2014 march falcon business fraud classification model (3attendees)


Fraud Classification Model at Telecom Industry


  1. 1. 17th March, 2014 1 Fraud Classification Model (FCM) A New Perspective for the Industry ZonOptimus, Portugal
  2. 2. AGENDA 1. Project Context 2. Reason for FCM Project 3. Core Concept of FCM 4. Industry Reaction to FCM 5. FCM Register Explained 6. FIINA Fraud Reporting Template 7. An Industry Perspective FCM (Fraud Classification Model) 2
  3. 3. 1. Project Context ZonOptimus Collaboration with TMForum 3
  4. 4. TM FORUM AND Fraud Group Overview TM Forum Fraud Group works to assemble and maintain best practices from operators around the world relating to Fraud Management. This information will continue to be updated and expanded to account for evolving fraud tactics. TM Forum is a global, non-profit industry association focused on enabling service provider agility and innovation, through the development of several projects at key business areas:  65,000 Member Professionals  900+ Member Companies  195 Countries Represented 4
  5. 5. TM FORUM FRAUD GROUP Fraud Management Guidebooks GB954 Fraud Classification Guide Arms operators with fraud information and offers them a best practice for the proper classification of fraud cases: o Fraud Classification Model o Fraud Enablers Definitions o Fraud Types Definitions o Categories and Attributes ZonOptimus attended TMForum Fraud Group sessions and proposed the development of a Fraud Classification Model for the benefit of the Telecom Industry - Project started in January, 2012
  6. 6. 2. Reason for FCM Project Why the Telecom Industry Requires a Model 6
  7. 7. PROBLEM AT INDUSTRY LEVEL (at the time of project start up, January 2012) The telecommunications industry was presented with many different and unsynchronized ways of classifying fraud. The TMForum 2012 Fraud Survey results highlighted the lack of a common Fraud Classification at industry level: o Distinct names for the same Fraud Types o Distinct interpretations of the same fraud incidents o Multiple Frauds perpetrated in the same case. There is a clear need for a Multi-Dimensional Analysis with different levels of abstraction. Examples shown: Roaming Fraud; Internal Fraud; Subscription Fraud; Payment Fraud; Credit Card Fraud; Hacking; SIM Cloning; Mobile Malware; Prepaid Fraud; Dealer Fraud; Wangiri; SS7 Tampering; Handset Subsidy Loss.
  8. 8. Environment “Example of Distinct Interpretations of Same Fraud Incident” At 2011 CFCA Fraud Survey
  9. 9. 3. Core Concept of FCM The Baseline for Fraud Classification Model 9
  10. 10. FRAUD CLASSIFICATION MODEL (BASIC PRINCIPLES) [Diagram: network architecture figure labelled with the Fraud Classification Attributes TECHNOLOGY, FRAUDSTER, OBJECTIVE, ENVIRONMENT, ATTACK, CUSTOMER, SERVICE, PAYMENT and IMPACTS; FRAUD CASES CLASSIFICATION: FRAUD TYPE, ENABLER TECHNIQUE] The core concept of the “Fraud Classification Model” is a clear differentiation, in the classification of fraud cases, between the: o ENABLER TECHNIQUE: What was the vulnerability or method exploited to get access to the network, products or services? versus o FRAUD TYPE: What was the fraud committed on the network, products or services by exploiting the vulnerability above?
  11. 11.  In some circumstances the “Enabler Technique” is not a fraudulent attack but the exploitation of a risk vulnerability from other Business Assurance areas, such as Revenue Assurance and Security Management: o The FCM assumes the relationship of the Fraud Management activity to Security Management; Revenue Assurance and Risk Management Functions  The Fraud Classification Model assures CSPs/Operators with data collection to allow the Understanding of Fraud and the development of Mitigation Strategies at the following levels: o Revision of Internal Procedures, Processes and Products/Services o Implementation of Technical Solutions at Network and Service Platforms o Development, Enhancement and Updated Configuration of Fraud Management Systems (FMS)/Control Solutions 11 FRAUD CLASSIFICATION MODEL (BASIC PRINCIPLES)
  12. 12. FRAUD CLASSIFICATION MODEL (BASIC PRINCIPLES) “Fraud Classification Model Brain-Center” TELECOMS SERVICE FRAUD. FRAUD ENABLER (fraudulent way to obtain/access service): Subscription Fraud; Hacking; Customer Account Take-Over; Mobile Malware; SIM Card Cloning; Network/Protocol/Signalling Manipulation; Tariff Rates/Pricing Plan Abuse; Social Engineering; Arbitrage. FRAUD TYPE (fraudulent scheme): International Revenue Share Fraud; Service Reselling; Wholesale Fraud; Private Use; Commissions Fraud; Traffic Inflation for Credits/Bonus; Charging Bypass; Interconnect Bypass SIMBox Gateway; Theft of Company Handsets/Equipments. OBJECTIVE (Scope): Make Money/Profit; Obtain Free Services/Goods; Obtain Credits/Bonuses; Obtain Commissions; Access User Bank Account; Access Subscriber Information; ………. BUSINESS ASSURANCE AREAS: Security Management; Fraud Management; Revenue Assurance. Outputs: - Revision of Internal Procedures, Processes and Products/Services - Implementation of Technical Solutions at Network and Service Platforms - Development, Enhancement and Reconfiguration of Fraud Management Systems (FMS)/Control Solutions
  13. 13. Fraud Classification Model (Basic Principles) | GB954 Fraud Classification Guide. The Effective Relation Between “Fraud Enablers” and “Fraud Types”. [Relational Matrix | Fraud Enablers vs Fraud Types; the cell marks did not survive extraction.] Fraud Types: Advance Payment Fraud; Charging Bypass; Commissions Fraud; Interconnect Bypass / SIMBox Gateway; International Revenue Share Fraud (IRSF); Toll Free Number Fraud; Money Laundering; Online Banking Fraud; Premium Rate Service Fraud; Private Use; Service Reselling; Spamming; Theft of Company Handsets / Equipment; Theft of Information; Traffic Inflation for Credits / Bonus; Wholesale Fraud. Fraud Enablers: Tariff Rates/Pricing Plans Abuse; Clip On Abuse; Technical Failure at Network/Service Platforms; Social Engineering; Subscription Fraud; Network/Protocol/Signaling Manipulation; Open SMS-C Abuse; Operator/Company/Brand/Staff Impersonation; Phishing; Customer Handset/Equipment Theft; False Base Station Attack; Hacking; Malicious Application/Software; Misconfiguration of Network/Service Platforms; Mobile Malware; Abuse of Company Procedures/Processes; Arbitrage; Cloning; Compromised Credit Cards; Customer Account Take-Over.
  14. 14. 4. Industry Reaction to FCM Model Sharing with Global Fraud Organisations 14
  15. 15. GSMA Fraud Forum | Ireland and Malta Meetings May and September 2012  ZonOptimus presented the Core Concept of the Fraud Classification Model at the GSMA Fraud Forum event held in Ireland (May 2012).  Fraud Forum updated its Fraud Incident Reporting template, readapting it to include FCM Core Concept and issued a new version at the FF meeting held in Malta (September 2012). 15 MODEL SHARING WITH GSMA FRAUD FORUM
  16. 16. FF Classification before September, 2012 FF Classification after September, 2012 BEFORE AFTER 16 MODEL SHARING WITH GSMA FRAUD FORUM
  17. 17. CFCA Educational Event | Scottsdale, USA | September 2012  Presentation of Fraud Classification Model to CFCA (Communications Fraud Control Association) organisation.  CFCA updated its Fraud Reporting template, readapting it to include FCM Core Concept. CFCA (Communications Fraud Control Association) 17 MODEL SHARING WITH CFCA
  18. 18. Fraud Classification before October, 2012 Fraud Classification after October, 2012 BEFORE AFTER 18 MODEL SHARING WITH CFCA
  19. 19. 2013 CFCA Worldwide Communications Industry Fraud Survey. Released on 5th September, 2013, the annual CFCA Fraud Survey now reflects the Core Concept (Fraud Enablers vs Fraud Types) of the Fraud Classification Model, but some adjustments still need to be made to the survey in the future. TELECOMS SERVICE FRAUD (Values in USD$ Billions). FRAUD TYPE (fraudulent abuse): Wholesale Fraud | USD$ 5.32 B; Premium Rate Service | USD$ 4.73 B; Cable or Satellite Signal | USD$ 3.55 B; Hardware Reselling | USD$ 2.96 B. FRAUD ENABLER (fraudulent way to obtain/access service): Hacking | USD$ 8,04 Billion - PBX (USD$ 4.42B) - VoIP System (USD$3.62B); Account Take Over | USD$ 3.62 B; Subscription Fraud | USD$ 5.22 B. USD$ 6.11 Billion of the frauds have been committed in Roaming. USD$ 3.35 Billion of the frauds have been perpetrated by Dealers. NOTES: Estimated Global Fraud Losses: USD$ 46.3 Billion; Estimated Global Telecoms Revenues: USD$ 2.214 Trillion; Fraud Losses as % of Telecoms Revenues: 2.09%
  20. 20. FIINA Plenary | Port Louis, Mauritius | November 2012  Presentation of Fraud Classification Model to the FIINA (Forum for Irregular Network Access) plenary meeting held in Mauritius.  Liaison Agreement signed between TMForum and FIINA for future cooperation and joint activities on FCM (project running). MODEL SHARING WITH FIINA 20
  21. 21. 5. FCM Register Explained Categories and Attributes 21
  22. 22. Fraud Classification Model Register | Model Concept Template. GENERAL: DATE; CUSTOMER TYPE; CUSTOMER SUB TYPE; ACQUISITION SALES CHANNEL; PAYMENT METHOD; PAYMENT TYPE; LOSSES QUALITATIVE; LOSSES QUANTITATIVE; MAIN IMPACTS; CASE DESCRIPTION; OPERATOR; COUNTRY; REGION; FMS STATUS. FRAUD CLASSIFICATION: FRAUD ENABLER (ATTACK TYPE, FRAUDSTER TYPE, LOCATION, ENVIRONMENT); FRAUD ABUSE/TYPE (LOCATION, ENVIRONMENT, OBJECTIVE, TECHNOLOGY, SERVICE, SUPPLEMENTARY SERVICE). FRAUD MITIGATION: DETECTION (DETECTION SYSTEM); PREVENTION (PREVENTION SYSTEM); MITIGATION DESCRIPTION.
  23. 23. Fraud Classification Model Register | Categories and Attributes Description – Fraud Classification (1). FRAUD CLASSIFICATION: FRAUD ENABLER: ….. (ATTACK TYPE, FRAUDSTER TYPE, LOCATION, ENVIRONMENT); FRAUD ABUSE/TYPE: ….. (LOCATION, ENVIRONMENT, OBJECTIVE, TECHNOLOGY, SERVICE, SUPPLEMENTARY SERVICE). FRAUD ENABLERS: Abuse of Business Procedures/Processes Weaknesses; Abuse of Technical Failure at Network/Service Platforms; Arbitrage; Cloning; Compromised Credit Cards; Customer Account Take-Over; Customer Handset/Equipment Theft; Customer Handset/Equipment Configuration Abuse; False Base Station Attack; Hacking; Malicious Application/Software; Misconfiguration Abuse of Network/Service Platforms; Mobile Malware; Network/IT Systems Access Abuse; Network/Protocol/Signalling Manipulation; Open SMS-C Abuse; Operator/Company/Brand/Staff Impersonation; Phishing; Social Engineering/Single Ring Solicitation; Subscription Fraud; Tariff Rates/Pricing Plans Abuse; Clip On Abuse; Abuse of Contract Terms and Conditions. ATTACK TYPE: External; Internal. FRAUDSTER TYPE: Hacker; Dealer; Business Partner; Service User; Third Party; Employee; Service Provider; ……. LOCATION: Home Network; Visited Network; Home and Visited Network; National Network; International Network; Customer Offices; Dealer Offices; World Wide Web; ……. ENVIRONMENT: National Territory; International Territory; Roaming IN; Roaming OUT; …..
  24. 24. Fraud Classification Model Register | Categories and Attributes Description – Fraud Classification (2). FRAUD CLASSIFICATION: FRAUD ENABLER: ….. (ATTACK TYPE, FRAUDSTER TYPE, LOCATION, ENVIRONMENT); FRAUD ABUSE/TYPE: ….. (LOCATION, ENVIRONMENT, OBJECTIVE, TECHNOLOGY, SERVICE, SUPPLEMENTARY SERVICE). FRAUD TYPES: Advanced Payment/Fee Fraud; Charging Bypass; Commissions Fraud; National Revenue Share Fraud; Interconnect Bypass/SIMBox Gateway; IRSF (International Revenue Share Fraud); Money Laundering; Online Banking Fraud; Premium Rate Service Fraud; Private Use; Service Reselling; Spamming; Theft of Company Handsets/Equipments; Theft of Information/Content; Toll Free Number Fraud; Traffic Inflation for Credits/Bonus; Wholesale Fraud. LOCATION: Home Network; Visited Network; Home and Visited Network; National Network; International Network; Customer Offices; Dealer Offices. ENVIRONMENT: National Territory; International Territory; Roaming IN; Roaming OUT; ….. OBJECTIVE: Make Money/Profit; Obtain Free Services/Goods; Collect Credits/Bonuses/Cash; Obtain Commissions; Access/Steal Information; Access User Bank Account; Operator’s Impersonation. TECHNOLOGY: GSM; GPRS; 3G; 4G/LTE; IP/IMS; CDMA; ADSL; FTTH; ………. SERVICE: Voice Inbound; Voice Outbound; VoIP Inbound; VoIP Outbound; SMS Inbound; SMS Outbound; MMS Inbound; MMS Outbound; Data; M-Commerce; M-Payments. SUPPLEMENTARY SERVICE: Call Conference; Call Forward; Call Hold; ……….
  25. 25. Case 1. GENERAL: DATE: June, 2013; CUSTOMER TYPE: Postpaid; CUSTOMER SUB TYPE: Corporate Business; ACQUISITION CHANNEL: NAp; PAYMENT METHOD: Postpaid Invoice Payment; PAYMENT TYPE: Various; LOSSES QUALITATIVE: Very High; LOSSES QUANTITATIVE: Financials NAv (150.000 minutes); MAIN IMPACTS: Financial; CASE DESCRIPTION: Tests performed at Network/Session Border Gateway (SBG) for new VoIP Services left a backdoor at network level. This vulnerability was used from an IP address originating from Palestine to hack the SBG and perform 150.000 minutes of calls to Int. Premium Rate Services. OPERATOR: Eagle Telecom; COUNTRY: USA; REGION: North America; FMS STATUS: In-House FMS. FRAUD CLASSIFICATION: FRAUD ENABLER: Hacking: Session Border Gateway (ATTACK TYPE – External; FRAUDSTER TYPE – Hacker; LOCATION – Home Network; ENVIRONMENT – National Territory). FRAUD TYPE: IRSF (Spain; Somalia and Zimbabwe) (LOCATION – Home Network; ENVIRONMENT – National Territory; OBJECTIVE – Make Money/Profit; TECHNOLOGY – IP IMS; SERVICE – VoIP Outbound; SUPPLEMENTARY SERVICE – NAp). FRAUD MITIGATION: DETECTION: Traffic Monitoring/Analysis (DETECTION SYSTEM – Fraud Management System (FMS)); PREVENTION: Network Technical Solution (PREVENTION SYSTEM – Session Border Gateway (SBG)); MITIGATION DESCRIPTION: Engineering Department secured SBG and blocked calls to International Premium Rate Services for all future Network testing programs.
  26. 26. 6. FIINA Fraud Reporting Template The Summary of the Work Made at FIINA 26
  27. 27. Fraud Classification Model FIINA Fraud Reporting Template
  28. 28. Fraud Classification Model FIINA Fraud Reporting Template
  29. 29. Fraud Classification Model FIINA Fraud Reporting Template
  30. 30. 7. An Industry Perspective Through the Model? The Model Potential - Graphics hereby presented do not represent an Industry reality - Fraud varies from region-to-region 30
  31. 31. 31 Subscription Fraud Network/Protocol/Signalling Manipulation Hacking Misconfiguration Abuse of Network/Service Platforms Arbitrage Tariff Rates/Pricing Plans Abuse Customer Account Take-Over Customer Handset/Equipment Theft World-Wide Fraud Enablers
  32. 32. World-Wide Fraud Types: IRSF (International Revenue Share Fraud); Interconnect Bypass/SIMBox Gateway; Charging Bypass; Private Use; Wholesale Fraud; Theft of Company Handsets/Equipments; Commissions Fraud; Theft of Information; Service Reselling; Traffic Inflation for Credits/Bonus
  33. 33. IRSF (International Revenue Share Fraud) Service Reselling Theft of Information Premium Rate Service Fraud Wholesale Fraud Spamming What Are the Main Fraud Types Committed Through Hacking? Fraud Types Through Hacking PABX VoIP Gateway/Switch SMS - C IP Broadband Router Mobile Voice Mail System Websites SIP Switch Network Elements Victim of Hacking? 33
  34. 34. 34 Wholesale Fraud Through Hacking FRAUD OPERATION SCENARIO | TRAFFIC BROKERING | CASE STUDY  Negotiating “Traffic Termination Rates” at the Wholesale Market.  Traffic Brokers offer the lowest price for call termination at a specific country. TRAFFIC BROKERS (Least Cost Routers) TELECOM OPERATORS (Mobile-Fixed-Convergent) END CUSTOMERS (Mobile-Fixed-Convergent) Pays Termination  Hacking Corporate Customers IP-BX Systems to terminate traffic for free, forcing the Billing of these calls upon Telecom Clients.  Hacked Corporate Customers pay the termination rate. Traffic Negotiation Traffic Negotiation Traffic Negotiation CORPORATE CUSTOMER CORPORATE CUSTOMER CORPORATE CUSTOMER HACKING HACKING HACKING
  35. 35. Fraud Types Through Subscription Fraud: IRSF (International Revenue Share Fraud); Theft of Company Handsets/Equipments; Commissions Fraud; Traffic Inflation for Credits/Bonus; Premium Rate Service Fraud; Interconnect Bypass/SIMBox Gateway; Private Use
  36. 36. IRSF (International Revenue Share Fraud) Wholesale Fraud Interconnect Bypass/ SIMBox Gateway Traffic Inflation for Credits/Bonus Fraud Types Through Arbitrage
  37. 37. Interconnect Bypass/SIMBox Gateway Traffic Inflation for Credits/Bonus Spamming Fraud Types Through Tariff Rates Abuse
  38. 38. Fraud Types Through Customer Account Take-Over: Service Reselling; Theft of Company Handsets/Equipments; Premium Rate Service Fraud; HomeBanking Fraud; Commissions Fraud; IRSF (International Revenue Share Fraud)
  39. 39. Classification of Enablers by Business Assurance Area. Revenue Assurance: - Arbitrage - Open SMS-C Abuse - Tariff Rates/Pricing Plans Abuse - Misconfiguration Abuse of Network/Service Platforms - Abuse of Technical Failure at Network/Service Platforms. Fraud Management: - Customer Account Take-Over - Operator/Company/Brand/Staff Impersonation - Phishing - Social Engineering - Subscription Fraud - Customer Handset/Equipment Theft - Abuse of Business Procedures/Processes Weaknesses. Security Management: - Cloning - Compromised Credit Cards - False Base Station Attack - Hacking - Malicious Application/Software - Mobile Malware - Network/Protocol/Signalling Manipulation - Misconfiguration Abuse of Network/Service Platforms
  40. 40. Service User Hacker Third Party Dealer Employee Main Fraud Perpetrators by Enablers
  41. 41. Make Money/Profit Obtain Free Services/Goods Collect Credits/Bonuses Obtain Commissions Objectives of Fraud Types
  42. 42. Subscription Fraud Hacking Arbitrage Social Engineering Customer Handset/Equipment Theft Misconfiguration Abuse of Network/Service Platforms Compromised Credit Cards Customer Account Take-Over Enablers Contributing to IRSF (International Revenue Share Fraud)
  43. 43. Tariff Rates/ Pricing Plans Abuse Subscription Fraud Abuse of Business Procedures/Processes Weaknesses Arbitrage Enablers Contributing to SIMBox Gateway Fraud
  44. 44. Variations of Fraud Types at Prepaid vs Postpaid Customers. Fraud Types at Prepaid: IRSF (International Revenue Share Fraud); Interconnect Bypass/SIMBox Gateway; Private Use; Charging Bypass; Traffic Inflation for Credits/Bonus; Wholesale Fraud; Credit Balance Reselling; Commissions Fraud. Fraud Types at Postpaid: IRSF (International Revenue Share Fraud); Theft of Company Handsets/Equipments; Service Reselling; Premium Rate Service Fraud; Commissions Fraud; Private Use; Interconnect Bypass/SIMBox Gateway; Wholesale Fraud
  45. 45. Main Fraud Detection Methods: Traffic Monitoring/Analysis; Customer Complaints; Security Report/Alert; CDR/Transaction Analysis; Proactive Review; Revenue Assurance Report/Alert; High Usage Report (HUR); Test Calls Generation
  46. 46. jose.sobreira@zonoptimus.pt + 351 93 101 3018 THANK YOU FOR YOUR TIME 46
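
Added example (not part of the original deck): a Python check of one register entry against the model's core rule from slides 10 and 22-25, that the enabler and the fraud type are recorded as separate fields, with the enabler routed to its business assurance area per slide 39. The dict field names and the LEGACY entry are constructed for illustration; where slides 23 and 39 name an enabler differently, slide 39's name is used.

```python
# Added example. Values come from slides 23, 24 and 39; field names are assumed.
AREAS = {  # slide 39: enablers grouped by business assurance area
    "Revenue Assurance": {
        "Arbitrage", "Open SMS-C Abuse", "Tariff Rates/Pricing Plans Abuse",
        "Misconfiguration Abuse of Network/Service Platforms",
        "Abuse of Technical Failure at Network/Service Platforms"},
    "Fraud Management": {
        "Customer Account Take-Over", "Phishing", "Social Engineering",
        "Operator/Company/Brand/Staff Impersonation", "Subscription Fraud",
        "Customer Handset/Equipment Theft",
        "Abuse of Business Procedures/Processes Weaknesses"},
    "Security Management": {
        "Cloning", "Compromised Credit Cards", "False Base Station Attack",
        "Hacking", "Malicious Application/Software", "Mobile Malware",
        "Network/Protocol/Signalling Manipulation",
        "Misconfiguration Abuse of Network/Service Platforms"},
}
UNASSIGNED = {  # listed on slide 23, given no area on slide 39
    "Customer Handset/Equipment Configuration Abuse", "Clip On Abuse",
    "Network/IT Systems Access Abuse", "Abuse of Contract Terms and Conditions"}
ENABLERS = set().union(UNASSIGNED, *AREAS.values())
FRAUD_TYPES = {  # slide 24
    "Advanced Payment/Fee Fraud", "Charging Bypass", "Commissions Fraud",
    "National Revenue Share Fraud", "Interconnect Bypass/SIMBox Gateway",
    "IRSF (International Revenue Share Fraud)", "Money Laundering",
    "Online Banking Fraud", "Premium Rate Service Fraud", "Private Use",
    "Service Reselling", "Spamming", "Theft of Company Handsets/Equipments",
    "Theft of Information/Content", "Toll Free Number Fraud",
    "Traffic Inflation for Credits/Bonus", "Wholesale Fraud"}
ATTACK_TYPES = {"External", "Internal"}  # slide 23

def validate(case):
    """Return a list of classification errors for one register entry."""
    errors = []
    enabler, ftype = case.get("fraud_enabler"), case.get("fraud_type")
    if enabler not in ENABLERS:
        hint = " (it is a fraud type)" if enabler in FRAUD_TYPES else ""
        errors.append(f"fraud_enabler {enabler!r} not in enabler list{hint}")
    if ftype not in FRAUD_TYPES:
        hint = " (it is an enabler)" if ftype in ENABLERS else ""
        errors.append(f"fraud_type {ftype!r} not in fraud type list{hint}")
    if case.get("attack_type") not in ATTACK_TYPES:
        errors.append("attack_type must be External or Internal")
    return errors

def assurance_areas(enabler):
    """Business assurance areas that list the enabler on slide 39."""
    return sorted(a for a, names in AREAS.items() if enabler in names)

# Case 1 from slide 25, reduced to the three fields checked here.
CASE_1 = {"fraud_enabler": "Hacking", "attack_type": "External",
          "fraud_type": "IRSF (International Revenue Share Fraud)"}
# Constructed entry: a single legacy label that names the enabler as the fraud.
LEGACY = {"fraud_enabler": None, "attack_type": "External",
          "fraud_type": "Subscription Fraud"}

if __name__ == "__main__":
    for name, case in (("case 1", CASE_1), ("legacy", LEGACY)):
        print(name, validate(case) or "ok", assurance_areas(case["fraud_enabler"]))
```

An enabler that slide 39 lists under two areas, such as Misconfiguration Abuse of Network/Service Platforms, is returned with both, so a case built on it reaches Revenue Assurance and Security Management alike.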
