Unfortunately, sophisticated criminal activity often is an adjunct of technological innovation. Such is the case for cellular telecommunications.
Ramifications include lost revenue from fraudulent phone use-costing the industry nearly $1.5 million per day, according to the Cellular Telecommunications Industry Association-and the support and stimulation of other crimes like drug trafficking.
As an industry whose products and services are derived from cutting-edge technologies, law enforcement initially was ill-prepared to tackle cellular fraud and prosecute its criminals. In fact, before Congress passed a law addressing cellular fraud last year, the Secret Service depended on a credit-card statute to prosecute hackers.
Nonetheless, industry members-who compete fiercely against each other in the marketplace-along with law enforcement agencies and companies founded specifically to fight fraud are uniting to combat fraudulent activity.
CTIA’s Fraud Task Force has taken a leading role educating the industry, law enforcement agencies and consumers about cellular fraud and in organizing a cooperative effort to combat fraud and prosecute hackers.
Alias John Smith
One approach integrating carriers’ firepower is the work of Lightbridge Inc. The Waltham, Mass.,-based company fights subscription identity fraud, where violators supply phony names and identification to set up cellular accounts, with no intention of paying the bills. Lightbridge’s proprietary computer program compiles bad credit information gathered from participating carriers to create what the company calls an intercarrier negative file.
Using algorithms, the program seeks matches between tidbits of information. “If one carrier is approached by a fraud that’s been reported by another carrier, they can share the fraud’s latest location with the other carrier,” noted Pam Reeve, Lightbridge president and chief executive officer. Earlier this year, the company reported 25 carrier clients in 424 U.S. markets.
Copycats
Cloning or access fraud, in which thieves create bogus phones by capturing and copying electronic serial numbers and mobile identification numbers from legitimate phones, is the most damaging type of phone fraud, according to Tom McClure, CTIA director of fraud management. These sophisticated hackers use stolen test equipment to detect registered phones’ ESN-MIN combinations and copy them to other phones. Once the menu-driven cloning software is created, it easily can be copied and some phones can hold up to 100 cloned ESN-MIN pairs, he added. Consequently, the average street price for a cloned phone has dropped from $1,500 to $500 or less, commented McClure.
Digital signal processing or radio frequency “fingerprinting ” technology is at the industry forefront for combating cloning fraud. Cellular Technical Services Inc.’s Blackbird platform integrates hardware and software technology to equip service providers with pre-call information management applications for fighting fraud. PreTect, Blackbird’s application, reads a phone’s unique frequency pattern at the cell site, before a call reaches a service provider’s system, explained Seattle-based CTS. It compares the pattern and other data to computer-stored customer profiles and calculates the probability of whether a phone is counterfeit, said David Hoogerwerf, vice president for development at CTS. Without a proper match, a call automatically is shut down in less than seven seconds, according to the company.
Registering a phone’s fingerprint with the carrier is the most vulnerable part of the security system, added Hoogerwerf, noting there are as many as five methods of signal collection. Hoogerwerf doubts hackers will clone the signal fingerprint itself, at least not on a mass basis, because it would be too expensive.
In alpha tests conducted in a controlled environment, Blackbird detected more than 90 percent of fraudulent calls, claimed CTS.
CTS has letters of intent with AirTouch Communications Inc., U S West Inc., Bell Atlantic Corp. and Nynex Corp.-the latter two which recently merged mobile operations to form Bell Atlantic Nynex Mobile-and the Chinese Ministry of Transportation and Communications to conduct trials of Blackbird and PreTect.
FraudBuster, by Longmont, Colo.-based Coral Systems Inc. and PhonePrint, by Corsair Communications (formerly TRW Wireless Communications) also employ digital signal analysis or radio frequency fingerprinting technology.
In addition to U.S.-based cellular fraud, Coral Systems is working to offer fraud solutions in the Asia-Pacific region’s booming cellular market. At the end of 1994, industry sources reported more than 7 million cellular phone subscribers throughout the Asia-Pacific region, said Coral, and the figure is expected to reach 17 million by year-end 1997. Taiwanese officials estimate fraudulent access ties up as much as 15 percent of system capacity, the company stated.
