
Fraud Management Industry Update Webinar

Date post: 24-May-2015
Upload: cvidya-networks
Description:
A Fraud Management Webinar by Dr. Gadi Solotorevsky, CTO at cVidya Networks. September 2014
OPERATIONAL RISK MANAGEMENT & COMPLIANCE © 2012 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA Fraud Management Industry Update Webinar, September 2014 Dr. Gadi Solotorevsky CTO – cVidya Networks Ambassador, Distinguished Fellow and RA Team Leader – TM Forum
Transcript
Page 1: Fraud Management Industry Update Webinar

OPERATIONAL RISK MANAGEMENT & COMPLIANCE

© 2012 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA

Fraud Management Industry Update

Webinar, September 2014

Dr. Gadi Solotorevsky

CTO – cVidya Networks

Ambassador, Distinguished Fellow and RA Team Leader – TM Forum

Page 2: Fraud Management Industry Update Webinar

Agenda

CFCA survey

TM Forum classification and survey

Account take over

Fighting Fraud with Cyber Intelligence


Page 3: Fraud Management Industry Update Webinar

CFCA Survey 2013

Page 4: Fraud Management Industry Update Webinar

CFCA Survey – Fraud Growth

Global fraud loss survey trend – based on previous surveys

Global fraud losses showing a 15% increase in 2013

Page 5: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 6: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 7: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 8: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 9: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 10: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 11: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 12: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 13: Fraud Management Industry Update Webinar

Telephone numbers in the United Kingdom

Source: Wikipedia, Telephone numbers in the United Kingdom

Page 14: Fraud Management Industry Update Webinar

Telephone numbers in the United Kingdom

Source: Wikipedia, Telephone numbers in the United Kingdom

Page 15: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 16: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 17: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 18: Fraud Management Industry Update Webinar

CFCA Fraud Survey


Page 19: Fraud Management Industry Update Webinar

Key Analysis and Observations

Revenue Share Fraud (International and National) continues to be the biggest reported threat at GSMA

– Both in terms of the number of cases and the value of losses reported

Revenue Share Fraud (International and National) is Driving Other Fraud Types

– Most subscription Fraud and PBX Hacking cases reported were linked to revenue share service abuse

PBX Hacking involving Supplied Equipment

– Several PBX hacking cases involved equipment that was not supplied by the operator

Usage monitoring is the primary method of detection cited

– FMS, High Usage Monitoring, NRTRDE/HUR, CDR Analysis, etc.

Is this due to a narrow focus?

Would these issues be a better control point?

An impact of convergence?

Is this too reactive?

Page 20: Fraud Management Industry Update Webinar

Fraud Classification Model – TM Forum

Page 21: Fraud Management Industry Update Webinar

Fraud Classification Model – TM Forum

• Why do we need an effective FM Classification Model?

Fraud Scenario:

“Fraudster generates a high volume of calls to a PRS number range that he owns in another country with no intention to pay.”

Referred Fraud Types:

• PRS

• IRSF

• PRS/IRSF

• Bypass/SIMBOX

• PABX Hacking

• Clip-on

• Stolen Line

• Subscription

• Dealer

• Payment

• PBX / Voicemail

• Roaming out

Statistics:

Unique: 39%

Multiple: 44%

Structured: 17%

An example from the 2012 TMForum Fraud Survey

Page 22: Fraud Management Industry Update Webinar

CFCA 2011 Survey Fraud types

Page 23: Fraud Management Industry Update Webinar

Fraud Classification Model - Challenges

• Distinct names for the same Fraud Type

• Distinct interpretation depending on the core service (Mobile, Fixed, Cable, etc.)

• Multiple Frauds perpetrated in the same Fraud Case

• Fast changing nature of Fraud

• Need for a multi-dimensional analysis

• Need for different levels of abstraction

• Existence of several similar Ad hoc “Fraud Type” lists

Page 24: Fraud Management Industry Update Webinar

Proposed Classification Model - TM Forum

Summary of Relations Between Enablers – Fraud Types

Subscription Fraud

Hacking of Network Elements

Arbitrage

Mobile Malware

ENABLERS

(Vulnerabilities)

FRAUD TYPE

(Fraudulent Scheme)

TELECOMS SERVICE FRAUD

Cloning of SIM Card/Equipment

Protocol/Signalling Manipulation

Tariff Rates/Pricing Plan Abuse

False Base Station Attack

Misconfiguration of Network/Service Platforms

International Revenue Share Fraud

Reselling of Calls

Wholesale Fraud

Private Use

Commissions Fraud

Traffic Inflation for Credits/Bonus

Charging Bypass

Interconnect Bypass SIMBox Gateway

OBJECTIVE

(Scope)

Make Money/Profit

Obtain Free Services/Goods

Obtain Credits/Bonuses

Obtain Commissions

Obtain Money

Access User Bank Account

Pretending to Be the Operator

……….

