All posts by John Richardson

The Re-Emergence of Convergence

Operators and global industry forums continue to wrestle with the question of whether or not to merge their fraud and security teams/work-groups to cope better with criminals who are breaking in through IP-based networks in order to derive profit for themselves (or their causes), or just to wreak havoc and disruption on their “enemies”.  Fraudsters are not just partaking in the traditional crimes of bypass fraud, roaming, Dial Through, AIT/PRS, Call Selling fraud etc., but also the exciting new stuff…. Phishing, malware, spoofing, DDoS, Trojans etc.

One can be forgiven for thinking that fostering closer links between fraud and security domains is breaking new ground in terms of responding to the threats posed by 4G/LTE, NextGen, the continued growth of e/m-commerce and the proliferation of data passing over networks.   I guess it is a sign of my advancing years that I can’t help feeling that we have been here before…

15 years ago, when I was prepping for an interview for my first job in the fraud management arena, I was listening open-mouthed as a fraud expert was explaining to me the finer points of PBX Hacking.  Thinking back, two things were very clear:-

  1. The Operator in the UK already had a merged fraud and security group (which they later separated out, then subsequently re-merged again, by the way).
  2. The main advice to combat PBX Hacking was prevention, not detection… and that meant security prevention. The operator was keen to tell its business customers that they needed to physically lock away their PBX equipment, protect their passwords, switch off unnecessary/vulnerable services such as DISA/Voicemail, carry out security awareness training for switchboard operators, support staff, suppliers, use barring at switch or extension level, keep PBX call logging records to see hacking attempts before they succeed, shred old copies of internal directories, vet their security/cleaning staff, etc. etc.   The FMS only stepped in when all the prevention activities failed and the PBX was breached.  By the time that happened, operators were already losing money directly, if they were responsible for the switch, or indirectly if their customers were liable.  Customers may have been unwittingly facilitating the fraud by their lack of security awareness etc. but even so, if a small business – used to paying perhaps $1000 a month for calls, suddenly gets a bill for $20000, they are going to fight it, refuse to pay it or be unable to pay it.  The indirect cost to the operator of customer complaints, disputes, potential court cases, damage to the brand, bad publicity, negotiated settlements, debt write-off and churn etc. can cost far more than the original bill.  It was a lose/lose situation… unless you were the fraudster.

These days, with the emergence of 4G/LTE, IP-based Networks, perpetrators are still committing the same underlying crime for the same motives as before, but now they are breaking in through a host of different entry points, wearing better disguises, carrying bigger SWAG bags and using faster getaway vehicles.  In truth, many operators are struggling to keep up with the high number and seemingly unpredictable nature of these attacks.

Security teams are traditionally very good at preventing access to networks, but they are not perfect.  The pace at which network elements, components, interfaces and transactions are increasing is making it impossible for all the preventative measures to be in-situ from day one.  Not to mention the surfeit of off-the shelf tools that fraudsters can use to break in to more and more lucrative areas of daily commerce.

In practice, Prevention alone cannot succeed.  Detection, Analysis and Response are also essential elements of the fraud management cycle.


So, my point is this…. security and fraud teams cannot operate in silos.  Security teams must continue to try and prevent malicious intrusion as much as possible.  That requires taking in a lot of real-time data from the access points, identifying the nature of the content and the data patterns and quickly blocking anything that looks dubious.  But when the intruder gets in (and they do in their numbers), that is when the fraud team can also play their part.

Whilst the security team controls corporate IT networks, how well can they police the mobile workers and the homeworkers, the tablet users, the App Store/Android Users etc.?  And if you think that profiling subscribers was difficult historically, how much harder is it when you can’t even define what a subscriber is, let alone track their behaviour.  In the new world, the relationship between account holder, subscriber and product/service is not always obvious.  Also, the billing relationships for transactions can be mind-boggling.  Couple this with the speed at which these transactions are taking place and the value of services and content being passed across a proliferation of bearers, and you have a minefield to negotiate.

This is where a good Fraud Management System can supplement an operator’s security tools.  An FMS must now be equipped to take in much larger volumes of data than before, in many different forms and process it much quicker.   Any reputable FMS vendor will now be offering solutions with large scale, flexible data handling tools (including probe / deep packet inspection events), internal/sales partner audit logs/feeds, inline service/transaction monitoring, exhaustive rules engines (real-time, in-line and statistical), subscriber grouping & profiling features, reference data including Hotlists/Blacklists, fraud and device “fingerprinting” capabilities, ID verification, alarm prioritisation and established, flexible workflows, with a range of analytics tools and visualisation features.  All these components – in the hands of an experienced and well-managed fraud operations outfit – will help to choke fraudsters and drive them out to look for easier targets.

So, in summary, don’t let the security guys take all the strain at the prevention stage.  Share the data, share the knowledge and spread the load to the fraud team for a more comprehensive response.

To get more information about Subex Fraud products please click here.

