You are on page 1of 12

Battling illegal call operations

with Fraud Management Systems


02/12 Battling illegal call operations with Fraud Management Systems

Executive
summary
Telecommunication operators Fraud management systems (FMSs)
Contents worldwide have lost a significant are growing in popularity and this has
amount of revenue from interconnec- impacted illegal international call
02 Executive summary tion bypass, mainly due to increased termination gateway operators. For
usage of GSM VoIP Gateways - often the first time, GSM operators have
03 Compare: ratio of called SIM Boxes - and technology been utilizing FMSs to carry out
incoming to outgoing calls advances in GSM gateways and VoIP sophisticated analysis of CDRs (Call
technologies. GSM VoIP Gateways Detail Records) to search for unusual
03 Examine: ratio of on- are telecommunication devices that usage behaviour patterns to
network to off-network enable calls from fixed, mobile or effectively detect illegal international
calls Internet telephones to be routed call termination and block mobile SIM
through VoIP directly into a relevant cards engaged in such illegal
04 Look: no or low mobility GSM network. The most advanced activities. Although technological
GSM gateway installations can utilize advances have allowed GSM
05 Scrutinize: many hundreds of mobile SIM cards, operators to better detect such fraud
subscribers on one cell provide SIM rotation functionality, and blocking fraudulent subscribers,
and track suspicious allow remote pre-paid recharging, the problem still remains unresolved.
activity in close proximity feature antenna splitters and can This is because fraudsters are
even store SIM cards off-site. constantly adapting to new security
05 Ring, ring: high number of measures and learning how to
calls to distinct numbers GSM gateways are often installed counter detection techniques that
in an office’s private automatic prevent detection based on analysis
06 Goodnight calls: unusual branch exchange (PABX) in a bid to of mobile subscribers’ usage
number of night calls to save costs on office to mobile calls - patterns.
distinctive numbers this is legal in most countries.
However, offering commercial This white paper aims to explain the
06 Your friendly operator telecommunication services such as most common service usage charac-
speaking: voice-only providing international call termination teristics that allow detection of GSM
service usage via GSM gateways without a GSM gateways. It will also describe some
operator’s approval is usually illegal. of the advanced methods of avoiding
07 Gotcha!: avoiding false detection that are often used by
positives illegal GSM gateway operators.

08 Attention: best practices

10 Regulatory issues with


GSM gateways

11 Conclusion
03/12

Compare:
ratio of incoming to outgoing calls
It is unusual behaviour for a regular In addition to just comparing the Additionally, when checking if
mobile network user to only initiate number of incoming and outgoing particular numbers are used in GSM
voice calls, but never receive calls. It calls, operators now also compare the gateways, operators should also
is just the opposite with GSM duration of calls, as subscribers attempt to talk to subscribers, and not
gateways, which frequently initiate calling SIM Boxes will unlikely stay on disconnect just after hearing voice, as
outgoing calls to GSM network, but the call for more than few seconds. it could be just a recorded voice
never receive incoming GSM calls. Yet, in the constant battle between message.
This is because there is rarely any fraudsters and telecommunication
purpose in accepting any calls on operators, new techniques to prevent Examine: ratio of on-network to
GSM gateways, and surely none if a detection have also started to off-network calls
GSM gateway is used to illegally emerge. The highest ROI from interconnection
terminate international calls. FMSs bypass fraud can be gained if
are, therefore, able to detect GSM One of the latest techniques international calls are routed as local
gateways based on this distinctive employed by fraudsters is to simply on-net calls. This allows fraudsters to
characteristic of having an unusual play different versions of pre-recorded benefit financially from discounted
ratio of successful incoming to messages such as “Please wait. rates for on-net calls and often,
outgoing voice calls. It is not You’ll be connected in just a minute”, additional discounts such as free late
surprising then that this is also one of or dial tones normally heard when night calls. Consequently, the
the first characteristics that fraudsters waiting for users to pick up calls. This proportion of on-net calls to off-net
try to hide to avoid detection. is done to increase the duration of calls becomes an important
incoming calls. If such advanced characteristic of interconnection
Novice operators of illegal GSM fraud is detected, operators are able fraud. In practice, interconnection
gateways often divert all calls to to increase the threshold of ratio of fraud can be suspected if 90%-100%
mailboxes, or typically never pick up duration of incoming to outgoing calls of all calls are on-net calls, which on
calls. This allows for easy detection during profiling. Additionally, when most networks, is a rather unusual
by FMSs, enabling operators to block checking if particular numbers are usage pattern for regular subscribers.
the SIM cards used in illegal call used in GSM gateways, operators
termination. To counter this, more should also attempt to talk to Unfortunately, soon after this usage
advanced fraudsters try to avoid such subscribers, and not disconnect just characteristic started to be commonly
distinctive usage patterns. They do after hearing voice,as it could be just used in FMSs, advanced fraudsters
this by simply configuring GSM a recorded voice message. deduced this pattern was being
gateways to accept any voice calls, utilized in detection, prompting other
resulting in accepting calls of Yet, in the constant battle between counter techniques. Nowadays,
subscribers who attempt to call back fraudsters and telecommunication off-network calls on SIMs used in
the local VoIP number from the list of operators, new techniques to prevent illegal international call termination
missed calls on their mobile phones. detection have also started to frequently reach 35%, or even
This means that when such calls are emerge. One of the latest techniques become equal to a regular usage
received on the GSM gateway, employed by fraudsters is to simply pattern - depending on the country
incoming calls will be produced, play different versions of pre-recorded and operators’ fraud management
thereby adding incoming calls to messages such as “Please wait. practice.
CDRs, and making the usage pattern You’ll be connected in just a minute”,
less distinctive. Often, there is more or dial tones normally heard when It is important to mention that the
than one call produced for each waiting for users to pick up calls. difference between the cost of
missed call as subscribers usually will international and local calls (off-net or
call multiple times upon hearing This is done to increase the duration on-net) is still large enough to
silence during the first call, attributing of incoming calls. If such advanced generate significant profit; thus, the
it to a network problem. fraud is detected, operators are able need to route some calls as local
to increase the threshold of ratio of off-net calls is not a major impact to
This new detection avoidance duration of incoming to outgoing calls operators of illegal GSM gateways.
technique was noticed by some during profiling.
telecommunication operators and
additional usage profiling was
implemented in FMSs.
04/12 Battling illegal call operations with Fraud Management Systems

