19. Key Analysis and Observations
Revenue Share Fraud (International and National) continues to be the biggest reported threat at GSMA
–Both in terms of the number of cases and the value of losses reported
Revenue Share Fraud (International and National) is Driving Other Fraud Types
–Most subscription Fraud and PBX Hacking cases reported were linked to revenue share service abuse
PBX Hacking involving Supplied Equipment
–Several PBX hacking cases involved equipment that was not supplied by the operator
Usage monitoring is the primary method of detection cited
–FMS, High Usage Monitoring, NRTRDE/HUR, CDR Analysis, etc.
Is this due to a narrow focus?
Would these issues be a better control point?
An impact of convergence?
Is this too reactive?
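The usage-monitoring controls listed above (FMS, High Usage Reports, CDR analysis) all reduce to the same pattern: aggregate call records per subscriber inside a rolling window and raise an alert when traffic to high-risk destinations crosses a threshold. The example below is added here to make that pattern concrete; it is not code from the slide deck or from any operator or vendor. The CDR lines, the "+990"/"+991" destination prefixes and the thresholds are all constructed placeholders (a real deployment would load an IRSF/PRS number-range hotlist and tune thresholds per tariff), and the field layout of the CDR is assumed.

```python
"""High-usage monitoring over CDRs: flag subscribers whose calls to
premium-rate / high-risk international destinations spike inside a
rolling window (the FMS / HUR style check cited on the slide).

All CDR lines, prefixes and thresholds below are constructed for the
example; they are not operator data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed high-risk destination prefixes. A real deployment would load an
# IRSF/PRS number-range hotlist; "+990" and "+991" are placeholders only.
HIGH_RISK_PREFIXES = ("+990", "+991")

# Constructed CDR sample: start_time,caller,called,duration_seconds,roaming
SAMPLE_CDRS = """\
2014-09-15T01:02:10,447700900001,+441632960100,65,0
2014-09-15T01:05:00,447700900002,+990123456701,610,1
2014-09-15T01:07:30,447700900002,+990123456702,598,1
2014-09-15T01:13:15,447700900002,+990123456703,605,1
2014-09-15T01:19:40,447700900002,+991123456704,620,1
2014-09-15T01:25:05,447700900002,+990123456705,590,1
2014-09-15T02:30:00,447700900003,+990123456701,45,0
2014-09-15T09:00:00,447700900001,+441632960101,120,0
"""


def parse_cdrs(text):
    """Parse CSV CDR lines into dicts; malformed lines are skipped, not trusted."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        try:
            records.append({
                "start": datetime.fromisoformat(parts[0]),
                "caller": parts[1],
                "called": parts[2],
                "duration": int(parts[3]),
                "roaming": parts[4] == "1",
            })
        except ValueError:
            continue
    return records


def high_usage_alerts(records, window=timedelta(hours=1),
                      max_risk_minutes=20, max_risk_calls=4):
    """Per caller, slide a window over calls to high-risk destinations and
    record an alert the first time either threshold is exceeded.

    Returns {caller: alert_detail}; callers with no alert are absent."""
    by_caller = defaultdict(list)
    for r in records:
        if r["called"].startswith(HIGH_RISK_PREFIXES):
            by_caller[r["caller"]].append(r)

    alerts = {}
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["start"])
        for i, first in enumerate(calls):
            in_window = [c for c in calls[i:]
                         if c["start"] - first["start"] <= window]
            minutes = sum(c["duration"] for c in in_window) / 60
            if minutes > max_risk_minutes or len(in_window) > max_risk_calls:
                alerts[caller] = {
                    "window_start": first["start"].isoformat(),
                    "risk_calls": len(in_window),
                    "risk_minutes": round(minutes, 1),
                    # Many distinct numbers in one range is typical of a
                    # number range the fraudster controls end to end.
                    "distinct_destinations": len({c["called"] for c in in_window}),
                    "roaming": any(c["roaming"] for c in in_window),
                }
                break
    return alerts


if __name__ == "__main__":
    for caller, detail in high_usage_alerts(parse_cdrs(SAMPLE_CDRS)).items():
        print(caller, detail)
```

Running it flags only the second subscriber: five roaming calls to the constructed high-risk range in twenty minutes, over fifty minutes of traffic, to five distinct numbers. The single short call from the third subscriber stays below both thresholds. Note that the check can only fire after the CDRs have been produced, which is exactly the "too reactive" concern raised on the slide; moving the same thresholds into near-real-time feeds (NRTRDE for roaming) shortens the window but does not remove the lag.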
21. Fraud Classification Model – TM Forum
•Why do we need an effective FM Classification Model?
Fraud Scenario
“Fraudster generates a high volume of calls to a PRS number range that he owns in another country with no intention to pay.”
Referred Fraud Types
•PRS
•IRSF
•PRS/IRSF
•Bypass/SIMBOX
•PABX Hacking
•Clip-on
•Stolen Line
•Subscription
•Dealer
•Payment
•PBX / Voicemail
•Roaming out
Statistics
•Unique: 39%
•Multiple: 44%
•Structured: 17%
An example from the 2012 TMForum Fraud Survey
23. Fraud Classification Model - Challenges
•Distinct names for the same Fraud Type
•Distinct interpretation depending on the core service (Mobile, Fixed, Cable, etc.)
•Multiple Frauds perpetrated in the same Fraud Case
•Fast changing nature of Fraud
•Need for a multi-dimensional analysis
•Need for different levels of abstraction
•Existence of several similar Ad hoc “Fraud Type” lists
24. Proposed Classification Model - TM Forum
Summary of Relations Between Enablers – Fraud Types
TELECOMS SERVICE FRAUD
ENABLERS (Vulnerabilities)
•Subscription Fraud
•Hacking of Network Elements
•Arbitrage
•Mobile Malware
•Cloning of SIM Card/Equipment
•Protocol/Signalling Manipulation
•Tariff Rates/Pricing Plan Abuse
•False Base Station Attack
•Misconfiguration of Network/Service Platforms
FRAUD TYPE (Fraudulent Scheme)
•International Revenue Share Fraud
•Reselling of Calls
•Wholesale Fraud
•Private Use
•Commissions Fraud
•Traffic Inflation for Credits/Bonus
•Charging Bypass
•Interconnect Bypass
•SIMBox Gateway
OBJECTIVE (Scope)
•Make Money/Profit
•Obtain Free Services/Goods
•Obtain Credits/Bonuses
•Obtain Commissions
•Obtain Money
•Access User Bank Account
•Pretending to Be the Operator
•……….
BA - Related Fields
•Fraud Management
•Security Management
•Revenue Assurance
–Revision of Internal Procedures, Processes and Products/Services
–Implementation of Technical Solutions at Network and Service Platforms
–Development, Enhancement and Reconfiguration of Fraud Management Systems (FMS)
26. What is it?
Account Takeover Fraud (ATO, also known as ‘Facility takeover’ fraud) occurs where a person (the ‘facility hijacker’) unlawfully obtains access to details of the ‘victim of takeover’, namely an existing account holder or policyholder, and fraudulently operates the account or policy for his or her own (or someone else’s) benefit.
Methodologies often form around the social engineering of existing customers, or of customer service and sales processes
–Web Self Service portals
–IVR
–Upgrades, additional lines & SIM Swap
27. Account Takeover Overview
As a result of the credit crunch, operator behaviours have changed, encouraging the growth of ATO worldwide (particularly in well-developed and competitive markets)
As an example - growth of ATO in the UK
–330% growth in 2009, and a further 70% growth in 2010
Upgrades or Additional Lines?
–In 2008 - 92% additional, 8% upgrades
–In 2009 – 55% additional, 45% upgrades
–In 2010 – 37% additional, 63% upgrades
–Further growth in 2011 & 2012
This growth has been replicated worldwide
Source: Cifas
28. Issues and Causes
Pressure points in your organisation and market allowing ATO:
–Focus on Customer retention & Churn reduction
–Simplifying Customer Services (CS) processes
–Customer satisfaction
–Push for reductions in CS costs and ACHT
–Reliance on simplistic Knowledge Based Authentication (KBA)
–Internal sales pressure on staff
–Desire for growth
Fraudsters manipulate these pressure points
–KBA can be weak (ease of use) and is simply compromised via social engineering
–CS staff are also liable to social engineering, given sales & time pressures and related financial incentives
–Fewer restrictions and checks in place on existing-customer processes (compared to new applications)
–Greater profit value for fraudsters (top offers are reserved for existing customers)
29. Typical flow & Pressure points
[Diagram: channels – Agent, Logistics, CRM, WWW, IVR; pressure points – Social engineering, Data Misuse, Process Abuse, Logistics Manipulation]
34. SIM Card Trade
Anonymous SIM card trade on an underground market
–It isn't clear whether these cards are stolen from customers or from the company itself
–These SIM cards are available in big quantities
35. Fraudsters Guides
Hand Picked Set of Guides for Beginner Fraudsters – Premium. Including fraud method of how to get your own SIM cards from anywhere.
How to steal people's information
37. Stolen Identities are cheap on the darknet
Source: http://www.itspecialist.com/Home/FeatureArticles/TabId/208/ArticleId/99/language/en-US/#.VBftKdK_nmI
38. Customers’ & Employees’ Information
XXX workers' emails leaked by YYYY pre-leak
Online publication of XXX clients' and workers' information
–Clients' details (name, cell number, SSN on file, address)
XXX.net users and passwords (published in an underground forum):
39. Sources of Information
Public Web
•“How to” blogs and forums
•Customer complaint sites
•Paste sites
Dark-Net
•Underground Markets – sales of fraud services, SIMs, identities and internal information
•Underground Forums – tutorials and methods to perform different types of fraudulent activities
40. Dark-Net Search
–The Dark-Net search looks all over the Internet for information, located mostly in hackers’ and fraudsters’ forums and boards
–This information is hard to reach, sometimes hidden in closed forums or chat rooms behind passwords and vetting processes
–The Dark-Net search can be tailor-made to a CSP’s specific needs and gives a clear picture of how the company is reflected in the illegal zones of the web