Intelligent Alarm Qualification in a Fraud Management System

Most leading rule-based Fraud Management Systems are based on a relatively simple process…. When an event (or series of events) occurs, the record associated with the event is processed in the FMS.  If the event breaks a rule in the FMS – perhaps because it is unusual for the customer, unusually long duration, unusually expensive or is one of a very high number of calls – an alarm is fired and that alarm is sent to the alarm page so that the fraud analyst can see it in their workstack and hopefully take prompt action to deal with the case.

The reality of course is that, in many instances, the alarm is competing with perhaps hundreds or thousands of other alarms for the attention of the analyst.  So, which is the most important alarm in the stack?  Well, as we know, most FMS systems will have a scoring system so that the alarms with the highest score will appear at the top of the stack.

Typically, when rules are built, they are given a score which reflects their “potential” severity, relative to other alarms.  Weird and wonderful algorithms are then used in the background to build a consolidated score for an alarm based on a combination of these various scores for each rule breach, bearing in mind that alarms usually comprise a combination of several rule breaches.

So a $50 call to an Adult entertainment line may have breached all of the following rules, each having a score associated with that breach:-

  • High Value Call to a Premium Rate Service
  • Long Duration Call to a Premium Rate Service
  • High Value Call to ANY number
  • Out of Hours Call

On the face of it, this seems a sensible solution.  However, there are three flaws with this methodology:-

  1. The scoring provided for a rule breach (alert) is arbitrarily/subjectively assigned at the time the rule is written
  2. Once the score is associated with the rule, it is unlikely it will be changed until a thorough rules review is conducted, which could be months/years later
  3. No consideration is given to the “actual” ruling that was subsequently assigned to the alarm.

But what if the score could change dynamically based on the history of ACTUAL rulings made by analysts, rather than remaining static, based on the POTENTIAL severity of the situation.

So, for example, if a particular set of rule breaches appear to be high risk but actually rarely result in a fraud, then surely over time, the score associated with that “event” should reduce.  Likewise, if a low score alarm always results in a fraud ruling, the score should automatically be enhanced the next time the system sees the same, or similar, behaviours.

In other words, the system learns from experience over time.  The more alarms that analysts rule correctly, the more accurately the score reflects the likelihood of that alarm being fraudulent or not.  It won’t reduce the number of false alarms, but it will ensure that the alarms most likely to be fraudulent will appear at the top of the list and be dealt with quicker than those that are known to be less risky…. And that means losses due to fraud are reduced.

Subex has been running this system for several years now.  It is known as Intelligent Alarm Qualification (IAQ) and – wherever it is deployed – the results have been excellent.  We have a benchmark which follows the Pareto Principle (the 80:20 Rule).  This means that customers who let IAQ score the alarms should find 80% of their fraud in the top 20% of their alarm stack.  The results in 95% of cases achieve this benchmark – and in the vast majority of cases, exceed it.

Of course, it relies on the fact that analysts do rule alarms as FRAUD or NOT FRAUD regularly, and it also assumes that such rulings are usually correct.  But as long as that is happening, as it is in most operations, then it is Happy Days!

To get more information about IAQ or to find out more about Subex Fraud products please click here.

There’s No Business Like “Know” Business!!

People of a certain “vintage” will remember well the speech by former US Secretary of Defence, Donald Rumsfeld when questioned on the lack of evidence linking the Iraqi government with the supply of chemical weapons to terrorists. For many of us it took a second hearing to fully appreciate the difference between our “known knowns” and our “known unknowns”, and if you are anything like me then the concept of ‘unknown unknowns’ – well that took a little bit longer!

The speech has been the source of much discussion through the years and the basic principle has been applied to many situations and domains, including Fraud Management.  However, one of the most interesting parts of the speech has largely been overlooked in all of the focus on the “knowns” and “unknowns”. In responding to the question Rumsfeld’s first sentence was;
“Reports that say that something hasn’t happened are always interesting to me”.

Fraud management, as with most other operational functions, is largely focused on something happening, whether that is in relation to configuring rules in the Fraud Management System or in working out the effectiveness of your business function (people &  process). The emergence of certain fraud types through the years has started us on the track of reaping the benefits from looking at things that have not happened as a detection method but for many organizations the principle has not been fully embraced.

Most organizations are now looking into more detailed analytics, but within these analytics programs, how much emphasis is put on things that didn’t happen?  Additionally, in a dynamic environment such as Telecoms Fraud Management even what we “think” we know (“known knowns”) may be rapidly out-dated or superseded.

In the “Big Data” era things are likely to be even more challenging for Fraud Professionals as the haystack just got a lot bigger, so even trying to keep on top of what we think we know is going to be a challenge. To start trying to uncover our “Known Unknowns” and “Unknown unknowns”,  – that will take INSIGHT.

To get more information about Subex Insight please click here.

LTE Fraud…. Evolution or Revolution?