“With this level of anticipated growth, managing scarce network resources is becoming a critical success factor for most operators within the region,” explained Eric Johnson, president and chief executive officer of Coral. “For example,” he continued, “the ability to control fraudulent access is now viewed by carriers as a new business tool.”
Coral’s FraudBuster is being used by Cellular Communications of Puerto Rico Inc., a private operator in the region.
PhonePrint “has now terminated more than 5.4 million illegally placed cellular telephone calls since its market deployment earlier this year,” reported company spokesperson Julie Chang, “and is now averaging 1.2 million calls per month.” The company’s system is operating in Los Angeles.
“PhonePrint is proving extremely effective at stopping fraudulent calls before they get on the system,” affirmed Dave Daniels, director of fraud management for San Francisco-based AirTouch. “The customer doesn’t have to do anything to make it work-he doesn’t have to remember any PIN numbers or go through any extra steps to place a call. It’s completely transparent.”
Corsair currently is conducting PhonePrint trials with Bell Atlantic Nynex Mobile and Cellular One in New York.
Bell Atlantic Nynex Mobile’s anti-fraud operative, which arms legitimate subscribers with personal identification numbers needed to place calls, was activated in those markets last year. “The beauty of our system is that the PIN number is sent over a separate voice channel from the ESN-MIN number,” said a company spokesperson.
Some industry members disfavor using PIN numbers, contending the burden of fighting cellular fraud should not fall on subscribers’ shoulders. Looking at the big picture, say others, PINs do help and the industry needs all it can get. Corsair said the use of PIN numbers has decreased fraud by 35 percent. Included in Bell Atlantic Nynex Mobile’s territory is the New York metro area, one of the nation’s hardest hit markets for cellular fraud.
AT&T Corp.’ Network Wireless Systems unit developed a set of fraud detection and prevention software tools based on recommendations of many cellular carriers who use the company’s Autoplex System 1000 network infrastructure. The system uses Interim Standard-41 technology-the U.S. standard for interoperability between cellular systems, enabling subscribers who travel to roam between service areas-and internetwork messaging.
This measure has aided in abating tumbler fraud, widespread several years ago. This type of fraud occurs most when bandits pose as roamers traveling outside their home system and, by using the call validation process for roaming, randomly reprogram a phone’s ESN after each call.
Subscriber Computing Inc. in May introduced FraudWatch Profiler that automatically develops customer profiles by “learning” each user’s calling pattern, said the company. Usage deviating from a profile will invoke a review of the account. FraudWatch Profiler is an extension of SCI’s Accellurator software fraud detection system introduced in 199
2. The system fights both cloning and tumbling fraud, said Laguna Hills, Calif.-based SCI.
GTE Telecommunications Services introduced a few years ago its FraudManager product, which used pre-call validation to detect tumbling fraud. To combat cloning fraud a number of carriers now use GTE’s CloneDetector, an open systems graphics-based technology that processes real-time subscriber activities, including calls attempted, and compares that information to a pre-determined factors signalling suspicious activity and caller profiles, said the company. System alarms are preset but can be modified by a carrier at any time. CloneDetector enables carriers to detect counterfeiting activity quickly and before customers are aware of it, notes GTE. Fraudulent callers are shut down immediately.
Latest on the fraud scene is HALT!, a portfolio of pre-call detection and post-call analysis fraud fighting solutions offered to carriers by Motorola Inc. “Enhanced locked mobile” allows subscribers to turn their cellular account on and off, in roaming as well as home markets using a PIN, indicated Steve Lalla, Motorola’s cellular system division product marketing manager. “Target number challenge” compares numbers dialed by callers, including 900 numbers and international area codes, to a list of suspect numbers. If a caller dials a listed number, the system requires PIN entry. If the PIN entry fails, the subscriber record is marked as fraudulent and requires PIN entry for all subsequent calls until further investigation, said Motorola. “Enhanced Clone Clear” detects when more than one phone with the same ESN-MIN combination attempts using the network. Again, in such a situation, a caller must enter the PIN to complete a call and invalid entry blocks further calling without PIN entry.
HALT!’s star player, the authentication feature, is an intelligent network mechanism designed to blitz cloning fraud. When a customer purchases a phone, the carrier will mail separately a number combination the subscriber programs into the phone, explained Lalla. It is programmed only once, after which all calls made from that phone scramble that number along with the ESN and MIN over the air.
