global workshop what are the other top industry fraud types? cliff jordan and travis russell
TRANSCRIPT
Global Workshop
What are the Other Top Industry Fraud Types?
Cliff Jordan and
Travis Russell
2
Global Workshop
Topics
Challenges Statistics Premium Rate Service (PRS)
Fraud By-Pass SMS Fraud and Related Issues Scams
3
Global Workshop Fraud Management Challenge
Fraud Cases* 50% External 50% Internal
Fraud High Volatility Changing Technology Changing Techniques
Continuously Changing Characteristics One-Time Organized Event ‘Menu’ Approach to Committing Fraud
*IDC March 2003
4
Global Workshop
Wireless Fraud Spectrum By Type
Dealer
7%
Subscription
34%
Prepay
5%
Roaming
13%
Social Engineering
2% SMS
5%I nterconnect
7% Credit Card
3%
I nternal
6%
Other
5%
PRS
13%
5
Global Workshop
Premium Rate Service (PRS)*
Commissions to PRS Owner is Based on Total Minutes of Use Minus Cost of Service
National Identified by Unique NXX/exchange. e.g., 9xx
International PSTN (Public Switched Telephone Number) International Locations, Usually with High
Settlement Rates. Legitimate Except …..
Caller Does Not Pay or There is Misrepresentation
* also called “Revenue Sharing Fraud”
6
Global Workshop
Large Scale Mobile Operator 15 Handsets Calling Non-stop to 500 PRS
Numbers No Charge To Calls Less Then 2 Seconds Duration of each Call is 1 Second Over 24,000 Calls per Handset, per Day. Potential Losses were Over $5 M
Case Study - Technical PRS
500 PRS Numbers (Fraudsters)
Mobile Network
FMSCalling Mobile Stations
(Fraudsters)
7
Global Workshop
Prepaid Fraud
Main Risks: Recharge With Stolen Credit Cards
This is a CNP Transaction, and the Operator is Liable
Large Amount of Chargebacks can Cause the Service Provider to Be Fined
Stolen Prepaid Cards Fake Prepaid Cards Recharge With Stolen/forged Vouchers False Recharges Using Internal Fraud
Can Involve Employees and Dealers Configuration Changes: HLR vs. Billing
8
Global Workshop
By-Pass Methods
Methods Discussed are: Interconnect Settlement Fraud
(Carrier Fraud) Bypass via Illegal Landing Call-Back
9
Global Workshop
Local Exchange
Called Parties
Callers
Remote International Network
Interconnect Exchange
National Call
Interconnect Exchange
A-number A-number ManipulationManipulation
National callwith
Manipulation of the
A-number
““Interconnect Settlement Interconnect Settlement FraudFraud””
The Fraud: An international long The Fraud: An international long distance call appears as national distance call appears as national and is financially “settled” as if it and is financially “settled” as if it were a national call at a cheaper were a national call at a cheaper rate.rate.
Unethical Carrier Network
Victim Carrier Network
International Gateway
By-Pass Methods
10
Global Workshop
By-Pass Methods
Interconnect Settlement Fraud: Benefits to Fraudster (Unethical
Carrier): Inexpensive Termination Costs
Local Call Rates instead of International Call Rates
11
Global Workshop
Victim’s Network
Remote International
Network
Service Platform(Calling cards, pre-
paid)
Callers
Local call
Local Exchang
e
Called Parties
Local Exchang
e
PBX
““By-PassBy-Pass via Illegal Landingvia Illegal Landing””
The Fraud: An unlicensed carrier The Fraud: An unlicensed carrier terminates international long distance terminates international long distance calls as local calls by-passing the legal calls as local calls by-passing the legal route.route.
Illegal Call
Routing! Internet
By-Pass Methods
12
Global Workshop
By-Pass Methods
By-Pass via Illegal Landing:
Benefits to Fraudster (unlicensed carrier): Inexpensive Termination Costs
Local Call Rates instead of Intl Call Rates Tax Avoidance
Many countries charge taxes for inbound Intl calls. The unlicensed carrier does not report calls and therefore does not pay taxes.