“Long Term Evolution” (LTE)..… it was hardly the sexiest name that could have been pinned to a new standard for high speed wireless communication when the first service went live in Sweden and Norway back in 2009. However, on reflection, it is the perfect nomenclature for the technology itself because LTE does not rip up the past and start again but it does represent a series of forward steps which will continue for a long while. The stated objectives of LTE according to the LteTM Encyclopaedia are:-

  • Increased downlink and uplink peak data rates.
  • Scalable bandwidth
  • Improved spectral efficiency
  • All IP network
  • A standard’s based interface that can support a multitude of user types.

The Encyclopaedia goes on to say that LTE networks are intended to bridge the functional data exchange gap between very high data rate fixed wireless Local Area Networks (LAN) and very high mobility cellular networks.
Evolution also aptly describes the behaviour of the criminal fraternity who are changing their modus operandi in order to keep one step ahead as Operators, Carriers, Vendors, Content/Service Providers and Subscribers take those steps along the 4G LTE path. At the same time, the clever ones are also hoping to scavenge a few valuables that may be left unguarded in the old world, as 4G LTE prospectors redeploy their resources.
LTE is certainly not revolutionising fraud behaviour. The vast majority of the methodologies for obtaining fraudulent gain from LTE/4G services have been tried and trusted over many years through a number of earlier technologies. The scale of gain (or loss if you are the victim) may change for a specific fraud type, and the perpetrator may need to work smarter in order to find the angle of attack; but overall, LTE services are just as susceptible to fraud as the legacy platforms have proved to be.
The challenge for Telcos is to make sure that they too are fine-tuning their prevention, monitoring and detection capabilities accordingly so they are not left trailing in the wake of the perpetrator.
A good fraud manager will want to be alert to the nuances that LTE 4G technology bring and consider some fine tuning of their systems and operations to respond accordingly. For example:-

  • New LTE-based services are often separated from the bearer itself. Bearer and service data transactions/events will need to be fed into the FMS, but these will be in different streams. If they can be linked up in the system, that will give the analyst better visibility – and more control – of the end to end activity, thereby providing more context and greater detection capability.
  • Because of the split between the bearer and the service, it becomes far more important for the operator to know what service the customer should have access to. Operators must spend more time preventing provisioning fraud (perhaps facilitated by an employee) by checking the usage against the “bill of materials” for that subscriber.
  • Events will not necessarily be as simple as they used to be (with a start, an end, an A Number and a B Number), so thought needs to be given to maximising the fraud detection value contained in what may be a complex event (or collection of related events).
  • Billing models may change. E.g. There will be more “all you can eat” packages, and some packages may charge on packet sizes rather than minutes. Bills may also be split between different parties in complex revenue chains.
  • Working on trying to identify IMEIs on a far wider portfolio of CPEs, Smartphones (& applications) is important. As well as IMEIs, the FMS will need to be flexible enough to monitor numerous other “identifiers” that are useful in tracing fraud across the range of LTE services Eg. IMSI, MSISDN, MAC, IP address, PDP context, URLs, customer account ID etc.
  • Subscription Fraud. By definition, LTE devices tend to be more feature-rich and expensive, and are therefore more attractive to criminals. Real-time fraud checks before activation can prevent equipment losses. Checks can include subscriber validation, multiple subscriptions, payment instrument, dealer checks, etc before the customer receives the kit.
  • Much higher data speeds over 4G networks may well result in a proliferation of visible M2M events. If the specific M2M behaviours can be identified for each service, there is an opportunity to profile that usage in each scenario and flag where deviations occur. So, a security system might send a periodic short duration, low volume signal to confirm activation or heartbeat. If this device suddenly shows voice calls or high data volumes (such as video streaming), something fishy may be occurring.
  • VoLTE (Voice over LTE). This could be highly profitable to fraudsters using LTE for bypass, call selling etc.
  • IP-based Frauds such as Spoofing, Hacking, DoS and Malware may require closer monitoring of IP traffic and even content.

This does not mean that Telcos have to go out and replace their FMS tomorrow. But they should start asking questions of themselves and their vendor, such as:-

  • Is my FMS flexible enough to deal with a multifold increase in data types /sources and data volumes?
  • Does my FMS have solid profiling features?
  • Does my FMS have an “inline” or near-real time precheck capability to provide preactivation checks as a fraud prevention strategy.
  • Does my FMS have a robust workflow module to enable the analyst to make the right decisions when an alarm is raised?
  • How well do I know my customer?
  • Do I understand which services my customers are subscribed to?
  • Am I carrying out Fraud Risk Assessments on my LTE services before launch?
  • Are my analysts capable of interacting with other parts of the organisation that they may not previously have encountered (eg. IT Security)?

So, in summary, LTE is not a revolution in terms of new fraud but it is certainly altering the mix significantly. Operators must respond quickly to the changing landscape if they are to stay ahead of, or even just a short step behind, the fraudsters.

Get Started with Subex