  Over 24,000 Calls per Handset, per Day
  Potential Losses were Over $5 M
  [Diagram labels: Calling Mobile Stations (Fraudsters), Mobile Network, FMS, 500 PRS Numbers (Fraudsters)]

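Added example, not part of the original slides: a fraud-management rule for the pattern in this case study, flagging originators that place many uncharged sub-2-second calls to many different PRS numbers. The CDR layout, the `0900` prefix and both alarm thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Assumed values for illustration; the slide gives only the "2 seconds" rule.
FREE_CALL_SECONDS = 2      # calls shorter than this are not charged to the caller
PRS_PREFIXES = ("0900",)   # hypothetical premium-rate prefix
MIN_SHORT_CALLS = 20       # hypothetical alarm threshold per originator per period
MIN_DISTINCT_PRS = 5       # hypothetical: many different PRS numbers dialled


def flag_short_prs_callers(cdrs):
    """Return {a_number: (short_prs_calls, distinct_prs_numbers)} for originators
    whose uncharged short calls to PRS numbers reach both thresholds."""
    calls = defaultdict(int)
    targets = defaultdict(set)
    for a_number, b_number, duration_s in cdrs:
        if not b_number.startswith(PRS_PREFIXES):
            continue  # not a premium-rate destination
        if duration_s >= FREE_CALL_SECONDS:
            continue  # charged call: the caller pays, so not this pattern
        calls[a_number] += 1
        targets[a_number].add(b_number)
    return {
        a: (calls[a], len(targets[a]))
        for a in calls
        if calls[a] >= MIN_SHORT_CALLS and len(targets[a]) >= MIN_DISTINCT_PRS
    }


def build_sample_cdrs():
    """Constructed CDRs: (a_number, b_number, duration_seconds)."""
    cdrs = []
    # One handset cycling through 10 PRS numbers with 1-second calls.
    for i in range(40):
        cdrs.append(("MS-A", "0900%04d" % (i % 10), 1))
    # A normal subscriber: one charged PRS call, one short one, ordinary calls.
    cdrs += [("MS-B", "09000001", 95), ("MS-B", "09000002", 1),
             ("MS-B", "5551234", 1), ("MS-B", "5551234", 240)]
    # Many short calls, but not to PRS numbers.
    cdrs += [("MS-C", "5559999", 1)] * 30
    return cdrs


if __name__ == "__main__":
    for a, (n, d) in flag_short_prs_callers(build_sample_cdrs()).items():
        print(f"ALERT {a}: {n} uncharged PRS calls to {d} numbers")
```
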
Prepaid Fraud
  Main Risks:
    Recharge With Stolen Credit Cards
      This is a CNP Transaction, and the Operator is Liable
      Large Amount of Chargebacks can Cause the Service Provider to Be Fined
    Stolen Prepaid Cards
    Fake Prepaid Cards
    Recharge With Stolen/forged Vouchers
    False Recharges Using Internal Fraud
      Can Involve Employees and Dealers
      Configuration Changes: HLR vs. Billing

By-Pass Methods
  Methods Discussed are:
    Interconnect Settlement Fraud (Carrier Fraud)
    Bypass via Illegal Landing
    Call-Back

By-Pass Methods
“Interconnect Settlement Fraud”
  The Fraud: An international long distance call appears as national and is financially “settled” as if it were a national call at a cheaper rate.
  [Diagram labels: Callers, Remote International Network, International Gateway, Unethical Carrier Network, A-number Manipulation, Interconnect Exchange, National call with Manipulation of the A-number, Victim Carrier Network, Interconnect Exchange, Local Exchange, National Call, Called Parties]

By-Pass Methods
  Interconnect Settlement Fraud:
    Benefits to Fraudster (Unethical Carrier):
      Inexpensive Termination Costs
        Local Call Rates instead of International Call Rates

By-Pass Methods
“By-Pass via Illegal Landing”
  The Fraud: An unlicensed carrier terminates international long distance calls as local calls by-passing the legal route.
  [Diagram labels: Callers, Remote International Network, Service Platform (Calling cards, prepaid), Internet, Illegal Call Routing!, PBX, Victim’s Network, Local Exchange, Local call, Called Parties]

By-Pass Methods
  By-Pass via Illegal Landing:
    Benefits to Fraudster (unlicensed carrier):
      Inexpensive Termination Costs
        Local Call Rates instead of Intl Call Rates
      Tax Avoidance
        Many countries charge taxes for inbound Intl calls.
        The unlicensed carrier does not report calls and therefore does not pay taxes.
      Use of VoIP is less expensive than satellite usage.

By-Pass Methods
“By-Pass via Call-Back”
  Step 1: A caller sends “Initiation Message” to PBX in Call-Back Country via: uncompleted call to specific DNR or SMS message or EMAIL or Internet
  Step 2: PBX makes call to the caller.
  Step 3: Caller signals via DTMF the destination number
  Step 4: PBX opens a second line and calls the destination number.
  Step 5: PBX conferences the two calls together.
  Step 6: Caller Pays Call-Back company in Call-Back Country!
  [Diagram labels: Call-Back Country, PBX, Rest of World, Victim’s Network, Legal Call Routing!, 011-44-23456789, 44-23456789]

By-Pass Methods
  By-Pass via Call-Back:
    Benefits to Fraudster (Call-Back Company):
      Worldwide Penetration without Network Costs
      Tax Avoidance
        Clients do not have to pay LOCAL taxes for their Long Distance service.

Managing SMS

What is SMS?
  Short Messaging Service (SMS)
    Very popular, mostly outside U.S.A.
    Gaining popularity in North America among younger generation
    Recognized communications method of choice for criminal activities (including terrorists)
    SS7 is the bearer path for SMS
    3G/4G Messaging may include video, audio, text, or voice

What is SMS?
  SMS is also the vehicle for delivering content
    Subscriber dials a “short code” that is assigned within a carrier’s network to a content provider
    The short code is sent via signaling network (i.e., SS7) through the network to a portal for the content provider
    Content is then delivered via IP or some other technology to the carrier for final delivery to the subscriber

How does SMS work?

Mobile Originated Phase
  Mobile originated SMS
  Transported via SS7 to the SMSc
  [Diagram labels: RAN, MSC, STP, HLR, SMS-c]

Mobile Terminate Phase
  SMSc responsible for routing to destination
  Queries HLR to find subscriber
  Destination may be another subscriber or an application
  [Diagram labels: RAN, MSC, STP, HLR, SMS-c]

Why is SMS an issue?
  Impacts signaling network
    Peak SMS periods result in excess SMSC capacity
    Flood attacks are simple to initiate using SMS, especially via the Web
    Impacts the signaling network, resulting in service disruptions
    Smaller networks may be more at risk than larger networks due to lack of security investment in the signaling network
  Impacts Revenue!
    Prepaid SMS is trickiest due to limitations on SMSc platforms
    Prepaid charging is sometimes done after the message is delivered
    Fraudsters have already identified issues with platforms and are exploiting them

Issue: Message Center Overload
  MO and Routing components got overloaded
  [Diagram labels: Other Carrier, Serving MSC, STP, Target MSC, SMPP Gateway, SMS-C (MO, Routing, MT), IP, SMPP Application, 85%]

Issue: Bursty Traffic Impacts Network
  [Chart: Intensity over Time, showing Mobile-to-Application Voting traffic and Mobile-to-Mobile traffic; label: Engineered for 5]
  [Diagram labels: SMS-C (MO, MT, Routing), Carrier to carrier, Voting]

Result: Excess SMSC Capacity
  [Diagram labels: RAN, MSC, HLR, STP, SMS-C, SMPP Gateway, SMPP Hub, IP, SMPP App (Voting), SMPP App (Ring tone), Carrier, Other Wireless Carrier; legend: Utilized, Not Utilized]

Issue: SMS Prepaid Overload
  Can’t keep up with volume of prepaid queries
  [Diagram labels: Other Carrier, Serving MSC, STP, Target MSC, SMPP Gateway, SMS-C (MO, MT, Routing, Prepaid Checks), IP, Prepaid Platform, 85%]

What do I look for?

SMS Fraud Cases
  SMS flooding
    A massive load of messages to one or several destinations
    Flooding the network will cause congestion in the signaling network resulting in service disruptions
    SMS Messages are large and consume valuable SS7 resources
  SMS faking
    SCCP or MAP addresses are manipulated
    Usually SPAM
    Invalid or taken from a real existing message
    Originated from the international SS7 network and terminated to a mobile network
  SMS spoofing
    SMS MO manipulated A-MSISDN (real or invalid)
    Coming into the home network from a foreign VLR (real or invalid SCCP Address)
    Method used for sending floods of SPAM messages

How do I solve it?

Addressing SMS issues
  Impacts signaling network
    Peak SMS periods result in excess SMSC capacity
      SMG MO-FDA Offload
    Flood attacks are simple to initiate using SMS
      IAS SMS Suite coupled with GSM MAP Screening
    Impacts the signaling network, resulting in service disruptions
    Smaller networks more at risk than larger networks due to investment in the signaling network
  Impacts Revenue!
    Prepaid SMS is trickiest due to limitations on the SMSc platforms
      SMG Real Time Prepaid Rating Engine
    Fraudsters have already identified issues with platforms and are exploiting
      GSM MAP Screening stops or redirects SMS

IAS SMS Suite - SMS Flooding
  Automatically search for the top 10 SMS originators every 5 minutes
  Generate alarm when the % of SMS traffic reaches a predetermined threshold
  Stop the Flooding with GSM MAP Screening in the Eagle (SMS Firewall)
    CdPA, CgPA and Op Code Screening
    1000 individual and 1000 ranged entries

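Added example, not the vendor's code: the first two bullets above (top 10 originators per 5-minute window, alarm on share of traffic) run over constructed mobile-originated SMS records. The record layout and the 30% threshold are assumptions; the screening step itself is not modelled.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 5 * 60   # "every 5 minutes", from the slide
TOP_N = 10                # "top 10 SMS originators", from the slide
ALARM_SHARE = 0.30        # hypothetical "predetermined threshold" (30% of window traffic)


def top_originators(records, window_seconds=WINDOW_SECONDS, top_n=TOP_N):
    """Group (timestamp_s, originator) records into fixed windows and return
    {window_start: [(originator, count, share), ...]} with the top_n per window."""
    per_window = defaultdict(Counter)
    for ts, originator in records:
        per_window[ts - ts % window_seconds][originator] += 1
    report = {}
    for start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        report[start] = [(o, n, n / total) for o, n in counts.most_common(top_n)]
    return report


def flood_alarms(records, alarm_share=ALARM_SHARE):
    """Return [(window_start, originator, share)] for every top originator whose
    share of the window's SMS traffic reaches the threshold."""
    return [(start, o, round(share, 2))
            for start, top in top_originators(records).items()
            for o, n, share in top if share >= alarm_share]


def build_sample_records():
    """Constructed MO-SMS records: (unix_timestamp_s, originating address)."""
    records = []
    # Window 0-299 s: 20 subscribers sending 3 messages each (60 total).
    for sub in range(20):
        records += [(10 * i + sub, f"sub-{sub:02d}") for i in range(3)]
    # Window 300-599 s: the same background plus one source sending 90 messages.
    for sub in range(20):
        records += [(300 + 10 * i + sub, f"sub-{sub:02d}") for i in range(3)]
    records += [(300 + i * 3, "src-X") for i in range(90)]
    return records


if __name__ == "__main__":
    for start, originator, share in flood_alarms(build_sample_records()):
        print(f"ALARM window={start}s originator={originator} share={share:.0%}")
```
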
IAS SMS Suite - SMS SPAM
  Looking for SMS originating from a source other than a mobile phone
  Assumption can be made that if the origination is an ISDN device (identified via the signaling data) and there is a high volume of SMS from the same source, then the content is SPAM
  Stop or Redirect the SMS SPAM with GSM MAP Screening in the Eagle (SMS Firewall)

SMS Spoofing
  Number of SMS submitted from subscriber abroad per Roaming partner
    Real time traffic measurement
    Alarm generation on traffic increase
  Comparison of the number of Location Updating received and the number of SMS Submitted
    From PLMN subscribers abroad per Roaming partner
    Real time compared traffic measurement
    Alarm generation on focused traffic increase
  Measure the number of invalid MSISDN who submit a SMS to the SMS-C for a specific period
    Real time traffic measurement of abnormal load of request or reject
    Alarm generation on spoofing attack condition
  Redirect Spoofing to an off board platform with GSM MAP Screening Redirect

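Added example, not the vendor's code: two of the measurements above for one measurement period, comparing Location Updates with SMS submitted per roaming partner and counting invalid A-MSISDNs. Record layouts, partner names, numbers and both thresholds are constructed assumptions.

```python
from collections import Counter

MAX_SMS_PER_LOCATION_UPDATE = 20   # hypothetical ratio threshold
MAX_INVALID_MSISDN = 5             # hypothetical count threshold per period


def spoofing_alarms(location_updates, sms_submits, home_msisdns):
    """location_updates: [(partner, msisdn)] received from roaming partners.
    sms_submits: [(partner, a_msisdn)] MO-SMS reaching the SMS-C from abroad.
    home_msisdns: set of valid subscriber numbers.
    Returns {partner: [reason, ...]} for partners that breach a threshold."""
    lu_count = Counter(p for p, _ in location_updates)
    sms_count = Counter(p for p, _ in sms_submits)
    invalid = Counter(p for p, a in sms_submits if a not in home_msisdns)
    alarms = {}
    for partner, n_sms in sms_count.items():
        reasons = []
        n_lu = lu_count.get(partner, 0)
        # Many SMS attributed to roamers at a partner that reported few or no
        # location updates for our subscribers is the mismatch being measured.
        if n_sms > MAX_SMS_PER_LOCATION_UPDATE * n_lu:
            reasons.append(f"sms={n_sms} location_updates={n_lu}")
        if invalid[partner] > MAX_INVALID_MSISDN:
            reasons.append(f"invalid_msisdn={invalid[partner]}")
        if reasons:
            alarms[partner] = reasons
    return alarms


def build_sample():
    """Constructed data for one period; all numbers and partner names are made up."""
    home = {f"99900000{i:02d}" for i in range(50)}
    lus = [("PLMN-A", f"99900000{i:02d}") for i in range(10)]
    lus += [("PLMN-B", "9990000011")]
    # PLMN-A: 10 real roamers sending 4 SMS each.
    sms = [("PLMN-A", f"99900000{i % 10:02d}") for i in range(40)]
    # PLMN-B: one real roamer, but 200 SMS with real A-MSISDNs and 30 invalid ones.
    sms += [("PLMN-B", f"99900000{i % 50:02d}") for i in range(200)]
    sms += [("PLMN-B", f"88800000{i:02d}") for i in range(30)]
    return lus, sms, home


if __name__ == "__main__":
    for partner, reasons in spoofing_alarms(*build_sample()).items():
        print(f"ALARM {partner}: " + "; ".join(reasons))
```
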
SMS Summary
  SMS will increase
    Impact is already being realized by major operators
    Effect is not limited to wireless; wireline operators can also be affected
  Visibility to the traffic from the network is critical
    The visibility must come from monitoring tools that have access to the network signaling data
    Switch-based and node-based records are no good for these types of real-time studies
  Proactively address SMS issues in the network

Scams
  BlueTooth Hacking / BlueSnarfing
  Spoofing
  Pharming
  Phishing / Wi-Phishing
  Spam / SPIM / SPIT
  Trojans
  Get Rich Quick (With Little Effort)

Bluetooth Hacking Facts
  Devices in Non-discoverable or Hidden Modes Are Vulnerable
  Pairing is Not Required to Exploit Vulnerabilities
  Vulnerabilities are Well Known. Information Available Widely on the Web
  Multiple Tools Available Publicly to Exploit Known Vulnerabilities

BlueSnarfing
  Mobile Phone Bluetooth Attacks
    Reading/Writing Phone Book Entries
    Reading SMS Stored on the Device
    Sending (Premium) SMS Message
    Setting Call Forward (Predefined Number) e.g., +49 1337 XXXX
    Initiating Phone Call (Predefined Number) e.g., 0900 284 8283

Spoofing
  Fraudster Uses a CLI/Caller-ID Device to “spoof” the Legitimate Customer’s Telephone Number or Business
  Result:
    Social Engineering at its Best
    Fools the Customers into Thinking that the Call Originated from a Bank and they may Divulge Personal Information
    Impact Emergency Services

Pharming
  Site Appears to be Legitimate
  Internet Users are Forcibly Redirected to Sites Chosen by the Hacker.
  Result:
    Divulge Personal Information
    Incur Added Costs

Phishing / Wi-Phishing
  Phishing – Means of Enticing People to Provide Personal Information (email, website, or other)
  Using a Wireless Enabled Laptop or Access Point to get Data from or Introduce Malicious Code to Wireless Enabled Laptops.

SPAM / SPIM / SPIT
  SPAM – Unsolicited, and usually unwanted, commercial e-mail
  SPIM – Unsolicited Instant Messages
  SPIT – SPAM over the Internet
  Result:
    Annoying
    Can be Used for Denial of Service Attack

Trojans
  New Variation for Mobile Phones
    Distributed via file-sharing or IRC
    Trojan Tries to Install a Corrupted File onto the Infected phone, Causing it to Fail with the Next Reboot
    Damages the Application Manager, Preventing new Programs from being Installed and stopping the Trojan from being uninstalled.

Get Rich Quick With Little Effort
  Lottery Winners
  Political Refugees
  Inheritance
  If it sounds too good to be true, it is!
  Ask yourself, “Did you buy a lottery ticket?”

Why Do Some Experts Estimate That Fraud May Grow?
  Business Trend | Fraud Impact
  New Technologies | New Venues to Commit Known Fraud
  New Products | New Types of Fraud
  Increase ARPU | Increased Loss
  More Content Providers | Low-margin Products With Significant Out-of-pocket Expense = Larger Fraud Impact; Merchant Fraud
  Great Content | More Lucrative Content to Resell
  M-Payment & E-wallet Products | Financial Fraud
  Seamless, Global Service | More Roaming Issues
  Separation of Network and Service Providers | Less Control on Service Usage

What Types of Fraud are You Seeing?

Presentation Contribution Credits
  Travis Russell, Tekelec
  Bob Delaney, Tekelec
  Tal Eisner, ECtel
  Clemmie Scott, AT&T
  Carlos Lowie, Belgacom