Вы находитесь на странице: 1из 8

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/224093590

Fraud in roaming scenarios: An overview

Article  in  IEEE Wireless Communications · January 2010


DOI: 10.1109/MWC.2009.5361183 · Source: IEEE Xplore

CITATIONS READS

4 6,042

3 authors:

Gabriel Maciá-Fernández Pedro García-Teodoro


University of Granada University of Granada
73 PUBLICATIONS   1,516 CITATIONS    84 PUBLICATIONS   1,633 CITATIONS   

SEE PROFILE SEE PROFILE

Jesús E. Díaz-Verdejo
University of Granada
75 PUBLICATIONS   1,692 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

VERITAS: VISUALIZACION DE EVENTOS EN RED INTELIGENTE PARA EL TRATAMIENTO Y ANALISIS DE LA SEGURIDAD View project

Relay Node Placement in Wireless Sensor Networks View project

All content following this page was uploaded by Jesús E. Díaz-Verdejo on 01 June 2014.

The user has requested enhancement of the downloaded file.


DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 88

ACCEPTED FROM OPEN CALL

FRAUD IN ROAMING SCENARIOS: AN OVERVIEW


GABRIEL MACIA-FERNANDEZ, PEDRO GARCIA-TEODORO, AND JESUS DIAZ-VERDEJO,
UNIVERSITY OF GRANADA

Billing
HPMN ABSTRACT available for analyzing the algorithms and tech-
niques applied. Consequently, we seek to stimu-
system In the mobile telecommunications sector in late research in this area by highlighting the
general, and in the roaming scenario in particu- main problems, which to some extent overlap
CDR lar, fraud can lead to large financial losses. This with those encountered in intrusion detection in
2 transfer article first presents the major concerns regard- the area of data networks.
AP/CIBER
ing such security threats, and then proposes a
classification for this type of attack, highlighting
the necessity for the different players involved to MOBILITY AND ROAMING BASICS IN
R 2
CDR
take joint action. COMMUNICATIONS
transfer
Roaming is the ability of the subscribers of a
INTRODUCTION mobile network, referred to as the proprietary
ling
stem 1 CDR The mobile telecommunications sector is severe- network (hereinafter HPMN, i.e., home public
generation ly affected by security threats, with fraud attacks mobile network), to use remotely the services of
Te in roaming contexts one of the greatest causes of such a network by accessing it through a different
VPMN
financial losses in the industry every year [1]. network, referred to as the visited network (here-
Because of the evolution of the services provid- inafter VPMN, i.e., visited public mobile net-
In the mobile telecom ed by telecommunications operators, more and work). Three major actors intervene in roaming
more elaborate attack techniques are being scenarios: the subscriber, who makes use of the
sector fraud can lead developed by international fraudsters. These telecommunications services provided; the
to large financial activities impact directly on the companies
involved and have repercussions regarding
HPMN, which handles the user’s subscription and
services; and the VPMN, in whose geographical
losses. The authors potential increases in tariffs. Therefore, it is nec- coverage area users gain access to the services
essary for providers, governments, and users to contracted with the HPMN. To enable the opera-
present the major establish and facilitate technical, political, eco- tor’s subscribers to engage roaming facilities in a
nomic, and social measures to prevent fraud in given VPMN, a roaming agreement must previ-
concerns regarding roaming. Success in this undertaking will benefit ously be negotiated between the two telecommu-
all parties except the wrongdoers. To illustrate nications operators. The procedures for drafting
such security threats, the incidence and relevance of the issues dealt this business aspect are usually standardized, as in
and then propose a with in this article, some global statistics regard-
ing current worldwide mobile communications
the case of Global System for Mobile Communi-
cations (GSM) service through the GSM Associ-
classification for this are provided in Table 1. It should also be noticed ation (GSMA; www.gsmworld.com) procedures.
that the progressive deployment and integration Roaming can be triggered for both voice and
type of attack. of new broadband technologies (3G/4G) in the data services. In the former case, the VPMN,
near future could help reduce fraud in the field before providing access to the visiting users
of mobile communications. (through the mobile switching center/visited
With these considerations in mind, this article location register [MSC/VLR], which provides
presents an overview of the problem of fraud in geographical coverage to requesting subscribers),
roaming environments for mobile communica- queries the HPMN about the services to which
tions, as well as various strategies or techniques these users are subscribed (information held in
to tackle it. Two main contributions are made. the home location register [HLR] database
First, fraud techniques and related protection owned by the HPMN). Then, if the subscriptions
methods are described and classified, and the are correct, the subscribers will be enabled to
advantages and drawbacks of each are reviewed. gain access to the corresponding services (e.g.,
Second, because the visibility of fraud incidents voice call establishment). Figure 1a shows the
influences customers’ perception of the reputa- steps followed in this scenario.
tions of the companies affected, the latter are Data roaming is similar, although some fea-
reluctant to publicize details of such occur- tures differentiate it from the voice call case.
rences. Little research has been carried out in Here, the subscriber is associated (after querying
this field, partly due to the low perception of the the HLR) with a node called the serving General
problem and also because of the lack of data Packet Radio Service (GPRS) support node

