|© 2016 Black Swan Telecom Journal||•||protecting and growing a robust communications business||• a service of|
|Email a colleague|
Telecom fraudsters thrive on complex, multi-party schemes to steal money from operators and governments.
One of the most successful of these fraud practices is to bypass licensed carriers by terminating international calls onto mobile networks through unlicensed operators.
The technique is to send calls via the internet to SIM boxes (machines that house 8 to 32 illegal SIM cards) which redirect this illegal VoIP traffic onto mobile networks.
In fact, at the biggest wholesale conference in the world I saw one company openly selling these SIM boxes on the exhibit floor. So this is an integral part of a SIM boxer’s strategy — to attract “pirate” operators among legally licensed carriers.
Recently, Ahmad Nadeem Syed, Head of Revenue Assurance and Fraud Management at Mobilink in Pakistan, discussed with me the gravity of the grey traffic fraud situation. And he has provided to Black Swan readers an excellent overview of the threat scenario, current SIM box fraud management tactics, and some suggested international measures to bring this fraud under greater control. Ahmad’s hope is to stir up interest in having bodies like the ITU and GSMA take more action
|Dan Baker: Ahmad, thanks for taking the time to reach out and help the operator community. Exactly what corner of the market is affected by the SIM box threat?|
Ahmad Nadeem Syed: Happy to help, Dan. This “grey market” of international call bypass is a major issue in many, many countries. It’s particularly serious in countries where the incoming international traffic rate is high and controls are loose in terms of availability of SIMs and law enforcement help.
The SIM box fraudsters mainly use the pre-paid SIM, the ownership and address of which is hard to know whereas post-paid SIMs are easily traceable because of address verification at the time of connection.
The affected stakeholders are the mobile operators, the legal international carriers, and the government.
|What are the mechanics behind SIM box fraud?|
To begin, traffic aggregator carriers sit outside the target country where the interconnect rate is high, such as Pakistan, India, Bangladesh, Indonesia, and many others.
In some cases, these traffic aggregators are getting traffic directly from operators too, and their interest is simply to make a profit by terminating traffic at a much lower rate. And they do that by handing over traffic to illegal terminators in the target country.
Two years back it was common to see traffic coming through satellites, and that may still be true in certain countries even today, but now the common approach is to use broadband links. The SIM Boxes are widely available and sold prices ranging between $500 to $10,000.
The idea is take the traffic from abroad at cheap rates, pass the calls over the internet cloud, and bypass the international gateway exchange. The VoIP phone call is directed to a SIM box which makes an on-net call within the country.
The diagram shows the typical scenario. The fraudsters usually take advantage of cheap packages including bundle offers, which earns lower per minute revenue to the operators than the interconnect rate they can earn from the international carriers.
In Pakistan’s case, for example, the operators are losing about half a cent compared to one cent per minute on the interconnect rate. The loss to licensed international carriers is about 5 cents and the government about 2 cents per minute. The winners are the fraudsters, who need a very small investment to steal big money.
|Any indication of the size of this grey market worldwide?|
Estimating the loss due to by-pass traffic is not easy. It varies from country to country depending on: international termination rates, controls in place, and traffic volume. The grey traffic estimates I tend to believe are in the range of 10 to 30% of the mobile markets in countries affected by this issue.
|What’s the profile of the fraudster operators?|
There are two major players involved in this activity: (1) the fraudsters inside the terminating country; and (2) the illegitimate international carriers from across the border.
The fraudster could be a SIM box operator, a local loop operator or a national carrier license holder. The SIM box fraudster basically sets up everything -- the SIM boxes, the connectivity, the manpower, and fresh supplies of SIMs.