Look:
no or low mobility
VoIP to GSM gateways are typically For instance, in one country, central storage, remote access and
installed in data centres with fraudsters started to place GSM remote management on any number
broadband Internet connectivity; gateways in mini-vans and operate of SIM cards, which can be remotely
therefore, the typical characteristic of from several locations during the used in GSM gateways or other GSM
SIMs used in illegal call termination day, using long range WiFi for equipment through Local Area
will be very low mobility or no mobility connectivity. Although it is not a very Network (LAN)-connected SIM
at all. advanced way of escaping detection, emulation adapters. In practice, SIM
it is nevertheless an interesting cards used in illegal international call
This characteristic usage in detection method. The most significant termination, SIM arrays and SIM
of GSM gateways depends on the advancement in avoiding detection of control server can be located in one
size of GSM cells, but usually SIMs GSM gateways based on low or no building, while GSM gateways, SIM
used in interconnection fraud will mobility came with the use of the SIM emulation hosts and SIM adapters
appear only in a few neighbour cells, Server technology. can be placed in different buildings,
or will disappear and reappear in a with all buildings connected using a
distant cell without any cell-to-cell SIM Server is a solution that allows wireless network.
handovers between - indicating that
the GSM gateway was moved to
another data centre. Building A Building B, C, D...
(SIM Server Location) (GSM Gateway Location)
This interconnection fraud
characteristic is particularly
troublesome for fraudsters to avoid
as anti-detection techniques require
a lot of effort and can be costly. The
simplest method employed by
fraudsters to avoid this fraud pattern
SIM control SIM
is to “take SIMs for a ride”. SIM arrays
server emulation
SIM adapter
host

On a daily basis, some SIM card


modules are taken out and placed in
VoIP Gateway installed on a car, and
SIM boards GSM gateway
driven around different GSM cells.
SIM cards Internet
This puts the SIM cards in multiple
locations and will likely prevent basic
detection of stationary SIMs by FMSs. Call Termination using SIM Server and GSM Gateway