Challenge-response authentication is the best solution for stopping cloning fraud, said McClure. This technology will assign each legitimate user’s phone a 26-digit algorithm and cryptogenic “key” or password. Only the user and the network know the secret key. When a subscriber places a call, the algorithm is scrambled differently each time to avoid detection over the air. Despite strong industry backing, this measure will require altering cellular switches and phones to be authentication-capable, which could take a carrier several years, noted McClure. This anti-fraud scheme is interoperable with current analog and digital air interfaces.
Prosecution
Taking action against cellular phone hackers meets one key barrier, a political and legal system often uneducated about cellular technology and fraud. Passed by Congress late last year, the Communications Assistance for Law Enforcement Act includes technical language, such as “electronic serial number” and “mobile identification number.”
Organizations including CTIA, Bell Atlantic Nynex Mobile and Motorola’s Consulting Services Group work to educate consumers, local, state and federal law enforcement agencies, attorneys, judges and juries about cellular fraud.
Law enforcement has placed additional urgency on fighting this kind of crime, because not only does fraud drain industry revenues, “counterfeit cellular phones have become a major tool for narcotics traffickers and persons associated with other criminal enterprises who need telecommunications in order to conceal their illegal activities from law enforcement authorities,” stated Jeanine Pirro, district attorney in Westchester County, New York.
Cellular fraud now is a federal crime punishable by up to 15 years in jail and $250,000 in fines.
Pennsylvania demonstrated serious action at the state level when it passed a bill last month making cellular phone fraud punishable by up to seven years in prison. The bill raises the crime’s classification from a misdemeanor to a felony.
Behind the action was a coalition of companies including Bell Atlantic Nynex Mobile, Comcast Cellular Communications Inc., Sprint Cellular, Vanguard Cellular Systems Inc. and McCaw Cellular Communications-now a division of AT&T Wireless Services. Together, the companies drafted legislation that establishes penalties for involvement with devices used to illegally intercept ESNs, MINs and other phone coding, and prohibits modifying and reprogramming equipment to fraudulently place or receive calls.
On the flip side of hard crackdowns in the cities of Miami, New York and Los Angeles, are fraudsters who have gravitated to outlying areas of these cities to conduct cloning procedures, said McClure. Consequently, “fraudulent roaming calls have escalated, and home system calls have gone down,” he explained.
2 steps forward, 1 step back
Bill Benton, assistant to the special agent in charge, financial crimes division of the U.S. Secret Service, said a “prolific problem is the inside threat.” With access to accounts, billing, computer software and equipment, industry personnel have the tools to accomplish high volumes of fraudulent activity.
Though employee-committed fraud may have the greatest financial impact, as Benton said, these criminals may be easier to apprehend than outsiders. Through training and education, companies can better equip themselves to detect this fraud early or avoid hiring these people in the first place, he noted.
The changing technology of cellular phones and systems-from analog to digital-will itself diminish certain forms of fraud. Today most users own analog-based phones which make it easier to capture ESNs and MINs.
Advances in fraud-fighting technology and industry-law enforcement cooperation have made cellular fraud more difficult to commit and bolstered penalties for the crimes. Since cloning is one of the most sophisticated and financially draining types of cellular fraud-the tab picked up by carriers-company’s like CTS, Corsair and Motorola concentrate fraud-fighting efforts on this level.
However, one dilemma much of the industry fails to talk about is subscription fraud, which, no matter how amateur its participants, is difficult to conquer. Subscription fraud is among the top few most damaging forms of cellular fraud, according to Benton. “It’s always been up there, and always will be,” he explained. By the time the crime is detected, the perpetrator is long gone.
Growing consumer trends pose increasing risk of subscription fraud. As carriers begin marketing more phones through mass market channels, such as grocery stores and mall kiosks, these fast paced environments and large number of employees could weaken security measures. Additionally, many of these venues plan to offer instant activation to new users. Some cellular phone retailers plan to require payment by credit card-which requires validation-to decrease chances of subscription fraud. But what about customers who wish to pay cash?
McClure noted CTIA is planning to conduct a fraud summit this September to examine wireless fraud and build alliances among carriers and manufacturers to better deal with fraud issues.