ENHANCED FRAUD DETECTION USING SIGNALING. WUG Malaysia

Nuno Pestana, WeDo Technologies


ENHANCED FRAUD DETECTION USING SIGNALING. WUG Malaysia 2017

CONTACTS
NUNO PESTANA, FRAUD PROFESSIONAL SERVICES MANAGER
+351 939 651 481
nuno.pestana@wedotechnologies.com
January 18, 2017

01 HOW IS FRAUD EVOLVING
02 SIGNALING VS CDRS
03 USE CASES FRAUD SCENARIOS
04 REAL TIME FRAUD MANAGEMENT
05 DEMO

FRAUD: THE LOW HANGING FRUIT
THE IMPACT OF FRAUD
Fraud amounts to $38.1 billion annually, representing 1.69% of all Telecom revenues (based on estimations from CFCA of 2015).
Fraudsters are everywhere and Operators are always desirable targets. Things can get worse considering the rising frequency and sophistication of fraudulent activity on networks, another factor putting Operators under extra pressure for action. Smart Networks have introduced new and more complex fraud scenarios, and the wider business scope of Operators has multiplied the areas where fraud can occur. Black-box systems do not adapt well to this new reality.
CFCA 2015 Survey - Fraud Losses by Type in $ USD Billions:
- Cable or Satellite: 0,8
- Service Reselling (e.g. Call Sell): 0,9
- Friendly Fraud: 0,9
- Commissions Fraud: 1,5
- Wholesale Fraud: 2
- Private Use: 0,8
- Theft / Compromise of data (e.g. logins): 0,5
- International Revenue Share Fraud (IRSF): 10,8
- Domestic Revenue Share (DRSF): 2,1
- Device / Hardware Reselling: 2,3
- Theft / Stolen Goods: 2,8
- Arbitrage: 2,9
- Interconnect Bypass (e.g. SIM box): 6
- Premium Rate Service: 3,8

FRAUD MANAGEMENT SOLUTIONS
ADDRESSING INCREASING SOPHISTICATION OF FRAUDSTERS
- Technology change (SS7 fraud, SIP): Fraudsters now have access to (SS7) networks; new fraud risks to address.
- Real time information: Fraudsters understand the time window and act fast; need to trap in real time.
- VoIP/SIP traffic: New forms of bypass and spoofing to address.


SIGNALING V CDRS
WHAT IS THE DIFFERENCE? A GROSS SIMPLIFICATION
RADIO ACCESS NETWORK: Manage secure, efficient, low error radio communication. Eg: BTS/BSC, NodeB/RNC, eNodeB.
CORE NETWORK: Manage mobility, routing, authentication and service control. Eg: VLR, MSC, SGSN, SGW, PGW, MME.
Signaling between VPLMN and HPLMN:
- Managing mobility, AAA etc (eg: MAP), towards the HLR.
- Control calls, data etc (eg: CAP), towards the AS. Eg: Prepay, Policy, AAA.
- Routing of calls, data in/out (eg: ISUP).
CDRs pass through Mediation to the BSS.
Steps for the subscriber in the VPLMN:
1. Register location and set up services in VLR.
2. Make call.
3. Terminate call.
What the HPLMN has at each step:
1. No CDRs. HPLMN aware.
2. Call info visible and under control of home. No CDRs yet.
3. CDRs generated in VPLMN.
4. NRTRDE/TAP sent to HPLMN.

SIGNALING V CDRS
WHAT IS THE DIFFERENCE? A GROSS SIMPLIFICATION
Both contain: origin, destination, date, time, length of calls, data volumes, text etc, cell id.
Signaling:
- Primary purpose: control of UE
- Real-time
- Controls calls, data, text: can block/allow/interact
- Some additional information, eg: mobility, device
- Multiple interfaces & protocols with different info
Call Detail Records (CDRs):
- Primary purpose: billing and charging
- Post event
- Low delay at home, but significant delay when roaming
- Some information not easily accessible in signaling, eg: QoS
- Multiple entities write CDRs or equivalent

USING SIGNALING IN FRAUD DETECTION
ENHANCE YOUR DETECTIONS
Why:
- Address fraud quicker to reduce fraud window.
- Use signaling information to enrich analysis of activity to improve detection.
How:
- Integration of Signaling data into your FMS system (RAID FMS)
- Extend rules by controlling new type of events
- Replace some of the sources of data for a faster detection
What:
- Faster, sharper and smarter fraud detection capabilities
- Extending CDR analysis (eg: parallel calls, B-numbers, call symmetry/volume etc), eg: SIM box detection, IRSF, IMEI stuffing
- Identifying signaling fraud (VoIP and SS7), eg: spamming, CLI spoofing


INTERNATIONAL REVENUE SHARE FRAUD
WHAT IS IT?
International Revenue Sharing Fraud (IRSF), also known as traffic pumping fraud or toll fraud, contributes to losses by operators of billions of dollars each year.
Whatever fraud methodology is used (i.e. subscription fraud, PBX hacking, SIM cloning, etc.), IRSF consists of completing unauthorized calls to a high cost telephone number (i.e., typically an international premium rate number).
While it is not difficult to detect IRSF by examining Call Detail Records (CDRs), by the time you collect the CDRs, the damage has been done!
Preventive measures have been introduced to minimize the problem (CAMEL, NRTRDE), but there is still a delay in the delivery of data to the FMS and in the respective fraud detection.
The driver for this criminal activity is the payout fraudsters receive from generating illegitimate phone calls to the international premium rate numbers.
The victim receives a huge telephone bill for the unauthorized calls and the fraudster collects a payout from the premium rate number provider.

INTERNATIONAL REVENUE SHARE FRAUD
WHAT DO ROAMING FRAUDSTERS LOOK FOR?
Fraudsters will look for weaknesses in the application process:
- Lack of deposit (however, a deposit is not really a deterrent)
- Immediate activation with no payment history
- Lack of credit control processes
- Multiple SIMs allowed
- Weak fraud detection controls
Fraudsters will target operators who:
- Offer multi party calling
- Offer call forwards to international destinations
- Offer PRS whilst roaming
- Do not offer NRTRDE
Many networks restrict some of their services, but is the visited network doing the same?

INTERNATIONAL REVENUE SHARE FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?
1. A call to a PRS number is initiated by the fraudster (in the VPLMN).
2. CAP messages are exchanged with the HPLMN Intelligent Networks that may authorize the call.
3. Probe detects the messages and sends them to RAID FMS.
4. RAID FMS applies rules and detects fraud.
5. Action to block the subscriber and/or end the call.
Signaling messages captured by probes can be sent to the FMS to be used by the fraud detection. The FMS can send actions to the system in order to block the fraud perpetrator or end the call in progress.

WANGIRI / CALL-BACK FRAUD
WHAT IS IT?
Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple calls that ring once and disconnect (displaying a premium rate number) in order to receive call-backs from the subscribers and generate artificial traffic to PRS numbers.
Some of the subscribers that receive the call may call back the originating number, artificially inflating the traffic to the PRS number and paying the high value of the call.
Usually this scenario is not detected early enough when using switch Call Detail Records (CDRs), as most switch vendors do not generate records for call attempts.
The driver for this criminal activity is the payout fraudsters receive from calls made to the premium rate numbers.
The victim is not aware of the value of the call until they receive the invoice and figure out what may have happened.
Although most of the international PRS destinations are known and barred in the operator network, there are always new destinations unknown to the network and FMS systems.

WANGIRI / CALL-BACK FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?
1. Fraudsters do a large set of one ring and disconnect calls to different subscribers (in the HPLMN).
2. Probe sends signaling messages of call attempts to RAID FMS.
3. RAID FMS applies rules and detects a number doing too many call attempts.
4. Action to block the destination number is sent to the network.
5. Calls back to PRS will be blocked, preventing fraud.
The FMS can bar new PRS destinations before most of the subscribers call back, preventing fraud impact.
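The rule in step 3 and the barring in steps 4 and 5, as an added example in Python (not RAID FMS code and not part of the presentation). The event fields, thresholds and phone numbers are constructed assumptions; a real probe feed would be mapped onto the same fields.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class CallAttempt:
    ts: float         # seconds since start of capture
    a_number: str     # calling number displayed to the subscriber
    b_number: str     # called subscriber
    ring_secs: float  # ringing time before release
    answered: bool

class WangiriRule:
    """Alarm on an A-number with many short unanswered attempts to distinct B-numbers."""

    def __init__(self, window_secs=300.0, max_ring_secs=3.0, min_distinct_b=5):
        self.window_secs = window_secs        # assumed thresholds, tune per network
        self.max_ring_secs = max_ring_secs
        self.min_distinct_b = min_distinct_b
        self._recent = defaultdict(deque)     # a_number -> (ts, b_number) in window
        self.barred = {}                      # a_number -> ts the alarm was raised

    def observe(self, ev):
        """Feed one call-attempt event; return True if it raises a new alarm."""
        if ev.answered or ev.ring_secs > self.max_ring_secs:
            return False                      # only one-ring-and-drop attempts count
        q = self._recent[ev.a_number]
        q.append((ev.ts, ev.b_number))
        while q[0][0] < ev.ts - self.window_secs:
            q.popleft()                       # slide the window
        if ev.a_number in self.barred:
            return False
        # Distinct B-numbers, so redialling one subscriber does not trip the rule.
        if len({b for _, b in q}) >= self.min_distinct_b:
            self.barred[ev.a_number] = ev.ts
            return True
        return False

    def allow_callback(self, dialed_number):
        """Step 5: a call back to a barred destination is refused."""
        return dialed_number not in self.barred

def sample_events():
    """Constructed events: one Wangiri source, one redialler, one call centre."""
    evs = [CallAttempt(10.0 * i, "+99900000001", f"+9995551{i:04d}", 1.0, False)
           for i in range(8)]
    evs += [CallAttempt(10.0 * i + 5, "+99955510000", "+99955520000", 2.0, False)
            for i in range(6)]
    evs += [CallAttempt(10.0 * i + 2, "+99955530000", f"+9995554{i:04d}", 6.0, True)
            for i in range(6)]
    return sorted(evs, key=lambda e: e.ts)

def replay(events):
    rule = WangiriRule()
    for ev in events:
        rule.observe(ev)
    return rule

if __name__ == "__main__":
    print(replay(sample_events()).barred)
```

On the constructed stream the source is barred at its fifth attempt, while three of its eight targets have not yet been rung, which is the early barring the slide describes.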

SIM SWAP FRAUD
WHAT IS IT?
SIM Swap Fraud is a type of fraud that consists of hijacking a mobile subscriber account by replacing the SIM card in an unauthorized way.
The fraudster may have obtained personal details from previous phishing calls to the subscriber and collected a set of information that can be used to access not only customer care but possibly other channels (the bank account being one of the most critical).
After triggering a SIM swap (calling the operator by phone, accessing customer care or even physically in a store), the fraudster carries out other fraudulent activities such as calling PRS numbers. They may even be able to perform banking fraud by using the SMS channel used for out of band two-factor authentication.
The subscriber may be a good customer, and the related fraudulent activities can be considered normal and ignored by the operator FMS system.
The driver for this criminal activity is the benefits that fraudsters can gain by impersonating

SIM SWAP FRAUD
HOW TO IMPROVE THE DETECTION WITH SIGNALING?
1. Location Updates, or locations from call events, are being received by the probes set over the network.
2. Location events are sent to the FMS.
3. Fraudster does the SIM swap.
4. New Location Update is sent to the network.
5. Location Update event is detected and sent to the FMS.
6. FMS detects the fraud scenario and sends blocking commands to the network.
The FMS can bar the fraudster as soon as he enters the network to avoid fraudulent activities.

IMEI STUFFING
Identify in real time unusual call pattern and IMEI change to limit fraud loss from stolen SIMs.
REAL TIME CONTROL:
- Immediate analysis and action: block calls, ask user
- Minimal fraud window
FLEXIBLE RULES:
- Intl B number
- Not home/local
- Frequent IMEI change
- Credit limit
- Faster action
- Fewer false positives
MONITOR ALL ROAMERS:
- Monitor intl signaling
- CAMEL (GTPc)
- Simple to implement
(Diagram: FMS, HPLMN, VPLMN.)


REAL TIME FRAUD MANAGEMENT SOLUTION
BRINGING NEXT-GENERATION FRAUD DETECTION INTO YOUR BUSINESS
Why:
- Address fraud in real time to reduce fraud window.
- Use signaling information to enrich analysis of activity to improve detection.
How:
- RAID FMS existing data sources and rules extended with capability to interact with probes and network in real time
- Faster, sharper and smarter fraud detection capabilities
What:
- Extending CDR analysis to real time (eg: parallel calls, B-numbers, call symmetry/volume etc), eg: SIM box detection, IRSF, IMEI stuffing
- Identifying signaling fraud (VoIP and SS7), eg: spamming, CLI spoofing

RAID + PROBES: ARCHITECTURE IMPLEMENTATION
WeDo RAID (Near Real Time + Real Time):
- User interfaces and fraud services: Case Mgmt., KPI and reporting; Rule Definition (Near Real Time Rules, Real Time Rules); Rule Execution Engine; Alarm Scoring; Detection and Correlation; KPI and reporting; Analysis; Event Analysis; Signalling Logs
- Defines the fraud rules
- Loads event records into RAID FMS
- Correlates with other events
- Executes Non-Real Time rules
- Executes Real Time rules
- Portal for KPI, reporting and analysis for both systems
INTEGRATION:
- Network, Mediation, CRM etc
- Event records and Alarms
- Provisioning (Rules, IMSI etc)
PROBE ENGINES:
- Real time interaction with the network
- Real time action
- Post event as required
NETWORK:
- Integrates into network
- Manages interception of appropriate message flows for relevant IMSI / MSISDN
- Could be enriched with rules to identify and act on fraud in real time

SS7 FRAUD (SPAMMING, SPOOFING...)
http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
http://www.cbsnews.com/videos/hacking-your-phone/
Over MAP/CAP, Diameter etc:
- SPAM
- SPOOF USER AND SEND MESSAGES
- HACK VOICEMAIL
- EAVESDROP CALLS AND MESSAGES
- BLOCK SERVICE
- DIVERT CALLS TO PREMIUM
- TRACK LOCATION
- MODIFY SERVICE FLAGS (EG: PREPAY)
- IDENTIFY DEVICE
(Diagram: FMS, HPLMN.)

SIM-BOX AND BYPASS
Monitor calling behaviour on target IMSI to identify and block SIM box.
REAL TIME CONTROL:
- Immediate analysis and action: block calls, ask user
- Reduced fraud window
FLEXIBLE RULES:
- Call & txt volume
- MO/MT balance
- Fixed location
- IMEI
- CLI
- Fewer false positives
CAP TRIGGER ON FLEXIBLE SET OF IMSI:
- New IMSI
- Risky tariff
- IMSI scan
- Risk tradeoff
(Diagram: FMS, HPLMN.)

REAL TIME DETECTIONS WITH SIGNALING
ADVANTAGES
- Early fraud detection
- Immediate action
- Fewer false positives
- Improved insight into fraud behavior
=
- Reduced fraud window. Reduced loss
- Improved customer satisfaction
- Improved reaction time to new threats

01 HOW IS FRAUD EVOLVING
02 SIGNALING VS CDRS
03 USE CASES FRAUD SCENARIOS
04 REAL TIME FRAUD MANAGEMENT
05 RAID FMS DEMO

END TO END SOFTWARE FOR CONTINUOUS BUSINESS MONITORING
Collect, Monitor, Notify, Discover, Act
- Smart Data Stream (ETL & CEP)
- Unified Validation Engine
- Fraud Management Engines
- Advanced Fraud Detection (AFD)
- EBA Cockpit
- KPI Designer
- Business Sensors
- Balance Scorecards
- Investigation Workbench
- Smart Data Blueprints
- Link Analysis
- Adaptive Case Management
- Web Portal
- Dashboard & Reporting

NEXT GENERATION FMS: THE HYBRID SYSTEM
ADVANCED FRAUD DETECTION (UNKNOWN FRAUD SCENARIOS)
Find patterns for new fraud scenarios (zero-day threats) through Data Mining:
- Unsupervised models: unusual behaviors in our data
- Supervised models: subscribers with high probability of being fraudsters
CREATE, CORRECT, IMPROVE
RULES (KNOWN FRAUD SCENARIOS)
The rule engine can be enriched with new and/or modified rules. It targets specific, well identified types of fraud:
- Rely on common sense knowledge of how fraud works.
- Rules are accurate and highly performant, covering known fraud types as well as new fraud types.

RAID FMS: MANAGING RULES
Full integration with the Rules Manager, enabling rules management by end users.
HOLISTIC SYSTEM

THANK YOU