However, this technique will not be a


major obstacle for the operator’s This solution provides numerous benefits to fraudsters, such as:
fraud management team. If such an
anti-detection technique is used, • the ability to make SIM cards appear mobile by virtually switching SIM
GSM operators can configure FMSs cards using the SIM Management Server to assign SIM stored in SIM
to perform analysis not based on Server to different GSM gateways
reported locations of mobile SIM • intelligent SIM card usage, e.g., night calls handled by selected SIM
cards when activated, but on the cards
locations of SIMs when voice calls • easy management of SIM cards (SIMs easily accessible in one location
were made. Although this method is on SIM arrays using hot swappable SIM slots)
very effective in detecting GSM • lack of evidence in police raids, as no SIM cards nor SIM management
gateways, it is unlikely to stop the PCs are found on the location where GSM gateways are located (GSM
most committed fraudsters, who positioning techniques are often used to identify the location of data
constantly try to find new ways to centres used in interconnection fraud)
avoid detection.
The development of such advanced technology definitely proves that call
termination via GSM gateways is a highly profitable business.
05/12

Scrutinize:
many subscribers on one cell and track
suspicious activity in close proximity
Major GSM gateway operators In order to prevent such significant Ring, ring: high number of calls to
commonly use hundreds of SIM cards unusual increase of SIMs on one cell, distinct numbers
installed in large VoIP gateways that fraudsters are trying to find large cells Interconnection bypass usage pattern
can be simultaneously activated and to place GSM gateways where it is is also characterized by a high
used. The characteristic of constantly easy to hide any number of SIM number of voice calls to distinct
having a high number of SIM cards cards. phone numbers as VoIP gatewats
used on one cell could indicate the tend to service a large number of
usage of a GSM gateway. However, Due to the requirement of using users calling different numbers.
the location and consistency in the several SIMs in one location, it is However, the application of this
load must also be considered. For rather difficult to find large free cells characteristic is error-prone, as GSM
instance, in case of bigger than usual that can handle big volumes of calls, boxes legally used in PABXes of
usage, we can expect to have making this a major obstacle for GSM recruitment companies often are
elevated usage from a high number of gateway operators. Optionally, wrongly classified as used in
SIM cards at a given location. On the fraudsters can also disable SIM cards interconnection fraud. The next
contrary, constantly having many when not in use and activate it characteristic could be useful in
network users in a data centre whenever there are no more active preventing such false positives.
located outside the city is a very SIM cards that can handle the call.
unusual pattern, indicating possible
fraudulent use. Furthermore, SIM In general, fraudulent usage in close
cards used in illegal call termination proximity is very difficult for fraudsters
will often appear on the same cell or to avoid, even more than the lack of
neighbour cells; thus, when positively mobility, which makes this
detecting several cases of illegal call characteristic particularly useful in
termination on one cell, other less finding GSM gateways when
suspicious SIMs on the same cell can sophisticated anti-detection methods
automatically be classified as are used.
fraudulent based on fewer fraud
characteristics.
06/12 Battling illegal call operations with Fraud Management Systems

Goodnight calls:
unusual number of night calls
to distinctive numbers
It is highly unusual for a regular office Your friendly operator speaking:
subscriber to frequently call distinctive voice-only service usage
numbers during late night hours. The vast majority of mobile network
Thus, the presence of frequent late users will frequently use both SMS
night calls to distinctive numbers is and voice services; hence, not
another unusual pattern that can sending SMS is also a characteristic
indicate SIM Boxing. When paired of SIM Boxing.
with the characteristic of high number
of distinct destinations of voice calls, In theory, it is possible for fraudsters
it can yield very good detection to send random SMSes, i.e.,
results. informing callers about the duration of
the call, or optionally service interna-
This characteristic is also difficult for tional SMSes via GSM gateways or
fraudsters to avoid. International VoIP distribute spam via SMS. Yet, this has
services cater to a large number of rarely been observed on real
users, most calling different phone networks. Therefore, usage of only
numbers. It is, therefore, highly voice services by subscribers remains
unusual for a regular user to a very valuable tool in detecting
constantly call different mobile interconnection fraud.
numbers, making this characteristic
useful in detecting SIM Boxes. The
common method to counter detection
by FMSs is to implement automatic
SIM mapping depending on time of
the day, and route night calls through
separate SIM cards. Such SIM
routing features are commonly
provided with SIM server solutions
and are sometimes supported by
more advanced GSM gateway
products.
07/12