BA - Related Fields

Fraud Management

Security Management

Revenue Assurance

- Revision of Internal Procedures, Processes and Products/Services

- Implementation of Technical Solutions at Network and Service Platforms

Development, Enhancement and Reconfiguration of Fraud Management Systems (FMS)

Page 25: Fraud Management Industry Update Webinar

Account Takeover

Page 26: Fraud Management Industry Update Webinar

What is it?

Account Takeover Fraud (ATO, also known as ‘Facility takeover’ fraud) occurs where a person (the ‘facility hijacker’) unlawfully obtains access to details of the ‘victim of takeover’, namely an existing account holder or policyholder, and fraudulently operates the account or policy for his or her own (or someone else’s) benefit.

Methodologies often form around the social engineering of existing customers or customer service and sales processes

– Web Self Service portals

– IVR

– Upgrades, additional lines & SIM Swap


Page 27: Fraud Management Industry Update Webinar


Account Takeover Overview

As a result of the credit crunch, operator behaviours have changed, encouraging the growth of ATO worldwide (particularly in well-developed and competitive markets)

As an example – growth of ATO in the UK

– 330% in 2009; a further 70% growth in 2010

Upgrades or Additional Lines?

– In 2008 - 92% additional, 8% upgrades

– In 2009 – 55% additional, 45% upgrades

– In 2010 – 37% additional, 63% upgrades

– Further growth in 2011 & 2012

This growth has been replicated worldwide

Source: Cifas


Page 28: Fraud Management Industry Update Webinar

Issues and Causes

Pressure points in your organisation and market allowing ATO:

– Focus on Customer retention & Churn reduction

– Simplifying Customer Services (CS) processes

– Customer satisfaction

– Push for reductions in CS costs and ACHT

– Reliance on simplistic Knowledge Based Authentication (KBA)

– Internal sales pressure on staff

– Desire for growth

Fraudsters manipulate these pressure points

– KBA can be weak (ease of use) and simply compromised via social engineering

– CS staff are also liable to social engineering, based on sales & time pressures and the related financial incentive

– Fewer restrictions and checks in place on existing customer processes (compared to new applications)

– Greater profit value for fraudsters (top offers for existing customers)

Page 29: Fraud Management Industry Update Webinar

Typical flow & Pressure points

[Diagram. Flow elements: Logistics, Agent, CRM, WWW, IVR. Pressure points: Social engineering, Data Misuse, Process Abuse, Logistics Manipulation]

Page 30: Fraud Management Industry Update Webinar

Account Takeover


http://diario.elmercurio.com/detalle/index.asp?id=%7B3c91699d-fa58-4d2a-a3d0-496a46fc9a55%7D

Page 31: Fraud Management Industry Update Webinar

Account Takeover


http://diario.elmercurio.com/detalle/index.asp?id=%7B3c91699d-fa58-4d2a-a3d0-496a46fc9a55%7D

Page 32: Fraud Management Industry Update Webinar

SIM Swap Fraud

http://www.finextra.com/blogs/fullblog.aspx?blogid=7766


Page 33: Fraud Management Industry Update Webinar

Fighting Fraud with Cyber Intelligence


Page 34: Fraud Management Industry Update Webinar

SIM Card Trade

Anonymous SIM card trade on an underground market

− It isn't clear whether these cards are stolen from customers or the company itself

− These SIM cards are available in large quantities

Page 35: Fraud Management Industry Update Webinar

Fraudsters Guides

Hand Picked Set of Guides for Beginner Fraudsters – Premium. Including fraud method of how to get your own SIM cards from anywhere.

How to steal people's information

Page 36: Fraud Management Industry Update Webinar

Account Take Over Guide

Page 37: Fraud Management Industry Update Webinar

Stolen Identities are cheap on the darknet


Source: http://www.itspecialist.com/Home/FeatureArticles/TabId/208/ArticleId/99/language/en-US/#.VBftKdK_nmI

Page 38: Fraud Management Industry Update Webinar

Customers’ & Employees’ Information

XXX workers' emails leaked by YYYY pre-leak

Online publication of XXX clients and workers' information

– Client's details (name, cell number, ssn on file, address)

XXX.net users and passwords (published in an underground forum):

Page 39: Fraud Management Industry Update Webinar

Sources of Information

Public Web

• “How to” blogs and forums

• Customer complaint sites

• Paste Sites

Dark-Net

• Underground Markets – sales of fraud services, SIMs, Identities and Internal information

• Underground Forums – Tutorials and methods to perform different types of fraudulent activities

Page 40: Fraud Management Industry Update Webinar

Dark-Net Search

– The Dark-Net search looks all over the Internet for information located mostly in hackers’ and fraudsters’ forums and boards

– This information is hard to reach, sometimes hidden in closed forums or chat rooms behind passwords and vetting processes

– The Dark-Net search can be tailored to a CSP’s specific needs and gives a clear picture of how the company is reflected in the illegal zones of the web

Page 41: Fraud Management Industry Update Webinar

Questions?


Page 42: Fraud Management Industry Update Webinar

THANK YOU! www.cvidya.com
