Impact of non-service related signalling in GSM mobile networks M. Skomeršić, T. Gojević and M. Žuvanić Infobip Ltd, United Kingdom / Products and Solutions dpt., Zagreb, Croatia {marko.skomersic, tomislav.gojevic, marko.zuvanic}@infobip.com Abstract - In this paper, non-service related signalling in mobile networks, also known as HLR lookup is discussed. Although initially HLR lookups were intended for SMS, MMS and voice routing purposes, there are other services that could create additional revenue streams for both mobile network operators and enterprises. This paper will also discuss technical, commercial and security challenges of HLR lookup service with a detailed description of an international ATM anti-fraud use case. Keywords: mobile networks, HLR, MSC, IMSI, ATM I. INTRODUCTION Non service related signalling in GSM mobile networks is sensitive and often considered as a misuse of signalling in mobile networks. Altough mobile operators consider only challenging impacts that such signalling causes, there are many use cases that could introduce new services and revenue streams for all involved parties such as mobile number database cleaning, ATM anti-fraud checks, Least Cost Routing, resolving Number Portability issues, etc. Usually there are four groups of interest: End user who has a mobile phone with a unique mobile number and IMSI. Mobile operator that holds the core and access network infrastructure as well as the connection to the HLR lookup providers. HLR lookup providers who are connected to the mobile network operators and provide HLR lookups to various enterprises translating obtained HLR data to a user-friendly format. Enterprises that implement various services (internal and external) based on HLR lookups. All these parties share a common value chain and it is in their mutual interest to introduce services that are currently neglected. A. Technical background HLR (Home Location Register) lookup is a synonym for standardized SS7 MAP (Signalling System #7 Mobile Application Part) messages communication, SRI_for_SM and SRI_for_Call (Send Routing Information for Short Message/Call) [1], which are the mandatory „first part“ of signalling while sending SMS or initiating a call in mobile networks as described in figure 1. To perform an HLR lookup, SRI_SM_REQ request with MSISDN (Mobile Station Integrated Services Digital Network Number) parameter is needed to be sent to users home MNO's (Mobile Network Operator) HLR which will respond with SRI_SM_RESP MAP message that includes users IMSI (International Mobile Subscriber Identity) number and its current serving MSC (Mobile Switching Centar) address. Example trace of described MAP procedure in figure 2 (request) and figure 3 (response). Due to the protection of privacy, user sensitive data is withheld in the figures. HLR lookup service provider SRI-for-SM_REQ SRI-for-SM_RESP MOBILE network HLR MSC/VLR MT FSM MT FSM ACK (DELIVERY REPORT) Figure 1. Standard SMS sending MAP messages flow As a parameter, SRI_for_SM request must have an MSISDN to be queried and the address of the serving HLR. Within the SRI_for_SM response message, the needed information will be collected for further processing, such as IMSI and serving MSC. MIPRO 2012/CTI 669
Transcript
Impact of non-service related signalling
in GSM mobile networks
M. Skomeršić, T. Gojević and M. Žuvanić
Infobip Ltd, United Kingdom / Products and Solutions dpt., Zagreb, Croatia
Abstract - In this paper, non-service related signalling in
mobile networks, also known as HLR lookup is discussed.
Although initially HLR lookups were intended for SMS,
MMS and voice routing purposes, there are other services
that could create additional revenue streams for both mobile
network operators and enterprises. This paper will also
discuss technical, commercial and security challenges of
HLR lookup service with a detailed description of an
international ATM anti-fraud use case.
Keywords: mobile networks, HLR, MSC, IMSI, ATM
I. INTRODUCTION
Non service related signalling in GSM mobile
networks is sensitive and often considered as a misuse of
signalling in mobile networks. Altough mobile operators
consider only challenging impacts that such signalling
causes, there are many use cases that could introduce new
services and revenue streams for all involved parties such
as mobile number database cleaning, ATM anti-fraud
checks, Least Cost Routing, resolving Number Portability
issues, etc.
Usually there are four groups of interest:
End user who has a mobile phone with a unique
mobile number and IMSI.
Mobile operator that holds the core and access
network infrastructure as well as the connection
to the HLR lookup providers.