Gotcha!:
avoiding false positives
Good FMSs will allow implementation Additional characteristics that could
of all the above rules to detect also increase the likelihood of mobile
gateway interconnection fraud. In SIM cards being used in fraud are:
order to lower the risk of false
positives, it is necessary to consider • Suspected number is prepaid
multiple fraud characteristics in • Recently activated SIM cards
analysis. If only one characteristic is • False information provided by
used to detect interconnection fraud, subscriber (i.e., invalid contact
such as subscriber-only using voice information given during registra-
services, the analysis would certainly tion)
be invalid, as all subscribers who
simply do not like to use SMS would In general, articulation of multiple
be considered as potential GSM detection techniques lowers the risk
gateways. of false detection of SIM cards used
in illegal call termination. Mobile
However, by adding one more factor operators should be aware, however,
such as the ratio of incoming to that fraudsters could change usage
outgoing calls, the analysis becomes patterns to avoid detection with the
more valuable as subscribers who do use of sophisticated methods. This
not use SMS, make many calls but white paper covered some of the
never receive calls are very rare. It is most common methods. However, to
important to note that even by using prevent usage by illegal GSM
two-factor analysis, it is still possible gateway operators, this document will
to get false positives. not discuss other successful anti-
detection techniques.
Consider this scenario: in one case
where a FMS identified several
subscribers with the following usage
pattern:

• High number of outgoing calls with


no incoming calls
• Unusual ratio of on-network to
off-network calls
• No mobility
• High number of distinct destination
of calls
08/12 Battling illegal call operations with Fraud Management Systems

Attention:
best practices
As previously explained, analysis of
usage patterns in FMSs is highly
effective in fighting illegal GSM
gateways, but can sometimes result
in falsely identifying legitimate mobile
SIM cards as being used in intercon-
nection fraud. It is also possible for
fraudsters to employ sophisticated
techniques to avoid detection through
analysis of certain known fraud
patterns. Thus, for the most effective
and least-error prone method of
detecting GSM gateways used in
interconnection fraud, the best
approach lies in a combination of
utilizing FMSs and test calls.
Furthermore, based on test-call Unfortunately, test-calls without FMS
The main advantage of adding results, operators have another is not an effective solution as GSM
test-calls to the process is error-free advantage - that is the ability to know operators are not able to run test calls
discovery of SIM cards used in illegal the cell-id in which SIM cards are from every single VoIP service in the
call termination. Operators can simply used in illegal call termination. As world, resulting in potentially missing
call on-net numbers by using VoIP previously explained, fraudulent some VoIP GSM gateway operators.
service and based on the CDRs, usage in close proximity is very
identify on-net MSIDSNs that handled difficult for fraudsters to avoid, which Furthermore, in order to identify every
the calls. If the VoIP calls were found makes this characteristic particularly single SIM card used in a GSM
to be unauthorized by the operator, it useful in detecting GSM gateways gateway, operators would have to run
will unveil SIM cards that are used in even if sophisticated anti-detection hundreds of test-calls - one for each
illegal call termination. The advantage methods are used. SIM - making it a costly operation.
of error-free discovery is not limited to Another factor to consider is that
immediately terminating SIM cards By knowing the location of SIM cards test-call activities financially benefit
used in fraudulent activities without used in illegal call termination, GSM operators of illegal GSM gateways.
affecting legitimate users; it can also operators can simply search for other
be used to gather intelligence on suspicious SIM cards on the same There are simple and practical
detection-avoidance techniques used cell. If the GSM cell size is relatively methods of fraud analyzing. For
by illegal GSM gateway operators. small, operators can take the risk of example, fraud management teams
blocking all SIMs on suspect cells could use a scoring methodology
Operators can simply extract CDRs, without taking any significant risk of when deciding to block particular
analyse usage patterns based on the blocking legitimate subscribers. SIMs, or even block International
SIMs used in illegal call termination. Mobile Equipment Identity (IMEI).
This will reveal all the detection This leads to the question, “If test- However, it is important to be very
avoidance techniques used by calls are so successful in detecting careful with blocking IMEIs as this
fraudsters and allow operators to illegal use of GSM gateways, why has been effectively targeted by
optimize FMSs to detect more don’t we simply use it instead of fraudsters and could affect regular
sophisticated interconnection fraud. FMSs?” users.
09/12

A sample scoring methodology used to identify SIM cards used on illegal GSM gateways
follows:

Usage characteristic scoring

Usage characteristic Uniqueness Difficulty to avoid detection Fraud Score

No mobility or low mobility High Very high +7

Use of only voice service Medium Very high +6

Ratio of incoming to outgoing calls High Medium +5

High number of calls to distinct numbers Medium High +5

Very high usage of voice service Low Medium +3

Significant number of subscribers on one cell Low Medium +3

Unusual number of night calls Medium Low +3

Ratio of on-network to off-network calls Low Low +2

Scoring points: Low = 1, Medium = 2, High = 3, Very High = 4

Note: If advanced GSM gateway fraud is not observed on the network, scoring can be based on the
uniqueness without considering the ‘difficulty to avoid detection’ factor.

