
What are the Other Top Industry Fraud Types?


Presentation Transcript


  1. What are the Other Top Industry Fraud Types? Cliff Jordan and Travis Russell

  2. Topics
     • Challenges
     • Statistics
     • Premium Rate Service (PRS) Fraud
     • By-Pass
     • SMS Fraud and Related Issues
     • Scams

  3. Fraud Management Challenge
     • Fraud Cases*
       • 50% External
       • 50% Internal
     • Fraud High Volatility
       • Changing Technology
       • Changing Techniques
       • Continuously Changing Characteristics
       • One-Time Organized Event
       • ‘Menu’ Approach to Committing Fraud
     *IDC, March 2003

  4. Wireless Fraud Spectrum By Type

  5. Premium Rate Service (PRS)*
     • Commissions to the PRS Owner are Based on Total Minutes of Use Minus Cost of Service
     • National
       • Identified by a Unique NXX/exchange, e.g., 9xx
     • International
       • PSTN (Public Switched Telephone Network)
       • International Locations, Usually with High Settlement Rates
     • Legitimate Except …
       • Caller Does Not Pay or There is Misrepresentation
     * also called “Revenue Sharing Fraud”

  6. FMS Case Study - Technical PRS
     • Large-Scale Mobile Operator
     • 15 Handsets Calling Non-stop to 500 PRS Numbers
     • No Charge for Calls Shorter Than 2 Seconds
     • Duration of Each Call is 1 Second
     • Over 24,000 Calls per Handset, per Day
     • Potential Losses were Over $5 M
     [Diagram: Mobile Stations (Fraudsters) → Mobile Network → 500 PRS Numbers (Fraudsters)]
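The case study above is detectable from ordinary CDRs: a handset that places hundreds of calls a day to premium-rate numbers, each just under the free-call threshold, stands out from any real subscriber. The following is an added example, not code from the presentation or from any FMS product; it assumes a minimal CDR record (A-number, B-number, duration), a constructed premium-rate prefix (`900`) and an assumed per-handset alarm threshold of 100 unbilled PRS calls. The 2-second free-call rule is the one the case study describes.

```python
"""Detect handsets hammering PRS numbers with sub-threshold (unbilled) calls.

Added example, not part of the presentation. Assumes a minimal CDR record
(A-number, B-number, duration) and a constructed PRS prefix; the
"no charge for calls shorter than 2 seconds" rule is the case study's.
"""
from collections import defaultdict
from dataclasses import dataclass

FREE_CALL_THRESHOLD_S = 2     # calls shorter than this are not billed to the caller (case study)
MIN_SHORT_PRS_CALLS = 100     # per-handset alarm threshold per day (assumed)
PRS_PREFIXES = ("900",)       # hypothetical premium-rate exchange prefix


@dataclass(frozen=True)
class Cdr:
    a_number: str   # calling handset (MSISDN)
    b_number: str   # called number
    duration_s: int


def is_prs(b_number: str) -> bool:
    """True if the called number falls in a known premium-rate range."""
    return b_number.startswith(PRS_PREFIXES)


def short_prs_calls_by_handset(cdrs):
    """Map handset -> (count of unbilled PRS calls, distinct PRS numbers called)."""
    stats = defaultdict(lambda: [0, set()])
    for c in cdrs:
        if is_prs(c.b_number) and c.duration_s < FREE_CALL_THRESHOLD_S:
            stats[c.a_number][0] += 1
            stats[c.a_number][1].add(c.b_number)
    return {a: (n, len(bs)) for a, (n, bs) in stats.items()}


def flag_handsets(cdrs, min_calls=MIN_SHORT_PRS_CALLS):
    """Handsets whose unbilled PRS call count reaches the alarm threshold, sorted."""
    return sorted(a for a, (n, _) in short_prs_calls_by_handset(cdrs).items() if n >= min_calls)


# Constructed sample: one handset mimics the case study (1-second calls to many
# PRS numbers); a normal subscriber makes a few short PRS calls and one voice call.
SAMPLE_CDRS = (
    [Cdr("15550100", f"900{n:04d}", 1) for n in range(120)]
    + [Cdr("15550200", "9000001", 1) for _ in range(3)]
    + [Cdr("15550200", "15550300", 45)]
)

if __name__ == "__main__":
    for a, (n, distinct) in short_prs_calls_by_handset(SAMPLE_CDRS).items():
        print(f"{a}: {n} unbilled PRS calls to {distinct} distinct numbers")
    print("flagged:", flag_handsets(SAMPLE_CDRS))
```

The second statistic (distinct PRS numbers per handset) matters because the fraud rotates through many numbers to spread the commission; a real subscriber who redials one busy line does not.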

  7. Prepaid Fraud
     • Main Risks:
       • Recharge With Stolen Credit Cards
         • This is a CNP (Card-Not-Present) Transaction, and the Operator is Liable
         • A Large Number of Chargebacks can Cause the Service Provider to Be Fined
       • Stolen Prepaid Cards
       • Fake Prepaid Cards
       • Recharge With Stolen/Forged Vouchers
       • False Recharges Using Internal Fraud
         • Can Involve Employees and Dealers
         • Configuration Changes: HLR vs. Billing

  8. By-Pass Methods
     • Methods Discussed are:
       • Interconnect Settlement Fraud (Carrier Fraud)
       • By-Pass via Illegal Landing
       • Call-Back

  9. By-Pass Methods: “Interconnect Settlement Fraud”
     The Fraud: An international long distance call appears as national and is financially “settled” as if it were a national call, at a cheaper rate.
     [Diagram: Callers on a Remote International Network → Local Exchange → International Gateway → Interconnect Exchange of the Unethical Carrier Network → Interconnect Exchange of the Victim Carrier Network → Called Parties; the A-number is manipulated so that the call is presented as a national call]

  10. By-Pass Methods
     • Interconnect Settlement Fraud:
       • Benefits to Fraudster (Unethical Carrier):
         • Inexpensive Termination Costs
         • Local Call Rates instead of International Call Rates

  11. By-Pass Methods: “By-Pass via Illegal Landing”
     The Fraud: An unlicensed carrier terminates international long distance calls as local calls, by-passing the legal route.
     [Diagram: Callers on a Remote International Network → Service Platform (calling cards, pre-paid) → Internet (illegal call routing!) → PBX / Local Exchange in the Victim’s Network → local call → Called Parties]

  12. By-Pass Methods
     • By-Pass via Illegal Landing:
       • Benefits to Fraudster (Unlicensed Carrier):
         • Inexpensive Termination Costs
         • Local Call Rates instead of International Call Rates
         • Tax Avoidance
           • Many countries charge taxes on inbound international calls. The unlicensed carrier does not report the calls and therefore does not pay the taxes.
         • Use of VoIP is less expensive than satellite usage.
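Both by-pass variants above deliver international traffic onto the victim's network dressed as national calls, so the defender's view is the per-trunk CDR stream. The following is an added example, not code from the presentation or any vendor: it computes two indicators per interconnect trunk, the share of calls whose presented A-number does not fit a constructed national numbering pattern, and the concentration of calls behind a single A-number (a gateway landing calls tends to reuse one or a few). The regular expression and both thresholds are assumptions for illustration.

```python
"""Per-trunk indicators for interconnect by-pass (settlement fraud / illegal landing).

Added example, not part of the presentation. The national A-number pattern
and both thresholds are constructed assumptions, not a vendor's rules.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

NATIONAL_A_NUMBER = re.compile(r"^0[2-9]\d{7,9}$")  # constructed national numbering plan
MAX_INVALID_SHARE = 0.05        # assumed: >5 % malformed A-numbers on a trunk is suspect
MAX_CALLS_PER_A_NUMBER = 50     # assumed: one A-number behind >50 calls suggests a gateway


@dataclass(frozen=True)
class InterconnectCdr:
    trunk: str       # interconnect partner / trunk group the call arrived on
    a_number: str    # presented calling number
    b_number: str


def trunk_indicators(cdrs):
    """Return per-trunk statistics and a 'suspect' verdict."""
    per_trunk = defaultdict(list)
    for c in cdrs:
        per_trunk[c.trunk].append(c)
    result = {}
    for trunk, recs in per_trunk.items():
        total = len(recs)
        invalid = sum(1 for r in recs if not NATIONAL_A_NUMBER.match(r.a_number))
        top_a, top_n = Counter(r.a_number for r in recs).most_common(1)[0]
        invalid_share = invalid / total
        result[trunk] = {
            "calls": total,
            "invalid_share": round(invalid_share, 3),
            "top_a_number": top_a,
            "top_a_calls": top_n,
            "suspect": invalid_share > MAX_INVALID_SHARE or top_n > MAX_CALLS_PER_A_NUMBER,
        }
    return result


def suspect_trunks(cdrs):
    """Trunks that trip either indicator, sorted by name."""
    return sorted(t for t, s in trunk_indicators(cdrs).items() if s["suspect"])


# Constructed sample: a legitimate partner delivers calls from many distinct
# subscribers; a second partner funnels most of its calls through one A-number
# and also presents some empty A-numbers.
SAMPLE = (
    [InterconnectCdr("partner-a", f"0211{n:06d}", f"0301{n:06d}") for n in range(200)]
    + [InterconnectCdr("partner-b", "0211000000", f"0302{n:06d}") for n in range(280)]
    + [InterconnectCdr("partner-b", "", f"0303{n:06d}") for n in range(20)]
)

if __name__ == "__main__":
    for trunk, stats in trunk_indicators(SAMPLE).items():
        print(trunk, stats)
    print("suspect:", suspect_trunks(SAMPLE))
```

Neither indicator proves fraud on its own; a partner's trunk legitimately carries a call-centre's outbound traffic under one A-number. The point is to rank trunks for test-call verification and settlement review rather than to block them automatically.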

  13. By-Pass Methods: “By-Pass via Call-Back”
     [Diagram: Call-Back Country, Rest of World, Victim’s Network; legal call routing]

  14. PBX By-Pass Methods: “By-Pass via Call-Back”
     Step 1: A caller sends an “Initiation Message” to a PBX in the Call-Back Country via an uncompleted call to a specific DNR, or an SMS message, or e-mail, or the Internet.
     [Diagram: Initiation Message from the Rest of World / Victim’s Network to the Call-Back Country]

  15. PBX By-Pass Methods: “By-Pass via Call-Back”
     Step 2: The PBX makes a call back to the caller.
     Step 3: The caller signals the destination number via DTMF (e.g., 011-44-23456789).
     [Diagram: Call-Back Country ↔ Rest of World / Victim’s Network]

  16. PBX By-Pass Methods: “By-Pass via Call-Back”
     Step 4: The PBX opens a second line and calls the destination number (44-23456789).
     Step 5: The PBX conferences the two calls together.
     Step 6: The caller pays the Call-Back company in the Call-Back Country!
     [Diagram: Call-Back Country → Rest of World / Victim’s Network, both legs bridged at the PBX]

  17. By-Pass Methods
     • By-Pass via Call-Back:
       • Benefits to Fraudster (Call-Back Company):
         • Worldwide Penetration without Network Costs
         • Tax Avoidance
           • Clients do not have to pay LOCAL taxes for their Long Distance service.

  18. Managing SMS

  19. What is SMS?
     • Short Messaging Service (SMS)
     • Very popular, mostly outside the U.S.A.
     • Gaining popularity in North America among the younger generation
     • Recognized communications method of choice for criminal activities (including terrorists)
     • SS7 is the bearer path for SMS
     • 3G/4G Messaging may include video, audio, text, or voice

  20. What is SMS?
     • SMS is also the vehicle for delivering content
       • The subscriber dials a “short code” that is assigned within a carrier’s network to a content provider
       • The short code is sent via the signaling network (i.e., SS7) through the network to a portal for the content provider
       • Content is then delivered via IP or some other technology to the carrier for final delivery to the subscriber

  21. How does SMS work?

  22. Mobile Originated Phase
     • Mobile originated SMS
     • Transported via SS7 to the SMSc
     [Diagram: several RAN/MSC pairs connected through STPs to the SMS-C and the HLR]

  23. Mobile Terminated Phase
     • The SMSc is responsible for routing to the destination
     • Queries the HLR to find the subscriber
     • The destination may be another subscriber or an application
     [Diagram: SMS-C → STP → HLR query, then STP → MSC → RAN for delivery to the handset]

  24. Why is SMS an issue?

  25. Why is SMS an issue?
     • Impacts the signaling network
       • Peak SMS periods result in excess SMSC capacity
       • Flood attacks are simple to initiate using SMS, especially via the Web
       • Impacts the signaling network, resulting in service disruptions
       • Smaller networks may be more at risk than larger networks due to lack of security investment in the signaling network
     • Impacts Revenue!
       • Prepaid SMS is the trickiest due to limitations on SMSc platforms
       • Some prepaid charging is done after the message is delivered
       • Fraudsters have already identified issues with the platforms and are exploiting them
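The revenue point above (prepaid charging performed after delivery) is an ordering defect, and it is easiest to see with a small model. The following is an added example, not code from the presentation or any SMSC or rating product: an in-memory prepaid account, a stand-in delivery function, an assumed 10-cent tariff, and two submission paths, one that debits after delivery in a batch and one that debits (reserves) before delivery and refunds on failure. The batching of post-delivery debits is an assumption made to show the effect of a burst.

```python
"""Prepaid SMS charging order: debit after delivery vs. reserve before delivery.

Added example, not part of the presentation. The tariff, the batched
post-delivery debit and the stand-in delivery function are assumptions.
"""
from dataclasses import dataclass

SMS_PRICE_CENTS = 10  # assumed tariff per message


@dataclass
class PrepaidAccount:
    balance_cents: int
    delivered: int = 0
    rejected: int = 0


def deliver_mt(msg: str) -> bool:
    """Stand-in for SMS-C mobile-terminated delivery; always succeeds here."""
    return True


def submit_charge_after(acct: PrepaidAccount, n_messages: int) -> PrepaidAccount:
    """Weak ordering: the submit-time check only sees the not-yet-debited balance,
    delivery happens, and the rating engine applies the debits afterwards.
    A burst submitted before the first debit lands is delivered in full."""
    pending = 0
    for i in range(n_messages):
        if acct.balance_cents > 0:
            if deliver_mt(f"msg-{i}"):
                acct.delivered += 1
                pending += SMS_PRICE_CENTS
        else:
            acct.rejected += 1
    acct.balance_cents -= pending  # post-delivery charging: the balance can go negative
    return acct


def submit_reserve_first(acct: PrepaidAccount, n_messages: int) -> PrepaidAccount:
    """Real-time rating: debit (reserve) before delivery, release on failure."""
    for i in range(n_messages):
        if acct.balance_cents < SMS_PRICE_CENTS:
            acct.rejected += 1
            continue
        acct.balance_cents -= SMS_PRICE_CENTS
        if deliver_mt(f"msg-{i}"):
            acct.delivered += 1
        else:
            acct.balance_cents += SMS_PRICE_CENTS  # release the reservation
    return acct


if __name__ == "__main__":
    # Constructed scenario: 10 cents of credit, a burst of 50 messages.
    print("charge after delivery :", submit_charge_after(PrepaidAccount(balance_cents=10), 50))
    print("reserve before delivery:", submit_reserve_first(PrepaidAccount(balance_cents=10), 50))
```

With 10 cents of credit and a 50-message burst the first path delivers all 50 and leaves the account 490 cents in the red, the operator's loss; the second delivers one message and rejects 49. The reservation step is what a real-time rating engine in front of the SMSC contributes.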

  26. Issue: Message Center Overload
     [Diagram: Other Carrier → Serving MSC → STP → Target MSC / SMS-C (MO routing, MT), with an SMPP Gateway and SMPP Application attached over IP; utilization labels 100%, 90%, 85%, 10%, 5%; the MO and routing components got overloaded]

  27. Issue: Bursty Traffic Impacts the Network
     [Chart: traffic intensity over time; mobile-to-application voting traffic spikes far above the mobile-to-mobile traffic level the SMS-C was engineered for (labelled “Engineered for 5”); the carrier-to-carrier MO, SMS-C MO routing and MT paths all carry the voting burst]

  28. Result: Excess SMSC Capacity
     [Diagram: RAN/MSC pairs connected via STPs and the HLR to a bank of SMS-Cs, most marked “Not Utilized”; SMPP applications (voting, ring tone) reach the network through an SMPP hub, the carrier SMPP gateway and another wireless carrier, and only a few SMS-Cs are marked “Utilized”]

  29. Issue: SMS Prepaid Overload
     [Diagram: Other Carrier → Serving MSC → STP → Target MSC / SMS-C with prepaid checks on the MO routing path; utilization labels 100%, 90%, 85%; the Prepaid Platform can’t keep up with the volume of prepaid queries]

  30. What do I look for?

  31. SMS Fraud Cases
     • SMS flooding
       • A massive load of messages to one or several destinations
       • Usually SPAM
       • Flooding the network will cause congestion in the signaling network, resulting in service disruptions
       • SMS messages are large and consume valuable SS7 resources
     • SMS faking
       • SCCP or MAP addresses are manipulated
       • Invalid, or taken from a real existing message
       • Originated from the international SS7 network and terminated to a mobile network
     • SMS spoofing
       • SMS MO with a manipulated A-MSISDN (real or invalid)
       • Coming into the home network from a foreign VLR (real or invalid SCCP address)
       • Method used for sending floods of SPAM messages

  32. How do I solve it?

  33. Addressing SMS issues
     • Impacts the signaling network
       • Peak SMS periods result in excess SMSC capacity → SMG MO-FDA Offload
       • Flood attacks are simple to initiate using SMS → IAS SMS Suite coupled with GSM MAP Screening
       • Impacts the signaling network, resulting in service disruptions
       • Smaller networks are more at risk than larger networks due to lower investment in the signaling network
     • Impacts Revenue!
       • Prepaid SMS is the trickiest due to limitations on the SMSc platforms → SMG Real Time Prepaid Rating Engine
       • Fraudsters have already identified issues with the platforms and are exploiting them → GSM MAP Screening stops or redirects SMS

  34. IAS SMS Suite - SMS Flooding
     • Automatically search for the top 10 SMS originators every 5 minutes
     • Generate an alarm when the % of SMS traffic reaches a predetermined threshold
     • Stop the flooding with GSM MAP Screening in the Eagle (SMS Firewall)
       • CdPA, CgPA and Op Code Screening
       • 1000 individual and 1000 ranged entries

  35. IAS SMS Suite - SMS SPAM
     • Look for SMS originating from a source other than a mobile phone
     • The assumption can be made that if the origination is an ISDN device (identified via the signaling data) and there is a high volume of SMS from the same source, then the content is SPAM
     • Stop or redirect the SMS SPAM with GSM MAP Screening in the Eagle (SMS Firewall)
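Slides 34 and 35 describe two rules over the same MO SMS signaling feed: rank the top 10 originators in each 5-minute window and alarm when one of them exceeds a percentage of the window's traffic, and treat a high-volume non-mobile (ISDN) originator as SPAM. The following is an added example implementing both rules, not code from the presentation or from the IAS SMS Suite; it runs over constructed records carrying the originator address and a source type already derived from the signaling data, and the 20 % share and 50-message thresholds are assumptions. The screening entries it emits are generic dictionaries, not the Eagle's configuration format.

```python
"""Five-minute top-N originator analysis for SMS flooding and SPAM.

Added example, not part of the presentation and not a vendor's code.
The share and count thresholds are assumptions; the records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW_S = 300        # 5-minute analysis window (slide 34)
TOP_N = 10            # top originators per window (slide 34)
ALARM_SHARE = 0.20    # assumed: alarm when one originator is >= 20 % of a window's traffic
SPAM_MIN_COUNT = 50   # assumed: ISDN source with >= 50 messages in the sample is SPAM


@dataclass(frozen=True)
class MoSms:
    ts: int            # submission time, seconds
    originator: str    # A-MSISDN / calling-party address from the signaling data
    source: str        # "mobile" or "isdn", derived from the signaling data


def by_window(records):
    """Group records into consecutive 5-minute windows keyed by window index."""
    wins = defaultdict(list)
    for r in records:
        wins[r.ts // WINDOW_S].append(r)
    return wins


def top_originators(records, n=TOP_N):
    return Counter(r.originator for r in records).most_common(n)


def flood_alarms(records, share=ALARM_SHARE):
    """(window, originator, count, share) for every top-N originator over the threshold."""
    alarms = []
    for win, recs in sorted(by_window(records).items()):
        total = len(recs)
        for orig, cnt in top_originators(recs):
            if cnt / total >= share:
                alarms.append((win, orig, cnt, round(cnt / total, 2)))
    return alarms


def spam_suspects(records, min_count=SPAM_MIN_COUNT):
    """Originators that are not mobile phones and send a high volume (slide 35 rule)."""
    counts = Counter(r.originator for r in records if r.source == "isdn")
    return sorted(o for o, n in counts.items() if n >= min_count)


def screening_entries(originators):
    """Generic CgPA block list for an SMS firewall (not a vendor configuration format)."""
    return [{"cgpa": o, "action": "block"} for o in sorted(set(originators))]


# Constructed sample: window 0 holds a flood from one MSISDN on top of normal
# traffic (50 users, 4 messages each); window 1 holds normal traffic from 30
# users plus a high-volume ISDN source that stays under the flood share.
SAMPLE = (
    [MoSms(t, "49170000001", "mobile") for t in range(0, 200)]
    + [MoSms(t, f"4917100{t % 50:04d}", "mobile") for t in range(0, 200)]
    + [MoSms(t, "4930000001", "isdn") for t in range(300, 360)]
    + [MoSms(t, f"4917200{t % 30:04d}", "mobile") for t in range(300, 600)]
)

if __name__ == "__main__":
    alarms = flood_alarms(SAMPLE)
    print("flood alarms:", alarms)
    print("spam suspects:", spam_suspects(SAMPLE))
    print("firewall entries:", screening_entries([a[1] for a in alarms] + spam_suspects(SAMPLE)))
```

The ISDN source in window 1 is below the flood share yet still caught by the SPAM rule, which is why the slides keep the two checks separate: a flood is a share-of-traffic problem for the signaling network, SPAM is a source-type-plus-volume problem regardless of share.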

  36. SMS Spoofing
     • Number of SMS submitted from subscribers abroad, per roaming partner
       • Real-time traffic measurement
       • Alarm generation on traffic increase
     • Comparison of the number of Location Updates received and the number of SMS submitted
       • From PLMN subscribers abroad, per roaming partner
       • Real-time compared traffic measurement
       • Alarm generation on focused traffic increase
     • Measure the number of invalid MSISDNs that submit an SMS to the SMS-C over a specific period
       • Real-time traffic measurement of an abnormal load of requests or rejects
       • Alarm generation on a spoofing attack condition
     • Redirect spoofing to an off-board platform with GSM MAP Screening Redirect
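The spoofing measurements above rest on one observation: a genuine roamer must have registered (Location Update) through the partner's VLR before it can submit SMS from there, and its A-MSISDN must exist in the home HLR. The following is an added example, not code from the presentation or any vendor: it computes the SMS-per-Location-Update ratio per roaming partner and counts submissions from MSISDNs the home network does not know. The HLR is a constructed set of subscribers, and both thresholds (20 SMS per Location Update, 5 invalid MSISDNs per period) are assumptions.

```python
"""SMS spoofing indicators: SMS-vs-Location-Update ratio per roaming partner
and invalid-MSISDN submissions.

Added example, not part of the presentation and not a vendor implementation.
The HLR view and both thresholds are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

MAX_SMS_PER_LU = 20.0       # assumed: more SMS per Location Update than this is abnormal
MAX_INVALID_PER_PERIOD = 5  # assumed: alarm when more invalid MSISDNs than this submit

HOME_SUBSCRIBERS = {f"491700000{n:03d}" for n in range(200)}  # constructed HLR view


@dataclass(frozen=True)
class LocationUpdate:
    msisdn: str
    partner_plmn: str    # roaming partner whose VLR sent the update


@dataclass(frozen=True)
class SmsSubmission:
    msisdn: str          # A-MSISDN presented in the MO SMS
    partner_plmn: str    # roaming partner whose VLR / SCCP address it came from


def is_valid_msisdn(msisdn: str) -> bool:
    """Plausible E.164 shape and known to the home network (constructed HLR)."""
    return msisdn.isdigit() and 8 <= len(msisdn) <= 15 and msisdn in HOME_SUBSCRIBERS


def sms_per_location_update(updates, submissions):
    """Ratio of SMS submitted to Location Updates received, per roaming partner."""
    lu = Counter(u.partner_plmn for u in updates)
    sms = Counter(s.partner_plmn for s in submissions)
    return {p: (sms[p] / lu[p] if lu[p] else float("inf")) for p in sms}


def ratio_alarms(updates, submissions, limit=MAX_SMS_PER_LU):
    """Partners whose SMS volume is out of proportion to their registrations."""
    return sorted(p for p, r in sms_per_location_update(updates, submissions).items() if r > limit)


def invalid_msisdn_submitters(submissions):
    """Distinct A-MSISDNs that submitted SMS but are not valid home subscribers."""
    return sorted({s.msisdn for s in submissions if not is_valid_msisdn(s.msisdn)})


def spoofing_alarm(updates, submissions):
    """Combined verdict for the period, with the evidence behind it."""
    invalid = invalid_msisdn_submitters(submissions)
    return {
        "partners_over_ratio": ratio_alarms(updates, submissions),
        "invalid_msisdns": invalid,
        "invalid_count_alarm": len(invalid) > MAX_INVALID_PER_PERIOD,
    }


# Constructed sample period: partner A behaves normally (2 SMS per roamer),
# partner B shows a burst of SMS behind a single registration, and partner C
# submits SMS from MSISDNs the home HLR has never seen.
UPDATES = (
    [LocationUpdate(f"491700000{n:03d}", "plmn-a") for n in range(100)]
    + [LocationUpdate("491700000150", "plmn-b")]
)
SUBMISSIONS = (
    [SmsSubmission(f"491700000{n:03d}", "plmn-a") for n in range(100) for _ in range(2)]
    + [SmsSubmission("491700000150", "plmn-b") for _ in range(300)]
    + [SmsSubmission(f"4915500000{n:02d}", "plmn-c") for n in range(8)]
    + [SmsSubmission("123", "plmn-c")]
)

if __name__ == "__main__":
    print(sms_per_location_update(UPDATES, SUBMISSIONS))
    print(spoofing_alarm(UPDATES, SUBMISSIONS))
```

A partner with SMS but no Location Updates at all (the ratio is infinite) is the strongest signal, since nothing registered there; the redirect action on the slide then sends that partner's MO SMS to an off-board platform for inspection instead of into the SMS-C.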

  37. SMS Summary
     • SMS will increase
     • The impact is already being realized by major operators
     • The effect is not limited to wireless; wireline operators can also be affected
     • Visibility of the traffic from the network is critical
       • The visibility must come from monitoring tools that have access to the network signaling data
       • Switch-based and node-based records are no good for these types of real-time studies
     • Proactively address SMS issues in the network

  38. Scams
     • Bluetooth Hacking / BlueSnarfing
     • Spoofing
     • Pharming
     • Phishing / Wi-Phishing
     • Spam / SPIM / SPIT
     • Trojans
     • Get Rich Quick (With Little Effort)

  39. Bluetooth Hacking Facts
     • Devices in Non-discoverable or Hidden Modes Are Vulnerable
     • Pairing is Not Required to Exploit Vulnerabilities
     • Vulnerabilities are Well Known; Information is Available Widely on the Web
     • Multiple Tools Are Available Publicly to Exploit Known Vulnerabilities

  40. BlueSnarfing
     • Mobile Phone Bluetooth Attacks
       • Reading/Writing Phone Book Entries
       • Reading SMS Stored on the Device
       • Sending (Premium) SMS Messages
       • Setting Call Forward (Predefined Number), e.g., +49 1337 XXXX
       • Initiating Phone Calls (Predefined Number), e.g., 0900 284 8283

  41. Spoofing
     • The Fraudster Uses a CLI/Caller-ID Device to “spoof” the Legitimate Customer’s Telephone Number or Business
     • Result:
       • Social Engineering at its Best
       • Fools Customers into Thinking that the Call Originated from a Bank, so they may Divulge Personal Information
       • Impacts Emergency Services

  42. Pharming
     • The Site Appears to be Legitimate
     • Internet Users are Forcibly Redirected to Sites Chosen by the Hacker
     • Result:
       • Divulge Personal Information
       • Incur Added Costs

  43. Phishing / Wi-Phishing
     • Phishing – a Means of Enticing People to Provide Personal Information (email, website, or other)
     • Wi-Phishing – Using a Wireless-Enabled Laptop or Access Point to get Data from, or Introduce Malicious Code to, Wireless-Enabled Laptops

  44. SPAM / SPIM / SPIT
     • SPAM – Unsolicited, and usually unwanted, commercial e-mail
     • SPIM – Unsolicited Instant Messages
     • SPIT – SPAM over Internet Telephony
     • Result:
       • Annoying
       • Can be Used for a Denial of Service Attack

  45. Trojans
     • New Variation for Mobile Phones
     • Distributed via file-sharing or IRC
     • The Trojan Tries to Install a Corrupted File onto the Infected Phone, Causing it to Fail at the Next Reboot
     • Damages the Application Manager, Preventing New Programs from being Installed and Stopping the Trojan from being Uninstalled

  46. Get Rich Quick With Little Effort
     • Lottery Winners
     • Political Refugees
     • Inheritance
     If it sounds too good to be true, it is! Ask yourself, “Did you buy a lottery ticket?”

  47. Why Do Some Experts Estimate That Fraud May Grow?

  48. What Types of Fraud are You Seeing?

  49. Presentation Contribution Credits
     • Travis Russell, Tekelec
     • Bob Delaney, Tekelec
     • Tal Eisner, ECtel
     • Clemmie Scott, AT&T
     • Carlos Lowie, Belgacom
