May 31, 2007

12 Min Read
Criminal Minds

By Tara Seals

TRADITIONALLY, SUBSCRIBER FRAUD has been defined as the problem of subscribers signing up for service they have no intention of paying for. But this seemingly simple (and credit-shattering) practice has ballooned into a delicate cat-and-mouse game of identity theft, illegal businesses, tax evasion and even money laundering. Fortunately, providers do have ways to prevent, detect and root out subscriber fraud, through technology, people and processes.

With VoIP and 3G services, a lot of new types of fraud have emerged, but one thing hasnt changed subscriber fraud, says Eric Splinter, senior consultant at revenue assurance vendor Lavastorm Technologies. Whether you pay a flat fee or per minute, subscription fraud will always be around to haunt you. Many specialists are leaving traditional peopleoriented fraud and focusing instead on new threats like worms and bots, but believe me, subscription fraud is still the biggest bucket of threats making an impact.

In fact, its on the rise. Acceptable rates for fraud are the .02 percent to 1 percent range, but losses are more typically 5 percent, up to 15 percent for some operators, vendors say. The Communications Fraud Control Association (CFCA) has placed fraud losses at $54.4 billion to $60 billion annually. This represents 5 percent of an operators gross revenue per year, with subscriber fraud accounting for about 47 percent of that. The study was conducted in 2006, and marks a 52 percent increase from the previous survey conducted in 2003.

So whats the impact of all of this nefarious activity? For one, organized crime is a big player in telecom subscriber fraud, which raises the stakes from a societal point of view. Identity theft is closely bound up with subscriber fraud as well, as it usually requires a clean ID to sign up for service. And many set up fake telecom companies and use aliases as a way to hide money and evade taxes. Then theres money laundering the government requires purchases of more than a certain amount (usually its $10,000) to be reported. But there is no such regulation in place for rechargeable phone cards, making prepaid service a favorite target for Mafia bosses, weapons dealers and others.

From a business standpoint, subscriber fraud eventually can bring a company down. Take the example of Omnipoint, a GSM provider in the United States. A Pakistani group in the Hague, Netherlands, found it was easy to obtain a subscription with the carrier with less than stellar credentials and so they did, wagonloads of them, says Splinter. The fraudsters would send the phones overseas for call cell purposes, which cost the company so much money, its shares lost 75 percent of their value, putting it out of business.

And for resellers, subscriber fraud is a particular risk, since they have to pay the network suppliers regardless of whether they collect on their bills. Operators today are struggling more than ever to stay profitable in a very competitive landscape and constantly face declining margins, says ECTels David Ronen, senior vice president of marketing and strategy. Staying on top of fraud-related revenue leakage is critical to the overall profitability of the business, and even more when IP and revenueshare content services are involved, which entails even lower margins and more complex value chains.

To Catch a Thief

To protect your business from fraud, a good starting place is to go inside the mind of the perpetrator, then beat them at their own game.

Fraudsters think in very specific and complex ways, and ask a series of questions when selecting a target. For instance, they evaluate what kinds of ID and service policies a provider requires. Is there creditvetting involved? What kind of services will be immediately available? When does the bill come? What are the policies on excessive usage? How long can they delay a payment? Does the provider accept partial payment and leave the service turned on?

What happens if they pay in cash?

Using this knowledge to implement policies that thwart fraudsters before they can gain access to the service is the first step to fraud control. By requiring credit checks, ensuring service is tied to a real physical address, not allowing excessive or international usage without prior approval, having a no-cash and nopartial payment policy, and so on, can ward off would-be fraudsters.

Startups, competitors and resellers are at a particular disadvantage, because they need to gain market share. So the balance between taking on customers and having a selective vetting process is tipped towards the former, says Splinter. Its always a balance between what marketing wants and what a fraud manager wants. Its important to identify the risks and do the analysis while a new service is still in development that is absolutely key to making money. But a big issue can be organizational columnization, where the fraud people are seen as the Gestapo by the marketing department.

Another useful technique is building databases of known fraud elements, known as blacklists. Fraudsters are resourceful in reusing data, says Matt Fuller, director of consulting services for Subex Azure Ltd. If they get a good ID, theyll use components of that ID within multiple subscriber activations.

And, if a subscriber wanting service is previously unknown, a reseller should ask for upfront payments, or make them earn the premium-rate services rather than making them available right away.

Its important to be able to detect and root out fraud once its started just in case anyone gets through the first lines of defense. Unfortunately, professional fraudsters are very difficult to distinguish from people with bad debt. Then there are the sleepers. They make a few calls, pay the bills for a couple of months, and then start committing fraud after the providers defenses are down. Its also more difficult for the VNO to capture data quickly from the underlying carrier in order to identify threats and connect them to specific subscribers, adds Splinter. So they need to do credit vetting, establish credit limits and watch the first months usage patterns carefully.

One answer lies in watching for certain red-flag behaviors and making sure credit limits are set. For instance, if a large volume of calls is going to certain countries, it could be a good indicator of call cell fraud. Or if the first call made on a line is an international one, it may be worth it to call the subscriber to check out whats happening, and then keep that person on a high-monitoring list. And if someone runs up a huge bill quickly, that should prompt a follow-up call.

Fuller also says to look at the application information and compare it to information from the first 30 days of service. The person may have stolen an ID or created a synthetic one. But they use a legitimate address and phone number to obtain service, he explains. Then, they change the address within the first 30 days, because they dont want the unwitting person who lives there to start getting strange bills, call up the operator and cancel the service.