The Local Loop operators, bringing in illegal traffic, may use their switches in place of a SIM box. This makes it look like a local call using their own numbering series to terminate the traffic onto mobile operators. The national carriers may bring in illegal traffic, change the “A” number to fake Local Loop number for each call and terminate the same onto mobile operators on their national trunks instead of international trunks.
|The criminals are definitely well-organized. So what can operators do?|
There’s no doubt that the fraudsters are a step ahead. They are clever enough to scatter their boxes throughout a city and use smart equipment to: mask themselves via “B” party dispersion, spoof the IMEI of SIM box device, and accept no incoming call/SMS, in that way preventing operators from learning the balance available on the SIM.
A single operator cannot control this grey traffic issue on its own. In my opinion and experience, we not only need better SIM box detection solutions, but also greater measures to stop the sale of SIMs to fake subscribers: we need to check multiple SIMs in the same name, prevent the sale of pre-activated SIMs, and verify credentials before SIM activation.
Operators need to work with regulators to devise such policies and controls. In Pakistan’s case, for example, SIMs are activated only after credentials are verified through a national database the operators maintain. The fraudsters, however, have learned to circumvent this control. So in Pakistan we are installing a biometric system where the SIMs can only be obtained through a thumb impression. It’s a step in the right direction: I only hope it proves fool proof.
|How do the fraudsters respond to these control measures?|
The fraudsters are smart, techie and -- being from the same market -- they know how to outfox the local operators. To mask themselves, the fraudsters like to host their equipment in places where their calls can reach multiple cells sites and get widely dispersed. Another trick is to send out artificial SMS messages or accept a few incoming calls. They even use moving vehicles such as vans to make their broadband connections.
|How are the SIM cards themselves obtained? From your average shop or retailer?|
Once again, it varies by nation. In certain countries, obtaining prepaid SIMs is not easy because they require some form of personal documentation and the sale of pre-activated SIMs is prohibited. In other countries, though, there are virtually no checks because the operators are too busy trying to beat their competitors.
In Pakistan, operators sell their SIMs through their own distribution channels -- service centers and franchisees. The operators cannot sell the pre-activated SIMs, so the buyer has to call the operator’s help line (call center) through a special short code called “789”. The call centers are integrated with the Pakistan National Database Authority.
Even still, the fraudsters find ways to get around these roadblocks. They allegedly using personal information from electoral lists (widely available after the recent elections), and bank accounts IDs (in collusion with bankers).
As I said, a biometric system is now being deployed. So the question becomes, what will the fraudsters do next?
|What should international telecom organizations do to address the grey market problem?|
So far, the issue has evolved into a kind of cat vs. rat contest between solution vendors and fraudsters. Unfortunately, the rat is winning all the time because of the fast evolving techniques used by the fraudsters.
It is therefore high time for International Telecommunication Union (ITU) to come forward to design new protocols for communication between handsets and the MSC.
Dan, here I would like to share with your readers my personal experience, which proved very effective for a couple of months till the fraudsters beat me again using smart technology. I started identifying the IMEIs of the devices through link analysis and blocked them at the switch. It worked great until the fraudsters started spoofing the IMEI to make it look like a handset. This forced me to quit the strategy for fear I would block legal calls. So even effective strategies often have a short shelf-life.
But here’s an idea I think has great potential. We know each handset has a unique identity code called IMEI. The IMEI -- which includes information on the origin, model, and serial number of the device -- contains 15 decimal digits: 14 digits plus a check digit.
Now this check digit is not transmitted over the radio interface, nor is it stored in the EIR database at any point. So imagine if we used that check digit to validate the IMEI before letting it go through the switch. Well, in 8 out of 9 chances a spoofed IMEI would fail the test so you can block the call.
To implement a control like this, I think the ITU should step forward, form a working group, and coordinate with the GSMA to develop certain protocols so all 15 digits pass through the radio transmitter so the EIR can validate the IMEI.
This tool could prove effective: blocking 8 out 9 calls will cause the fraudsters some serious financial trouble and mentally frustrate them.
|Thank you, Ahmad, for this highly interesting and authoritative analysis of the grey traffic problem. I hope that your proposal and insights get the industry-wide attention they deserve.|
Copyright 2014 Black Swan Telecom Journal