Email a colleague    

February 2019

Safety in Numbers and NRTRDE: Syniverse’s Strategy to Constantly Enrich Its Mobile Fraud Intelligence

Safety in Numbers and NRTRDE: Syniverse’s Strategy to Constantly Enrich Its Mobile Fraud Intelligence

Staying abreast of the latest intelligence in telecom fraud control is vital.  A great deal of that intelligence is communicated in working groups like the Communications Fraud Control Association (CFCA), the GSMA Fraud and Security Group (FASG), and the Risk Assurance Group (RAG).

Then too, country-specific working groups are formed in many parts of the world.  Fraud system vendors hold user forums, and other groups hold regular meetings, allowing fraud experts to mingle and share fraud intelligence.

Of course, cooperation between fraud-fighters doesn’t require meeting in person.  Consider the intelligence shared in online magazines and vendor websites.  And if you’re combating IRSF, you can buy fraud-fighting intelligence in the form of blacklists and databases from firms like iconectiv, Yates Consulting, and Biaas.

Finally, a less-talked-about but powerful form of fraud protection is the “safety in numbers” variety.  In the animal kingdom, for example, the herding of elephants, flocking of birds, and schooling of fish provide defense against predators.

In the telecom kingdom, global wholesalers like Tata Communications, BICS, and iBasis carefully monitor the traffic and fraud control practices of the hundreds of operator partners in their ecosystems.  And as fast as bad apples are spotted, they’re tossed out before they spoil the barrel.

Syniverse is another fraud control player that leverages safety in numbers.  As the world’s largest roaming and mobile data clearing house provider, it constantly collects data that update its global fraud intelligence.

Here to discuss Syniverse’s anti-fraud ecosystem is James Stewart, Product Management Director for Fraud and Revenue Assurance solutions.  In our discussion, James strongly emphasizes NRTRDE, the Near Real Time Roaming Data Exchange, an international standard he helped to define several years ago that is pivotal to Syniverse’s solution set.

Dan Baker, Editor, Black Swan: James, when we spoke several years back, NRTRDE was a relatively new initiative, but today the standard is well-established.

James Stewart: It is, Dan.  Roughly 90% of mobile operators use NRTRDE, while some operators use CAMEL as their means of getting data back quickly.

The reason fraudsters love the roaming environment is that they hope to maximize the period of time between when they complete their calls and when the records get back to the home operator.  So the key is to detect fraud as fast as possible.  If you block it quickly, your network becomes a much less attractive target to the fraudsters.

At Syniverse, we supply more operators with NRTRDE service than anyone else — about 65% of mobile operators.  In addition, of course, we’re one of the leaders in cloud-based fraud protection on both the roaming and domestic traffic sides.

What’s the competitor landscape look like in terms of the NRTRDE business?

Dan, 65% of mobile GSM, mobile operators around the world use us for NRTRDE.  Then there are other firms, like Starhome, Comfone, EDCH, and ARCH in China, that we compete against.

So for the sake of simplicity, let’s say there are six companies providing NRTRDE services.  If Syniverse is processing 65% of the NRTRDE messages, that means the other five companies are processing 35% of NRTRDE traffic between them, making our global view of fraud patterns far greater than any of our competitors.

And that global view is really important.  It gives us insight into fraud patterns in all parts of the world.  So, if we see one operator suffering from a particular kind of fraud in the Asia Pacific region and have never seen it before, then we put that information into our protection criteria to say this: when someone in another part of the world — like the Latin America region — hits the same problem, use that global intelligence to make sure we detect the fraud faster.

When we learn a new number is associated with IRSF fraud, we add it to our database, where that knowledge benefits all operators in our fraud protection network.

Maintaining hot lists over time is also crucial.  The GSMA might publish a number on their hot list, but a few years later that number may need to be withdrawn because the number is now used for legitimate traffic.  Telephone number allocation is pretty dynamic, so good grooming of the list is key to not wasting time chasing false positives.

The intelligence we gather can then be applied in many different ways.  NRTRDE is certainly not the only data type to use.  We can use signaling to prevent fraud in real time, using the intelligence we gather to prevent people from connecting to numbers that are known to be fraudulent.

What are the mechanics of NRTRDE?  How does the process work behind the scenes?

Well, when a subscriber visits a foreign network and makes calls while roaming, NRTRDE records are sent from the visited network, back to their home network in near-real time.  This process has been well-established for many years, but it is important that the data is also analyzed in near-real time, and compared to information that is gathered through global intelligence.  Syniverse will analyze the data, 24/7, and in some cases operators also ask us to send the data to them, and they use it in their own fraud systems as well.

Let’s say an operator in the U.K. subscribes to our NRTRDE service.  Since we act as their NRTRDE agent, the data that is transferred from the visited network to the home network comes to us.  And from there we can process the data for fraud detection and the operator may also use the data in its own systems.

If you are a subscriber based in the U.S. and you travel to Spain, when you roam in Spain, you may be on Telefónica’s network.  In that case, Telefónica is the visited network and it sends the NRTRDE to us as its agent.  We take that raw data, convert it and send it back to the home network in America.  We may also be the home network’s NRTRDE agent, or the data may be sent to a competitor agent.  It is the home network that usually wants the NRTRDE analyzed for fraud.  However, analysis is often done for the visited network as well.