88 1536-1284/09/$25.00 © 2009 IEEE IEEE Wireless Communications • December 2009


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 89

Total Roaming To enable the


Number of subscribers (millions) 2000 (>80% GSM) 700 operator’s subscribers
Revenues ($ in billions) 800 120
to engage roaming
facilities in a given
Financial losses due to fraud ($ 40 6
in billions) ~ 0.002 per incident (large operators) VPMN, a roaming
~ 0.015 per incident (the highest one)
agreement must
Table 1. Worldwide data on current mobile communications, where the percentage of roaming is around
15% (Source: GSMA and MACH, 2007). previously be
negotiated between
the two telecommuni-
HLR
HPMN
Data network
cations operators.
HLR
The procedures for
GGSN
HPMN drafting this business
2
4 3 aspect are usually
MSC standardized.
2 SGSN
VPMN 3
Roamer Roamer

VPMN
1
1

(a) (b)

Figure 1. Scenarios for voice and data calls in roaming: a) voice call, 1: network connection request (to
MSC/VLR), 2: query by the MSC to the HPMN (HLR) about the subscription, 3: voice connection (VLR);
b) data call, 1: network connection request (to SGSN), 2: SGSN query to HPMN about the subscription
(HLR), 3: context establishment request to GGSN, 4: data connection establishment.

(SGSN). Then the roamer indicates the data net- sent to the billing systems in their respective net-
work to which a connection should be made, and works (step 2 in Fig. 2). These systems are in
a context is established between them through a charge of the processing of CDRs and the gener-
node called the gateway GPRS support node ation of invoices to subscribers. As the HPMN is
(GGSN). The steps for this process are shown in responsible for generating invoices for both sub-
Fig. 1b. Note that the SGSN belongs to the scriber and roamer, the VPMN sends CDR
VPMN, whereas the GGSN is located in the information to the HPMN (step 3 in Fig. 2)
HPMN. Therefore, both the data transmitted compiled in a well established data structure.
and those received by the mobile subscriber nec- For this compilation process, the GSMA has
essarily go through the HPMN. On the contrary, defined the standard transfer account procedure
this does not happen in the voice traffic case, for (TAP) [2], whereas code-division multiple access
which the VPMN-HPMN interaction is often (CDMA) networks use the cellular intercarrier
reduced to just the initial query to the HLR. billing exchange roamer (CIBER) record. There
Figure 2 shows a scenario in which a sub- are well established timescales for the transfer of
scriber in an HPMN calls a roamer in a VPMN. these files [3]. To relieve operators with a large
The call is established in three parts or legs: number of roaming agreements of the onerous
• An originating leg (OL) between the sub- task of managing the TAP/CIBER files for every
scriber and MSC1 operator under the agreement, certain compa-
• A roaming leg (RL) between MSC1 and MSC2 nies act as a clearinghouse for these data. Such
• A terminating leg (TL) between MSC2 and companies are called data clearing houses
the roamer (DCHs). A DCH is a single interface for an
The subscriber in this scenario will be charged operator, and is in charge of managing all aspects
for the OL, while the roamer will pay for the RL of transmitting, receiving, and converting the
and TL. The process to charge both the sub- TAP/CIBER files on behalf of the operator hir-
scriber and roamer is as follows. Data related to ing the service. Finally, once the TAP/CIBER
the call (duration, time, origin, destination, etc.) files are received, the HPMN must pay the debt
is collected by MSCs (or SGSN and GGSN) in incurred with the VPMN in accordance with the
call data files referred to as call detail records corresponding roaming agreement tariffs, termed
(CDRs) (step 1 in Fig. 2). Next, these CDRs are interoperator tariffs (IOTs) [2].

