There are certain things that mobile network operators don't like to talk about. Revenues generated from adult content, under performing business units or disappointing service uptake are the types of prickly subject that tend to get swept under the PR carpet. But the issues of fraud and security probably top the list of things most likely to be kept tightly under wraps. Vendors, on the other hand, are keener than ever to bring these subjects to the fore.

March 31, 2008

15 Min Read
Mobile fraud: Phone loving criminals

By Sean Jackson

There are certain things that mobile network operators don’t like to talk about. Revenues generated from adult content, under performing business units or disappointing service uptake are the types of prickly subject that tend to get swept under the PR carpet. But the issues of fraud and security probably top the list of things most likely to be kept tightly under wraps. Vendors, on the other hand, are keener than ever to bring these subjects to the fore.

Broadly speaking, fraud and security issues fall into one of two camps. In the first sit the anti-malware vendors. Internet security firms, such as McAfee, Sophos and F-Secure, are making a lot of noise about the potential damage that malignant viruses, Tojans or other internet-style spam and scams will cause as they infiltrate the mobile handset population. It is this camp that catches the public’s attention and imagination. Consumers are well aware of the same issues in the desktop environment, and so as a result they can appreciate the potential for personal loss.

Meanwhile, over in the second camp sit the network and roaming vendors, firms such as Comptel, Roamware and Newport Networks. Their primary concern is centred on various types of subscription and revenue share roaming fraud. Their public profile is a lot lower than the first set of vendors, since the subject area is of negligible concern to the majority of consumers. Yet the costs for operators of these low-key frauds dwarf the costs incurred due to malware attacks.

The two camps, while falling under the same fraud and security umbrella, are largely unrelated. “Fraud is a very wide term for a carrier,” says Jan Volzke, global marketing manager, McAfee Mobile Security. “A major share of fraud within a carrier is not caused by malicious content, like viruses and spyware, but by criminal activity such as roaming fraud and SIM card cloning. The biggest mobile security risks are also different carrier versus consumer.”

McAfee presented the results of its annual Mobile Security Report at this year’s Mobile World Congress in Barcelona. The report, carried out in conjunction with analyst house Datamonitor, states that 86 per cent of the 2,000 mobile consumers it surveyed across the UK, US and Japan are worried about security risks posed to their mobile handset, with 79 per cent knowingly using unprotected devices. Consumers feel threatened, it seems, but not enough to do anything about it.

The onus of responsibility – according to McAfee – falls fairly and squarely with the operators. This notion is backed up by consumers, 60 per cent of those polled by Datamoniter felt that the carriers should protect the devices using their networks. In this respect then the cellular industry is the polar opposite of the ISP world when it comes to protection.

While PC owners are expected to look after their own security, those same people seem to want the mobile network operators to front the cost of antivirus software on their handsets. This imbalance almost certainly stems from the fact that the carriers still own the customers, handset roll outs are still heavily subsidised and the mobile internet still tends to operate in a walled garden environment.

There is a chance that, if and when we move towards a fat pipe future with network agnostic devices, attitudes towards handset protection will change. For the foreseeable future though, operators need to take the lead. Though this is not necessarily all bad news, since where there are threats, there are opportunities.

If, as McAfee suggests, consumers feel worried by the threats posed to handset security, and believe that it is the responsibility of the carriers to protect those handsets, then those same carriers could exploit the situation by offering security as a service add-on, that’s certainly the message coming from some parts of the anti-virus vendor marketplace. At the moment though, it is not happening. “The carriers may well say it’s down to the user to make sure they don’t click. But equally, if you’re going to take a service from somebody and that service is directing your call through a switch, you’d feel a damn sight more secure if the provider had a black list of numbers,” says Dave Gladwin, security expert at session border control manufacturer Newport Networks, “It’s a bit like 20 years ago; people said that safety didn’t sell cars. Try and tell that to people today.”

It is possible to divide handset security into roughly three areas: protecting data stored on the device from falling into the wrong hands – known as ‘lock and wipe’ – protecting the handset from attack using antivirus or firewall technology, and finally back up and restore, where information is captured in a secure space in the operator’s network and in the event that a subscriber’s phone is lost or stolen, that same valuable data can be recovered.

“Consumers are obviously interested in lock and wipe,” says David Ginsburg, VP marketing and product line management at device management firm InnoPath. “Even if you just have a feature phone, you’re using it to store all your information, or you have a bunch of interesting photos on there, the last thing you want is that stuff ending up on MySpace or YouTube. That is something that the operator can offer as a customer satisfaction add-on or something the consumer is willing to pay for.”

There is certainly a lot of noise being made in the malware camp about antivirus firewalls. The noise is focused on Windows Mobile, Symbian and Linux-powered devices rather than non-smartphones. “Every week we hear about a new type of attack. At the end of the day, though there is a lot of reporting on it, we don’t see it being a major issue,” says Ginsburg. “However, as people get more comfortable with email, email attachments and browser use, I think they’re going to be more open to attack because the vectors of attack are going to be that bit more obvious on handset right now.”