Use of VoIP is less expensive than satellite usage.
13
Global Workshop By-Pass By-Pass MethodsMethods
Victim’s Network
Rest of World
Call-Back Country
Legal Call Routing!
““By-PassBy-Pass via Call-Backvia Call-Back””
14
Global Workshop By-Pass By-Pass MethodsMethods
Victim’s Network
Rest of World
Call-Back Country
PBX
““By-PassBy-Pass via Call-Backvia Call-Back””
Step 1: A caller sends “Initiation Message” to PBX in CallStep 1: A caller sends “Initiation Message” to PBX in Call --Back Country via: uncompleted call to specific DNR Back Country via: uncompleted call to specific DNR or SMS message or EMAIL or Internetor SMS message or EMAIL or Internet
Initiation Message
15
Global Workshop By-Pass By-Pass MethodsMethods
Victim’s Network
Rest of World
Call-Back Country
PBX
““By-PassBy-Pass via Call-Backvia Call-Back””Step 1: A caller sends “Initiation Message” to PBX in CallStep 1: A caller sends “Initiation Message” to PBX in Call --
Back Country via: uncompleted call to specific DNR Back Country via: uncompleted call to specific DNR or SMS message or EMAIL or Internetor SMS message or EMAIL or Internet
Step 2: PBX makes call to the caller.Step 2: PBX makes call to the caller.
Step 3: Caller signals via DTMF the destination numberStep 3: Caller signals via DTMF the destination number
011-44-23456789
16
Global Workshop By-Pass MethodsBy-Pass Methods
Victim’s Network
Rest of World
Call-Back Country
PBX
““By-PassBy-Pass via Call-Backvia Call-Back””
Step 4: PBX opens a second line and calls the destination Step 4: PBX opens a second line and calls the destination number.number.
Step 5: PBX conferences the two calls togetherStep 5: PBX conferences the two calls together..
Step 6: Caller Pays Call-Back company in Call-Back Step 6: Caller Pays Call-Back company in Call-Back Country!Country!
011-44-23456789
44-23456789
17
Global Workshop
By-Pass Methods
By-Pass via Call-Back:
Benefits to Fraudster (Call-Back Company):
Worldwide Penetration without Network Costs
Tax Avoidance Clients do not have to pay LOCAL
taxes for their Long Distance service.
Global Workshop
Managing SMS
19
Global Workshop What is SMS?
Short Messaging Service (SMS)
Very popular, mostly outside U.S.A.
Gaining popularity in North America among younger generation
Recognized communications method of choice for criminal activities (including terrorists)
SS7 is the bearer path for SMS 3G/4G Messaging may include
video, audio, text, or voice
20
Global Workshop
What is SMS?
SMS is also the vehicle for delivering content
Subscriber dials a “short code” that is assigned within a carrier’s network to a content provider
The short code is sent via signaling network (i.e., SS7) through the network to a portal for the content provider
Content is then delivered via IP or some other technology to the carrier for final delivery to the subscriber
Global Workshop
How does SMS work?
22
Global Workshop
RA
NR
AN
RA
NR
AN MSC
MSC
MSC
MSC
STP
STP
SMS-c
HLR
Mobile Originated Phase
Mobile originated SMS
Transported via SS7 to the SMSc
23
Global Workshop
RA
NR
AN
RA
NR
AN MSC
MSC
MSC
MSC
STP
STP
SMS-c
HLR
Mobile Terminate Phase
Destination may be another subscriber or an application
SMSc responsible for routing to destination
Queries HLR to find subscriber
Global Workshop
Why is SMS an issue?
25
Global Workshop
Why is SMS an issue?
