Network Protocol Analysis: A New Tool for Blocking International Bypass Fraud Before Revenue is Lost

How to Defend Your Network Against the New SIM Server Threat

“The international bypass of telecom operators via the SIM box is a costly and highly destructive type of fraud”.

In the advanced industrial nations of the world, subscription fraud and International Revenue Share Fraud (IRSF) are the fraud types that take the greatest revenue toll. And that only makes sense, since postpaid subscription accounts, smartphone subsidies, and IRSF-vulnerable PBX machines abound in those nations.

But the main target of bypass or SIM box fraud is quite different. In bypass fraud, the fraudsters prey primarily on the developing nations, those regions of the world where the banking, commerce, and communications infrastructure are relatively immature. And it’s in these nations where prepaid GSM phones serve a large percentage of the population.

The SIM Box bypass fraud is not a new one. Most telecom operators around the world have detection and control solutions in place. So, why does the fraud continue to cause such massive losses? We’ll take a look at how new technologies are exposing the need for operators to reexamine their approach to this problem.

The Loss to Telecoms, Governments, and a Nation’s Prosperity

So how much telecom revenue is being lost from international bypass fraud globally? The answer varies and is often based on industry association reports from a limited number of telecom operators. In 2013 the CFCA estimated the telecom loss through bypass to be about $2 billion a year. Other reports claim over $3 billion to $5 billion per year. Billions of dollars is a huge figure for telecom operators to lose. Plus in many nations, bypass also greatly reduces the government tax revenues that are added to inbound international calls.

But probably the most destructive effect of bypass is its reverse Robin Hood effect. Robin Hood stole from the rich to give to the local poor. But bypass steals from relatively poor nations to enrich largely foreign criminals.

Robust telecom infrastructure and services are vital for growing the economic prosperity of a nation’s people. Governments have neither the money nor skills to invest, build, and run communications networks on their own. They rely on private firms to do that. And for this very reason, regulators in each nation strictly control the number of telecoms who are licensed to operate there. But when major revenue from international voice calls is stolen by fraudsters, the legal operators who play by the rules are severely hurt. Criminals in far-off places like Miami and Monaco steal a fortune, but the legal operators -- who struggle to make payroll and earn a return on their investment -- are discouraged from expanding their business and thereby helping the national economy to grow.

Traditional Detection Techniques are No Longer Stopping the Fraudsters

So how much revenue can a lone SIM box steal? Well, the experts at LATRO Services estimate that fraudsters can easily generate over $100/day per modem in a SIM Box. And if a typical SIM box has 30 to 60 modems, that’s a revenue loss of $6,000/day or over $2 million per year. Imagine the financial gain for the fraudster!

And while we can’t detect the precise monetary value of bypass (fraudsters don’t report their income), the evidence that SIM boxers are succeeding can be plainly seen from a carrier’s international interconnect revenue. If SIM box mitigation is truly working, international revenue should see a dramatic increase. But that’s usually not the case. In fact, operators in some countries will privately tell you that their international inbound traffic has decreased by as much as 50% in recent years!
Yet the irony is these same operators have invested heavily in anti-fraud campaigns, and they actually do detect and block fairly large volumes of SIM boxes on a daily basis. So what does this mean? It means the fraudsters are succeeding despite the anti-fraud efforts of the carriers. They are replacing the blocked SIM cards with fresh supplies of SIMs and continuing their bypass. To the fraudster, current anti-fraud measures are nothing more than a minor annoyance – a speed bump on their way to multi-million dollar riches.

The History of Anti-Fraud Methods: Why the Fraudsters are Winning

So why are current anti-fraud solutions no longer stopping SIM box fraud like they used to? Well, to answer that question, we need to look at the methods used to block and frustrate the fraudsters. The major methods used today are three: 1) Test Call Generators (TCGs), 2) Fraud Management Systems (FMS), and 3) SIM Card Distribution Control. Let’s now discuss the strengths and weaknesses of these methods:

1. Test Call Generation Systems

When the SIM box bypass problem was first identified in the late 2000s, Test Call Generation (TCG) was the first detection technique that proved effective. Here’s how test calls work. Test phone numbers are set up within the local market where the bypass fraud is occurring. Then test calls are generated from many different countries via various interconnect voice routes around the world including VOIP services, Calling Cards, wireless and fixed line services. This establishes from where the grey routes are originating and the paths they use to reach SIM boxes in the affected country.

Test Call Generation is all about probability. The more routes you test and the more test calls you make, the higher the chance of finding SIM boxes. Once you find routes that have a high volume of SIM box terminations, you can focus your call campaigns on those routes to maximize detection.

Test Call Generation technology worked very successfully for many years, but recently fraudsters are succeeding in frustrating the test call method. Here’s why:

• SIM Boxers can Identify the Test Calls - The fraudsters analyze the voice call traffic coming toward their SIM boxes. Then based on usage and other patterns, they can determine which calls are real subscriber calls and which are originating from a TCG system. They can then either block the test calls and prevent them from reaching the SIM box to begin with, or reroute the calls to a legitimate route so as to avoid detection.

• SIM Boxers are using Pools of SIM Cards as Decoys - Fraudsters are even allocating pools of their SIM Box cards as decoys to be sacrificed. That is, they allow certain SIM cards to be detected to deceive the wireless operators into thinking their anti-fraud measures are producing good results. This ploy is a diversion that allows pools of undetected SIM cards to drive the major bypass revenue losses.

• SIM Boxers are using Very Large Volumes of SIM Cards - Since the test call method is all about probability, fraudsters are provisioning the latest SIM Server systems to automatically manage hundreds of SIM cards per fraud operation. By increasing the number of SIM cards used and decreasing the usage per SIM card, they are making it increasingly improbable that a given SIM card will be detected by test calls.

2. Fraud Management Systems (FMS) and CDR Analysis

The second technique used to detect/block SIM boxes is the Fraud Management System (FMS), an enterprise-wide data analysis platform that works well in detecting many different types of fraud. In SIM box detection, the FMS uses Call Data Records (CDRs) to create usage-based profiles that distinguish the SIMs used in SIM boxes versus those used in legitimate subscriber handsets.
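An added example, not code from this whitepaper or from any FMS product: a minimal usage-based profile built from constructed CDR tuples, showing the kind of per-SIM rule this approach relies on and what its volume gate does when the same traffic is spread over a larger SIM pool. The record layout, the thresholds and the rule itself are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# CDR layout assumed for this example: (imsi, kind, other_party, cell_id)
# kind is "MO" (outgoing call), "MT" (incoming call) or "SMS".

@dataclass
class Profile:
    mo_calls: int = 0
    mt_calls: int = 0
    sms: int = 0
    called: set = field(default_factory=set)  # distinct numbers dialled
    cells: set = field(default_factory=set)   # distinct serving cells

def build_profiles(cdrs):
    """Fold raw CDRs into one usage profile per IMSI."""
    profiles = defaultdict(Profile)
    for imsi, kind, other, cell in cdrs:
        p = profiles[imsi]
        p.cells.add(cell)
        if kind == "MO":
            p.mo_calls += 1
            p.called.add(other)
        elif kind == "MT":
            p.mt_calls += 1
        elif kind == "SMS":
            p.sms += 1
    return profiles

def suspicious(p, min_mo=40):
    """Assumed rule: heavy outgoing volume, nearly every call to a new
    number, no incoming calls, no SMS, and never seen on a second cell."""
    if p.mo_calls < min_mo:  # volumetric gate: low-usage SIMs are never scored
        return False
    return (p.mt_calls == 0 and p.sms == 0 and len(p.cells) == 1
            and len(p.called) / p.mo_calls > 0.9)

def flag(cdrs, min_mo=40):
    """Return the sorted IMSIs whose profile matches the rule."""
    profiles = build_profiles(cdrs)
    return sorted(i for i, p in profiles.items() if suspicious(p, min_mo))

# ---- constructed sample traffic (not real data) ----
def subscriber(imsi, calls=12):
    """Handset-like usage: a few contacts, two-way calls, SMS, several cells."""
    cdrs = []
    for n in range(calls):
        cdrs.append((imsi, "MO", f"contact-{n % 4}", f"cell-{n % 3}"))
        cdrs.append((imsi, "MT", f"contact-{n % 4}", f"cell-{n % 3}"))
    return cdrs + [(imsi, "SMS", "contact-1", "cell-0")] * 5

def pooled_termination(total_calls, pool_size, cell="cell-9"):
    """total_calls terminated calls spread round-robin over pool_size SIMs."""
    return [(f"sim-{n % pool_size:04d}", "MO", f"b-{n}", cell)
            for n in range(total_calls)]

def demo():
    legit = subscriber("sub-0001", calls=60) + subscriber("sub-0002")
    small_pool = flag(legit + pooled_termination(3000, 30))    # 100 calls/SIM
    large_pool = flag(legit + pooled_termination(3000, 1000))  # 3 calls/SIM
    return small_pool, large_pool

if __name__ == "__main__":
    small, large = demo()
    print(f"30-SIM pool: {len(small)} SIMs flagged")
    print(f"1000-SIM pool: {len(large)} SIMs flagged")
```

The heavy legitimate subscriber clears the volume gate but is not flagged because it receives calls, sends SMS and moves between cells; the 1,000-SIM pool carries the same 3,000 calls yet no SIM reaches the gate.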
FMS and similar CDR analysis platforms have also been effective in detecting SIM boxes, but in recent years, fraudsters have found clever ways to evade usage profile detection.

• Human Behavior Simulation – Go to a SIM box manufacturer’s website and you’ll see they advertise a Human Behavior Simulation (HBS) software capability. This means that the SIM boxes are programmed to mimic real mobile subscriber behavior. HBS techniques involve automating features on the SIM Box such as SMS messaging, self-calling, and international dialing in order to frustrate detection algorithms used by FMS and CDR analysis.

• Growing the Pool of SIM Cards – Another scheme is to rotate the use of a large volume of SIM cards through a SIM Server system. When you do that, the volume of traffic going across any one SIM card is reduced to the point where they fall off the usage analysis radar.

Now in both cases -- test calls and the FMS -- by nature of their methodology, the fraud has been committed by the time you detect it. So you are already losing money before the detections occur.

3. SIM Card Distribution Control

And then finally, the third major mitigation strategy is controlling the distribution of SIM cards in the nation affected. SIM cards, of course, are the enabler of international bypass fraud: to complete a call, every device on a GSM network needs to have an IMSI Subscriber ID number that resides on the SIM card.

Now over the years, as carriers got better at SIM Box detection, fraudsters needed to obtain thousands more SIM cards to replace those already detected or “burned” and made no longer usable on the network. At first, fraudsters had no trouble obtaining SIMs in large quantities. This is why nations experiencing bypass introduced measures to control SIM card distribution and block fraudsters from buying SIMs. These measures include requiring government IDs to buy SIMs, cross-checking multiple SIMs registered by the same person, and preventing the sale of pre-activated SIMs.

Yet despite these control efforts, the fraudsters in most countries have -- through identity theft, fake IDs, and other schemes -- been able to get their hands on the volumes of cards needed to keep their SIM box operations humming.

[Infographic] The Battle To Stop International Bypass: Why the Fraudsters are Winning

Diagram labels: SIM Server; TCG interconnect "grey route"; SIM Box; CDR; Switch.

SIM Server
SIM Servers, a recent fraudster innovation, can control SIM boxes from anywhere in the world. SIM Servers can:
• Automatically manage & replace hundreds of SIM cards.
• Virtualize SIM cards so that SIMs can be quickly assigned to modems and rotated between calls.
• Enable IMEI & IMSI pairing in a database so every SIM has a unique IMEI.
• Look like hundreds of unique mobile subscribers, rather than a central machine cycling many SIMs through a small set of modem hardware.

Test Call Generators (TCGs)
Test calls are made from many countries to test numbers in the country where SIM boxes operate. The interconnect grey routes to the SIM boxes are discovered, so the paths can be blocked.

Test Call defense...
• Fraudsters spot test calls from their usage patterns, so the test calls are blocked or traffic is redirected to avoid detection.
• They use pools of SIMs as decoys. They are sacrificed to give false hope that SIM blocking efforts are working.
• Large pools of reserve SIMs at SIM Servers mean a huge number of test calls are needed to detect all the SIMs.

SIM Card Control
SIM cards enable bypass fraud, but as SIM cards are "burned" (detected & blocked), the fraudsters need a fresh supply of SIMs. So governments control the distribution of SIMs by requiring IDs to obtain them at stores where they are sold.

SIM Card Control defense
• Fake IDs often enable fraudsters to maintain a big supply of SIMs on hand.
• SIM Servers are making SIM control obsolete because SIMs can be obtained and consumed in large quantities in another country. The local SIM box becomes merely a box with modems.

Fraud Management System (FMS)
The FMS uses Call Data Records (CDRs) off the switch to create usage-based analysis profiles to detect SIMs being used in SIM boxes versus those used in legitimate subscriber handsets.

FMS defense...
• Simulate human behavior: SIMs call & SMS each other & move between modem geographic locations. These make it very hard to detect them.
• Distribute huge volumes of voice calls across a high volume of SIM cards, keeping the calls per SIM very low. This is achieved using a SIM Server.

Losing money before detections occur
In both FMS and TCG solutions, significant revenue losses occur before any SIM boxes are detected.

SIM Box deployment & carrier revenue loss
SIM boxes are often deployed at 5 to 10 gateways in a city so as to serve a large number of mobile users. Fraudsters can make $100/day per modem (aka channel) in a SIM Box. With 30 to 60 modems in a SIM Box, they can generate a loss of $6,000/day or $2 million a year. If a SIM box mitigation is truly working, regular international revenue should go up. But some countries are experiencing 50% loss of international traffic even with active SIM box defense solutions in place. It's proof that the fraudsters are succeeding despite the many efforts to detect and block them.

The SIM Server: Fraudster’s Powerful New Stealth Technology

SIM box fraudsters are often characterized as small-time crooks who buy their equipment on eBay and keep their SIM boxes and antennas in a small apartment. Such a simplistic picture of the SIM box fraudsters may be true in certain regions of the world, but the unmistakable trend among fraudsters is toward large-scale automation and the use of advanced technology on a global scale. There’s no better example of this than the recent rise of the SIM Server and its associated banks of thousands of SIM cards.

The SIM Server, which was developed in the early 2000s, was first used as a central test platform for various end-to-end quality of service and roaming test automation. Unfortunately, it also proved a major breakthrough for fraudsters because it “virtualizes” the SIM card. The server could be located in Singapore or Los Angeles, but it can manage multiple SIM box operations on multiple continents simultaneously.

Here’s a quick rundown on the major challenges that SIM Servers bring to the bypass battlefront:

• The Supply of SIM Cards is No Longer an Issue – Before SIM server technology arrived, fraudsters would typically run out of SIM cards in a week since the SIMs would be detected and “burned”. But by virtualizing the SIM card’s use, fraudsters no longer need to maintain a local supply of SIM cards in the country where their SIM boxes operate. So a pool of 1,000 SIM cards can last a month or two.

• The SIM Box becomes an Empty Shell – The net effect of SIM virtualization is that the local SIM box no longer needs to have any SIM cards at all! It’s a box with only modems inside. This means that in-country SIM distribution control programs will rapidly become obsolete.

• SIM Detection via Test Calls Becomes a Lot Harder – With the expanded pool of SIMs in SIM Servers, massive volumes of test calls are needed to detect the hundreds to thousands of SIMs in the SIM banks.

• A Vast Number of Fake Mobile Subscribers - SIM Servers can change IMEIs with every call, enabling a database of paired IMEI and IMSI so that every SIM card has a unique IMEI. Hence, the SIM Server looks to the network like a collection of hundreds of unique subscribers rather than a centralized machine cycling many SIMs through a small set of modem hardware.

• Huge SIM Card Reserves Enable a Flexible Usage Strategy - The SIM banks that live in remote countries are large enough to allow fraudsters to employ a very flexible strategy. The latest electronic chassis can carry 6,500 SIMs inside. So they can drive multi-national campaigns. And as SIM cards are burned, they are automatically replaced.
• Detecting SIMs with an FMS Becomes an Order of Magnitude Tougher - Consider this: To detect SIM boxes, FMS systems rely primarily on volumetric data. Their algorithms home in on usage that is statistically significant, or rises above the number of calls an average mobile caller makes. Yet we know that FMS systems are already having a hard time detecting SIM boxes with 60 SIM cards inside. So imagine how hard it is to detect SIM cards from a remotely controlled bank of 6,500 cards! Not only that, the virtual IMSIs and IMEIs are automatically rotated and served up across multiple modems and perhaps multiple countries where the SIM fraudsters operate! In other words, the usage footprint of any individual SIM card at a single modem is exceedingly small – so small that the SIM can easily hide in the noise of other traffic.

Network Protocol Signatures – A New Detection Solution for the SIM Server Threat

The introduction of the SIM Server has given fraudsters a new stealth technology allowing them to leapfrog carrier efforts to detect and block bypass. But all is not lost. Carriers have a new technological trick up their sleeves that can help them meet the SIM Server challenge.

The new technology to leverage is Network Protocol Analysis, and its main virtue is that it recognizes the signature (or fingerprint) of the SIM Box as it comes onto the network, blocking the use of any SIM card used on the box’s modem.

Network Protocol Analysis performs its magic through network signaling data -- a set of data never before used to detect SIM box fraud. To understand how it works, you can think of signaling as the computer operating system of the mobile network. It’s the lower level protocol messages being exchanged between the mobile device, cell towers, base stations, and the like. SIM boxes, including SIM Servers, generate a characteristic set of these protocol messages, allowing the fraudulent devices to be distinguished from other users on the mobile network.
By the way, this rich set of data goes far beyond the information that’s captured in CDRs. In all, the data set tracks the information contained in dozens of protocol messages that are exchanged to set up a single GSM call – and before the first CDR is even cut on the switch. These signaling data provide the key to distinguish calls made by a SIM box modem from those made from a regular mobile handset or smartphone. In fact, the technology works without having to know the IMSI of the SIM card or the IMEI of the modem hardware at all.

When you power up your mobile phone, the first thing the device does is register itself and authenticate the SIM card that’s in the phone. So the Protocol Signature of the mobile device is the set of messages and data passed back and forth when the device signs onto the network. It is subsequently used for calls, texts, and data. And no matter how a fraudster tries to hide its SIM Box’s identity or play the human simulation game, the fingerprint of the modem in the SIM box cannot be masked because the messages it sends to the network reveal its true identity.

Not surprisingly, the engineers who developed this SIM Box detecting mechanism are experts in the radio network domain. Their solution detects SIM box modems coming onto the network in real-time and also includes a strong big data capability enabling the analysis of millions of mobile network calls per day.

The key advantages that Network Protocol Signatures bring to the SIM box battle are as follows:

A. SIM Boxes are Detected as Soon as They Come onto the Network - There’s nothing the fraudsters can do to prevent detection. Before they generate any bypass, the SIM modem announces itself in the signaling layers. As soon as the modem communicates, a network protocol signature is created. Even if the SIM Box attempts to disguise itself as a Samsung S5 smartphone, the Network Protocol Signature technology is not fooled and detects the SIM Box or SIM Server immediately.

B. It Stops Fraud Before Revenue is Lost - Other means of SIM box detection such as test calls and FMS require considerable time to collect the usage, analyze it, and take action on the usage data. In that time, the fraudsters can do a lot of bypass. But protocol signatures detect the modems and block the bypass as soon as they sign onto the network – and before revenue is lost.

C. It’s Fully Passive - Unlike active detection technology such as test call generation, network protocol signatures are captured passively so the fraudster is not aware of the method of detection.

How to Stop the SIM Server: Use a Coordinated Attack Strategy

OK, here are our recommendations on how to fight SIM box fraud in the coming era of global SIM Server deployments:

1. Use Protocol Signature Analysis as the First Line of Defense - Protocol signatures are desperately needed to regain the edge over SIM box fraudsters. So fraud and revenue assurance experts need to quickly get up to speed on this new, unfamiliar technology so they can deploy it wisely and rapidly.

2. Employ a Multi-Pronged Defense Strategy - Protocol Signature Analysis is a powerful technology, but it’s not a “silver bullet”. It needs to be used in concert with the fraud management tools already in place. For instance, the intelligence gained from FMS systems enables Protocol Analysis systems to be deployed in the most fraud-infected parts of the network. Likewise, TCG systems are critical for pinpointing the interconnect carriers who are sending bypass traffic toward the carrier’s networks. And the more interconnect routes you can send test calls through, the better. For this reason, working with multiple TCG vendors – each employing different test routes -- is very useful.

3. Invite All Solution Parties to the Integration Table – Fraudsters know full well that it’s advantageous if the anti-fraud solutions of a carrier remain siloed solutions that fail to coordinate and pass information freely between each other.
Therefore, it’s the carrier’s responsibility to see that vendors truly open up their APIs and make a concerted effort to defeat the common enemy.

As we’ve seen, the arrival of the SIM Server has made the battle to stop international bypass much harder. The SIM Server has enabled fraudsters to leapfrog conventional FMS and TCG solutions’ ability to keep a lid on bypass. In fact, carriers who have their SIM box fraud problems under control today are now quite vulnerable to the new SIM Server threat. It’s likely these carriers will see a resurgence of bypass due to the formidable stealth power and deployment flexibility that SIM Servers enable.

To survive and thrive in the new era of SIM Server-led bypass, carriers must add protocol signature analysis to create an integrated and effective anti-SIM box defense.

Technology Research Institute (TRI) is an analyst firm that has been following the market for telecom systems and software since 1995. TRI is also the publisher of Black Swan Telecom Journal.

For more information about Protocol Signature™ detection and advanced bypass fraud control, contact LATRO Services, Inc [email protected]

Copyright 2015 Technology Research Institute and LATRO Services, Inc. 1550 Lehigh Drive, West Easton, PA 18042 www.latroservices.com