Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection, looks at the risks associated with subscription fraud:
Subscription fraud is usually described as using a service with no intention to pay. The concept is straightforward: the fraudster signs up for a service, exploits that service and then defaults on the bill.
For post-paid (or contract) customers, the fraudster uses a number of tricks to overcome the simple checks implemented by networks. For example, he builds up the picture of a legitimate user with small, regular usage, settling the bill on time. At the appointed time the fraud is initiated: the fraudster uses the phone to run up a significant bill and relies on his social engineering skills and record of ‘good behaviour’ to keep the service going until the network terminates it.
A more recent trend is for fraudsters’ phone numbers to be added to genuine customers’ accounts and settled by the customer, unwittingly or not. This can be achieved through a number of different methods: postal interception, searching refuse for account details, passing off, or simply contacting the relevant helpdesk, requesting the addition of another handset and bluffing.
The key indicator is the level of bad debt and whether it is in line with the industry average.
For pre-paid customers, the situation is slightly more complex. The fraudster regularly tops up the credit on the phone using a number of stolen credit card numbers. Nothing in the payment process alerts the network to a potential issue until the cards are actually cancelled and a chargeback is applied by the card issuer to the network. For the network the losses are not simply the value of the traffic, but potentially any fines levied by the card issuers and, as a last resort, the removal of the ability to take card payments directly or even indirectly through services such as PayPal. Hence the key indicator is the level of card transactions being refused by the relevant card processor.
The weakness being exploited is the failure to confirm the identity of the person making the request for service. The first check needs to be that the request does not come from an originating country that has been blacklisted as a high-risk environment. If it does, then additional verification steps should be implemented or the service declined. The second check is that the Media Access Control (MAC) address is valid and not registered on a fraud database. However, with the introduction of virtualisation software, it is possible to spoof MAC addresses, and those should also be disallowed.
Having verified, as far as is practicable, that the originating address is valid, the next requirement is a two-stage sign-up process, whereby the person signing up has to activate the account by replying to an email. This method is not foolproof, as there are a number of email services, such as GuerillaMail.org, that provide a disposable email account valid for a few hours, which gives the fraudster time to reply to the verification email. In the case of passing off, the email should be sent to the account holder, not the individual making the request.
Recognising that these checks can always be beaten, the next step is to minimise the exposure. This can mean limiting the number of SIMs that can be bought at any one time or restricting the services available until certain behaviours have been observed, for example:
· disabling calls to Premium Rate Services or Roaming
· putting a limit on the number of different cards that can be used to top up a service on a single SIM
· putting a limit on the number of SIMs that can be topped up by a single card
· implementing the 3D Secure process appropriately but recognising its limitations; for example, it cannot be used alongside an auto top-up process but should be invoked for any change to a service.
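The two top-up limits and the card-refusal indicator described above, as an added example that is not part of the original article: it runs over a constructed set of top-up records, flags SIMs and cards that have already exceeded the limits, gates a new top-up against them, and reports the refused/chargeback rate. The record layout, the threshold values and the function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample top-up records, not real data: (sim, card, outcome).
# outcome is "ok", "refused" (declined by the card processor) or "chargeback".
TOPUPS = [
    ("sim-001", "card-A", "ok"),
    ("sim-001", "card-B", "ok"),
    ("sim-001", "card-C", "ok"),
    ("sim-001", "card-D", "refused"),
    ("sim-002", "card-E", "ok"),
    ("sim-003", "card-E", "ok"),
    ("sim-004", "card-E", "chargeback"),
    ("sim-005", "card-E", "ok"),
    ("sim-006", "card-F", "ok"),
    ("sim-006", "card-F", "ok"),
]

# Assumed thresholds; a real network would tune them against its own baseline.
MAX_CARDS_PER_SIM = 3
MAX_SIMS_PER_CARD = 3
MAX_REFUSAL_RATE = 0.10   # share of card transactions refused or charged back

def sims_exceeding_card_limit(topups, limit=MAX_CARDS_PER_SIM):
    """SIMs topped up (or attempted) with more distinct cards than the limit."""
    cards = defaultdict(set)
    for sim, card, _ in topups:
        cards[sim].add(card)
    return sorted(s for s, c in cards.items() if len(c) > limit)

def cards_exceeding_sim_limit(topups, limit=MAX_SIMS_PER_CARD):
    """Cards used to top up more distinct SIMs than the limit."""
    sims = defaultdict(set)
    for sim, card, _ in topups:
        sims[card].add(sim)
    return sorted(c for c, s in sims.items() if len(s) > limit)

def refusal_rate(topups):
    """Fraction of card transactions refused or charged back: the pre-paid indicator."""
    bad = sum(1 for _, _, outcome in topups if outcome in ("refused", "chargeback"))
    return bad / len(topups) if topups else 0.0

def topup_allowed(history, sim, card, max_cards=MAX_CARDS_PER_SIM, max_sims=MAX_SIMS_PER_CARD):
    """Gate a new top-up: reject it if it would push either count past its limit."""
    cards_on_sim = {c for s, c, _ in history if s == sim} | {card}
    sims_on_card = {s for s, c, _ in history if c == card} | {sim}
    return len(cards_on_sim) <= max_cards and len(sims_on_card) <= max_sims

if __name__ == "__main__":
    print(sims_exceeding_card_limit(TOPUPS), cards_exceeding_sim_limit(TOPUPS), refusal_rate(TOPUPS))
```

A refused attempt still counts towards the per-SIM card count, since a fraudster cycling through stolen card numbers will produce declines before the successful ones.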