
Thursday, 28 March 2013

Call selling


Continuing our series on different types of mobile fraud, Mark Yelland analyses the risks of call selling to mobile operators

Call selling is the practice of selling service to customers at below market rates but using another person’s system and equipment to deliver that service.

The usual practice is to sell cheap international calls to an expat community. That community may well not be aware that the service it is using is illegal; the appeal is simply cheaper calls back home.

The operator whose network carried the calls still has to pay its international partners, because they will have connected the calls. It is also left with a potentially irate customer suffering bill shock, the choice of writing off all or part of the bill, and the risk of that customer churning. The fraudster has no contractual relationship with the operator at all: as far as the billing system is concerned, the calls were made by the customer whose equipment was used.

In addition to the System Access Fraud described in the earlier post (below), there are other ways of getting access to a network. Some are:

1. Voicemail feed-through – where an organisation has left its voicemail platform open and one of the menu options is to “dial another number”, without restricting that number to extensions internal to the organisation.

2. Stolen mobile phones – using three-way calling to set up numerous concurrent calls: the fraudster’s customers call the stolen mobile, which then uses three-way calling to bridge each of them to the far end.

3. Seizing the circuit of a cordless phone from outside the premises.

4. A friendly switch engineer providing a circuit that does not generate a billing record.

5. Out-of-hours security staff accessing the PBX.

The fraudster makes money by selling the calls to his customers.  The key indicator is the traffic pattern unexpectedly changing for a customer.

Although the network could legally require the customer to pay for the fraudulent traffic, there is usually some compromise agreement reached.  Again, the weakness being exploited is the failure of the customer to secure his equipment from external or internal threats by implementing a strong security policy.  

Friday, 8 March 2013

System Access Fraud

Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection looks at System Access Fraud:

Most PABX systems have a means for the maintainer to dial into the system to perform remote diagnostics and maintenance, by dialling a number (often a freephone number) and entering a password.  This access is often referred to as the Direct Inward System Access (DISA) port.  Strictly, DISA is the feature that gives an external caller an internal dial tone once a code has been entered, and the maintenance port is a separate route in; either way the port gives total access to the system and allows outgoing calls to be made, and in practice it is a default or easily guessed password that lets the fraudster through.

By chaining several of these hacked PABXs, and relying on the lack of co-operation across different telecommunications providers, the fraudster is able to hide his point of origin.  Having access to an external line, he is then able to generate revenue by providing calls at a cheaper rate than the legitimate operators.

Traditionally these frauds were initiated from fixed lines, because calls to freephone numbers from mobiles may be charged.  Now that web sites publish the translated (geographic) number behind a freephone number, the same ports can be reached from mobiles on tariffs with unlimited calls to fixed lines.

In addition, as convergent services are developed and IP-PBX systems proliferate, the fraudster can first compromise the company website to gain access to the internal network, then use that foothold to reach the PBX and initiate calls from it.  With the growth of smartphones and LTE equipment, the attack on the web address can be launched from anywhere and the resulting service sold anywhere, simply breaking out to the phone network in the local country.

From a mobile network operator’s perspective, the contract between the customer and the network usually specifies that the customer is liable for all calls originating from his equipment.  Theoretically, this means that the customer could be charged for all fraudulent traffic, but in practice there is usually an agreement reached whereby the network writes off part of the losses.

The key indicator for this type of fraud is traffic being generated outside the normal parameters for that type of business: out-of-office-hours calls, an excessive number of destinations called, and so on.

The weakness being exploited is the failure of the customer to secure his equipment against external or internal threats by implementing a strong security policy.
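Both indicators in this series so far, a customer’s traffic pattern changing unexpectedly (the call-selling post above) and traffic outside the normal parameters for the business (out-of-office-hours calls, an excessive number of destinations), can be turned into a simple per-customer baseline check over call detail records. The script below is an added illustration written for this page; it is not code from the original posts or from any operator’s fraud system. The CDR lines, customer names and phone numbers are constructed, and the home country code, office hours and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumptions for this example: the home network is in the UK (+44), office hours are
# 08:00-17:59 Monday to Friday, and any destination outside +44 is international.
HOME_COUNTRY_CODE = "+44"
OFFICE_HOURS = range(8, 18)

# Constructed sample CDRs: customer, local start time, E.164 destination, seconds.
# Numbers use fictional ranges (UK 01632 960xxx, North American 555-01xx).
# "acme" has a normal week of daytime domestic calls, then a burst of long overnight
# international calls on Friday 8 March: the call-selling signature described above.
SAMPLE_CDRS = """\
acme,2013-03-04T09:15:00,+441632960001,120
acme,2013-03-04T11:40:00,+441632960002,300
acme,2013-03-05T14:05:00,+441632960003,180
acme,2013-03-05T16:30:00,+441632960001,60
acme,2013-03-06T10:00:00,+441632960004,240
acme,2013-03-06T15:20:00,+441632960002,90
acme,2013-03-07T13:00:00,+441632960005,200
acme,2013-03-08T02:10:00,+12025550101,1800
acme,2013-03-08T02:25:00,+12025550102,1700
acme,2013-03-08T02:40:00,+12025550103,1500
acme,2013-03-08T03:05:00,+12025550104,1600
acme,2013-03-08T03:30:00,+12025550105,1900
acme,2013-03-08T04:00:00,+12025550106,1400
acme,2013-03-08T04:40:00,+12025550107,1750
acme,2013-03-08T05:10:00,+12025550108,1650
globex,2013-03-08T12:00:00,+12025550150,300
"""


def parse_cdrs(text):
    """Turn the comma-separated CDR lines into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        customer, start, dest, secs = line.split(",")
        records.append({
            "customer": customer,
            "start": datetime.fromisoformat(start),
            "dest": dest,
            "minutes": int(secs) / 60,
        })
    return records


def is_out_of_hours(ts):
    """Weekend, or outside the assumed office hours on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def daily_profile(records):
    """Per (customer, day): minutes of out-of-hours international calling and the set
    of distinct international destinations. Days with only domestic calls still
    appear (with zeros) so that they count towards the customer's baseline."""
    days = {}
    for r in records:
        key = (r["customer"], r["start"].date())
        day = days.setdefault(key, {"ooh_intl_minutes": 0.0, "intl_dests": set()})
        if r["dest"].startswith(HOME_COUNTRY_CODE):
            continue
        day["intl_dests"].add(r["dest"])
        if is_out_of_hours(r["start"]):
            day["ooh_intl_minutes"] += r["minutes"]
    return days


def flag_anomalies(records, min_minutes=60, min_dests=5, multiplier=3):
    """Flag customer-days whose out-of-hours international minutes or distinct
    international destinations exceed both an absolute floor and a multiple of that
    customer's median over its other days. The floor stops a customer with a zero
    baseline being flagged for one late call; the multiple stops a business that
    legitimately calls abroad at night being flagged every single day."""
    by_customer = defaultdict(list)
    for (customer, day), metrics in daily_profile(records).items():
        by_customer[customer].append((day, metrics))
    alerts = []
    for customer, days in by_customer.items():
        for day, m in days:
            others = [o for d, o in days if d != day]
            base_minutes = median([o["ooh_intl_minutes"] for o in others]) if others else 0.0
            base_dests = median([len(o["intl_dests"]) for o in others]) if others else 0
            reasons = []
            if m["ooh_intl_minutes"] > max(min_minutes, multiplier * base_minutes):
                reasons.append(f"{m['ooh_intl_minutes']:.0f} out-of-hours international "
                               f"minutes (customer median {base_minutes:.0f})")
            if len(m["intl_dests"]) > max(min_dests, multiplier * base_dests):
                reasons.append(f"{len(m['intl_dests'])} distinct international "
                               f"destinations (customer median {base_dests:.0f})")
            if reasons:
                alerts.append((customer, day.isoformat(), reasons))
    return sorted(alerts)


if __name__ == "__main__":
    for customer, day, reasons in flag_anomalies(parse_cdrs(SAMPLE_CDRS)):
        print(f"{customer} {day}: " + "; ".join(reasons))
```

Run as-is it reports only acme on 2013-03-08, for both reasons; globex’s single lunchtime international call stays below the floors. Comparing each day against the customer’s own median rather than a network-wide threshold is what keeps a genuinely international business from drowning the fraud desk in alerts, and a customer with no history at all (no “other days”) is judged against the floors alone.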

Friday, 25 January 2013

Subscription fraud


Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection looks at the risks associated with subscription fraud:

Subscription fraud is usually described as using a service with no intention to pay.  The concept is straightforward: the fraudster signs up for a service, exploits that service and then defaults on the bill. 

For post-paid (or contract) customers, the fraudster uses a number of tricks to overcome the simple checks implemented by networks, for example he builds up a picture of a user with some small usage regularly settling the bill on time.  At the appointed time the fraud is initiated: the fraudster then uses the phone to run up a significant bill and uses his social engineering skills and ‘good behaviour’ to keep the service going until such time as the network terminates service.

A more recent trend is for genuine customers to have fraudsters’ phone numbers added to their accounts and settled by the customer unwittingly or not.  This can be achieved through a number of different methods from postal interception, refuse examination for account details, passing off or simply contacting the relevant helpdesk to request the addition of another handset and bluffing.  The key indicator is the level of bad debt and whether it is in line with the industry average.  

For pre-paid customers, the situation is slightly more complex.  The fraudster tops up the credit on the phone regularly using a number of stolen credit card numbers.  There is nothing in the payment process to alert the network to a potential issue, until the cards are actually cancelled and a chargeback is applied by the card issuer to the network.  For the network the losses are not simply the value of the traffic, but potentially any fines levied by the card issuers and as a last resort, the removal of the ability to take card payments directly or even indirectly through services such as PayPal.  Hence the key indicator is the level of card transactions being refused by the relevant card processor.

The weakness being exploited is the failure to confirm the identity of the person requesting service.  The first check is that the request does not originate from a country blacklisted as a high-risk environment; if it does, either additional verification steps apply or the service is declined.  The second check is on the originating address.  An online sign-up only sees the source IP address: a Media Access Control (MAC) address identifies a device on its local network segment and does not travel across the internet, so it cannot be checked at the operator’s end.  The IP address, and any device identifier the sign-up client supplies, should therefore be checked for validity and against a fraud database; device identifiers can be spoofed at will by virtualisation software, so identifiers that fail validation should be disallowed rather than trusted.  Having verified, as far as is practicable, that the originating address is valid, the next requirement is a two-stage sign-up, whereby the person signing up has to activate the account by replying to an email.  This is not foolproof: services such as GuerillaMail.org provide a disposable email account that is valid for a few hours, which gives the fraudster time to reply to the verification email.  In the case of passing off, the email should be sent to the existing account holder, not to the individual making the request.

Recognising that these checks can always be beaten, the next step is to minimise the exposure.  This can mean limiting the number of SIMs that can be bought at any one time, or restricting the services available until certain behaviours have been observed, for example:
· disabling calls to Premium Rate Services or Roaming
· putting a limit on the number of different cards that can be used to top up a single SIM
· putting a limit on the number of SIMs that can be topped up by a single card
· implementing the 3D Secure process appropriately, while recognising its limitations: it cannot be used alongside an auto top-up process, but it should be invoked for any change to a service.
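The two card limits above, a cap on the number of different cards topping up one SIM and on the number of SIMs one card may top up, are velocity checks over a sliding time window. The script below is an added example written for this page; it is not the original post’s code and not any operator’s top-up system. The top-up events are constructed, the card tokens stand in for card numbers, and the limits and window length are assumed policy values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for this example (not taken from the original post).
MAX_CARDS_PER_SIM = 3          # distinct cards that may top up one SIM within the window
MAX_SIMS_PER_CARD = 3          # distinct SIMs that one card may top up within the window
WINDOW = timedelta(days=30)    # sliding window the two limits are measured over

# Constructed top-up attempts: (timestamp, SIM, tokenised card, amount).
# Card tokens stand in for card numbers; no real card data is involved.
SAMPLE_TOPUPS = [
    (datetime(2012, 12, 1, 10, 0), "sim-A", "card-0", 10),   # old enough to age out
    (datetime(2013, 1, 15, 9, 0), "sim-A", "card-1", 10),
    (datetime(2013, 1, 16, 9, 0), "sim-A", "card-2", 10),
    (datetime(2013, 1, 17, 9, 0), "sim-A", "card-3", 10),    # third live card: allowed
    (datetime(2013, 1, 18, 9, 0), "sim-A", "card-4", 20),    # fourth card: over the limit
    (datetime(2013, 1, 20, 9, 0), "sim-B", "card-9", 10),
    (datetime(2013, 1, 21, 9, 0), "sim-C", "card-9", 10),
    (datetime(2013, 1, 22, 9, 0), "sim-D", "card-9", 10),
    (datetime(2013, 1, 23, 9, 0), "sim-E", "card-9", 10),    # fourth SIM: over the limit
    (datetime(2013, 1, 24, 9, 0), "sim-B", "card-9", 10),    # repeat of a known SIM: fine
]


def evaluate_topups(events):
    """Walk top-up attempts in time order and decide each one against the two
    velocity limits. Returns (timestamp, sim, card, amount, decision, reason) per
    attempt. Only allowed top-ups are recorded, so a referred attempt does not
    itself poison the SIM's or the card's history."""
    cards_seen = defaultdict(deque)   # sim  -> deque of (ts, card) within the window
    sims_seen = defaultdict(deque)    # card -> deque of (ts, sim) within the window
    decisions = []
    for ts, sim, card, amount in sorted(events):
        for history in (cards_seen[sim], sims_seen[card]):
            while history and ts - history[0][0] > WINDOW:
                history.popleft()         # age out entries older than the window
        cards = {c for _, c in cards_seen[sim]}
        sims = {s for _, s in sims_seen[card]}
        reason = ""
        if card not in cards and len(cards) >= MAX_CARDS_PER_SIM:
            reason = f"{sim} already topped up by {len(cards)} different cards in {WINDOW.days} days"
        elif sim not in sims and len(sims) >= MAX_SIMS_PER_CARD:
            reason = f"{card} already topped up {len(sims)} different SIMs in {WINDOW.days} days"
        if reason:
            decisions.append((ts, sim, card, amount, "refer", reason))
        else:
            cards_seen[sim].append((ts, card))
            sims_seen[card].append((ts, sim))
            decisions.append((ts, sim, card, amount, "allow", ""))
    return decisions


def referred(events):
    """Just the attempts that tripped one of the limits."""
    return [d for d in evaluate_topups(events) if d[4] == "refer"]


if __name__ == "__main__":
    for ts, sim, card, amount, decision, reason in evaluate_topups(SAMPLE_TOPUPS):
        print(f"{ts:%Y-%m-%d} {sim} {card} {amount:>3}  {decision:5} {reason}")
```

On the sample data the fourth card on sim-A and the fourth SIM on card-9 are referred; the December top-up has aged out of the window, which is why card-3 is still allowed, and a card returning to a SIM it has already topped up is never counted twice. Whether a referral declines the top-up outright or routes it to manual review is a policy decision, as is what to do with the chargeback rate, the other indicator mentioned above, which arrives too late to stop the top-up but should feed the same card and SIM history.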

Friday, 23 November 2012

When business opportunity becomes mobile fraud


Imagine the mood of a mobile phone sales person on hearing that the customer in his store wishes to open nine new phone lines for his business.  The commission alone should ensure a Happy Christmas!  However, recently in Petersburg, US, this kind of transaction was used to mask a fraud that has left mobile networks out of pocket by several thousand dollars.

Criminals visited two mobile stores and, falsely using the identity of a local business, signed up for a total of 16 new phone contracts – seven in one store and nine in the other.  The first sign of any problem came when the legitimate owner of the business received bills for the new mobile phone lines a month later.  You can read the full story on the NBC 12 website.

This story highlights one of the most challenging issues for mobile operators: the handset subsidy applied to contract customers.  A glance at almost any mobile operator’s retail site (for example Vodafone UK’s here) shows a huge number of handsets available for free with a contract.  If the consumer thinks about it, they realise that the cost of the handset is being recovered over the period of the contract; if people had to pay the full cost of a mobile phone upfront they would change their phone far less often.

What most people do not realise is the extent of the subsidy that the mobile networks provide to contract customers.  At the date of this article an iPhone 5 SIM-free was retailing on a typical website for £724.99, and whilst the networks will not be paying that much for each handset, it is still a considerable subsidy.

In the Petersburg, US, example, the fraudsters would have left two retail stores with handsets worth around $8000.  These can then be unlocked and sold on the open market, leaving the network to pick up the cost of the fraud.

This kind of fraud demonstrates once again the importance of vigilance by retail staff when setting up contract customers, particularly business customers.  So much information is publicly available now that fraudsters can find company details, addresses, phone numbers, registration numbers and directors’ names through a simple internet search.  It also raises the question: why do retailers let customers walk out of the door with products worth a small fortune, rather than mailing them to the registered company address?  A simple change that would cut this kind of fraud at a stroke.

Tuesday, 20 November 2012

John McAfee’s knee jerk response raises serious issues about privacy


The Daily Telegraph reported last week that John McAfee, the entrepreneur and founder of McAfee Anti-Virus, who is currently wanted for questioning in connection with a murder, had posted a request on a message board asking how long it would take the authorities to triangulate a mobile phone signal and with what accuracy.  You can see the Daily Telegraph report here.

Whilst you can only assume that McAfee wanted this information for personal reasons, his question raises serious issues around the use of mobile technology to trace and track individuals.

It is worth starting by stating that technology is morally neutral: it can be used for good and for bad.  Consider, for example, young people’s use of mobile phones.  Since the universal adoption of the mobile by young people, new negative phenomena such as cyber-bullying have appeared.  However, mobile technology has also provided additional ways for young people to report bullying and other abuse, via text message for example.  Technology can clearly be used for positive and negative ends.

Location information is routinely used to locate mobile communications fraud, either by the operators themselves or third parties working on their behalf.   Being able to identify where fraud is taking place can lead to arrests, confiscation of equipment and reduction of crime.  It is therefore a far stronger deterrent than simply cutting off fraudsters’ numbers, as it actually enables criminals to be caught, rather than temporarily side-tracked. 

Of course the counter argument is that someone’s location is a matter of privacy and that whatever they are using their phone for, legal or illegal, should not be a matter for the state.  A recent ruling in the US, which is reported here, demonstrates that this is not the case.   It will be interesting to see how this matter develops over the course of the next few years and across other territories.

Either way, the answer to John McAfee’s original message board question, as to how long it would take for his phone to be traced and with what accuracy is likely to be “quicker, and with more accuracy,  than you think.”

Wednesday, 17 October 2012

Social media – the new playground for fraudsters. Part 2

As we have seen, social networking sites are particularly vulnerable to fraudsters because they are communities built on trust. The urge to post personal and often intimate details of everyday social and working life makes these sites rich pickings for identity theft.

Fraudsters will often set up false identities on the larger social networking sites, enabling them to present themselves as someone else, whether real or not. The false identity is the basic tool of the con artist, and though some false identities will be created for fun, most will have a more predatory mission, engaging the unsuspecting, establishing fake friendships and often leading to requests of aid, money and potentially more.

Rather than fake an identity, many cyber criminals will simply ‘hack’ a profile page; all they need is a username and password. In many cases this is their idea of a game, and results in little more than defacing the page with graffiti. In more serious cases the hijacked account is used to spread malicious code, often for the purposes of spamming others, or in the worst case to launch cyber-bullying and trolling attacks on others.

Most concerning is the rise in identity theft initiated through social media sites. The way most criminals gain access to an identity is by phishing for a log-in password, usually by sending a message via the social network that appears to be an invitation from a friend to their new profile page. The fake page asks for a second log-in, and that is how easily a confidential password falls into the wrong hands. Because so many people reuse passwords, a social network password will very often open other sites too, from additional social networks to banking, and those sites are increasingly enhancing their security with questions built around your personal preferences. Social media profile pages are a rich source of exactly the personal information that such questions rely on and that ID theft needs: age and birth date, location, phone number, email address, job and family details. More than anything else, the fraudster will have access to recent photographs of you. In the worst case, fraudsters use this information not only to pillage your bank account but to target your network of friends and family using your identity.

In part three we will suggest some useful advice on how to prevent becoming a victim of social media fraud... 

Monday, 15 October 2012

Protecting your phone

News reaches us from Juniper Research via Gomo News that only 5% of smartphones and tablets are “protected”.  In this case the definition of “protected” appears to be that a device has security software installed.  What caught our eye was also a comment from Gomo News expressing surprise about this figure, with the increased publicity around the risks of mobile phone “malware, fraud and device theft”.

This raises some interesting issues.  Whilst it may be shocking that as little as 5% of all smartphones have security software installed, for many the shock will be that as many as 5% have protected their devices.  Having asked people in the close vicinity (many of whom are far more mobile savvy than much of the population) it is clear that the 5% figure is much higher than our straw poll.

The second interesting point is the bundling together of risks from “malware, fraud and device theft”.  The reality is the threats from each of these demons can be considerably different.  You can download malware but not device theft.  Fraud is easier to achieve with a simple telephone call or text message than with the creation of an app.  In this sense, users need more than “protection” for their device. 

Which brings the final point into focus.  As Gomo News points out, there are a number of free software services that enable you to protect your device, but from what?  Free software will not protect a user from a Wangiri (“one ring”) fraud, where a missed call from a premium-rate number tempts the user into calling back.  Whilst it may be able to ensure that data on a device is not accessible if the phone is stolen, it cannot ensure that the device is not stolen in the first place.

Anti-virus and anti-malware software for smartphones is a good thing, particularly when it is free and effective.  However, users need to understand the wider threats from fraud, theft and criminal activity in telecommunications.  Mobile fraud will not be beaten by protecting devices alone; a wider awareness of the threats and risks of all criminal activity in telecommunications is needed to reduce this risk.