Fraud in Short Messaging in

Mobile Networks
Kari-Matti Puukangas / TeliaSonera
14.4.2010

Supervisor: Professor Raimo Kantola

Instructor: M.Sc Niko Kettunen

Contents

Background
Scope of the study
Different Types of Fraudulent SMS

How Fraudster Connects to the Network

Why Fraudulent Messaging Should be Prevented
How to Prevent Fraudulent Messages

Spoofing
Faking
3rd party faking
Spamming and Flooding
GT scanning and Mobile malware

TCAP Handshake
TCAP Sec
SMS Firewall

Conclusion

Kari-Matti Puukangas

Background

SMS fraud around the world

Asia

USA

SMS spamming is very common, cheap messages

China 6-10 Spam messages per day per user
India 20% of the short messages is Spam
E-mail to SMS is the biggest source to Spam
Not a problem yet

Europe

Quite expensive messages

Operators control all connected links
Phishing and call to premium number type of
attacks
Not a problem yet

Kari-Matti Puukangas

Background

Kari-Matti Puukangas

Background

Kari-Matti Puukangas

Scope of the study

Describe the different fraud scenarios

How the fraud can be identified and
prevented
Describe the fraud prevention methods
Give a recommendation of the most
suitable method based on a SWOT
analysis

Kari-Matti Puukangas

Different Types of Fraudulent SMS

Spoofing
Faking
3rd party faking
Spamming
Flooding
GT scanning
Mobile malware

Kari-Matti Puukangas

Spoofing

Illegal use of the home SMSC

Mobile Originated SMS with a manipulated A-MSISDN
(real or wrong) is coming from a roaming subscriber.

Kari-Matti Puukangas

Faking

Originated from the international SS7 Network and

is terminated to home mobile network.
SMSC number or A-MSISDN are manipulated (can
be existing numbers).

Kari-Matti Puukangas

3rd Party Faking

A special case of Faking

Happens in third partys network
Termination fees to home network

Kari-Matti Puukangas

10

Spamming and Flooding

Spamming

Unsolicited SMS
The spam SMS content can include:

Commercial information
Bogus contest
Messages intended to invite a response from the
receiver (e.g. to call a premium number)

Flooding
A large number of messages sent to one or more
destinations
Messages may be either valid or invalid.
Purpose to slow down the operator network or jam
one ore more mobile terminals
Usually combined with spoofing or faking
Kari-Matti Puukangas

11

GT Scanning and Mobile Malware

GT Scanning

A lot of MO_Forward_SM or SRI messages with

SMSC or MSC address incremented by one in
each message
Fraudster tries to find unprotected SMSC or
MSC

Mobile malware

All kinds of binary messages, e.g. viruses or

service settings

Kari-Matti Puukangas

12

How Fraudster Connects to the Network

Increased number of parties connected to

SS7 network

Bulk connections from small operators

Do not care how the connection is used

Hacking a short messaging entity

Interfaces to SS7 and Internet

Potential thread by hackers

May be noticed quite soon

Pribe the operator employees

May be possible in some less developed

countries
Kari-Matti Puukangas

13

Why Fraudulent Messaging Should be

Prevented

Subscribers point of view

Receiving spam is very annoying

Spoofed number may cause charges to innocent user
Spoofed subscriber may get angry calls and messages
from message receivers (blocking the handset)

Operators point of view

Loss of messaging income

Wrongly charged customers
Increased customer care contacts
Increased churn
Loss of termination fees
Termination of roaming agreements
Increased signaling network load

Kari-Matti Puukangas

14

How to Prevent Fraudulent Messages

GSMA has created a criteria to detect the

fraud and basic actions for stopping it
Means to prevent fraudulent messages

TCAP Handshake
TCAP Sec
SMS Firewall

Kari-Matti Puukangas

15

TCAP Handshake

3GPP specification 33.200

Based on the TCAP
segmentation used in the
long messages
First two messages used for
the authentication
Requires MAP version 2 or 3
Protection against faking

Kari-Matti Puukangas

16

TCAP Handshake

SWOT analysis for TCAP Handshake

Strengths
-

Weaknesses

No big investments
Good protection against faking
Standardized by 3GPP

Opportunities
-

Applies only to the Fake cases

Requires MAP version 2 or 3
Software of all SMS related elements
needs to be upgraded
All parties need to use the handshake
Maintenance of the policy table

Threats

Fast results if taken widely into use

Kari-Matti Puukangas

The other operators are not going to

implement this solution
Spoofing and flooding may increase

17

TCAP sec

3GPP specifications 33.204 and 29.204.

Requires new component to the network

SS7 Security Gateway (SEG) with databases for security policy (SPD) and security
association (SAD)

SEG secures the TCAP transactions with the help of the

Policy Database

Protected or unprotected mode

Kari-Matti Puukangas

18

TCAP sec

SWOT analysis for TCAPsec

Strengths
-

Weaknesses

Good protection against Faking

Possibility to secure all SS7 traffic
Standardized by 3GPP

Opportunities
-

Needs a lot of interworking between operators

Applies only to the Faking cases
All operators need to use TCAPsec
New network element (SS7-SEG)
Currently not many SS7-SEG manufacturers
Price may be high
Maintenance of the new element need dedicated
personnel
A lot of work in maintaining the policy tables

Threats

If all operators implement TCAPsec it will

give perfect protection against faking

If not implemented completely by all operators

fraudsters will have possibility to use spoofing
and flooding types of messages

Kari-Matti Puukangas

19

SMS Firewall

GSMA document IR.82 gives the guidelines to

prevent SMS threats with a firewall
SMS Firewall can stop all known threats
Spoofing and faking prevention by comparing
messages or location
Spamming and flooding prevention by checking
the content
Virus check
Can be implemented without the actions of the
other operators

Kari-Matti Puukangas

20

SMS Firewall

Preventing SMS Spoofing with Firewall

Kari-Matti Puukangas

21

SMS Firewall

Preventing SMS faking with Firewall

Kari-Matti Puukangas

22

SMS Firewall

SWOT analysis for SMS Firewall

Strengths
-

Weaknesses

Full fills all fraud cases described by GSMA

Not dependent on other operators actions
Many Firewall manufacturers
Can be integrated to the SMSC system
If part of the SMSC system there is no need for
new personnel
After installation, there is minimal configuration
needed
The Firewall can also be used for other business
purposes
Reporting tools available

Opportunities
-

For the complete protection home routing needs to

be activated
New element needs to be installed

Threats

Easy and fast deployment will give good

protection against existing threads

New kind of fraud that possibly could bypass the

firewall

Kari-Matti Puukangas

23

Conclusion

Requirements

The system must be able to protect against all

known fraud cases
The system needs to have an ability to collect the
reports of the incidents
The system must to be able to work regardless of
the actions of other operators.

Conclusion

The only available solution that fulfils all of the

requirements is the SMS Firewall. With the firewall
solution the operator can implement a solid line of
defence against all known fraudulent SMS threats.

Kari-Matti Puukangas

24

Thank You

Questions?

Kari-Matti Puukangas

25