IEEE Wireless Communications • December 2009 89


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 90

telecommunications operator that is affected by


HPMN it, roaming fraud can be classified as shown in
Billing 1
CDR Fig. 3. This classification is not intended to be
system generation
Originating exhaustive, but only to give an idea of different
leg (OL) means used by fraudsters in order to illegally
CDR
3 2 transfer obtain benefits. These are discussed in greater
TAP/CIBER
MSC1 Subscriber detail below.
DCH
Roaming TYPE 1. FRAUD BASED ON TECHNICAL
leg (RL)
3 TAP/CIBER 2 NETWORK FACTORS
CDR
transfer In this case fraudsters take advantage of techni-
MSC2 cal faults in the configuration, design, or archi-
Billing tecture of the operator network. The most
system 1 CDR
common causes in this respect are the following.
generation
Terminating
Roamer Interoperability faults (type 1A): Errors in
VPMN leg (TL) the expected interfunctioning between the oper-
Signaling/voice flow
ators’ network equipment frequently arise, due
Billing information flow to the presence of different technologies and/or
equipment from various suppliers (multivendor
environments). Malfunctions are frequently asso-
Figure 2. Billing information flow process in a call from HPMN to a roamer in
ciated with incorrect implementation of stan-
a VPMN. Step 1: generation of CDRs in MSCs. Step 2: transfer of CDRs from
dards. Consequently, certain items of equipment
MSCs to billing systems. Step 3: transfer of CDRs from VPMN to HPMN by
fail to correctly parse the information coming
using TAP/CIBER.
from others. This, together with the lack of
exhaustive roaming tests, can give rise to faults.
Consider the case of a prepaid roaming GSM
FRAUD ATTACKS IN subscriber with a null credit balance, or a post-
ROAMING ENVIRONMENTS paid subscriber who has reached his/her limit.
Improper communication between the VPMN
Fraud in a roaming scenario consists of access by and the HPMN might enable the user to contin-
the subscriber to the resources of the HPMN via ue using the service while the HPMN will be
the VPNM in such a way that the operator of impeded from charging for it.
the HPMN is unable to charge the subscriber for Another common interoperability fault con-
the services provided and is obliged to pay the cerns barrings (restrictions in telephone
operator of the VPNM for the facilities provided exchanges), especially in multivendor VPMNs,
in the roaming scenario. mainly because conformance testing sets are
Fraud in roaming may be considered an conducted in only one exchange before roaming
extension of the fraud techniques used in con- agreements are completed. If the manufacturer
ventional environments. Nevertheless, the roam- of such an MSC is different from that of the
ing fraud case has some particular characteristics MSC where the roamer is located, severe prob-
that make it even more harmful, because of the lems may appear. A particular case is that of a
losses incurred [4, 5]. subscriber who is subject to barring on outgoing
Longer detection time: Since the fraud is per- calls and is located in a VPMN MSC with the
petrated from a network other than that of the described fault. When the MSC receives notifi-
subscriber, the time required to detect the fraud cation from the HPMN about the barring of all
is longer, mainly because of the existence of outgoing calls from the HPMN network, it does
delays in the communication of the information not process this information properly, and hence
between VPMN and HPMN. the subscriber may continue using the service.
Longer response time: Once the fraud has Time delay in data exchange (type 1B): This
been detected, the technical and administrative type of fraud takes advantage of the exposure
difficulties to prevent it from persisting are time interval, that is, the elapsed time between
greater than when the victim operator has direct when the fraud starts being perpetrated and the
control over all the systems affected. instant at which it is detected and measures to
More technical difficulties in resolving the combat it are deployed. This interval is deter-
fraud: Prevention, detection, and automatic mined by the time involved in sending the CDR-
response systems to combat fraud are more com- related information from the VPMN to the
plex in roaming scenarios, mainly because of the HPMN, and the time employed to investigate
diversity of the VPMNs and HPMNs involved. the potential existence of a fraud attack.
In many cases this leads to a decrease in the Network configuration flaws (type 1C): These
speed of the global process, which makes the flaws are triggered by inefficient operation and
fraud even greater. maintenance procedures, and also by inade-
Higher financial losses: Fraud in traditional quately trained technical staff. Two illustrative
communication scenarios implies financial losses examples can be cited. First, when unprotected
for service providers. This loss can be much short message service centers (SMSCs) receive
greater in roaming environments due to the short messages from subscribers other than their
charges payable to the VPMN under the roam- own subscribers, they carry out the processing
ing situation. but are unable to charge for them afterward.
Depending on the method used to perpetrate Another interesting example of this kind of
fraud actions and the business area of the fraud occurs when roaming subscribers dial pre-

