February 2015

Combating SIM Box Fraud: Network Protocol Analysis to the Revenue Rescue

Combating the SIM Box Fraud Threat: Network Protocol Analysis to the Revenue Rescue

International call bypass is one of telecom’s toughest fraud problems.

The fraud is primarily accomplished through SIM boxes equipped with dozens to hundreds of SIM cards that disguise international calls toward wireless operators as local subscribers making domestic phone calls.

These SIM boxes are causing major revenue damage to wireless operators in many countries.  Interestingly though, no one quite knows the actual volume and magnitude of the revenue lost from SIM boxes because detecting the bypass is an art, and not yet a science.  Compounding the problem, the fraudsters constantly develop new techniques to avoid detection.

Operators are not the only losers, by the way.  Many countries impose a tax on telecom services, so the governments in those countries lose tax revenue when calls are illegally bypassed.

One of the innovators in the fight to curtail SIM box fraud is a U.S.-based company, LATRO Services.  The company’s CEO, Lex Wilkinson, now joins us to give a backgrounder on SIM box detection techniques and tell us about LATRO’s new technology, Protocol Signature™ detection, data analytics based on network protocol analysis that detects SIM boxes as they sign onto the network.

Dan Baker: Lex, what percent of the countries in the world experience this SIM box fraud?

Lex Wilkinson: It’s difficult to identify the exact percentage of countries, Dan, but I think that the percentage is very high.  A major misconception is that SIM box fraud happens in countries with very high termination rates, but based on our experience, we’ve seen it occurring even in countries where the rates wouldn’t be considered very high.

The money-making opportunity for the fraudsters is the differential between the international termination rate and the local termination rate.  So even in countries where that is only a few cents, there’s still enough margin for fraudsters to make money.

The biggest hotbeds for SIM box fraud that we see are Africa, the Middle East, Central and South Asia, Latin America, the Caribbean, and Eastern Europe.

Gee, you didn’t leave many continents out of the picture.  I’m curious: how do these fraudsters get into the business anyway?

For a fraudster to set up a profitable SIM box operation, the proper infrastructure needs to be there.  For instance, there needs to be reasonably good Internet service such as DSL, satellite, or fixed wireless like WiMAX.  We’re also finding that some of the wireless 3G and 4G data services deployed in the developing world are good enough to support termination of VoIP traffic to the SIM Boxes.  There also needs to be a plentiful supply of SIM cards because the fraudsters need to access a large volume of SIM cards on a regular basis.

We usually see fraud operations set up in urban areas within developing countries.  It’s rare — but not unheard of — to see SIM box operations in rural areas: broadband Internet connections and readily available supplies of SIM cards tend to be in the bigger cities.  Oftentimes, access to the SIM cards in volume is made possible through dealer fraud.  A lot of countries require registration to get a SIM card, such that buyers need to show an ID in order to purchase a SIM.  In our experience, however, registration controls do little to stop SIM Boxes, but result in a criminal business around fake and stolen IDs used to acquire SIM cards.

Lex, I’m eager to learn about your new SIM box detection technology.

Well, I think the most effective way of explaining our solution is to review the evolution of SIM box detection solutions.  Let me walk you through the strengths and weaknesses of the two primary solutions used in the past 10+ years — test call generation (TCG) and fraud management systems (FMS).  Then I’ll discuss some of the advantages of what our new technology — Protocol Signature™, data analytics based on network protocol analysis — brings to the table.

SIM Box Detection Technologies

Test Call Generation (TCG) Systems

When the SIM box bypass problem was first identified in the late 2000s, test call generation was the first detection technique that proved effective.  The idea behind test calls is to set up test phone numbers in your network and make calls to those test numbers from lots of different countries, through many different interconnect voice routes around the world.  In this way, you can find out where the grey routes are originating and the paths they use to reach SIM Boxes in your country.

Test Call Generation is all about probability.  The more routes and the more test calls you make, the higher the chances of finding SIM boxes.  Once you find routes that have a high volume of SIM box terminations, you can focus your call campaigns on those routes in order to maximize detections as much as possible.

Test Call Generation technology worked very successfully for many years.  Yet in the last two to three years we feel the effectiveness of that approach has dropped off significantly.  There are a few reasons for that.  First, the SIM boxers have figured out how to avoid detection by test calls.  For instance, they perform analysis on the voice call traffic coming toward their SIM boxes.  Based on usage patterns and other patterns, they can determine which calls are real subscriber calls and which are originating from a test call generation system.

Then they can either block the test calls and prevent them from reaching the SIM box to begin with, or reroute the calls to a legitimate route in order to avoid detection.

We’ve also heard cases of fraudsters allocating pools of their SIM Box cards to be sacrificed.  That is, they allow these allocated SIM cards to be detected in order to make the losing wireless operators feel like their controls are producing adequate results.  This is really only a diversion.  Meanwhile, other undetected SIM cards are driving the bypass revenue losses.

Bottom line: test calls are a technology and methodology that’s now well-understood by the fraudsters.  You still need it.  We don’t recommend anyone stop using test calls.  Test calls do get some results and allow a wireless operator to profile their interconnect partners and understand who’s sending bypass traffic toward their networks.

Fraud Management Systems (FMS)

Another solution traditionally used to detect SIM boxes is the Fraud Management System (FMS), an enterprise-wide data analysis platform that works well in detecting many different types of fraud.  In SIM box detection, the FMS uses Call Data Records (CDRs) to create usage-based analysis profiles that detect SIMs being used in SIM boxes versus those used in legitimate subscriber handsets.

FMS and similar CDR Analysis platforms have been effective in detecting SIM boxes, but in recent years, fraudsters have figured out ways to evade usage profile detection.  For instance, SIM Box manufacturers have developed something called HBS — Human Behavioral Simulation software — that allows the SIM boxer to simulate the behavior of real mobile subscribers.  HBS techniques involve automating features on the SIM Box such as SMS messaging, self-calling, and international dialing in order to frustrate detection algorithms used by FMS and CDR analysis.

Now in both cases — test calls and the FMS — by nature of their methodology, the fraud has been committed by the time you detect it.  So you are already losing money before the detections occur.  This is a major limitation.

Data Analytics based on Network Protocol Analysis

At LATRO Services, we figured there must be a better way to attack this problem.  Our expertise and background is in mobile network architectures and systems: we know a lot about protocol signaling and systems integration of network elements within a wireless network.

So we developed algorithms that use information available within the network itself to help detect SIM box fraud.  In fact, we can detect SIM Boxes on the network at the moment they connect.  So as soon as the SIM box is powered up and the SIMs are inserted, we can do the detection regardless of usage analysis and test calls.

As a wireless operator, you’re never quite sure when a SIM box is going to turn on within your network.  You have to always be looking in real-time for the patterns in individual protocol messages of all the wireless devices on your network.  So we developed a technology that allows us to flag what we call the Protocol Signatures of SIM box devices vs. the devices a normal mobile subscriber uses.

Now the information we are processing and analyzing is based on signaling data that is not available in CDRs.  So we feel we are offering something unique to the market.  Something that test calls, FMS, and CDR Analysis cannot leverage.

Lex, this rundown of the different kinds of detection platforms is very valuable.  And I would love to hear the FMS and test call vendors chime in, too, so I invite them to comment.  Where do you feel operators need to modify their methods of combating the SIM Box?

I think too many operators assume their current suite of tools is sufficient to detect and control the SIM box problem in their network.  Yes, they are getting some results, but my hunch is the results are not really mitigating the problem effectively.

Looking at this from a revenue perspective, if a wireless operator is doing a good job of stopping SIM boxes on its network, the volume of international traffic to that network should be increasing.  We know there should be a strong correlation here: if you do a good job at SIM box detection, yet your international call revenue is decreasing, there’s a disconnect somewhere.

In fact, many operators are frustrated by revenue declines and are looking for SIM Box control solutions that go beyond what’s available today.  And that’s where we are looking to add value.

For an effective mitigation strategy, you need to approach the problem from multiple angles.  For example, though SIM registration and distribution control is a good strategy, it needs to be complemented by other strategies.  We would never say our solution alone is a silver bullet.  But we do feel we have an innovative technology that strongly complements and even outperforms other solutions currently in use.  Clients that implement our solution as part of their overall bypass fraud control strategy gain incremental revenue to their top lines.

Now I understand that recently some fraudsters have been arrested thanks to results from your platform.

If you scan Google under “SIM box arrests” you will find a few stories of SIM boxer arrests in countries like Senegal, Ghana, Haiti, and Morocco.

And yes, some of our clients have asked us to do investigation work.  Using our technology, we are able to physically locate SIM Box equipment within the wireless network.  Then in cooperation with our clients, we support local police to make arrests.  We use our analytics platform to calculate initial location estimates based on network data and tower locations, then we have RF-based equipment used in drive testing to pinpoint the exact location of the equipment via direction-finding techniques.

In cases where the fraud has been prosecuted and equipment confiscated, we’ve seen fraud operations with tens of thousands of SIM cards found on-site.  These are SIM cards that were blocked by control techniques like test calls and FMS.  So all the fraudsters do is throw away the blocked SIM cards and replace them with new ones in their SIM Box equipment.  Clearly, the fraudsters expect a large number of SIMs to be blocked and they know how to get their hands on more and more SIM cards.

The quicker you can detect and block, the higher the cost to the fraudster — in both money and potential jail time.

Lex, thanks for a timely briefing and advice in this important SIM box area.  And good luck in your quest to find better ways to combat this fraud.

Copyright 2015 Black Swan Telecom Journal
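
The usage-profile approach described in the Fraud Management Systems section, sketched as an added example (not code from the interview, LATRO, or any FMS product): it builds per-SIM profiles from CDRs and flags SIMs that show several SIM-box-like indicators at once. The record layout, SIM labels, the fan-out indicator, and every threshold are assumptions, and the CDRs are constructed.

```python
"""Usage-profile screening of CDRs for SIM-box-like SIMs (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    voice_out: int = 0
    voice_in: int = 0
    sms_out: int = 0
    intl_out: int = 0
    callees: set = field(default_factory=set)


# Hypothetical thresholds; a real deployment tunes these per network and window.
MIN_VOICE_OUT = 20   # skip SIMs with too little traffic to profile
MIN_FANOUT = 0.8     # distinct callees / outgoing voice calls
MIN_FLAGS = 3        # indicators that must fire together


def build_profiles(cdrs):
    """cdrs: dicts with keys a (originator), b (receiver), kind, intl."""
    profiles = defaultdict(Profile)
    for r in cdrs:
        a, b = profiles[r["a"]], profiles[r["b"]]
        if r["kind"] == "sms":
            a.sms_out += 1
        elif r["kind"] == "voice":
            a.voice_out += 1
            a.callees.add(r["b"])
            b.voice_in += 1
            if r["intl"]:
                a.intl_out += 1
    return profiles


def indicators(p):
    """The first three mirror the behaviours the interview names (SMS,
    incoming calls, international dialing); fan-out is an assumed extra."""
    fanout = len(p.callees) / p.voice_out if p.voice_out else 0.0
    return {
        "no_incoming_voice": p.voice_in == 0,
        "no_sms": p.sms_out == 0,
        "no_international_dialing": p.intl_out == 0,
        "high_fanout": fanout >= MIN_FANOUT,
    }


def screen(cdrs):
    """Return {sim: [fired indicators]} for SIMs with >= MIN_FLAGS indicators."""
    suspects = {}
    for sim, p in build_profiles(cdrs).items():
        if p.voice_out < MIN_VOICE_OUT:
            continue
        fired = sorted(name for name, hit in indicators(p).items() if hit)
        if len(fired) >= MIN_FLAGS:
            suspects[sim] = fired
    return suspects


def sample_cdrs():
    """Constructed CDRs for three SIMs; none of this is real traffic."""
    def rec(a, b, kind="voice", intl=False):
        return {"a": a, "b": b, "kind": kind, "intl": intl}

    cdrs = []
    # SIM-A: terminates calls to 40 different local numbers, nothing else.
    cdrs += [rec("SIM-A", f"local-{i:03d}") for i in range(40)]
    # SIM-B: ordinary heavy user with a small contact circle.
    cdrs += [rec("SIM-B", f"friend-{i % 6}", intl=i < 2) for i in range(30)]
    cdrs += [rec(f"friend-{i % 6}", "SIM-B") for i in range(12)]
    cdrs += [rec("SIM-B", f"friend-{i % 6}", kind="sms") for i in range(15)]
    # SIM-C: dispatcher-style line; high fan-out but also called back and texting.
    cdrs += [rec("SIM-C", f"customer-{i:02d}") for i in range(25)]
    cdrs += [rec(f"customer-{i:02d}", "SIM-C") for i in range(20)]
    cdrs += [rec("SIM-C", f"customer-{i:02d}", kind="sms") for i in range(5)]
    return cdrs


if __name__ == "__main__":
    for sim, fired in screen(sample_cdrs()).items():
        print(sim, fired)
```

Requiring several indicators together keeps the high-fan-out but otherwise ordinary SIM-C out of the result. Every indicator here is computed from completed traffic, which is the after-the-fact limitation the interview attributes to CDR-based detection.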

Lex Wilkinson

William “Lex” Wilkinson is the Chief Executive Officer of LATRO Services, Inc., a privately funded company based in Easton, PA.  He was a pioneer in fighting fraud during the cellular market explosion of the early 1990’s and was an original member/founder of the CTIA Fraud Task Force in 1991.  As a security consultant to industry associations and wireless operators around the world, Lex has seen first-hand the many ways fraud can affect organizations and cost millions in lost revenue.

Later as an executive with Rural Cellular Corporation, he participated in the sale and integration of RCC to Verizon Wireless where he remained until 2010.  Based on his years of experience in the industry and as a Tier 1 telecom executive, he created LATRO Services, a company that develops and implements next generation fraud analysis tools and managed services for wireless operators around the world.

Mr.  Wilkinson is a U.S.  Army Veteran, retired Police Detective and a graduate of DeSales University in Center Valley, Pennsylvania.  Today, LATRO Services operates in over twenty-five markets on four continents.   Contact Lex via
