11 ways that mobile network operators pay for telecom fraud

This guest blog post was written by our technology partner, RoamsysNext. Together we have created the first secure global platform for roaming and interconnect fraud, bringing key data feeds into one place, with simple tools for quick and smart analysis of fraud data. So it’s easier to identify and minimise this costly type of fraud. Find out more about the GSMA Fraud Intelligence Service here.

It’s no secret that telecom fraud is a fast-growing issue. And why not: it’s a cutting-edge and relatively low-risk alternative to traditional crime methods like muggings and bank robberies. Telecom fraud funnels significant amounts of money from carrier or subscriber accounts directly into the pockets of criminals. According to a 2019 report by Europol’s European Cybercrime Centre, fraud costs the telco industry an estimated €10.6 billion ($12 billion) per year. MNOs must usually bear the cost of fraud themselves; there is certainly cross-border cooperation in the fight against fraud, but investigations take a long time, and sometimes, cases cannot be conclusively resolved. Moreover, fraud has caused problems within companies: damage resolution costs time and effort on multiple fronts. MNOs suffer from the loss of revenues, subscriber churn and the deterioration of their brand image. Acquiring new customers costs much more time, money and effort than retaining existing ones.

International Revenue Share Fraud
International Revenue Share Fraud calls often terminate at destinations with low tracking rates for any type of fraud or crime. A large number of calls from the victim network towards International Premium Rate Numbers (IPRNs) are made at high termination rates on a destination network they control. Then, the victim network has to pay the international carriers for the traffic generated by its network towards the destination network.

IP PBX / PBX Hacking
IP PBX / PBX hacking scammers are specifically designed to scour the Internet looking for vulnerabilities in a company’s PBX (private branch exchange/telephone system). As long as the connection is open, illegal revenue can be generated, so attacks are often launched at night, in the early morning hours, or on weekends.

Roaming Fraud
Roaming fraud is a special case where the victim’s cell phone or stolen SIM cards are used to make exactly these expensive calls. Often, the victim is traveling, and a criminal steals the victim’s cell phone or SIM card. The device is then used excessively until it is locked/unlocked. Fortunately, compared to 20 years ago, fraud managers today have virtually 100% visibility of roaming traffic, as they can feed their Fraud Management Systems with data that is all available on the home network.

Interconnect Bypass Fraud
In Interconnect bypass fraud, the scammer exploits the difference between high international interconnect rates and low retail prices for on-net and off-net calls, causing $4.27 billion in lost revenue worldwide (CFCA survey 2017).

SIM Box Fraud 
In SIM box fraud, criminals exploit a local rate for on-net-to-on-net calls by purchasing SIM cards in one country and using them in SIM boxes to terminate calls to subscribers on the network from international routes. In this way, scammers pay only the subscription fee and the local rate (usually free minutes are included with a SIM card) and can make large profits.

Refiling, A-Party Refiling, A-Party Caller Spoofing, and other terms describe the method by which carriers, such as transit carriers or clearinghouses authorized to terminate traffic to an operator, spoof the CLIs (Calling Line Identity) of calls to a network. False Answer Supervision means that the call is actually answered, but this is not reported back to the caller, driving up the minutes and cost of the call.

Grey routes, Spam and Smish
SMS has a reputation as a secure communication channel and is growing due to application-to-person (A2P) messaging, e.g., from two-factor authentication to delivery notifications. This has led to a variety of attack vectors via SMS. Grey routes SMS scams benefit from the fact that international text messages can be routed to their destination in a variety of ways, so each route is calculated differently. Grey routes are prevalent where the mobile operator has an imbalance between international and local termination charges for SMS, coupled with an ineffective SMS firewall. Subscriber Targeting “Spam” is the unsolicited notification of a subscriber that can lead to a dangerous privacy attack through “smishing” (SMS phishing). It usually contains a call-to-action, such as a phone number or web address to click. Apart from the cost of handling subscriber complaints, this can lead to a high churn rate.

Signalling attacks
The vulnerabilities of SS7 and newer Diameter protocols and their use for signalling attacks is sufficiently documented and unfortunately widespread. If the home network cannot provide adequate protection, attackers are able to gain access to the SS7/Diameter interconnection network and launch attacks against any mobile network and subscriber in the world. These attacks range from privacy breaches to fraud to denial of service attacks on the core network infrastructure impacting millions of subscribers.

Insecure GTP
The new world of 5G offers the opportunity to address the vulnerabilities of another long-standing technology: GTP, the GPRS Tunneling Protocol. It is used to transmit user data and control traffic on 2G, 3G and 4G networks and will also be used as part of 5G. The main reason for successfully carried out attacks is the inability of GTP to verify the user’s location, so it is important to have as much traffic visibility as possible. Given the complexity of both LTE and 5G roaming networks, configuration errors must be avoided at all costs. Attackers discover misconfigurations very quickly and exploit them to their advantage.

Helping MNOs become fraud-proof
As complex as fraud prevention and detection is, we should never settle for cleaning up the mess after an attack, let’s take a proactive approach to fighting network fraud. Fortunately, many effective and powerful countermeasures already exist. The GSMA Fraud Intelligence Service has been designed to help MNOs and MVNOs in their fraud prevention efforts. It enables them to curate fraud data using simple tools, from the High Risk Numbers information contributed by GSMA members in real time, from GSMA IR.21 roaming data, and ipdata providing threat intelligence from more than 200 OSINT (open source intelligence) threat feeds. So, for the first time, quick detection, smart analysis and fast sharing of this information is possible, plus the data is systematically checked and verified as it’s uploaded. This all means that operators can act on the information swiftly, and with confidence.