By-pass fraud in the mobile telecom sector is a major challenge and is widespread all around the world, particularly in countries having higher interconnect rates. The motives behind this fraud are earning money, money laundering and fund generation for terrorist activities. By-pass fraud is committed using various methods such as SIM box, transit service, domestic interconnect by licensed operators, PRIs etc. SIM box fraud is the most common of all because of the ease of deploying/expanding the fraud network, its continuously declining operating cost and poor/inefficient controls by the operators and/or government agencies.
SIM box fraud is conducted by an Organized Crime Group (OCG) using smart SIM box equipment available at cheap rates, updated analytical tools and VOIP as the medium on 3G/4G networks. The OCG comprises the following:
- The financer who is responsible for arranging the funds, deploying the network in the country and interacting with the traffic carriers outside the country
- International by-pass traffic carriers, which take traffic from the originators and pass it on to the SIM box networks over the internet. At times some operators deliberately provide their traffic to such carriers to manage cost.
- The SIM box network operators, hired by the financers, who are responsible for operating the SIM boxes and interacting with the SIM suppliers and balance rechargers
- The SIM suppliers, who ensure uninterrupted supply and activation of prepaid SIMs by faking the biometric (fingerprint) verification system, where applicable
- The balance recharging team, which ensures that the SIMs always have sufficient balance to remain usable
This fraud causes huge losses to the operators, who spend large sums deploying expensive solutions to prevent it. Unfortunately, most of them keep struggling and only a few may be succeeding on a perpetual basis. The reason for this formidable success is the dependence on deploying isolated, unidimensional solutions which are limited to detection and blocking of SIMs, whereas success lies in the deployment of a composite framework. There are two major categories of solutions to combat SIM box fraud: (1) Call Pattern and (2) Test Call Generator.
Call pattern solutions are built around the fact that, unlike human callers, a SIM box always makes calls in a certain pattern, called machine behavior. The key characteristics of machine behavior include continuous calls, high “B” party dispersion, frequent call drops, a common IMEI for multiple calls, specific cell sites etc. The call pattern solution is believed to be the most effective method for the simple reason that, no matter what, elimination of machine behavior is never economically and/or technically feasible for the fraudsters. However, this solution has some inherent challenges, such as:
- A long gap between the time the first call was originated from a SIM and the time it was identified and blocked. This gap is unavoidable, as identification is only possible when the suspected SIM crosses given thresholds in a given time, after which the suspected CDRs have to be analyzed to remove false positives before the numbers are blocked. The longer the gap, the better for the fraudsters
- The fraudsters are using smarter SIM boxes that try to get closer to human behavior, meaning they change the calling patterns by gauging/analyzing the possible parameters used by the operators, for example by spoofing IMEIs, lowering “B” party dispersion, call tumbling, lowering the number of calls per SIM, changing location etc.
- Slow counter corrective measures by the operator mainly because of dependence on the solution provider
- A high false positive level could raise subscriber complaints and regulatory risks
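The machine-behavior indicators listed above, combined into a per-SIM score over a small set of constructed CDRs. This is an added example, not the author's or any vendor's tool; the CDR field layout, the thresholds and the three-indicator blocking rule are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed CDRs for one analysis window: (a_msisdn, b_msisdn, imei, cell_id)
def make_cdrs():
    cdrs = []
    for sim in ("A1", "A2"):          # two SIMs in one box: shared IMEI, one cell
        cdrs += [(sim, f"B-{sim}-{i}", "IMEI-X", "CELL-7") for i in range(30)]
    # Same behavior, but the box reports a different IMEI on every call
    cdrs += [("A4", f"B-A4-{i}", f"IMEI-S{i}", "CELL-7") for i in range(30)]
    # Human-like subscriber: few calls, repeated B parties, several cells
    human = [("H1", "CELL-1"), ("H2", "CELL-2"), ("H1", "CELL-3"),
             ("H3", "CELL-1"), ("H1", "CELL-2")]
    cdrs += [("A3", b, "IMEI-Y", cell) for b, cell in human]
    return cdrs

# Illustrative thresholds (assumptions, not values from the article)
THRESHOLDS = {"min_calls": 20, "min_dispersion": 0.9,
              "max_cells": 1, "min_sims_per_imei": 2}

def score_sims(cdrs, t=THRESHOLDS):
    """Return {a_msisdn: [indicator names that fired]}."""
    calls, sims_per_imei = defaultdict(list), defaultdict(set)
    for a, b, imei, cell in cdrs:
        calls[a].append((b, imei, cell))
        sims_per_imei[imei].add(a)
    result = {}
    for a, rows in calls.items():
        n = len(rows)
        dispersion = len({b for b, _, _ in rows}) / n   # distinct B parties per call
        cells = {cell for _, _, cell in rows}
        shared = max(len(sims_per_imei[imei]) for _, imei, _ in rows)
        hits = []
        if n >= t["min_calls"]:
            hits.append("continuous_calls")
        if dispersion >= t["min_dispersion"]:
            hits.append("high_b_dispersion")
        if len(cells) <= t["max_cells"]:
            hits.append("fixed_cell_site")
        if shared >= t["min_sims_per_imei"]:
            hits.append("shared_imei")
        result[a] = hits
    return result

def suspects(cdrs, min_hits=3):
    """Require several indicators at once to keep false positives down."""
    return sorted(a for a, hits in score_sims(cdrs).items() if len(hits) >= min_hits)

if __name__ == "__main__":
    for sim, hits in sorted(score_sims(make_cdrs()).items()):
        print(sim, hits)
```

The SIM with a different IMEI on every call (`A4`) loses the IMEI indicator but is still flagged on the other three, which is why the score does not rest on any single parameter.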
The Test Call Generator (TCG) is considered to be the most efficient tool in terms of accuracy, identification and blocking of the Grey SIMs, but it has its own challenges:
- It has very low coverage limited to the percentage of grey traffic landing on the small number of TCG SIMs
- The fraudsters very soon identify such TCG SIMs and start by-passing them, leaving the operators to replace them quickly
- The call originating plan for TCG probes, being vendor dependent, is usually not dynamic and becomes less effective as the fraudsters start using alternate destinations and routes
The TCG may therefore be useful for small operators for a short time but is never the ultimate long-term solution for an operator of any size. It is, however, very useful when used to complement the Call Pattern solution.
In addition to the above conventional techniques, analysis of bulk recharge and of single or multiple SIM activation activity using a query analyzer is also used to identify the grey SIMs (used and in stock) and to unearth the fraudsters' network.
Unfortunately, in most cases the success rate starts declining very soon after the solution(s) are deployed. The major reason for not having sustainable success is dependence on a unidirectional approach, i.e., detection and blocking only by the fraud management team. The other relevant departments in most cases may choose either to resist or to provide lukewarm support because of conflicting KPIs, such as increased churn because of SIM blocking, the possibility of unearthing colluding sales staff, a decline in domestic on-net revenue for commercial, and avoiding engaging government agencies to save on reputation loss. It is therefore important that SIM box fraud management is done under a well-defined framework (tried and tested), built on four pillars: (1) having a charter, (2) a dedicated skillful team, (3) efficient tools and (4) a set of preventive controls.
The first pillar is having a charter, signed and approved by the CEO and all the relevant top management, to ensure that SIM box fraud management becomes a collective responsibility. It states the responsibilities, roles and authorities of all the relevant functions under a RACI matrix. A SIM box steering committee (steerco) or board, usually comprising top management, is formed to prepare the strategy and review progress periodically or as and when needed.
The second pillar is having a dedicated team of highly skillful data analysts under the fraud management function, capable of developing logics, defining parameters, preparing TCG call plans, report writing and coordinating with other departments. The team is authorized to access any requisite data and to obtain support from other departments in terms of deployment of controls/tools development, investigation and ensuring actions are taken.
The third pillar is having a highly efficient and flexible set of detective tools. The common practice is using vendor solutions, as they have the expertise. This, however, entails certain challenges: (1) non-awareness of the local situation, (2) inflexibility to counter rapidly changing tactics of fraudsters, (3) being expensive, (4) declining performance over time and/or (5) delayed response from the vendor to change/update logics, parameters and thresholds, which in most cases are defined by the vendors, leaving the operators always dependent. It must be remembered that time is money for the fraudsters. The trends show that a SIM used for about 3 hours has already paid back to them, the rest being a bonus saving them on recouping of SIM stock. The good practice (tried and tested) therefore is to develop and use one's own tools (not rocket science), maybe in parallel, covering call pattern, recharge and activation along with TCG. This will ensure less dependency, more flexibility, efficiency in time to react and less cost.
The fourth and most important pillar is the deployment of preventive controls. This includes (1) cutting the SIM supply line by engaging the sales department, (2) not permitting new SIM activations, by querying blacklisted “Citizen Identification Data”, and (3) deactivating SIMs that are active and sold but not used. The control on new activations could be either proactive or reactive. This may include (1) making sales channels responsible for making quality sales and taking punitive actions against violators, (2) verification of new activations against blacklisted subscribers before issuance and (3) deactivating SIMs issued to blacklisted subscribers in near real time after issuance.
This framework, deployed at a very large GSM operator, produced sustainable long-term success only after years of continuous struggle on isolated solutions.
By Ahmad Nadeem Syed
DISCLAIMER: Comments expressed here do not reflect the opinions of FraudXpose or any employee thereof.