OPERATIONAL RISK MANAGEMENT & COMPLIANCE
© 2012 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA 
Fraud Management Industry Update 
Webinar, September 2014 
Dr. Gadi Solotorevsky 
CTO – cVidya Networks 
Ambassador, Distinguished Fellow and RA Team Leader – TM Forum
Agenda 
CFCA survey 
TM Forum classification and survey 
Account take over 
Fighting Fraud with Cyber Intelligence 
CFCA Survey 2013
CFCA Survey – Fraud Growth 
Global fraud loss survey trend – based on previous surveys 
Global fraud losses showing a 15% increase in 2013
CFCA Fraud Survey 
Telephone numbers in the United Kingdom 
Source Wikipedia: Telephone numbers in the United Kingdom
Key Analysis and Observations 
Revenue Share Fraud (International and National) continues to be the biggest reported threat at GSMA 
–Both in terms of the number of cases and the value of losses reported 
Revenue Share Fraud (International and National) is Driving Other Fraud Types 
–Most subscription Fraud and PBX Hacking cases reported were linked to revenue share service abuse 
PBX Hacking involving Supplied Equipment 
–Several PBX hacking cases involved equipment that was not supplied by the operator
Usage monitoring is the primary method of detection cited
–FMS, High Usage Monitoring, NRTRDE/HUR, CDR Analysis etc.
Is this due to a narrow focus?
Would these issues be a better control point?
An Impact of convergence? 
Is this too reactive?
Fraud Classification Model – TM Forum 
•Why do we need an effective FM Classification Model? 
Fraud Scenario:
“Fraudster generates a high volume of calls to a PRS number range that he owns in another country with no intention to pay.”
Referred Fraud Types:
•PRS
•IRSF
•PRS/IRSF
•Bypass/SIMBOX
•PABX Hacking
•Clip-on
•Stolen Line
•Subscription
•Dealer
•Payment
•PBX / Voicemail
•Roaming out
Statistics:
Unique: 39%
Multiple: 44%
Structured: 17%
An example from the 2012 TM Forum Fraud Survey
CFCA 2011 Survey Fraud types
Fraud Classification Model - Challenges 
•Distinct names for the same Fraud Type 
•Distinct interpretation depending on the core service (Mobile, Fixed, Cable, etc.) 
•Multiple Frauds perpetrated in the same Fraud Case 
•Fast changing nature of Fraud 
•Need for a multi-dimensional analysis 
•Need for different levels of abstraction 
•Existence of several similar Ad hoc “Fraud Type” lists
Proposed Classification Model - TM Forum 
Summary of Relations Between 
Enablers – Fraud Types 
Subscription Fraud 
Hacking of Network Elements 
Arbitrage 
Mobile Malware 
ENABLERS 
(Vulnerabilities) 
FRAUD TYPE 
(Fraudulent Scheme) 
TELECOMS SERVICE FRAUD 
Cloning of SIM Card/Equipment 
Protocol/Signalling Manipulation 
Tariff Rates/Pricing Plan Abuse 
False Base Station Attack 
Misconfiguration of Network/Service Platforms 
International Revenue Share Fraud 
Reselling of Calls 
Wholesale Fraud 
Private Use 
Commissions Fraud 
Traffic Inflation for Credits/Bonus 
Charging Bypass 
Interconnect Bypass 
SIMBox Gateway 
OBJECTIVE 
(Scope) 
Make Money/Profit 
Obtain Free Services/Goods 
Obtain Credits/Bonuses 
Obtain Commissions 
Obtain Money 
Access User Bank Account 
Pretending to Be the Operator 
………. 
BA - Related Fields 
Fraud Management
Security Management
Revenue Assurance
-Revision of Internal Procedures, Processes and Products/Services
-Implementation of Technical Solutions at Network and Service Platforms
-Development, Enhancement and Reconfiguration of Fraud Management Systems (FMS)
Account Takeover
What is it? 
Account Takeover Fraud (ATO, also known as ‘Facility takeover’ fraud) occurs where a person (the ‘facility hijacker’) unlawfully obtains access to details of the ‘victim of takeover’, namely an existing account holder or policyholder, and fraudulently operates the account or policy for his or her own (or someone else’s) benefit. 
Methodologies often form around the social engineering of existing customers or customer service and sales processes:
–Web Self Service portals
–IVR
–Upgrades, additional lines & SIM Swap
Account Takeover Overview 
As a result of the credit crunch, operator behaviours have changed, encouraging the growth in ATO worldwide (particularly in well developed and competitive markets)
As an example - Growth of ATO in the UK
–330% in 2009; in 2010 a further 70% growth
Upgrades or Additional Lines?
–In 2008 – 92% additional, 8% upgrades
–In 2009 – 55% additional, 45% upgrades
–In 2010 – 37% additional, 63% upgrades
–Further growth in 2011 & 2012 
This growth has been replicated worldwide 
Source: Cifas 
Issues and Causes 
Pressure points in your organisation and market allowing ATO:
–Focus on Customer retention & Churn reduction 
–Simplifying Customer Services (CS) processes 
–Customer satisfaction 
–Push for reductions in CS costs and ACHT 
–Reliance on simplistic Knowledge Based Authentication (KBA) 
–Internal sales pressure on staff 
–Desire for growth 
Fraudsters manipulate these pressure points
–KBA can be weak (ease of use) and easily compromised via social engineering
–CS staff are also liable to social engineering, based on sales & time pressures and related financial incentive
–Fewer restrictions and checks in place on existing customer processes (compared to new applications)
–Greater profit value for fraudsters (top offers for existing customers)
Typical flow & Pressure points 
AGENT LOGISTICS 
CRM 
WWW 
IVR 
Social engineering 
Data Misuse 
Process Abuse 
Logistics Manipulation
Account Takeover 
http://diario.elmercurio.com/detalle/index.asp?id=%7B3c91699d-fa58-4d2a-a3d0-496a46fc9a55%7D
SIM Swap Fraud
http://www.finextra.com/blogs/fullblog.aspx?blogid=7766
Fighting Fraud with Cyber Intelligence 
SIM Card Trade 
Anonymous SIM card trade on an underground market 
−It isn't clear whether these cards are stolen from customers or the company itself 
−These SIM cards are available in big quantities
Fraudsters Guides 
Hand Picked Set of Guides for Beginner Fraudsters – Premium. Including fraud method of how to get your own SIM cards from anywhere. 
How to steal people's information
Account Take Over Guide
Stolen Identities are cheap on the darknet 
Source: http://www.itspecialist.com/Home/FeatureArticles/TabId/208/ArticleId/99/language/en-US/#.VBftKdK_nmI
Customers' & Employees' Information
XXX workers' emails leaked by YYYY pre-leak
Online publication of XXX clients' and workers' information
–Clients' details (name, cell number, SSN on file, address)
XXX.net users and passwords (published in an underground forum):
Sources of Information
Public Web
•“How to” blogs and forums
•Customer complaint sites
•Paste Sites
Dark-Net
•Underground Markets – sales of fraud services, SIMs, Identities and Internal information
•Underground Forums – Tutorials and methods to perform different types of fraudulent activities
Dark-Net Search
–The Dark-Net search looks all over the Internet for information, located mostly in hackers' and fraudsters' forums and boards
–This information is hard to reach, sometimes hidden in closed forums or chat rooms behind passwords and vetting processes
–The Dark-Net search can be tailor-made to a CSP's specific needs and gives a clear picture of how the company is reflected in the illegal zones of the web
Questions? 
Gadi@cVidya.com
THANK YOU! 
www.cvidya.com 