HLR lookup providers who are connected to the
mobile network operators and provide HLR
lookups to various enterprises translating
obtained HLR data to a user-friendly format.
Enterprises that implement various services
(internal and external) based on HLR lookups.
All these parties share a common value chain and it is
in their mutual interest to introduce services that are
currently neglected.
A. Technical background
HLR (Home Location Register) lookup is a synonym
for standardized SS7 MAP (Signalling System #7 Mobile Application Part) messages communication, SRI_for_SM and SRI_for_Call (Send Routing Information for Short Message/Call) [1], which are the mandatory „first part“ of signalling while sending SMS or initiating a call in mobile networks as described in figure 1.
To perform an HLR lookup, SRI_SM_REQ request with MSISDN (Mobile Station Integrated Services Digital Network Number) parameter is needed to be sent to users home MNO's (Mobile Network Operator) HLR which will respond with SRI_SM_RESP MAP message that includes users IMSI (International Mobile Subscriber Identity) number and its current serving MSC (Mobile Switching Centar) address. Example trace of described MAP procedure in figure 2 (request) and figure 3 (response). Due to the protection of privacy, user sensitive data is withheld in the figures.
HLR lookup service
provider
SRI-for-SM_REQ
SRI-for-SM_RESP
MOBILE network
HLR MSC/VLR
MT FSM
MT FSM ACK(DELIVERY REPORT)
Figure 1.
Standard SMS sending MAP messages flow
As a parameter, SRI_for_SM request must have an
MSISDN to be queried and the address of the serving
HLR.
Within the SRI_for_SM response message, the needed
information will be collected for further processing, such
as IMSI and serving MSC.
MIPRO 2012/CTI 669
There are five main parameters that can be extracted from
submitted and collected signalling data:
------------------------------------
MAP
------------------------------------
Begin = begin (Begin)
*******
parameter = local
OP Code = 45 (SendRoutingInfoForSM)
argument
MAP-SM-DataTypes.RoutingInfoForSM-Arg
msisdn = XX 8X 95 XX 23 XX 67
*******
1------- Extension Bit = 1 (no extension)
Address signals = XX5X5X3X8X7X
sm-RP-PRI = TRUE
serviceCentreAddress = XX 8X 95 15 00 10 00
*******
1------- Extension Bit = 1 (no extension)
Address signals = 385951000100
Figure 2.
SRI_for_SM MAP request example
------------------------------------
MAP
------------------------------------
End = end (End)
*******
parameter = local
OP Code = 45 (SendRoutingInfoForSM)
resultinfo
MAP-SM-DataTypes.RoutingInfoForSM-Res
imsi = 219020000154245f
locationInfoWithLMSI
msc-Number = 91 83 95 15 00 00 00
*******
1------- Extension Bit = 1 (no extension)
Address signals = 385951000000
Figure 3.
SRI_for_SM MAP request example
1) SRI_for_SM request
From the MSISDN parameter it is possible to
conclude the exact original network operator that holds
this numbering range.
2) SRI_for_SM response
From IMSI number [2] it is possible to extract MCC
(Mobile Country Code) and MNC (Mobile Network
Code) that uniquely identify the current mobile operator
that the end customer uses.
From the serving MSC/VLR (Visited Location
Register) address, it is possible to conclude if the end
customer is roaming, and if it is, in which country and
which roaming network.
For example, if the MSISDN number to be queried is
in the E.146 format [3] – 447920423874, when HLR
lookup is completed, the results as follows:
MSISDN = 4479XXXXXXXX
IMSI = 234159108139107
VLR = 60194030006
Respective HLR analysis has to be performed as
displayed in table 1.
TABLE I. HLR ANALYSIS EXAMPLE
MSISDN
Original network provider
CC NDC SN
44 79 20423874
United Kingdom
Vodafone Ltd
Subscriber No.
IMSI
Home Network provider
MCC MNC MSIN
234 15 9108139107
United
Kingdom
Vodafone
Ltd
Mobile Sub.
Identification No.
MSC /
VLR
address
Current Network provider
CC NDC SN
60 19 4030006
Malaysia Celcom Subscriber No.
