ORLANDO, Fla.-Despite the reluctance of some carriers to report fraud figures and the inability of many to distinguish fraud from bad debt, a popular consensus is that fraud against wireless telecom providers appears to be declining, at least for now.
“If we think we can rest on our laurels, we are wrong,” said Thomas E. Wheeler, president and chief executive officer of the Cellular Telecommunications Industry Association, at the group’s Wireless Security conference earlier this month.
CTIA said it anticipates fraud losses for domestic carriers will comprise 0.5 percent of 1998 revenues, down dramatically from 3.9 percent of revenues in 1995. Total losses attributable to fraud are expected to be just under $200 million this year, according to CTIA.
Dave Daniels, director of corporate fraud prevention for AirTouch Cellular, Irvine, Calif., offered a variation on this theme. He said fraud losses this year will total $450 million, about 1.5 percent of revenues, down 62 percent from 1996 levels when they were $840 million, or 4 percent of revenues, he said.
Worldwide, fraud “is a $12 billion business,” with subscription fraud gaining fast on technical fraud as the leading variety, said Ray Davis, vice president of business for telecommunications and utilities at Equifax, Atlanta.
“I’m not so sure (fraud loss) will go too far below 1 percent because the energy and resources that management is willing to put into (controlling fraud) after that will decline,” Daniels said.
CTIA said it attributes the reduction in wireless fraud to an “arsenal of containment tools rather than a single magic bullet.” These measures include authentication, radio-frequency fingerprinting, roamer verification and reinstatement, profilers, personal identification numbers and prepaid (calling) cards.
Coming, new kinds of fraud
A variety of new criminal techniques are works in progress, and carriers remain vulnerable. New avenues for fraud include ” `vampires’, which load new numbers into a phone after each call, and profilers don’t see them,” Daniels said.
The much ballyhooed dual-mode phone poses security threats to personal communications services carriers that have not implemented authentication technologies.
The newly launched and about-to-be launched satellite telecommunications services can be a gold mine for thieves who insert stolen subscriber identity module cards into them, then roam worldwide seamlessly and unseen by carrier networks.
The Internet, toward which both commerce and telecommunications transmission is headed, offers criminals a wide open opportunity to steal services from carriers and the identities of their customers.
Roaming arrangements between United States carriers and those in Asia and South America are stymied by the reluctance and even inability of many foreign counterparts to account for and discourage fraud in their own markets.
“There is a business case to be made for getting out ahead of the next generation of fraud because fraudsters will continue to innovate,” said David Thompson, president and chief executive officer of Corsair Communications Inc., Palo Alto, Calif.
Help from the Hill
The fraud-fighting arsenal received two new weapons from Congress and President Clinton last session, Wheeler said. The first closes some of the loopholes that permitted illegal scanning and handset cloning devices to be used.
“For the first time, the law allows the (law enforcement community) to pursue people who traffic in identification information, including [electronic serial numbers] and [mobile identification numbers],” said Glenn Schmitt, counsel to the U.S. House of Representatives Subcommittee on Crime.
The teeth that give the new statute its bite come from the fact that law enforcement officials no longer need to prove a suspect intended to defraud anyone in order to prosecute him or her for trafficking in identification information, said Albert Gidari, an attorney with the Seattle law firm of Perkins Coie.
“Prosecutors were reluctant to pursue this because intent is difficult to prove,” he said.
“This law also will help carriers stop Internet site owners from posting cloning and identity theft products.”
However, the legislation deliberately left it to the Federal Communications Commission to determine whether mom-and-pop shops should be allowed to continue cloning of extension phones for legitimate wireless customers, Schmitt said.
“The communications industry itself liked the cloning of ESNs (for a single MIN) because it’s a good marketing tool,” said Gerald Vaughan, deputy chief of the FCC Wireless Telecommunications Bureau.
“The people in this room may not want it, but the people in your marketing department like it.”
Legal punch against ID theft
The second new legal arrow in the wireless fraud-fighting quiver strengthens laws against identity theft, Wheeler said. This is a subset of subscription fraud, which is increasing in all its variations as a percentage of total wireless fraud.
According to U.S. Rep. Bill McCollum, there are 2,000 reported identity thefts each week in this country from financial services institutions, like credit-card companies. The overall total is closer to 1,200 cases daily, according to Deborah Ruffin, manager of customer assurance operations for GTE Wireless, Roswell, Ga. Insurance against these losses made financial services companies reluctant to pursue the perpetrators, according to U.S. Sen. Jon Kyl (R.-Ariz.).
“The new federal law against identity theft is in essence a subscribers’ bill of rights because they can pursue on their own some cases that carriers don’t. You will see a lot more calls from customers who received their first bill with inordinate charges,” Gidari said.
“There is some carrier confusion over whether they can release (to a subscriber his or her) records without a subpoena from a law-enforcement agency. There is no coherent answer.”
A wireless service provider probably can release a customer’s records if that customer has been a victim of identity fraud, Gidari said. However, there are situations in which law-enforcement agents ask the victimized subscriber to request his or her records from the carrier. In those instances, the question is whether a formal subpoena is required for release of records.