According to Ginsburg, back up and restore is tangentially related to security. “It is something a number of operators are interested in offering. This is something that could be bundled into a lock and wipe service,” he adds.

Two further issues of security that occasionally crop up are spam and phishing. As with their equivalents in the online world, mobile spam and phishing are generally little more than an annoyance to the consumer. Although, the former may be more problematic for the operators, Ginsburg says: “I saw reports from one European operator that 15 per cent of the messaging on the backbone was spam.” The latter is best avoided by employing common sense. However, relying on subscribers’ awareness is tricky territory for the operator. When subscribers are duped, they tend to hold their carrier or financial service provider if not responsible, then certainly liable.

Fortunately, for the carriers and subscribers alike, the problems with handset security outlined above are rarely encountered. “We first saw malware for mobile phones appear at the beginning of this century,” says Graham Cluley, senior technology consultant, Sophos. “But they have always been largely proof of concept. So written by kids mostly to show off.”

Of course whenever these ‘kids’ release one of their creations onto an unsuspecting world, one of the antivirus vendors will issue a press release warning the population at large that it needs to be prepared for the worst, it’s this type of warning that tends to get picked up by the mainstream press, but it doesn’t necessarily mean that it is much of a threat. Cluley estimates that there are about 200 known mobile phone viruses currently running ‘wild’, this compares to over 300,000 for Windows.

“I think the criminals simply thought ‘well yes we could write viruses for mobile phones, but they’re unlikely to give us as good a return as the viruses for Windows at the moment’,” says Cluley. “Because with mobile phones you have to think about the different operating systems and the different devices. Many of the phones out there simply aren’t compatible with each other, so you are instantly narrowing your market of how many people you can infect.”

Anton von Troyer, solution marketing manager, F-Secure agrees with Cluley: “If you talk about mobile viruses, the problem hasn’t really exploded as was perhaps forecasted a few years back.”

According to von Troyer there are two key reasons for a lack of malware in the mobile space: “First, the operating system vendors, such as Symbian, have taken quite good steps forward in protecting the operating system itself. So they have been able to stop quite a few viruses from spreading. Second, people are more sceptical, they’re quite savvy about the threat that they have on PCs, so they’re not as trusting on their mobiles, even though they have less experience. There has been a lot of coverage in the press about mobile viruses, so the general public awareness is quite high.”

Sophos’s Cluley says: “We think the security industry has been guilty of over-hyping the mobile malware threat. It is something to consider, but it is probably a long way down your list of priorities when considering the other threats that are happening right here, right now.”

It would be imprudent, however, for operators to completely ignore the potential threats, as InnoPath’s Ginsburg warns: “As advanced services become more widespread and smartphone penetration grows, so the number and sophistication of the threats will go up. Twenty years ago the first internet worm surfaced and it brought into people’s consciousness the awareness that the internet could suffer an attack and security was important. I think sometime in the next few years, there may be an attack against smartphones that has legs and burns that awareness into people’s consciousness.”

The malware camp may well be making all the noise, but according to some, roaming fraud is a much bigger problem. Olivier Suard, marketing director of OSS firm Comptel certainly thinks so: “Generally with fraud of any type, as with revenue leakage, the operators don’t want to say anything that would influence their share price. If you admit to suffering from fraud, you are admitting to having problems with your systems. I don’t think the operators talk about malware either, but it is more prominent because everyone seems to experience it. Not many people have experience of roaming fraud.”

A typical example of subscription fraud stems from identity theft. Typically an individual will approach an operator or reseller and, using fake ID, acquire a post-paid subscription, they then generate calls that are extremely expensive with no intention of paying any bill. Sometimes the resellers themselves are involved in this type of fraud. Another common network fraud involves staff or personnel working for the operator defining the parameters on a subscription and allowing free calls.

Adding an additional layer of sophistication to basic subscription fraud is revenue share roaming fraud. A criminal syndicate uses falsely obtained accounts or accounts obtained with cash that needs laundering to automatically call a premium line that they have set up in a different market.

Alex Monedero, director of technology, Roamware, provides anecdotal evidence of the figures involved in a typical revenue share roaming fraud: “Fifty stolen SIM cards calling six premium or satellite numbers per day at four per minute, with existing anti fraud techniques, would cost the operator ???2.8m.

“As you can imagine,” adds Monedero, “people will not assume the risk of going to jail for a small amount of money.”

Accurate figures are hard to uncover in this field. Comptel’s Suard says he’s seen Staffordshire University research pegging worldwide industry losses due to fraud at $40bn per annum, while figures released in March 2006 by the Communications Fraud Control Association estimate that annual global fraud losses in the telecoms sector were between $56bn and $60bn.