90 IEEE Wireless Communications • December 2009


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 91

mium rate numbers (entertainment or adult calls)


in a VPMN. Generally, this is not allowed in the
VPMN-HPMN interconnection agreements. Type 1A
Interoperability
Although the VPMN may prevent this service
from being provided, a faulty configuration
could make such scenarios possible. Type 1 Type 1B
Technical network Information transmission
TYPE 2. FRAUD ENABLED BY FLAWS IN OTHER factors delays

BUSINESS AREAS
This type of fraud stems from inefficient/poorly Type 1C
designed business processes, or because of tech- Configuration flaws
nical aspects not directly related to the telecom-
munications network. Some examples of this
kind of fraud are described below.
Subscription fraud (type 2A): This type of Type 2A
fraud involves an impostor subscriber who uses Subscription fraud
false accounts or cards with insufficient credit
balance to gain fraudulent access to services.
Some of the most common actions in this respect Type 2B
are as follows. Call sale ranges from phone Internal origin
Type 2
rentals to the setting up of telephone booths to Other business
make calls. Call forwarding consists of fraudu- areas
lently providing local calls, and then forwarding Type 2C
them to more expensive international remote M-commerce
services. The use of micro-payments and calls to
premium rate numbers with fraudulent cards may
also generate substantial losses for operators. Type 2D
Similar to the premium rate case, the interna- Copyright and hacking
tional revenue share fraud (IRSF) [6] claims,
after the subscription attack, for high-cost inter-
national calls. As a rule, the calls do not reach Figure 3. Classification for fraudulent methods in roaming environments.
the geographical destinations, but are routed by
an intermediate operator to a third provider
with a shared payment service, which obtains the consist of the stages indicated in Fig. 4. First of
benefit. all, a prevention stage should exist, in which mea-
Internal frauds (type 2B): These frauds are sures aimed at preventing or hampering the per-
committed by personnel belonging to the petration of fraud are established. Alongside this
telecommunications companies themselves, first stage, the remaining stages are sequentially
enabled by defective internal security systems or carried out. In the data collection stage VPMNs
protocols. Two variants consist of the theft of generate CDR data as well as possible notifica-
SIM cards and their subsequent activation, and tions about fraudulent actions. Subsequently,
the use of test cards for roaming scenarios. there is a detection stage during which the data
Fraud in M-commerce (type 2C): The use of received by the HPMN are reviewed to search
stolen or false credit cards for mobile commerce for fraudulent behavior patterns. The result of
services entails fraud costs for the providers. this stage will consist of a list of subscribers with
This type of fraud is identical to that perpetrated possibly anomalous behavior, which is passed on
in e-commerce environments, the mobility of the to the supervision stage for the analysis of high-
subscribers being the only difference in commit- risk events by specialized staff. Finally, if
ting the fraud. response actions are required, the mechanisms
Copyright fraud (type 2D): The new content needed to counter the evolution of the fraud are
download services (music, video, logos, etc.) activated in the response stage.
incur copyright costs for the operators. Two key parameters in evaluating the effi-
Fraud types 2C and 2D are not specific for ciency of a fraud protection system are the aver-
roaming scenarios, but are general to all envi- age resolution time, TR, that is, the time elapsed
ronments. Types 2A and 2B are, however, criti- between the occurrence of a fraudulent action
cal in roaming circumstances, mainly due to and the execution of the necessary response
longer detection times and the existence of measures, and the accuracy of the results given
greater technical difficulties and higher financial by the system. As a first approach, the value of
losses, as discussed earlier. TR can be expressed as

TR = TVPMN→HPMN HPMN1
+ TCDR HPMN2,
+ TCDR
PROTECTION SYSTEMS AGAINST CDR

ROAMING FRAUD where the latter three terms are the time spent
in receiving the CDR data collected by the
A fraud protection system is used in the HPMN VPMN, the delay in the HPMN in initiating the
for the purpose of reducing as much as possible handling of the information, and the time
both the possibility of being the victim of fraud involved in raising a fraud alarm and resolving
HPMN2
and the impact of a fraud attack if one does take the corresponding problem, (TCDR = Tdetection
place. A system to protect against fraud should + Tsupervision + Tresponse), respectively.

