
Friday, 23 November 2012

When business opportunity becomes mobile fraud


Imagine the mood of a mobile phone sales person on hearing that the customer in his store wishes to open nine new phone lines for his business.  The commission alone should ensure a Happy Christmas!  However, recently in Petersburg, US, this kind of transaction was used to mask a fraud that has left mobile networks out of pocket by several thousand dollars.

Criminals visited two mobile stores and, falsely using the identity of a local business, signed up for a total of 16 new phone contracts – seven in one store and nine in the other.  The first sign of any problem came when the legitimate owner of the business received bills for the new mobile phone lines a month later.  You can read the full story on the NBC 12 website.

This story highlights one of the most challenging issues for mobile operators – that of the handset subsidy applied to contract customers.  A glance at almost any mobile operator’s retail site (for example Vodafone UK’s here) shows a huge number of handsets available for free with a contract.  Obviously if the consumer thinks carefully about this, they realise that the cost of the handset is being paid for over the period of the contract – because if people had to pay the full cost of a mobile phone upfront they would change their phone less often. 

What most people do not realise is the extent of the subsidy that the mobile networks provide to contract customers.  At the date of this article an iPhone 5 SIM free on a typical website was retailing for £724.99, and whilst the networks will not be paying that much for each handset, it is still a considerable subsidy.

In the Petersburg, US, example, fraudsters would have left two retail stores with handsets worth around $8000.  These can then be unlocked and sold on the open market, leaving the network to pick up the cost of the fraud.

This kind of fraud demonstrates once again the importance of vigilance by retail staff in setting up contract customers, particularly business customers.  So much information is publicly available now that fraudsters can find company information, addresses, phone numbers, registration numbers and directors’ names through a simple internet search.  It also begs the question, “why do the retailers let customers walk out of the door with products worth a small fortune rather than mailing them to the registered company address?”  A simple solution that would reduce this kind of fraud in a moment.

Tuesday, 20 November 2012

John McAfee’s knee jerk response raises serious issues about privacy


The Daily Telegraph reported last week that John McAfee, the entrepreneur and founder of McAfee Anti-Virus, who is currently wanted on murder charges, posted a request on a message board regarding how long it would take authorities to triangulate a mobile phone signal and with what accuracy.  You can see the Daily Telegraph report here.

Whilst you can only assume that McAfee wanted this information for personal reasons, his question raises serious issues around the use of mobile technology to trace and track individuals.

It is worth starting by stating that technology is morally neutral.  It can be used as a force of good and bad.  Consider for example young people’s use of mobile phones.  Since the universal adoption of the mobile by young people, new negative phenomena such as cyber-bullying have come about (for an interesting infographic on the subject click here).  However, the adoption of mobile technology has also provided additional ways for young people to report bullying and other abuse, via text message for example.  It is clear that technology can be used for positive and negative reasons.

Location information is routinely used to locate mobile communications fraud, either by the operators themselves or third parties working on their behalf.   Being able to identify where fraud is taking place can lead to arrests, confiscation of equipment and reduction of crime.  It is therefore a far stronger deterrent than simply cutting off fraudsters’ numbers, as it actually enables criminals to be caught, rather than temporarily side-tracked. 

Of course the counter argument is that someone’s location is a matter of privacy and that whatever they are using their phone for, legal or illegal, should not be a matter for the state.  A recent ruling in the US, which is reported here, demonstrates that this is not the case.   It will be interesting to see how this matter develops over the course of the next few years and across other territories.

Either way, the answer to John McAfee’s original message board question, as to how long it would take for his phone to be traced and with what accuracy is likely to be “quicker, and with more accuracy,  than you think.”

Wednesday, 17 October 2012

Social media – the new playground for fraudsters. Part 2

As we have seen, social networking sites are particularly vulnerable to fraudsters because they are communities built on trust. The urge to post personal and often intimate details of your everyday social and working life makes these sites rich pickings for identity theft.

Fraudsters will often set up false identities on the larger social networking sites, enabling them to present themselves as someone else, whether real or not. The false identity is the basic tool of the con artist, and though some false identities will be created for fun, most will have a more predatory mission, engaging the unsuspecting, establishing fake friendships and often leading to requests for aid, money and potentially more.

Rather than fake an identity, many cyber criminals will simply ‘hack’ a profile page; all they need is a username and password. In many cases, this is their idea of a game, and will result in little more than defacing the page with graffiti. However, in more serious cases, these hacks will be used to install malicious code, often for the purposes of spamming others, or in the worst case to launch cyber bullying and trolling attacks on others.

Most concerning is the rise in identity theft initiated through social media sites. The way most criminals gain access to an identity is by phishing for a log-on password, usually by sending a message via the social network which appears to be an invite from a friend to their new profile page. This fake page will ask for a second log in. That is how easy it is for your confidential password to fall into the wrong hands. Most social network log-in passwords will almost certainly give access to other sites, from additional social networks to banking, which in turn are enhancing their security with questions built around your personal preferences. Social media profile pages are a rich source for exactly this kind of personal information that can be used for ID theft, from age and birth date, to location, phone number, email address, as well as job and family details. More than anything else, the fraudster will have access to recent photography of you. In the worst case, fraudsters will use this information to not only pillage your bank account, but will target your network of friends and family using your identity.

In part three we will suggest some useful advice on how to prevent becoming a victim of social media fraud... 

Monday, 15 October 2012

Protecting your phone

News reaches us from Juniper Research via Gomo News that only 5% of smartphones and tablets are “protected”.  In this case the definition of “protected” appears to be that a device has security software installed.  What caught our eye was also a comment from Gomo News expressing surprise about this figure, with the increased publicity around the risks of mobile phone “malware, fraud and device theft”.

This raises some interesting issues.  Whilst it may be shocking that as little as 5% of all smartphones have security software installed, for many the shock will be that as many as 5% have protected their devices.  Having asked people in the close vicinity (many of whom are far more mobile savvy than much of the population) it is clear that the 5% figure is much higher than our straw poll.

The second interesting point is the bundling together of risks from “malware, fraud and device theft”.  The reality is the threats from each of these demons can be considerably different.  You can download malware but not device theft.  Fraud is easier to achieve with a simple telephone call or text message than with the creation of an app.  In this sense, users need more than “protection” for their device. 

Which brings into focus the final point.  As Gomo News points out, there are a number of free software services that enable you to protect your device, but from what?  Free software will not protect a user from a Wangiri fraud.  Whilst it may be able to ensure that data on a device is not accessible if a phone is stolen, it cannot ensure that the device is not stolen in the first place.

Anti-virus and anti-malware software for smartphones is a good thing – particularly when it is free and effective.  However, users need to understand the wider threats associated with fraud, theft and criminal activity in telecommunications.  Mobile fraud will not be beaten by protecting devices alone.  A wider awareness of the threats and risks of all criminal activity in telecommunications is needed to reduce this risk.

Monday, 8 October 2012

It's an apps world

The growth in the mobile app market has been nothing short of spectacular.

This completely new market has developed from scratch to a potential market value of $100 billion by 2017 according to industry analysts, with the average smartphone user having 41 downloaded apps on their device in 2012 according to research by Nielsen.  Rather like the number of blogs or websites, numbers cannot do justice to the volume of apps available and any estimate of the numbers would be completely meaningless and outdated in days.

Mobile users have embraced not only free but also paid for apps, yet users will not pay any attention to where the app comes from and who publishes it.  Users probably should because apps represent perhaps one of the most effective means through which fraud can be perpetrated on mobile users. This was recently highlighted by research from Lookout that was reported on the BBC.  Mobile viruses that steal money have grown in the past nine months from 29% to 62% of all mobile malware. 

It is no surprise to hear that fraudsters are now looking to monetise the mobile app industry - where there is brass there is muck after all.  The worrying issue for users is one of trust: the apps industry is so young that it is difficult to know who, amongst thousands of developers, can be trusted and who cannot.

The other issue is one of transaction size.  The article on the BBC hints at viruses surreptitiously adding unexpected charges to a user’s bill.  The relatively low cost of apps means that users are less likely to notice this kind of micro-fraud – let’s face it, most people will notice an absence of £69 from their bank account quicker than 69p.  More pertinently, users that are simply keen to grab the latest app are unlikely to check the terms and conditions that are attached. Users might therefore be duped into unwittingly paying on-going costs for an app each and every month.

At some point during the 1990s and 2000s email users understood the message that it was a bad idea to open certain attachments from people they did not know.  During the 2010s mobile users will need to learn the same vigilance – sadly on the way many will be duped and conned.

Tuesday, 28 August 2012

Social media – the new playground for fraudsters

Earlier this year Javelin Strategy & Research issued new figures on identity fraud, and unsurprisingly the focus of the research was social media. Social, dating and business networking websites such as Facebook, MySpace, Bebo, and LinkedIn, have rewritten the digital landscape as users create their own profile and share conversations, photos, videos, links and personal information with friends and other online users. Unfortunately this opens the door to fraudsters who use these trusted services to target victims with their scams. Many will be familiar to computer owners (malware, spam and page hacks) but less so in their new social media guises...

Malware remains by far the most common social networking fraud because members will install user-created applications on their profile pages. These might be used for animation, calendars, photo-feeds or simple games. Unfortunately they can often hide spyware, trojans and viruses that members then unknowingly either download to their own computers or post on their profile page. Social networking sites are particularly vulnerable because, by their very essence, they are communities built on trust. Users don't expect to be scammed by other users and that makes them easy targets for fraudsters.

Spamming is another familiar issue, such as the Nigerian 419 advance fee scam, only these are now often able to bypass spam filters by coming through the social network. A great deal of social media spam will originate from the victim, usually because they have installed a malware widget program. Often purported to advance the design of a user's page, such malware will actually be designed to spam all the user’s contacts.

But fraudsters do not only want to use your profile to spam others. They want to spam you. This is achieved with carefully targeted emails using the social media search tools to identify a member's area of interest. In the worst case these details can be collated into master spam lists of people with specific interests that are sold on to other spammers.

In part 2 we will look at the growing threat from social media identity theft...

Friday, 17 August 2012

The value of your phone

Do you know what your phone is worth?  According to recent research, the average value of a recycled phone has topped £100 for the first time.  This is good news for people recycling phones; to find out the value of your current handset, you might wish to click here.

However, we suspect that headline figure significantly undervalues the handset in your pocket for a number of reasons:
  • Think of all of the data on your phone.  Pictures, messages, emails.  All of this information could potentially be of value to a fraudster, far beyond the actual cash that can be generated from the hardware itself.
  • Now think about cross referencing this information with easily accessible public profiles on social networks.  Take a simple example.  Your phone is stolen, it is then used to cross reference you with information held on social networking sites.  This can help locate you and even give a fraudster an idea of what you are doing at any time.  Imagine how useful even a simple phrase like “working away until the weekend” or posting a location status could be?
  • So the fraudster could now know your location, your mobile number, the numbers of your contacts, have access to your emails and potentially know your address.  All of this information is invaluable to a fraudster.
In this environment, it is astonishing that up to half of phone users do not use the lock on their phone to secure it, effectively leaving an open channel for fraudsters to access confidential information.

Accentuating the positives, people check that their phones are to hand far more often than they check their wallets, which does at least mean that, should you have a handset stolen, you will discover this quickly.  But by then the damage could be done.

The digital footprint available from an unsecured mobile phone and publicly available social networking information is a goldmine to fraudsters, and this emphasises the importance of having a joined up approach to personal anti-fraud measures in the 21st Century.  In the late 20th Century we were advised to shred important documents.  A far more proactive and resilient approach to private data security is needed in the digital age to secure private information.

Bypass Fraud hits Manila

We were struck by this article in the Manila Standard Today newspaper from the Philippines.  It demonstrates what a huge international issue GSM Gateway or SIM Box fraud really is.

The interesting thing about this story is threefold:
  1. It demonstrates a clear connection between international telecommunications fraud and terrorist activity.  Hopefully this will help to give the lie to the myth that telecoms fraud is a victimless crime: whilst some people might have little sympathy for mobile operators losing revenues, it’s impossible to sympathise with the illicit gains of this activity funding the Bali bombings and other similar activities.
  2. It shows the scale of the problem.  The article quotes a figure for operator losses of $3 billion per annum.  It’s hard to put that into context so the more pertinent figure comes later in the article.  In one scam alone, 22 million fraudulent minutes were sold for $55 million.  That’s one scam, in one country.  With SIM box fraud happening in almost every operator in every country globally, you begin to understand how that $3 billion figure is, if anything, an understatement.
  3. It also gives us a view as to why SIM box fraud continues, even after more than 10 years.  To catch and convict the fraudsters requires international co-operation across governments, law enforcement agencies and the judicial system.  That is not a simple thing to achieve, particularly to convince busy police forces that they can help to reduce international criminal activity through their own actions on the ground.

As the fraudsters get smarter, so the need for anti-fraud detection and elimination becomes more important.  The mobile operators have to do all they can to eliminate SIM box fraud and continue to raise the issue at the highest levels of government – not only to protect their own revenues but, more importantly, to protect the public from the illicit gains made by telecoms fraud.

New moves to combat handset theft

Our attention was drawn to a story in the media regarding mobile fraud.

First, thirteen operators in Latin America have joined forces to combat mobile handset theft.  This is a positive move that will enable operators in Latin America to share information on stolen handsets with their counterparts to ensure these devices are not reused.  This helps reduce the sell-on value of mobile phones, hopefully ensuring that mobiles are therefore a less enticing target for criminals.

A similar system has existed in Europe for some time, so one obvious question is why has it taken the operator community so long to instigate their own scheme. Nevertheless the initiative is welcome.

Talk to anyone that has a phone stolen (and plenty of people do) and one of the major frustrations is not only the loss of hardware but also the data kept on the device.  In the last few years this has become even more of an issue with mobile banking apps, email, private photos and other data all accessible from the handset.  It is pretty astonishing that more than half those with a smartphone do not apply any kind of security to the device.

The different frauds: Interconnect Bypass


Traditionally, mobile fraud was seen as something that took place against the consumer – this is often what generates the headlines.  But there are also a number of mobile frauds that are hidden from the end user. 

They may be inadvertently involved but often users are completely unaware they are participating in a fraud.

Over the next few weeks we will be highlighting some of these frauds and the implications they can have for the mobile industry.

Interconnect Bypass:

Interconnect bypass is also known as GSM Gateway or SIM Box fraud.

When you make a call abroad, a number of different telecoms operators will handle the transfer of this call from home to the other side of the world.  This all happens automatically and within hundredths of seconds, but each company will be paid a small proportion of the call revenue for passing the call over their network.  When the call arrives in the destination country, the local operator will be paid what is called a ‘termination fee’ for passing the call on to the recipient.

The opportunity for fraud comes when the value of the termination fee exceeds the cost of a local mobile to mobile call in a country.  For example, if the termination fee is 10p, but the local operator offers local mobile to mobile calls for 5p a minute, there is a potential money making scheme of 5p per call available if someone can divert calls from the mobile operators’ traditional routes.

The next question is how to achieve this? This is where the ‘SIM Box’ element of the fraud comes about.  SIM boxes are machines that can house thousands of SIM cards.  If you fill a SIM box with active cards, you can connect and terminate as many calls as you have SIM cards.  And if the 5p per call opportunity exists, you can generate this from every call.

So how do these ‘call terminations’ end up in the telecoms system?  Mobile operators tend to have relationships with other operators through which they ‘buy’ a number of minutes on their network each month.  But there is also an “open market” for the buying and selling of call termination.  This enables operators to sell on excess capacity they have or buy more terminations if they need them in a country.  SIM box fraudsters will bundle together millions of terminations on thousands of routes between countries and sell these on the open market.  These can end up as part of the routes that operators buy to terminate calls meaning that the calls are diverted from the mobile operator in country through a SIM box fraudster.

Why does any of this matter?  For the operators the answer is obvious – they lose money from not terminating as many calls as they would if SIM box fraud did not exist. 

But there are also implications for consumers and even governments.  A consumer would not know that their call is being routed via a SIM box but they might well be aware of a poor connection, interference on the line or calls that cut out.  They will also not receive normal telephony services such as caller line identity. 

For governments the issues are more complex.  SIM Box fraud often funds other frauds, organised crime and exploitation.  Furthermore, governments lose a proportion of the revenues that the operators should be paying them.

SIM Box fraud is one of the most serious frauds for operators.  It is estimated to cost operators billions of dollars a year.  Whilst the public might not recognise it as a consumer facing fraud, its implications are considerable.
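
From the operator's side, the mechanism described above leaves a recognisable pattern in call detail records: a SIM that originates many local calls to many different subscribers, almost never receives a call, and never changes cell. The sketch below is an added example, not part of the original post or any operator's system; the record fields, thresholds and sample records are assumptions constructed for illustration, and the 10p and 5p rates are the post's own example figures.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CDR:
    caller: str     # originating SIM (placeholder identifiers, not real numbers)
    callee: str     # dialled subscriber
    cell_id: str    # cell serving the caller at call setup
    minutes: float  # billed duration


def profile_sims(cdrs):
    """Aggregate per-SIM features: calls out, calls in, distinct callees and cells."""
    stats = defaultdict(
        lambda: {"out": 0, "in": 0, "callees": set(), "cells": set(), "minutes": 0.0}
    )
    for r in cdrs:
        s = stats[r.caller]
        s["out"] += 1
        s["callees"].add(r.callee)
        s["cells"].add(r.cell_id)
        s["minutes"] += r.minutes
        stats[r.callee]["in"] += 1
    return stats


def flag_sim_box_suspects(cdrs, min_out=20, max_in_ratio=0.05,
                          min_callee_ratio=0.8, max_cells=1):
    """Return {sim: minutes carried} for SIMs that behave like a gateway.

    Thresholds are assumed values; a real deployment would tune them.
    """
    suspects = {}
    for sim, s in profile_sims(cdrs).items():
        if s["out"] < min_out:
            continue  # too little traffic to judge (also avoids dividing by zero)
        in_ratio = s["in"] / s["out"]                  # genuine users get called back
        callee_ratio = len(s["callees"]) / s["out"]    # genuine users repeat contacts
        static = len(s["cells"]) <= max_cells          # a SIM box does not move
        if in_ratio <= max_in_ratio and callee_ratio >= min_callee_ratio and static:
            suspects[sim] = s["minutes"]
    return suspects


def bypass_margin_pence(minutes, termination_fee=10, local_rate=5):
    """Margin on bypassed minutes, using the post's 10p fee and 5p local rate."""
    return minutes * (termination_fee - local_rate)


def sample_cdrs():
    """Constructed records: one gateway-like SIM and one ordinary subscriber."""
    cdrs = [CDR("SIM-X", f"SUB-{i:03d}", "CELL-17", 2) for i in range(30)]
    friends = ["SUB-001", "SUB-002", "SUB-003"]
    cells = ["CELL-02", "CELL-05", "CELL-09"]
    for i in range(24):  # ordinary user: few contacts, several cells
        cdrs.append(CDR("SUB-900", friends[i % 3], cells[i % 3], 3))
    for i in range(10):  # ...and the contacts call back
        cdrs.append(CDR(friends[i % 3], "SUB-900", "CELL-05", 3))
    return cdrs


if __name__ == "__main__":
    for sim, minutes in flag_sim_box_suspects(sample_cdrs()).items():
        print(sim, minutes, "min,", bypass_margin_pence(minutes), "pence margin")
```

Only the gateway-like SIM is flagged in the constructed data; the ordinary subscriber is cleared because it receives calls, repeats a small set of contacts and moves between cells.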