Cloning a comeback kid
Cloning was issued a death certificate at the CTIA conference, and no one mourned its passing.
However, Gary Bernstein, commercial director for Praesidium, a consulting firm based in Wiltshire, United Kingdom, said reports of its death are premature. Cloning, this time of Global System for Mobile communications SIM cards, likely will rear its ugly head within a few years.
“There have been no commercial cases of SIM card cloning, although it has been done in the lab. But this will become an issue after 2000. Right now, there is no effective means to manage this,” he said.
Roamers as robbers
This concern is just one of many related to the larger problem of roaming fraud, within and between countries, that carriers confront today.
“The key attraction for fraudsters is international dialing, routing calls back to third countries; it’s inevitably linked to call selling,” Bernstein said.
“Roaming adds delay in detection. The key problem is that once a customer roams onto a foreign network, the domestic carrier can’t see what the customer is doing.”
Praesidium concentrates on outbound country-to-country roaming, primarily involving GSM networks, because that is when the home carrier bears all of the risks and only receives a small percentage of the revenues.
“Some proprietary near real-time call details are coming. In 1999, there are plans for an international [intelligent network] platform for GSM to give full control and visibility in near real-time and call cut-off capability,” Bernstein said.
“The big difference from managing fraud in the United States is that int
ernational operators won’t choose an anti-fraud product unless it [follows] a standard, like [those of the European Telecommunications Standards Institute].”
Since it is difficult for a carrier to dictate the infrastructure-based security of its roaming partners, another approach is to focus on in-house software applications to achieve the same goals, said Richard B. Cahill, president of Authentix Network Inc., Tucson, Ariz.
Because of concerns about containing fraud, roaming within and among Latin American countries and between these countries and the United States is now restricted, said Corsair’s Thompson.
“It’s an incredibly fast growth market, very immature about distribution channels, that looks a lot like the United States five to six years ago,” he said.
“The sense of fraud isn’t there or [fraud] is difficult to quantify, so carriers think it doesn’t exist. That couldn’t be farther from the truth.”
Asian nations also have a significant fraud problem, Thompson said.
“What’s heartening about Asia is that carriers are looking at the problem and are beginning to implement solutions.”
National and corporate cultures are as much a factor abroad as are technical capabilities, said Davis of Equifax.
“Mainland China allows no credit check. Japan honors [a person’s] word or a handshake. Korea only ensures citizenship,” he said.
“Italy mimics the [United States’] traditional credit check. Ireland checks banking information.”
Inbound roaming challenges security
While much attention has been focused on fraudulent activity in outbound roaming, dual-mode phones and satellite telephony create a healthy potential for significant inbound roaming fraud.
Dual-mode phones pose a problem because “only a minority of roaming subscribers are authenticated in an optimal way” via an overlapping use of authentication in the inter-system messaging, the serving system infrastructure and the handsets, said Cahill of Authentix.
Roughly two-thirds of the top 50 Metropolitan Statistical Areas in the United States have some sort of authentication in place. However, projections are that “in 2000 there (still) could be more than 90 million non-authenticated handsets in circulation,” he said.
Daniels of AirTouch Cellular said most new PCS carriers “don’t have authentication because it is difficult and expensive to install, especially if you don’t have a cloning problem.
“They will find problems as they get into dual-mode phones.”
Danger from the skies
Satellite telephones are a sleeping giant when it comes to international roaming fraud possibilities, said Praesidium’s Bernstein.
“Satellites will get most of their revenues from inbound roaming where there is no terrestrial GSM service,” he said.
“This is a key risk to terrestrial wireless carriers. The moment a satellite offers roaming, thieves could take an illegally gotten smart card from a phone and put it in a satellite GSM phone, which would then be invisible to the whole network.”
Nefarious deeds on the Internet
“In 1999, most carriers will be conducting face-to-face sales, but there is a search for alternative, low-cost sales channels,” said Ruffin of GTE Wireless.
Internet sales, now a single-digit percentage of a $6 billion market in all industry sectors, are expected to zoom to 42 percent of a $25 billion consumer market in 2000, according to Drew Davis, vice president of fraud for Triton Cellular/PCS Inc., Kirkland, Wash.
“(About) 30 (percent) to 40 percent of transactions on the Internet today are fraudulent. The scariest thing is how do we stay one step ahead (of fraud) as call-in and electronic (customer) activations become more prevalent,” Ruffin said.
Becky Falls, fraud supervisor for US Unwired, Lake Charles, La., said the Internet has the potential to be “one of the worst ways we can be hit and not know it.”
“Everything we do in the very near future will be faceless, and if we don’t have safeguards in place, we won’t continue in this business.”
Not only is commerce headed to the Internet but so is wireless telecommunications transmission, said AirTouch Cellular’s Daniels.
“Today, there is too much latency, (or) delay, in [Internet Protocol] telephony. But within a few years a cell site may become a node for IP telephony, and cell phones will work in totally different ways,” he said.
“Fraud will move from the MIN to the content level, so the issue will be protecting the customer while on your system in order to do electronic commerce.”