IEEE Wireless Communications • December 2009 91


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 92

DATA COLLECTION STAGE


Prevention
Optimizing this second stage is crucial to reduce
the average resolution time, TR. It is advisable to
decrease this interval to the utmost to eliminate
Data Detection Supervision Response the perpetration of fraud type 1B, which exploits
collection
time delay in data exchange.
Most CDMA operators in America tackle
Average resolution time, TR this matter by exchanging CDRs in almost real
time. The unprocessed CDRs are picked up by
Figure 4. Stages comprising a fraud protection system. the VPMN and sent directly (without even pass-
ing through the data exchange centers) to the
corresponding HPMN. This greatly decreases
As in any other security system, the level of fraud risks [7]. In the GSM world, however, vari-
security provided by a fraud protection system is ous other techniques have been proposed, exam-
determined by the lowest security level provided ined, and implemented. The main proposals
by each of its components. Below, each of the made to date for the implementation of the data
stages comprising a fraud protection system is collection stage are:
examined in greater detail. High Usage Report: Defined by the GSMA [8],
HUR consists of VPMN monitoring of the call
FRAUD PREVENTION STAGE data tickets related to the subscribers in roaming.
In this stage preventive measures are taken to If a subscriber exceeds a given threshold, a notifi-
hamper the perpetration of fraud. Among oth- cation is sent to the HPMN. The procedure, pro-
ers, the following have been proposed and posed as mandatory by the GSMA until September
applied: 30, 2008, has two fundamental drawbacks. First,
Service restrictions when the subscriber is in the time lag involved in receiving the reports is
roaming mode: A strategy consisting of the grad- broad, because they depend on the billing cycles (it
ual activation of services as the subscriber proves can take up to 36 hours to send a TAP billing file).
to be trustworthy. This may be achieved in vari- In addition, the reports provide limited informa-
ous ways: the gradual activation of the roaming tion about the fraud scenario, and it is advisable to
mode for customers, selective roaming to/from wait for the complete call data files in order to
only certain operators, restrictions on calls to obtain an overall view of the problem.
premium rate numbers in roaming, prevention Fraud Information Gathering System:
of international calls forwarding in roaming, lim- Defined by 3GPP [9], FIGS is a solution based
itation of the duration for phone calls, and so on the CAMEL signaling exchange system
on. This type of measure, although helping pre- between operators [10], by which the VPMN can
vent fraud, has a direct impact on the quality of send, in real time, the CDRs pertaining to a
the service provided to the customer, who must given number of subscribers to the HPMN. This
provide the operator with prior justification in scheme, too, presents certain drawbacks. First,
order for services to be provided. because there is a ceiling on the number of sub-
Optimization of roaming agreements: In scribers to be monitored, it is not clear how to
roaming agreements it is important to consider choose the specific subscribers that require
all the aspects that might arise during the service surveillance. In addition, the deployment of
provision, in order to forestall potential prob- CAMEL by the operators is assumed, which is
lems. Thus, it is important to apply the recom- not always the case. Finally, if CAMEL signaling
mendations made by certain organizations (e.g., exists, technical staff is required for specific
GSMA), as discussed in the previous sections. training in these procedures.
Exhaustive roaming testing sets: These kinds Monitoring of signaling information: Signaling
of tests curtail the possibility of suffering from monitoring obtains information that makes it pos-
fraud types 1A and 1C. They involve not only sible, under certain circumstances, to facilitate the
roaming related services but also CDR files, task of identifying patterns of fraudulent behav-
interoperator interoperability, and so on. To ior. The information is usually obtained from the
carry out these tests, it is advisable to use equip- VLR (VPMN)-HLR (HPMN) communication.
ment from various providers in the HPMN and Thus, the behavior of certain subscribers can be
VPMN. The GSMA, among other organizations, observed to obtain data such as the load level for
has made recommendations about the testing requests, or the identity of the networks that issue
protocols to be considered. the requests. This scheme can only be considered
Prevention of subscription fraud: Specific as complementary to others, because the informa-
recommendations have been made to prevent tion provided does not allow a given behavior
this kind of fraud (type 2A), essentially aimed at pattern to be classified as certain fraud.
optimizing business processes for client manage- Near Real Time Roaming Data Exchange:
ment and distribution. Some of the main mea- Developed by GSMA, the purpose of this
sures proposed regard validating the information scheme is the transmission of CDRs in almost
provided by subscribers, enhancing staff training real time. Specifically, there is a 4-hour time-
to combat fraud, auditing customer credits, limit for this transmission [3]. Implementation of
drawing up a structure to punish fraud, and so NRTRDE is mandatory since October 2008. In
on. Certain after-sale procedures are also advis- addition to the substantial decrease achieved in
able, such as those aimed at checking customers’ lags with respect to the time required for infor-
personal information and requesting email mation transfer, the present technique has other
replies. advantages. The fact that the call data are sent