In parallel with that, you’ve got the data clearing house (DCH) function, which happens a little while later, so the TAP records are passed through a similar route.  These, too, can be useful in fraud detection.  Then, financial clearing happens later on to make sure that all the transactions are correctly paid and the funds are transferred from operator to operator.  Syniverse is the leader by market share in all these areas of NRTRDE, DCH and financial clearing.

There’s quite a number of data handoffs going on.  And it’s interesting that the end-to-end process fully combines fraud control and revenue assurance.

Yes, and another complexity we manage is GDPR, which requires us to handle the data in a secure and sensitive way.  There are rules we need to follow on how we handle data and how long we hold it.  We are regularly audited for compliance.

In practice, as soon as a customer sends us its data, we convert it, and, within minutes, the data is processed by Syniverse and analyzed for fraud.  If someone calls a hot-listed number on our hot list, then we immediately process the record and generate a case for it.

In some situations, we apply automated commands that operators use to automatically take action, such as cutting subscribers who are committing fraud.

In other cases, we just send the operator an alert (through VPN, messaging or email).  One of the key values of our fraud service is having our analyst team filter out the false alarms so the cases we refer to them have been pre-screened, ensuring that operators focus on the frauds that matter.

What’s your assessment of the worldwide effort to block telecom voice fraud?  How are we doing?

Dan, the mobile operators that use NRTRDE and have a solid fraud control solution are generally doing a good job.  But you’d be surprised at how many operators don’t use NRTRDE effectively, either because they don’t man their fraud desks outside business hours, or because they don’t use any fraud detection mechanisms to analyze NRTRDE.  That’s kind of unbelievable at a time when businesses are threatened 24/7.

If I’m going to come and rob your house, am I going to do that when you’re home?  No, I’m going to rob your house when the lights are off and you’re not there.  So long weekends are a time when operators are vulnerable to fraud.

What’s more, part of the problem is that telecom fraud rarely reaches the newspapers.  Fraud can impact innocent subscribers as well, and there is still too much complacency.  Many fraud networks are well-organized and extremely capable.

Law enforcement in many countries works in close cooperation with operators.  In the U.S., cooperation has resulted in successful resolution of frauds worth many tens of millions of dollars being perpetrated from various parts of the world.  Spain is a country that is often singled out as a country with a considerable problem in roaming fraud, and it is only through cooperation between various parties (operators and law enforcement) that the problem can be successfully addressed.

In some regions of the world, a high proportion of fraud may involve internal collusion, meaning that the fraudsters either have contacts working within operators, or people have left operators and provide intelligence to fraudsters, or fraudsters find ways through social engineering to gather intelligence.

Intelligence works both ways.  The fraudsters are well-organized in gathering intelligence, and they use it effectively in attacking operators that are more vulnerable and less vigilant in defending themselves from fraud.  At the same time, telecommunications operators, working with law enforcement and industry groups, work to share intelligence to defend against fraud.

The great majority of operators suffer from fraud to some extent, but some operators are not as proactive as they should be in addressing the problem.  They may rely on luck, assuming that because they don’t have a problem today, they won’t suffer from the problem tomorrow.  However when operators are successful in pushing fraud from their networks, the fraudsters don’t give up.  They find themselves fresh victims, attacking those who are less proactive.

So our mission at Syniverse is to serve the operators that highly value the latest fraud intelligence on threats and the recent fraud experience of other operators.

At Syniverse, we use many different kinds of data sources, not just NRTRDE, and by virtue of being the most widely used NRTRDE exchange for mobile operators, we collect and analyze that intelligence for the benefit of all our fraud customers.  By coming to us, an operator gets the benefit of having all that critical fraud being brought together without any confidential information being divulged to unauthorized parties.

And where do we go from here?  We use the intelligence gathered to prevent fraud from occurring.  We use signaling to stop calls from connecting to those fraudulent numbers, in real time.  It works, and it’s long been effective.

Great perspective, James.  Thanks for this fine briefing.

Copyright 2019 Black Swan Telecom Journal


About the Experts

James Stewart

James Stewart

James Stewart joined Syniverse in 2008 and brings more than 25 years of experience in the mobile industry, with a particular specialization in fraud prevention.  In addition to being Director for Product Management at Syniverse, he serves as the Chairman of the GSMA’s Roaming and Interconnect Fraud and Security Subgroup.

Before joining Syniverse, James was a Client Partner at Fair Isaac, in its telecoms division.  It was during his tenure with Fair Isaac that he became directly involved in the creation of the near-real-time roaming data exchange (NRTRDE).  Prior to his position at Fair Isaac, James worked at Neural Technologies and Cerebrus Solutions, and specialized in fraud and risk management.

Previously, he was with Nortel Networks, where he spent 10 years working in Nortel’s e-business group to help operators overcome revenue assurance challenges.  He holds a Bachelor of Science in electronics and electrical engineering from Brunel University in the U.K.

Recent Articles