So, is the situation improving? “If anything it has gotten worse over the years,” says Jarkko Leppalahti, director of Comptel’s convergent and mediation business. “Thanks to the network evolution and capability of the network to offer more advanced services which opens up more opportunities for fraud.”

Kurt Ruecke, a spokesperson for Deutsche Telecoms’ IT services company T-systems, explains why T-Mobile USA recently implemented his firm’s Minotaur risk management tool: “The average revenue leakage among global telecoms operators is estimated at 13.6 per cent. Fraud is the single largest area of this revenue leakage at 4.5 per cent.”

According to Ruecke, subscription fraud is the most prevalent fraud type. However, he adds that subscription fraud is often the starting point for many other frauds, “therefore, catching fraudsters at application stage greatly reduces fraud levels.”

A number of initiatives have been taken up over the years to combat subscription and revenue share roaming fraud. One simple solution is barring foreign calls to premium numbers. It’s straightforward enough, if an operator restricts access to premium numbers in a foreign market then the fraud becomes less attractive, and the fraudsters need to search for alternatives. However, the problem the industry is facing is that not all operators are implementing such counter measures and even if they do implement them, it is sometimes wrongly configured, so the fraud still happens. It’s not ideal solution even when it does work, since successful call barring reduces genuine revenue opportunities.

Most of the traditional anti-fraud systems in the telecoms industry are based on massive data processing and data mining technologies that enable carriers to compare call data records (CDRs) looking for high usage rate patterns. Unfortunately, those systems are far from ideal since they’re completely reactive. In other words, operators only know what has gone on once it has happened, so they’re closing the stable door as much as 36 hours after the horse has bolted. Additionally, sophisticated fraudsters will have systems in place that automatically alter the usage patterns.

An alternative to traditional anti-fraud systems that does not rely on heavily time-lagged data exchange, is a set of standards known as Customised Applications for Mobile Enhanced Logic (Camel). These are deployed on GSM networks and enable Intelligent Network services. Essentially, the home network has full call control of a roaming subscriber. Camel’s downfall centres on its lack of footprint. Only a limited number of carriers have deployed it, so typically operators would have around 400 roaming agreements and only 70 to 100 Camel agreements. So carriers are exposed to fraud because they do not have worldwide coverage.

Finally, there exists a solution put forward by industry trade body the GSM Association. The Near Real-Time Roaming Data Exchange (NRTRDE) was introduced to solve all the above issues. The Association recommended in August 2007 that its 700 members should introduce “a new, much more efficient approach to exchanging roaming call records.” With a deadline of October 1st 2008, GSMA member operators need to be able to exchange roaming information with roaming partners in under four hours. “Under four hours” is still some way off “near real time”, however, this window of fraud opportunity is down from the current standard High Usage Records data exchange time of 36 hours.

In an attempt to avoid the footprint problems encountered with Camel, for the NRTRDE the GSMA introduced an interesting new concept to roaming fraud protection: a liability shift. Meaning, if the visited network involved in a roaming fraud is unable to inform the home network in under four hours, then it is liable for the cost of the fraud.

Not surprisingly, the driving force behind the introduction of the NRTRDE came from the larger more influential carriers that make up the GSMA’s membership, the same group who have the financial resources to introduce NRTRDE compliant systems. While the smaller carriers, which are also more likely to be carriers in countries where roaming fraud originates – the top five such countries according to Roamware’s Monedero are Pakistan, India, Bangladesh, Cuba and the Philippines – do not have the financial resource to overhaul their billing systems.

It’s unlikely that the majority of the GSMA’s 700 strong operator membership will be anywhere near NRTRDE compliant by October 2008. Roamware’s Monedero certainly thinks not: “According to the surveys that we’ve seen it is very unlikely that operators will have that functionality in time, so it is going to take a long time before you are protected. Because if you really want to be protected it means that all your roaming partners need to have NRTRDE, and there are a number of developing countries with very limited capex to invest on the business. They will not focus on somebody else’s problems, they will focus on their own business.

“Everybody in the industry knows that if they do not send the NRTRDE files and a fraud is committed, then you have two options: go to court and terminate the roaming agreement or assume the fraud,” he says.

Comptel’s Leppalahti agrees: “The deadline is October 2008 and based on our experience with our customers and where they are going with the NRTRDE initiative, the majority of Joe Average operators do not have concrete plans for rolling out NRTRDE to solve the problem.”

The initiative has at least given the subject more attention, however, and there have been some big wins, including Vodafone – which is playing a key role in defining the standard. Leppalahti says: “I think it is coming and the roadmap is there, but the majority of the Tier 2 operators haven’t done anything. Most are looking for the easy way out, which is not so good in the long term.”

One solution for a quick fraud protection fix, as with many other ‘non-core’ services, could be to outsource to a third party. Whether or not a carrier would feel comfortable with this is debatable. For now though, it looks as though fraud and security – of all types – will remain closely guarded issues. At least as far as the carriers are concerned.

Read more about:

Discussion

You May Also Like