Also, providers should watch for people who sign up for the service but then dont use the phone. Many fraudsters will sign up for multiple lines of service, use two or three until theyre shut down, then move on to the next two or three, and so on, so they always have a store of available lines.

Theres also the guilt by association factor. If theres a call to or from a known fraudster, raise an alarm and look at everyone theyve called, and everyone thats called them, Fuller says. About 60 or 70 percent of the time those people are also frauds.

Fraud Taxonomy

To protect your business, it helps to know what to look for. Fraud comes in many forms with increasing costs.

“Some individuals just want to get free phone service, and thats the least expensive incarnation for service providers because theyre losing potential revenue in that case but not incurring hard costs, explains Matt Fuller, director of consulting services for Subex Azure Ltd.

Then, the next level is call cell operation. These are fraud rings that sign up for multiple accounts or lines of service and resell the service to people on the street, essentially setting up their own phone companies. Long-distance and international services often are priced by the minute and involve out-of-pocket costs paid to interconnected carriers for carrying or terminating the traffic. This means that there is high per-minute cost to carry fraudulent traffic and operators need to identify and stop those specific calls before incurring these out-of-pocket losses, says ECTels David Ronen, senior vice president of marketing and strategy.

An offshoot of this is premium-rate service fraud, where a fraudster artificially inflates traffic to premium-rate numbers where they have established a revenue share with a service provider. The traffic can be inflated by using dialers, manually or by using fraudulently obtained handsets. In this scam, the fraudster collects his money from the traffic sent to the PRS number, explains Ronen.

Thirdly, theres equipment fraud. These are people who have no interest in the usage side of things, he notes. Its mostly a VoIP and wireless problem. Theyll sign up for service, get an expensive device like a BlackBerry, sell it on eBay and never pay for the service.

In the United States, devices typically are locked to a carrier, but they can be unlocked pretty easily by people who know what theyre doing, Fuller adds. And while you could detect the device if it shows up on your network, you cant see it at all if its on someone elses. They may even send it to Europe. The industry likely will see much more of this type of fraud as expensive, high-end consumer electronics devices continue to roll out.

Related to this is the problem of teleporting, where a phone is shown to attach to the network in New York but then shows up in Tokyo, say, seconds later. What has happened is the phone has been cracked open to extract the SIM card information, which is then copied and sold. The charges of the person who buys the phone information go to the original account. In a prepaid scenario, theres no way of tracking down the original subscriber.

In the miscellaneous category, roaming fraud is a concern. When a person uses a cell phone while roaming, whether reselling the calls or simply stealing service, they can take advantage of the lag time between call records making it back to the home carrier. Thus, they can continue to use the service for longer until theyre finally cut off.

Prepaid operators and MVNOs should be aware of another common gambit that well call balance fraud, where a prepaid cell phone may have one minute left on the balance. A user can initiate a call and then talk for an hour or two for free, because providers often dont have the systems in place to revisit the balance information during the active portion of the call. Meanwhile, the MVNO still has to pay the carrier for those minutes of use.

And then theres VoIP fraud. VoIP is making subscriber fraud a much more complicated thing, because its an open ecosystem. The Internet is not a closed network, so the cat and mouse game of subscriber fraud will become trickier, says John Partridge, vice president of market development at StreamBase Systems Inc., a company that does complex event processing for streamed data streams. Not tied to geography, VoIP users are harder to track, and their identity tougher to verify.

Tools of the Trade



Tekelecs Travis Russell



StreamBases John Partridge

People are still central to interpreting the data and making decisions about how to handle a situation, but the actual monitoring of traffic for patterns is the province of tools.

The StreamBase Systems Inc. platform allows an operator do just that, in real time. A provider would take a large body of call information, determine known fraud cases and signatures within that historical information and identify factors for patterns of abuse. Then the reseller can write an algorithm into StreamBase that can monitor for those patterns. It then generates alerts, disconnect signals, e-mails a systems operator, generates reports, pages or calls someone or triages suspicious activity for consideration later, says John Partridge, vice president of market development at StreamBase Systems Inc.

There are fraud-management systems available from most revenue-assurance vendors  to perform monitoring and analysis, many of them on a service bureau basis. A reseller also might consider an overlapping set of platforms. There are a number of software applications available that focus on fraud, says Travis Russell, senior manager at Tekelecs communication software solutions group. However, operators have quickly learned that one software application is not enough to find and stop all fraud threats, so combinations of analysis applications are used.

For example, Tekelecs Integrated Applications Solution (IAS) provides analysis of signaling data to detect in real time traffic anomalies characteristic of fraud. When alarms are raised, investigators can engage in real time instead of post-event to determine the origination of the breach and the magnitude of the breach.

For all these best practices, its worth remembering that the magnitude and volume of subscriber fraud is continuing to increase, so ongoing education is the final piece of the protection puzzle. Trends change every day, says Russell. Many operators fraud and security groups work with organizations such as the CFCA, FIINA and CINAA to share with one another the most current threats and investigations, as collaboration is critical to detecting many forms of fraud.

For more information about CFCA, Communications Fraud Control Association, go to www.cfca.org.

Links

Communications Fraud Control Association www.cfca.org
ECtel www.ectel.com
Lavastorm Technologies www.lavastorm.com
StreamBase Systems Inc. www.streambase.com
Subex-Azure Ltd. www.subexazure.com
Tekelec www.tekelec.com

Read more about:

Agents
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like