Impacts signaling network Peak SMS periods result in excess SMSC capacity Flood attacks are simple to initiate using SMS,
especially via the Web Impacts the signaling network, resulting in service
disruptions Smaller networks may be more at risk than larger
networks due to lack of security investment in the signaling network
Impacts Revenue! Prepaid SMS is trickiest due to limitations on SMSc
platforms Some Prepaid charging is sometimes done after the
message is delivered Fraudsters have already identified issues with
platforms and are exploiting
26
Global Workshop
SMPPApplication
100%
MO
MTRouting
SMS-C
85%
10%5%
90%
SMPPGateway
MOMO
RoutingRouting
MO and Routing
components got
overloaded
STP
TargetMSC
ServingMSC
Other Carrier
Issue: Message Center Overload
IP
27
Global Workshop
Inte
nsit
y
Time
Engineered for 5
SMS-C
MO
Mobile-to-Mobile traffic
MO
MTRouting
SMS-CVoting
Voting VotingMT
Carrier to carrier
Mobile-to-Application Voting traffic
Issue: Bursty Traffic Impacts Network
28
Global Workshop
RA
NR
AN
RA
NR
AN MSC
MSC
MSC
MSC
STP
STP
SMS-C
HLR
Result Excess SMSC Capacity
SMPP AppVoting
SMPP AppRing tone
SMPPGateway
RA
NR
AN
RA
NR
AN MSC
MSC
MSC
MSC
STP
STP
SMS-C
HLR
OtherWirelessCarrier
SMS-C
SMS-C
SMS-C =Utilized
SMS-C =Not Utilized
SMS-C
……
…
IP SMPPHub
Carrier
29
Global Workshop
PrepaidPlatform
100%
MO
MTRouting
SMS-C
85%
90%
SMPPGateway
PrepaidChecks
PrepaidChecks
Can’t keep up with volume of prepaid
queries
STP
TargetMSC
ServingMSC
Other Carrier
Issue: SMS Prepaid Overload
IP
Global Workshop
What do I look for?
31
Global Workshop
SMS Fraud Cases SMS flooding
A massive load of messages to one or several destinations Usually SPAM
Flooding the network will cause congestion in the signaling network resulting in service disruptions
SMS Messages are large and consume valuable SS7 resources SMS faking
SCCP or MAP addresses are manipulated Invalid or taken from a real existing message
Originated from the international SS7 network and terminated to a mobile network
SMS spoofing SMS MO manipulated A-MSISDN (real or invalid) Coming into the home network from a foreign VLR (real or
invalid SCCP Address) Method used for sending floods of SPAM messages
Global Workshop
How do I solve it?
33
Global Workshop
Addressing SMS issues Impacts signaling network
Peak SMS periods result in excess SMSC capacity SMG MO-FDA Offload
Flood attacks are simple to initiate using SMS IAS SMS Suite coupled with GSM MAP Screening
Impacts the signaling network, resulting in service disruptions Smaller networks more at risk than larger networks due to
investment in the signaling network Impacts Revenue!
Prepaid SMS is trickiest due to limitations on the SMSc platforms
SMG Real Time Prepaid Rating Engine Fraudsters have already identified issues with platforms and
are exploiting GSM MAP Screening stops or redirects SMS
34
Global Workshop
IAS SMS Suite - SMS Flooding
Automatically search for the top 10 SMS originators every 5 minutes Generate alarm when the % of SMS traffic reaches a predetermined
threshold Stop the Flooding with GSM MAP Screening in the Eagle (SMS Firewall)
CdPA, CgPA and Op Code Screening 1000 individual and 1000 ranged entries
35
Global Workshop
IAS SMS Suite - SMS SPAM
Looking for SMS originating from a source other than a mobile phone
Assumption can be made that if the origination is an ISDN device (identified via the signaling data) and there is a high volume of SMS from the same source, then the content is SPAM
Stop or Redirect the SMS SPAM with GSM MAP Screening the Eagle (SMS Firewall)
36
Global Workshop
SMS Spoofing
Number of SMS submitted from subscriber abroad per Roaming partner
Real time traffic measurement Alarm generation on traffic increase
Comparison of the number of Location Updating received and the number of SMS Submitted