92 IEEE Wireless Communications • December 2009


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 93

into an information flow that is separate from


the TAP files makes it possible to compare the
given subscriber or group of subscribers, i.e.,
usage profiles are extracted and used as normali-
The fraud alarms
CDRs and thus detect inconsistencies, and also ty models. Some authors use neural networks, triggered by the
to check the integrity of the systems. Moreover, expert systems or data mining, among other
detection systems can be better adjusted, thus techniques, to derive these profiles and extract detection system
reducing their “false positive rate” (level of the relevant parameters from CDRs. A repre-
events erroneously detected as fraudulent). sentative example of this approach is the must be thoroughly
However, although NRTRDE constitutes a con- ASPeCT project [15]. On the other hand,
siderable improvement over previous systems, it machine learning methods have also been tested reviewed before it is
also has some drawbacks that should be pointed
out. First, there are few incentives for the VPMN
in order to establish a general normality (or
abnormality) model for the whole system. In this
definitively concluded
to put it into practice, because the principal ben- case, not only CDRs, but also voice or signaling that the observed
eficiary is the HPMN. Additionally, receiving an traffic, and other related events might be consid-
extra flow for CDRs requires investment in addi- ered [14]. event is indeed a
tional processing and storage infrastructure. Although some of these techniques seem
Data traffic monitoring: Since the subscriber’s promising for the detection of fraud in roaming, fraud attack. This
data traffic in roaming flows between the SGSN their main problem is related to the so called
of the VPMN and the GGSN of the HPMN, it is false positives rate [12, 13]. In order to reduce review is normally
possible for the latter to monitor such traffic as
if it were generated by the network itself. To do
them, detection modules in current solutions use
to work in a supervised manner. However, this
conducted by the
this, the use of systems known as RTC (“Real leads to an increase in the average resolution company’s fraud
Time Charging,” in pre-pay, or “Roaming Traf- time, TR.
fic Control,” in post-pay), located in the SGSN- There exist many current commercial systems department or by
GGSN data route, is recommended. These from companies in this field, some of which are
systems monitor data traffic in real time, provid- still incipient, while others are consolidated (e.g., an outsourced
ing this information for the detection stage. Mach, Syniverse Technologies, FairIsaac, Agi-
It should be noted that considerable effort is lent, StarHome, ECtel, gmv). specialized company.
currently being made towards deploying online Finally, let us note that systems for data traf-
charging systems [11], especially in IMS (“IP fic monitoring in real time (RTC) also incorpo-
multimedia system”) frameworks, which aim at rate detection capabilities, and thus make it
providing a standard interface to integrate the possible to observe possibly fraudulent behavior.
charging of heterogeneous network equipment
on a real time basis. These systems will reduce SUPERVISION STAGE
to a minimum the value of TR, as they monitor The fraud alarms triggered by the detection sys-
and transfer per flow and obtain service charging tem must be thoroughly reviewed before it is
information in real time, thus making the net- definitively concluded that the observed event is
works less vulnerable to frauds caused by delays indeed a fraud attack. This review is normally
in data exchange (fraud type 1B). conducted by the company’s fraud department
or by an outsourced specialized company.
DETECTION STAGE The principal difficulties arising during this
The detection module uses all the information stage are those due to the lags that arise as the
generated during the data collection stage, and it fraud investigation takes place. These lags
must decide whether a behavior is anomalous or increase considerably when the notifications of
not. In this stage, the FMS (“Fraud Manage- the detection system take place during off hours.
ment System”) plays a crucial role, as it is an In many such cases, the companies involved have
automatic (or semi-automatic) system that pro- not envisaged any kind of action plan. This lack
cesses the CDR information and searches for of planning nullifies the effort and investment
fraud patterns. made in other stages of the protection system to
The detection of fraudulent activities is a pat- reduce the average resolution time. This sce-
tern classification problem, quite similar to oth- nario is more frequent than might be expected
ers like intrusion detection in the network at first sight; international fraud networks are
security field. Current available techniques that aware of the limitations of companies in this
tackle these problems range from statistical respect, and take advantage of exposure timings
approaches to more complex methods, i.e., data to perpetrate their fraud.
mining, machine learning and neural networks Note that, by means of this stage, the accura-
[7, 12, 13]. cy of the system is maximized, assuming that a
Although pattern classification is a very active manual inspection of the data is more reliable.
research area, there exist few works related to However, manual inspection involves greater val-
fraud detection in telecommunications and even ues of TR. This fact highlights the necessity for
fewer are focused on the peculiarities of fraud in the development of improved automatic detec-
roaming. This fact is mainly due to privacy, tion algorithms that provide acceptable accuracy.
brand image, and economic concerns from the With the use of these algorithms, the supervision
major operators [14]. These are usually reluctant and the detection stages could be merged into a
to make data available for research purposes. single phase.
A good overview on methods for fraud detec-
tion in telecommunications is presented in [14]. RESPONSE STAGE
Some of them are based on the use of signatures If a fraud alarm is raised during the supervision
or rules, e.g., when a call is over 30 minutes, an stage, it is necessary to act in some way to abort
alarm signal is raised. Other approaches rely on the fraudulent action. To do this, it is advisable
statistical characterization of the behavior of a for the HPMN, first, to suspend the calls or ser-