Results of respective HLR analyses are interpreted as
follows:
According to the end customers' MSISDN one can conclude that its original network provider is from UK (United Kingdom) defined by its CC (Country Code) [3],[4], and that its operator, defined by NDC (National Destination Code) is Vodafone UK Ltd.
According to the customers IMSI one can conclude that its current Network provider is from UK defined by its MCC [3] and that it is Vodafone UK Ltd. By the IMSI analysis one can conclude if the user has ported the number to another MNO (in which case IMSI will show a different MNC than the original one).
According to the MSC/VLR address received from the HLR, one can conclude that this user is currently roaming due to the CC which shows that the roaming country is Malaysia and, according to the NDC, the users current MNO provider is Celcom.
In most cases SN (Subscriber Number) and MSIN (Mobile Subscriber Identification Number) can be discarded.
According to the HLR analysis, the final results are presented to the customer but with privacy concern as discussed by GSMA [5] SG (Security Group) where MSC/VLR and IMSI parts must be withheld from third parties [6].
670 MIPRO 2012/CTI
II. IMPACT ON MOBILE OPERATORS
There are multiple impacts on the MNO's structure
presented in figure 4. Each of those have positive and
negative sides and should be treated case-by-case to find
feasibility.
LEGAL / REGULATORY
FINANCIAL
TECHNICAL
HLR lookup impact
SECURITY
Figure 4.
HLR lookup service impact on mobile operators
A. Legal / Regulatory impact
According to national telecommunications or legal
regulations in some countries (for example [7], [8]) there
is a telecommunications operator responsible for keeping
customer data private and not to disclose it to the third
parties. This is the case where the third party provider
doesn't have written consent of each customer. It is not
clear if data such as IMSI is private or not if MSISDN is
public. There are other cases that have no regulation at all
(for example [9]).
As a positive legal impact, HLR lookup could be used
to reduce growing frauds in financial sector such as ATM
skimming fraud [10] which will be discussed in chapter
IV.
B. Technical impact
Due to additional SRI_for_SM MAP messages (non-
service related) there is more proccessing power needed
by MNO's equipement than initially planned (HLR
esspecially) that can cause overloads or the need for
additional licences and hardware installations as well as
some additional work-hours to be introduced within the
MNO.
As a positive side, HLR lookups will ease the
handling of outdated number databases by call/contact
centres, financial institutions, etc. Resolving number
portability issues for messaging hubs, VoIP (Voice over
Internet Protocol) providers, virtual operators, etc.
C. Financial impact
There is additional signalling cost for SRI_for_SM
MAP responses that operators are charged for from their
signalling providers. There is an additional cost for
workforce that handles the HLR lookup product line
(altough this is not as significant).
As a positive, MNO's have additional revenue stream
that can be very significant in comparison with overall
costs caused by HLR lookup product line.
D. Security issues
There are several security issues reported that HLR
lookup results are required to perform. Mainly those are
eavesdropping and fraudulent SMS. All of them are
eliminated if there is no complete/exact IMSI or
MSC/VLR address provided or if parts of IMSI and
MSC/VLR address that are not relevant to agreed use
cases (such as subscriber number, etc ...) are masked.
HLR lookups can be partialy blocked by operators
that implement SMS Home Routing procedure with some
disadvantages of this procedure such as assurance of
SMS delivery, additional cost for Home network
operator, etc. described more detailed in [11].
III. ATM ANTI-FRAUD USE CASE
As an example of positive HLR lookup usage, ATM
anti-fraud use case is presented and discussed. This use
case is not only limited to ATMs but is also applicable to
POS devices, credit cards, electronic banking and mobile
payment.
A. Problem
Many of ATM card frauds are based on “card
cloning” and cashing out in international destinations
without the card owner approval or knowledge.
Let’s assume that an ATM card from client in
Country A has been cloned/skimmed and replicated in
Country B. The criminal in Country B goes to a local
ATM and tries to initiate a cash-out with a fake ATM
card, causing unwanted cost to the card owner, the bank
and insurance companies. This case is described more in
detail in [12], [13].