From PLMN subscribers abroad per Roaming partner Real time compared traffic measurement Alarm generation on focused traffic increase
Measure the number of invalid MSISDN who submit a SMS to the SMS-C for a specific period
Real time traffic measurement of abnormal load of request or reject
Alarm generation on spoofing attack condition Redirect Spoofing to an off board platform with GSM MAP
Screening Redirect
37
Global Workshop
SMS Summary
SMS will increase Impact is already being realized by major operators Effect is not limited to wireless; wireline operators
can also be effected Visibility to the traffic from the network is
critical The visibility must come from monitoring tools that
have access to the network signaling data Switch-based and node-based records are no good
for these types of real-time studies Proactively address SMS issues in the
network
38
Global Workshop
Scams
BlueTooth Hacking / BlueSnarfing Spoofing Pharming Phishing / Wi-Phishing Spam / SPIM / SPIT Trojans Get Rich Quick (With Little Effort)
39
Global Workshop
Bluetooth Hacking Facts
Devices in Non-discoverable or Hidden Modes Are Vulnerable
Pairing is Not Required to Exploit Vulnerabilities
Vulnerabilities are Well Known. Information Available Widely on the Web
Multiple Tools Available Publicly to Exploit Known Vulnerabilities
40
Global Workshop
BlueSnarfing
Mobile Phone Bluetooth Attacks Reading/Writing Phone books
Entries Reading SMS Stored on the Device Sending (Premium) SMS Message Setting Call Forward (Predefined
Number) e.g., +49 1337 XXXX Initiating Phone Call (Predefined
Number) e.g., 0900 284 8283
41
Global Workshop
Spoofing
Fraudster Uses a CLI/Caller-ID Device to “spoof” the Legitimate Customer’s Telephone Number or Business
Result: Social Engineering at its Best Fools the Customers into Thinking that
the Call Originated from a Bank and they may Divulge Personal Information
Impact Emergency Services
42
Global Workshop
Pharming
Site Appears to be Legitimate Internet Users are Forcibly
Redirected to Sites Chosen by the Hacker.
Result: Divulge Personal Information Incur Added Costs
43
Global Workshop
Phishing / Wi-Phishing
Phishing – Means of Enticing People to Provide Personal Information (email, website, or other)
Using a Wireless Enabled Laptop or Access Point to get Data from or Introduce Malicious Code to Wireless Enabled Laptops.
44
Global Workshop
SPAM/SPIM / SPIT
SPAM - Unsolicited, and usually unwanted, commercial e-mail
SPIM – Unsolicited Instant Messages
SPIT – SPAM over the Internet Result:
Annoying Can be Used for Denial of Service
Attack
45
Global Workshop
Trojans
New Variation for Mobile Phones Distributed via file-sharing or IRC
Trojan Tries to Install a Corrupted File onto the Infected phone, Causing it to Fail with the Next Reboot
Damages the Application Manager, Preventing new Programs from being Installed and stopping the Trojan from being uninstalled.
46
Global Workshop
Get Rich Quick With Little Effort
Lottery Winners Political Refugees Inheritance
If it sounds too good to be true, it is! Ask yourself, “Did you buy a lottery
ticket?”
47
Global WorkshopWhy Do Some Experts Estimate That Fraud May Grow?
Business Trend Fraud ImpactNew Technologies New Venues to Commit Known Fraud
New Products New Types of Fraud
Increase ARPU Increased Loss
More Content Providers
Low-margin Products With Significant Out-of-pocket Expense = Larger Fraud ImpactMerchant Fraud
Great Content More Lucrative Content to Resell
M-Payment & E-wallet Products
Financial Fraud
Seamless, Global Service
More Roaming Issues
Separation of Network and Service Providers
Less Control on Service Usage
Global Workshop
What Types of Fraud are You Seeing?
?
49
Global Workshop Presentation Contribution Credits
Travis Russell, Tekelec Bob Delaney, Tekelec Tal Eisner, ECtel Clemmie Scott, AT&T Carlos Lowie, Belgacom