Additional scoring for suspected subscribers

Additional scoring Fraud Score

MSISDN detected using test-calls Maximum

SIM Boxing detected on the same cell +9

Incoming calls diverted to mail-box +4

Suspected number is prepaid +1

Number recently activated +1

Using this very basic scoring methodology, any subscriber with a usage characteristic
matching a fraud score above 22 can be considered as GSM SIM Boxing suspects. If
combined with additional scoring, the final number goes above 32, consider blocking the
suspect subscriber. A lower score could require further review before deciding on blockage.
Blocking of IMEIs on networks should be considered for subscribers with the MAXIMUM
scores, or if particular IMEIs were detected multiple times where illegal SIM Boxing was
detected. However, operators should be very careful with blocking IMEI of devices suspected
to be used in illegal GSM gateway operations.

Please note that this is just a sample scoring and in real practice, operators will likely need to
design comprehensive methodologies and define the process of dealing with GSM gateways.
10/12 Battling illegal call operations with Fraud Management Systems

Regulatory issues
with GSM gateways
It is also important to consider legal The option being implemented by
issues when dealing with GSM most operators is to ensure that
gateways. In several countries, commercial terms and conditions
operators of GSM gateways filed in exclude the use of GSM gateways for
lawsuits against telco operators routing third party traffic. Operators
following termination of SIM cards should then be free to detect, identify
used in GSM gateways. and terminate such subscriptions
which are in breach of contract or in
Legal regulations concerning bypass breach of any national legislation
vary from country to country and, preventing the use of such devices.
unfortunately, rarely encourage
mobile operators to carry out GSM Europe further recommends
enforcement procedures. Hence, that the use of GSM gateways by
operators usually follow the practice private and corporate users should
of introducing restrictions into remain possible but that mobile
contracts forbidding routing calls operators should be free to define
from/towards other networks and the reasonable commercial terms and
reselling of calls. conditions to protect the integrity and
quality of their networks.
GSM Europe’s (European Interest
Group of the GSM Association) [Source: GSM Europe paper on “Use of
recommendation for the European Gateways for Mobile Communications”,
Commission and industry bodies is to 2003]
encourage Member States to prohibit
the use of GSM gateways for the
conveyance of third party traffic by
carriers.
11/12

Conclusion

To conclude, a combination of FMSs


and test-calls is the optimal tool in
fighting illegal call termination using
GSM gateways (SIM Boxes). Fraud
management teams must also stay
abreast of current fraud types and
methods, as well as acquiring the
knowledge of implementing
appropriate detection techniques in
various scenarios.
Nokia Siemens Networks Corporation
P.O.Box 1
FI-02022 Nokia Siemens Networks
Finland

Visiting address:
Karaporti 3, ESPOO, Finland

Switchboard +358 71 400 4000 (Finland)


Switchboard +49 89 5159 01 (Germany)

Author
Nokia Siemens Networks is a leading global enabler of communications services. The company provides a complete,
well-balanced product portfolio of mobile and fixed network infrastructure solutions and addresses the growing demand
for services with 20,000 service professionals worldwide. Nokia Siemens Networks is one of the largest
telecommunications infrastructure companies with operations in 150 countries. The company is headquartered in
Espoo, Finland.

The contents of this document are copyright © 2008 Nokia Siemens Networks. All rights reserved.

A license is hereby granted to download and print a copy of this document for personal use only. No other license to
any other intellectual property rights is granted herein. Unless expressly permitted herein, reproduction, transfer,
distribution or storage of part or all of the contents in any form without the prior written permission of Nokia Siemens
Networks is prohibited.

The content of this document is provided “AS IS”, without warranties of any kind with regards its accuracy or reliability,
and specifically excluding all implied warranties, for example of merchantability, fitness for purpose, title and
non-infringement. In no event shall Nokia Siemens Networks be liable for any special, indirect or consequential
damages, or any damages whatsoever resulting from loss of use, data or profits, arising out of or in connection with the
use of the document. Nokia Siemens Networks reserves the right to revise the document or withdraw it at any time
without prior notice.

Nokia Siemens Networks and the Wave-logo are registered trademarks of Nokia Siemens Networks. Nokia Siemens
Networks product names are either trademarks or registered trademarks of Nokia Siemens Networks. Other product
and company names mentioned herein may be trademarks or trade names of their respective owners.

Product code: C401-00268-WP-200809-1-EN www.nokiasiemensnetworks.com