IEEE Wireless Communications • December 2009 93


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.
DIAZ-VERDEJO LAYOUT 12/3/09 12:21 PM Page 94

The know-how gained vices currently in use, and, second, to prevent


the fraud from continuing. Another less intrusive
This article has been partially supported by the
Spanish Government through MEC (Project
in this field should type of solution can also be opted for, such as TSI2005-08145-C02-02, FEDER funds 70 per-
that of a prior notification to the customer to cent). Finally, we thank the anonymous review-
help us win the battle avoid affecting the service when fraud does not ers for their comments, which have enabled us
really occur (false positive case). to significantly improve the quality of this article.
against fraudsters. To prevent further provision of the service,
the fraudulent user’s subscription is altered to at REFERENCES
Finally, social and least prevent the generation of SMS, barring all [1] Mach, “White Paper on Fraud Protection,” Nov. 2007;
http://www.mach.com
political aspects are outgoing and incoming calls in roaming, and
preventing the connection to data access points. [2] S. K. Siddiqui, Roaming in Wireless Networks, McGraw
Hill, 2006.
relevant to the fight Suspension of calls and services can be effect- [3] GSMA, “PRD BA.08, v19.0, Timescales for Data Trans-
ed in real time by using the IST (“Immediate fer,” May 2007.
against fraud. Thus, Service Termination”) functionality, if a CAMEL [4] M. Johnson, “Revenue Assurance, Fraud & Security in
3G Telecom Services,” J. Economic Crime Mgmt., vol. 1,
signaling agreement with the VPMN exists [10].
there is a need to Another alternative which does not involve the
no. 2, 2002.
[5] J. Hynninen, “Experiences in Mobile Phone Fraud”;
suspension of the services in real time is to noti- http://citeseer.ist.psu.edu /hynninen00experiences.html
analyze the social fy the VPMN (by e-mail, phone call, etc.), which [6] GSMA, “PRD FF.17, v2.0, International Revenue Share
Fraud,” Oct. 2007.
impact of fraud and will then carry out the interruption. [7] T. Fawcett and F. Provost, “Fraud Detection,” W. Klös-
gen and J. Zytkow, Eds., Handbook of Data Mining and
the political and CHALLENGES IN FIGHTING Knowledge Discovery (Sec. F2), Oxford Univ. Press,
2002.
regulatory measures FRAUD IN ROAMING [8] GSMA, “PRD FF.04, v2.3, High Usage Report Format
and Contents,” Oct. 2007.
[9] 3GPP, “ETSI TS 101 107, v8.0.1, Fraud Information
that should be Up to now, few private companies have focused Gathering System (FIGS), Service Description,” June
on helping operators to fight fraud in roaming, 2001.
deployed. mainly because of the poor perception of this [10] R. Noldus, CAMEL, Intelligent Networks for the GSM,
GPRS and UMTS Network, Wiley & Sons, 2006. ISBN: 0-
problem and also due to the lack of data provid- 470-01694-9.
ed by the operators for analysis and research. [11] K. Ahmavaara, H. Haverinen, and R. Pichna, “Interworking
In order to plan a roadmap for fighting fraud Architecture between 3GPP and WLAN Systems,” IEEE
Commun. Mag., vol. 41, no. 11, 2003, pp. 74–81.
in roaming, the first step is to clarify the magni- [12] R. Bolton and D. Hand, “Statistical Fraud Detection: A
tude of the problem, in terms of the current Review,” Statistical Sci., vol. 17, n. 3, 2002, pp. 235–55.
losses, dimension, operators and subscribers [13] Y. Kou et al., “Survey of Fraud Detection Techniques,”
affected, etc. Second, a key research area Proc. 2004 IEEE Int’l. Conf. Networking, Sensing and
Control, 2004, pp. 749–54.
