ENHANCED FRAUD DETECTION USING SIGNALING
WUG Malaysia 2017

CONTACTS
NUNO PESTANA, FRAUD PROFESSIONAL SERVICES MANAGER
+351 939 651 481
nuno.pestana@wedotechnologies.com
January 18, 2017

AGENDA
01 HOW IS FRAUD EVOLVING
02 SIGNALING VS CDRS
03 USE CASES FRAUD SCENARIOS
04 REAL TIME FRAUD MANAGEMENT
05 DEMO

FRAUD: THE LOW HANGING FRUIT
THE IMPACT OF FRAUD

Fraud amounts to $38.1 billion annually, representing 1.69% of all Telecom revenues (based on estimations from CFCA of 2015).

Fraudsters are everywhere and Operators are always desirable targets. Things can get worse considering the rising frequency and sophistication of fraudulent activity on networks, another factor putting Operators under extra pressure for action.

Smart Networks have introduced new and more complex fraud scenarios, and the wider business scope of Operators has multiplied the areas where fraud can occur. Black-box systems do not adapt well to this new reality.

CFCA 2015 Survey - Fraud Losses by Type in $ USD Billions
- Cable or Satellite: 0.8
- Service Reselling (e.g. Call Sell): 0.9
- Friendly Fraud: 0.9
- Commissions Fraud: 1.5
- Wholesale Fraud: 2
- Private Use: 0.8
- Theft / Compromise of data (e.g. logins): 0.5
- International Revenue Share Fraud (IRSF): 10.8
- Domestic Revenue Share (DRSF): 2.1
- Device / Hardware Reselling: 2.3
- Theft / Stolen Goods: 2.8
- Arbitrage: 2.9
- Interconnect Bypass (e.g. SIM box): 6
- Premium Rate Service: 3.8

FRAUD MANAGEMENT SOLUTIONS
ADDRESSING INCREASING SOPHISTICATION OF FRAUDSTERS

Drivers: technology change (SS7 fraud, SIP) and real time information.
- Fraudsters now have access to (SS7) networks: new fraud risks to address
- Fraudsters understand the time window and act fast: need to trap in real time
- VoIP/SIP traffic: new forms of bypass and spoofing to address

SIGNALING V CDRS
WHAT IS THE DIFFERENCE? A GROSS SIMPLIFICATION

Network functions:
- RADIO ACCESS NETWORK: manage secure, efficient, low error radio communication. Eg: BTS/BSC, NodeB/RNC, eNodeB
- CORE NETWORK: manage mobility, routing, authentication and service control. Eg: VLR, MSC, SGSN, SGW, PGW, MME
- Managing mobility, AAA etc (eg: MAP)
- Control calls, data etc (eg: CAP). Eg: Prepay, Policy, AAA
- Routing of calls, data in/out (eg: ISUP)

Diagram elements: VPLMN, HPLMN, HLR, AS, BSS, CDRs, Mediation

Roaming call, step by step:
1. Register location and set up services in VLR. No CDRs. HPLMN aware.
2. Make call. Call info visible and under control of home. No CDRs yet.
3. Terminate call. CDRs generated in VPLMN.
4. NRTRDE/TAP sent to HPLMN.

SIGNALING V CDRS
WHAT IS THE DIFFERENCE? A GROSS SIMPLIFICATION

Both contain:
- Origin, destination, date, time, length of calls, data volumes, text etc
- Cell id

Signaling:
- Primary purpose: control of UE
- Real-time
- Controls calls, data, text: can block/allow/interact
- Some additional information, eg: mobility, device
- Multiple interfaces & protocols with different info

Call Detail Records (CDRs):
- Primary purpose: billing and charging
- Post event
- Low delay at home, but significant delay when roaming
- Some information not easily accessible in signaling, eg: QoS
- Multiple entities write CDRs or equivalent

USING SIGNALING IN FRAUD DETECTION
ENHANCE YOUR DETECTIONS

Faster, sharper and smarter fraud detection capabilities

Why
- Address fraud quicker to reduce fraud window
- Use signaling information to enrich analysis of activity to improve detection

How
- Integration of Signaling data into your FMS system (RAID FMS)
- Extend rules by controlling new type of events
- Replace some of the sources of data for a faster detection

What
- Extending CDR analysis (eg: parallel calls, B-numbers, call symmetry/volume etc), eg: SIM box detection, IRSF, IMEI stuffing
- Identifying signaling fraud (VoIP and SS7), eg: spamming, CLI spoofing

INTERNATIONAL REVENUE SHARE FRAUD
WHAT IS IT?

International Revenue Sharing Fraud (IRSF), also known as traffic pumping fraud or toll fraud, contributes to losses by operators of billions of dollars each year.

Whatever the fraud methodology used (e.g. subscription fraud, PBX hacking, SIM cloning, etc.), IRSF consists of completing unauthorized calls to a high-cost telephone number (typically an international premium rate number).

While it is not difficult to detect IRSF by examining Call Detail Records (CDRs), by the time you collect the CDRs, the damage has been done! Preventive measures have been introduced to minimize the problem (CAMEL, NRTRDE), but there is still a delay in the delivery of data to the FMS and in the respective fraud detection.

The driver for this criminal activity is the payout fraudsters receive from generating illegitimate phone calls to the international premium rate numbers. The victim receives a huge telephone bill for the unauthorized calls and the fraudster collects a payout from the premium rate number provider.

INTERNATIONAL REVENUE SHARE FRAUD
WHAT DO ROAMING FRAUDSTERS LOOK FOR?

Fraudsters will look for weaknesses in the application process:
- Lack of deposit (however, a deposit is not really a deterrent)
- Immediate activation with no payment history
- Lack of credit control processes
- Multiple SIMs allowed
- Weak fraud detection controls

Fraudsters will target operators who:
- Offer multi party calling
- Offer call forwards to international destinations
- Offer PRS whilst roaming
- Do not offer NRTRDE

Many networks restrict some of their services, but is the visited network doing the same?

INTERNATIONAL REVENUE SHARE FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?

Diagram elements: VPLMN, HPLMN, Probe, CAP, FMS

1. A call to a PRS number is initiated by the fraudster
2. CAP messages are exchanged with the HPLMN Intelligent Networks that may authorize the call
3. Probe detects the messages and sends them to RAID FMS
4. RAID FMS applies rules and detects fraud
5. Action to block the subscriber and/or end the call

Signaling messages captured by probes can be sent to the FMS to be used by the fraud detection. The FMS can send actions to the system in order to block the fraud perpetrator or end the call in progress.

WANGIRI / CALL-BACK FRAUD
WHAT IS IT?

Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple calls that ring once and disconnect (displaying a premium rate number) in order to receive call-backs from the subscribers and generate artificial traffic to PRS numbers.

Some of the subscribers that receive the call may call back the originating number, artificially inflating the traffic to the PRS number and paying the high value of the call.

Usually this scenario is not detected early enough when using Switch Call Detail Records (CDRs), as most of the switch vendors do not generate call attempts.

The driver for this criminal activity is the payout fraudsters receive from calls made to the premium rate numbers. The victim is not aware of the value of the call until they receive the invoice and figure out what may have happened.

Although most of the International PRS destinations are known and barred in the operator network, there are always new destinations unknown to the network and FMS systems.

WANGIRI / CALL-BACK FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?

Diagram elements: HPLMN, Probe, FMS

1. Fraudsters do a large set of one ring and disconnect calls to different subscribers
2. Probe sends signaling messages of call attempts to RAID FMS
3. RAID FMS applies rules and detects a number doing too many call attempts
4. Action to block destination number is sent to the network
5. Calls back to PRS will be blocked, preventing fraud

FMS can bar new PRS destinations before most of the subscribers call back, preventing fraud impact.
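
A sketch of the rule in steps 3 to 5 above (a number doing too many one-ring call attempts), added here as an example and not RAID FMS code. The event tuple layout, the thresholds and all phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the slides); tune per network.
WINDOW_S = 60      # sliding window length in seconds
MAX_RING_S = 3     # "one ring": call released within this many seconds
MIN_TARGETS = 5    # distinct called parties needed to raise an alarm

def detect_wangiri(attempts, window_s=WINDOW_S, max_ring_s=MAX_RING_S,
                   min_targets=MIN_TARGETS):
    """Return {a_number: first_alarm_ts} for callers matching the pattern.

    attempts: (ts, a_number, b_number, answered, ring_s) tuples sorted by
    ts, i.e. call attempts as a signaling probe would report them.
    """
    recent = defaultdict(deque)          # a_number -> deque of (ts, b_number)
    alarms = {}
    for ts, a, b, answered, ring_s in attempts:
        if answered or ring_s > max_ring_s:
            continue                     # answered call or a long ring
        q = recent[a]
        q.append((ts, b))
        while q and ts - q[0][0] > window_s:
            q.popleft()                  # drop attempts outside the window
        if a not in alarms and len({t for _, t in q}) >= min_targets:
            alarms[a] = ts               # step 3: too many call attempts
    return alarms

def callback_blocked(dialled, alarms):
    """Steps 4-5: a call-back to a flagged number is barred."""
    return dialled in alarms

# Constructed sample: one number rings six subscribers once each, while
# another caller redials the same unanswered subscriber three times.
PRS = "+999000111"
SAMPLE = [(i * 2, PRS, f"+99955500{i}", False, 1) for i in range(6)]
SAMPLE += [(t, "+999555101", "+999555201", False, 2) for t in (1, 4, 7)]
SAMPLE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_wangiri(SAMPLE))
```

Counting distinct called parties rather than raw attempts keeps an ordinary subscriber who redials one unanswered number out of the alarm list.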

SIM SWAP FRAUD
WHAT IS IT?

SIM Swap Fraud is a type of fraud that consists of hijacking a mobile subscriber account by replacing the SIM card in an unauthorized way.

The fraudster may have obtained personal details from previous phishing calls to the subscriber and collected a set of information that can be used to access not only customer care but possibly other channels (the bank account being one of the more critical).

After triggering a SIM swap (calling the operator by phone, accessing customer care or even physically in a store), the fraudster carries out other fraudulent activities like calling PRS numbers. They may even be able to perform banking fraud by using the SMS channel used for out-of-band two-factor authentication.

The subscriber may be a good customer, and the related fraudulent activities can be considered normal and ignored by the operator FMS system.

The driver for this criminal activity is the benefits that fraudsters can gain by impersonating

SIM SWAP FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?

Diagram elements: Probe, FMS

1. Location Updates or location from Call events are being received by the Probes set over the network
2. Location Events are sent to FMS
3. Fraudster does the SIM swap
4. New Location Update is sent to the network
5. Location Update Event is detected and sent to FMS
6. FMS detects fraud scenario and sends blocking commands to network

FMS can bar the fraudster as soon as he enters the network to avoid fraudulent activities.

IMEI STUFFING

Identify in real time unusual call pattern and IMEI change to limit fraud loss from stolen SIMs.

Diagram elements: HPLMN, VPLMN, FMS

REAL TIME CONTROL
- Immediate analysis and action: block calls, ask user
- Minimal fraud window

FLEXIBLE RULES
- Intl B number
- Not home/local
- Frequent IMEI change
- Credit limit
- Faster action, fewer false positives

MONITOR ALL ROAMERS
- Monitor intl signaling
- CAMEL (GTPc)
- Simple to implement

REAL TIME FRAUD MANAGEMENT SOLUTION
BRINGING NEXT-GENERATION FRAUD DETECTION INTO YOUR BUSINESS

Faster, sharper and smarter fraud detection capabilities

Why
- Address fraud in real time to reduce fraud window
- Use signaling information to enrich analysis of activity to improve detection

How
- RAID FMS existing data sources and rules extended with capability to interact with probes and network in real time

What
- Extending CDR analysis to real time (eg: parallel calls, B-numbers, call symmetry/volume etc), eg: SIM box detection, IRSF, IMEI stuffing
- Identifying signaling fraud (VoIP and SS7), eg: spamming, CLI spoofing

WeDo RAID
RAID + PROBES: ARCHITECTURE IMPLEMENTATION

USER INTERFACES / FRAUD SERVICES (Near Real Time + Real Time)
- Components: Case Mgmt., KPI and reporting; Rule Definition (Near Real Time Rules, Real Time Rules); Rule Execution Engine; Alarm Scoring; Detection and Correlation; Analysis; Event Analysis; Signalling Logs
- Defines the fraud rules
- Loads event records into RAID FMS
- Correlates with other events
- Executes Non-Real Time rules
- Executes Real Time rules
- Portal for KPI, reporting and analysis for both systems

INTEGRATION
- Network, Mediation, CRM etc
- Event records and Alarms
- Provisioning (Rules, IMSI etc)

PROBE ENGINES
- Real time interaction with the network
- Real time action
- Post event as required

NETWORK
- Integrates into network
- Manages interception of appropriate message flows for relevant IMSI / MSISDN
- Could be enriched with rules to identify and act on fraud in real time

SS7 FRAUD (Spamming, Spoofing...)

http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
http://www.cbsnews.com/videos/hacking-your-phone/

Diagram elements: HPLMN, FMS; MAP/CAP, Diameter etc

Threats shown:
- Spam
- Spoof user and send messages
- Hack voicemail
- Eavesdrop calls and messages
- Block service
- Divert calls to premium
- Track location
- Modify service flags (eg: prepay)
- Identify device

SIM-BOX and BYPASS

Monitor calling behaviour on target IMSI to identify and block SIM box.

Diagram elements: HPLMN, FMS

REAL TIME CONTROL
- Immediate analysis and action: block calls, ask user
- Reduced fraud window

FLEXIBLE RULES
- Call & txt volume
- MO/MT balance
- Fixed location
- IMEI
- CLI
- Fewer false positives

CAP TRIGGER ON FLEXIBLE SET OF IMSI
- New IMSI
- Risky tariff
- IMSI scan
- Risk tradeoff
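
How three of the rule inputs named on the SIM-box slide (call & txt volume, MO/MT balance, fixed location) can be combined into one per-IMSI check, as an added example that is not RAID FMS code. The event layout, the thresholds, the "three indicators" decision and the IMSIs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the slides).
MIN_MO_CALLS = 20     # call volume worth examining
MAX_MT_SHARE = 0.05   # MO/MT balance: almost no calls terminate on the SIM
MAX_CELLS = 1         # fixed location: all traffic from one cell

def profile(events):
    """Aggregate per-IMSI counters from (imsi, direction, kind, cell_id)."""
    prof = defaultdict(lambda: {"mo": 0, "mt": 0, "sms": 0, "cells": set()})
    for imsi, direction, kind, cell in events:
        rec = prof[imsi]
        if kind == "sms":
            rec["sms"] += 1
        else:
            rec["mo" if direction == "MO" else "mt"] += 1
        rec["cells"].add(cell)
    return prof

def simbox_suspects(events):
    """Return {imsi: [matched indicators]} for IMSIs matching >= 3 of them."""
    suspects = {}
    for imsi, r in profile(events).items():
        if r["mo"] < MIN_MO_CALLS:
            continue                      # too little traffic to judge
        reasons = ["high MO call volume"]
        if r["mt"] / (r["mo"] + r["mt"]) <= MAX_MT_SHARE:
            reasons.append("MO/MT imbalance")
        if len(r["cells"]) <= MAX_CELLS:
            reasons.append("fixed location")
        if r["sms"] == 0:
            reasons.append("no SMS activity")
        if len(reasons) >= 3:             # several indicators, fewer false positives
            suspects[imsi] = reasons
    return suspects

# Constructed sample: a SIM-box-like IMSI, a heavy but ordinary user,
# and a low-volume subscriber.
BOX, HEAVY, QUIET = "999010000000001", "999010000000002", "999010000000003"
SAMPLE_EVENTS = (
    [(BOX, "MO", "voice", "C1")] * 30
    + [(HEAVY, "MO", "voice", f"C{i % 4}") for i in range(25)]
    + [(HEAVY, "MT", "voice", "C2")] * 10
    + [(HEAVY, "MO", "sms", "C3")] * 5
    + [(QUIET, "MO", "voice", "C5")] * 3
)

if __name__ == "__main__":
    print(simbox_suspects(SAMPLE_EVENTS))
```

Returning the matched indicators with each IMSI gives the analyst the reason for the alarm, and requiring several of them together is what keeps a heavy legitimate caller from being blocked.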

REAL TIME DETECTIONS WITH SIGNALING
ADVANTAGES

- Early fraud detection
- Immediate action
- Fewer false positives
- Improved insight into fraud behavior

= 
- Reduced fraud window. Reduced loss
- Improved customer satisfaction
- Improved reaction time to new threats

END TO END SOFTWARE
FOR CONTINUOUS BUSINESS MONITORING

Stages: Collect, Monitor, Notify, Discover, Act

Modules:
- Smart Data Stream (ETL & CEP)
- Unified Validation Engine
- Fraud Management Engines
- Advanced Fraud Detection (AFD)
- EBA Cockpit
- KPI Designer
- Business Sensors
- Balance Scorecards
- Investigation Workbench
- Smart Data Blueprints
- Link Analysis
- Adaptive Case Management
- Web Portal
- Dashboard & Reporting

NEXT GENERATION FMS
THE HYBRID SYSTEM

ADVANCED FRAUD DETECTION (UNKNOWN FRAUD SCENARIOS)
Find patterns for new fraud scenarios (zero-day threats) through Data Mining:
- Unsupervised models: unusual behaviors in our data
- Supervised models: subscribers with high probability of being fraudsters

CREATE / CORRECT / IMPROVE

RULES (KNOWN FRAUD SCENARIOS)
The rule engine can be enriched with new and/or modified rules. It targets specific, well identified types of fraud:
- Rely on common sense knowledge of how fraud works.
- Rules are accurate and highly performant, covering known fraud types as well as new fraud types.

RAID FMS
MANAGING RULES

Full integration with the Rules Manager, enabling rules management by end users.

HOLISTIC SYSTEM

THANK YOU