According to [14], in 2010. overall ATM skimming
losses in European Union reached approximately
€270.000.000 which has had great impact on all involved
parties.
B. Proposed solution
Upon each ATM transaction, the bank or processing
house has the possibility to check if a mobile phone of
registered ATM card owner is in same country/region
where ATM cash withdrawal is initiated as described in
figure 5. According to the received result one can initiate
appropriate action, such as:
Allow withdrawal,
Deny withdrawal and
o Call the client to recheck the request directly,
o Send one-shot password to repeat the
transaction,
o Initiate USSD session towards client to validate
transaction.
o etc.
MIPRO 2012/CTI 671
MNO
MNO
MNO
MNO
MNOBANK
MNO
Paymentswitch
HLR lookup system
API
BTS
Client DB
BTS
BTSBTS
BTSBTS
Cash_out
customer
Check roaming location
RoamingINFO_REQ
RoamingINFO_RESP
Figure 5. HLR lookup check example
Potential drawbacks of the proposed solution are:
ATM or Credit Card issuer must have written
approval of the customer to initiate HLR lookups
towards its MSISDN in some situations or upon
each ATM/POS transaction.
End user may not have a mobile phone nearby
when travelling and initiating ATM/POS
transactions.
If those cases are applicable, the credit card holder
can fall back to the traditional, more complex and
expensive, methods of validation ATM/POS transactions,
such as phone calls or similar.
IV. CONCLUSION
This paper addresses the growing usage of HLR
lookups in both unwanted but also preferred way. ATM
anti-fraud use case clearly shows that the proposed
solution is one way to fight growing fraudulent activities
in the financial sector. Altough mobile operators consider
HLR lookups as an unwanted or fraudulent non-service
related signalling, there are many cases of new and secure
revenue streams for all involved parties including the end
customer who benefits with more secure and comfortable
way of doing transactions, financial institutions that can
decrease financial losses of ATM fraud, HLR lookup
providers, signalling providers and mobile operators with
new and sustainable revenue stream.
REFERENCES
[1] 3GPP TS 29.002, “Mobile Application Part (MAP) specification”,
Dec. 2011.
[2] ITU-T recommendation E.212, „The International Identification plan for Mobile terminals and Mobile users“, Nov. 2010.
[3] ITU-T recommendation E.164, „The international plublic telecommunication numbering plan“, Nov. 2010.
[4] ITU-T recommendation E.123, „Notation for National and International Telephone Numbers, e-mail addresses and Web addresses“, Feb. 2001.
[5] GSM Association – GSMA, www.gsm.org, accessed, Jan. 2012.
[6] GSMA preporuka u kojoj se kaze da se HLR rezultati smatraju privatnim IMSI i MSC maskiranje
[7] “The Privacy and Electronic Communications (EC Directive) Regulations”, United Kingdom, 2003. No. 2426
[8] “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)”, Official Journal L 201, 31/07/2002 pp. 0037 – 0047.
[9] Cuijpers C., Roosendaal A., Koops B-J., “Del 11.5: The legal framework for location-based services in Europe”, FIDIS Deliverables 11 (5), 2007.
[10] Adelowo Solomon A., Mohammed Enagi A., “Challenges of Automated Teller Machine (ATM) Usage and Fraud Occurrences in Nigeria – A Case Study of Selected Banks in Minna Metropolis”, Journal of Internet Banking and Commerce, vol. 15, No. 2., Aug. 2010.
[11] GSMA doc. AGREE_41_007, Information SMS Home Routing, Mar. 2007.
[12] Divya S., Pratima K, Priyanka C., Abhishek V., Utkarsh G., A Proposed Framework to Prevent Financial Fraud through ATM Card Cloning, Proceedings of the World Congress on Engineering 2011 Vol. I, WCE 2011, July 6-8, 2011, London, U.K.
[13] Rashmi G. Dukhi, Soft Computing Tools in Credit card fraud & Detection, International Journal of Emerging Technology and Advanced Engineering, IJETAE, Vol. 1, Issue 2, December 2011.
[14] European ATM Security Team, (EAST), ATM Fraud Analisys Report Ver. 1.1., 18. July 2011.