involves systems to protect against fraud. The [14] P. Estévez, C. Held, and C. Pérez, “Subscription Fraud
problems in this area are similar to those facing Prevention in Telecommunications Using Fuzzy Rules
the IDSs in data networks. Thus, the know-how and Neural Networks,” Expert Sys. with Apps., vol. 31,
gained in this field should help us win the battle 2006, pp. 337–44.
[15] P. Burge and J. Shawe-Taylor, “An Unsupervised Neu-
against fraudsters. Finally, social and political ral Network Approach to Profiling the Behavior of
aspects are relevant to the fight against fraud. Mobile Phone Users for Use in Fraud Detection,” J. Par-
Thus, there is a need to analyze the social impact allel and Distrib. Comp., vol. 61, 2001, pp. 915–25.
of fraud and the political and regulatory mea-
sures that should be deployed. BIOGRAPHIES
G ABRIEL M ACIA -F ERNANDEZ (gmacia@ugr.es) is an assistant
CONCLUSION professor in the Department of Signal Theory, Telematics
and Communications of the University of Granada. He
received an M.S. in telecommunications engineering from
Roaming fraud is an important problem that has the University of Seville and got a Ph.D. in 2007 from the
attracted the attention of many important com- University of Granada. From 1999 to 2005 he worked as a
panies and operators. We have analyzed this specialist consultant with Vodafone Spain. His research was
initially focused on multicasting technologies, but he is
problem in order to highlight two main con- currently working on computer and network security.
cerns: first, the sensitive nature of the problem
has made the industry reluctant to reveal infor- P EDRO G ARCIA -T EODORO (pgteodor@ugr.es) is an associate
mation, and hence little research has been car- professor in the Department of Signal Theory, Telematics
and Communications of the University of Granada, Spain.
ried out in this field. The present article seeks to He received his B.Sc. in physics from the University of
encourage the research community to investigate Granada in 1989 and a Ph.D. degree in physics in 1996.
these issues. Second, we survey fraud techniques His initial research interest was concerned with speech
and protection policies, with the purpose of clar- technologies. Since then, his professional profile has
derived to the field of computer and network security, spe-
ifying and identifying the main questions. We cially focused on intrusion detection and denial of service
show how the technologies in this field are not attacks.
mature, possibly because most work has been
aimed towards data collection mechanisms, leav- JESUS E. DIAZ-VERDEJO (jedv@ugr.es) is an associate profes-
sor in the Department of Signal Theory, Telematics and
ing other aspects unconsidered. Communications of the University of Granada. He received
his B.Sc. in physics in 1989 and a Ph.D. degree in physics
ACKNOWLEDGEMENTS in 1995 from the University of Granada. His initial research
We wish to thank the Inter-American Develop- interest was related to speech technologies, especially
automatic speech recognition. He is currently working on
ment Bank (IDB) and, specially, Jose Maria computer and network security, although he has devel-
Díaz Batanero for motivating and supporting oped some work in telematics applications and e-learning
this work through the IIRSA initiative program. systems.

94 IEEE Wireless Communications • December 2009


Authorized licensed use limited to: UNIVERSIDAD DE GRANADA. Downloaded on January 4, 2010 at 06:58 from IEEE Xplore. Restrictions apply.

View publication stats