4. TM FORUM AND
Fraud Group Overview
TM Forum Fraud Group works to assemble and maintain best
practices from operators around the world relating to Fraud
Management. This information will continue to be updated and
expanded to account for evolving fraud tactics.
TM Forum is a global, non-profit industry association focused on enabling
service provider agility and innovation, through the development of several
projects at key business areas:
65,000 Member Professionals
900+ Member Companies
195 Countries Represented
4
5. TM FORUM FRAUD GROUP
Fraud Management Guidebooks
GB954 Fraud Classification Guide
Arm operators with fraud information
and offers them a best practice for the
properly Classification of Fraud Cases:
o Fraud Classification Model
o Fraud Enablers Definitions
o Fraud Types Definitions
o Categories and Atributes
ZonOptimus attended TMForum Fraud Group sessions and proposed the development of
a Fraud Classification Model for the benefit of Telecom Industry
- Project started in January, 2012
5
6. 2. Reason for FCM Project
Why the Telecom Industry Requires a Model
6
7. TMForum 2012 Fraud Survey results, highlighted the lack
of a common Fraud Classification at Industry level:
o Distinct names for the same Fraud Types
o Distinct interpretations of same fraud incidents
o Multiple Frauds perpetrated in the same case
There is a clear need for a Multi-Dimensional Analysis
with different levels of abstraction.
Telecommunications
Industry was
presented with many
different and not
synchronized ways of
Fraud Classification
Roaming Fraud
Internal Fraud
Subscription Fraud
PaymentFraud
Credit Card Fraud
Hacking
SIM Cloning
Mobile Malware
Prepaid Fraud
Dealer Fraud
Wangiri
SS7 Tampering
Handset Subsidy Loss
PROBLEM AT INDUSTRY LEVEL
(at the time of project start up, January 2012)
7
9. 3. Core Concept of FCM
The Baseline for Fraud Classification Model
9
10. TECHNOLOGYFRAUDSTER OBJECTIVE ENVIRONMENT ATTACK CUSTOMER SERVICE PAYMENT IMPACTS
AAA
ViG
WLAN
Network
UTRAN
CS-CSCS-MS
CS-DS CS-WS
CS-AS
EFWS
SRD
EMA
Portal FOCAMN-OSS
MM
RSS-CSCF
S-CSCFI-CSCF
ENUM/
DNS
MGCF/SG
MG
N-SBGA-SBG
HSS
PSTN
PLMN
HTT
P/H
TTP
S
FTP
H.248
SIP
SIP
DIAMETER
ISC LDAP
DNS
SIP
ISUP
TDM
IMT
LDAP
HTTP/HTTPS
HTTP/HTTPS
BRI
PRI
BRI
POTS
SIP
H.323
SIP RTP
RTP
IP
Backbone
RTP
/SI
P/H
323
RT
P/
SIP
/H
32
3
GGSN
SGSN
PDG
WAG
P-CSCF
PCRF
Gx+
Rx+
Gm
(SIP)
DIAMETER
DIAMETER
PPS
DIAMETER
OSS-RC
Other VoIP
Networks
CORBA
Fraud Classification Attributes
FRAUD CASES CLASSIFICATION
FRAUD
TYPE
ENABLER
TECHNIQUE
The core concept of the “Fraud Classification Model” is a clear differentiation at the Classification of Fraud Cases between the:
o ENABLER TECHNIQUE
What was the vulnerability method explored to get access to network, products or services?
versus
o FRAUD TYPE
What was the fraud committed at network, products or services by exploring the vulnerability above?
FRAUD CLASSIFICATION MODEL
(BASIC PRINCIPLES)
10
11. In some circumstances the “Enabler Technique” is not a fraudulent attack but the exploitation of a risk
vulnerability from other Business Assurance areas, such as Revenue Assurance and Security
Management:
o The FCM assumes the relationship of the Fraud Management activity to Security Management; Revenue
Assurance and Risk Management Functions
The Fraud Classification Model assures CSPs/Operators with data collection to allow the
Understanding of Fraud and the development of Mitigation Strategies at the following levels:
o Revision of Internal Procedures, Processes and Products/Services
o Implementation of Technical Solutions at Network and Service Platforms
o Development, Enhancement and Updated Configuration of Fraud Management Systems (FMS)/Control Solutions
11
FRAUD CLASSIFICATION MODEL
(BASIC PRINCIPLES)
12. “Fraud Classification Model Brain-Center”
- Revision of Internal Procedures, Processes
and Products/Services
- Implementation of Technical Solutions at
Network and Service Platforms
Development, Enhancement and Reconfiguration of
Fraud Management Systems (FMS)/Control Solutions
Subscription Fraud
Hacking
Customer Account Take-Over
Mobile Malware
FRAUD ENABLER
(fraudulent way to obtain/access service)
FRAUD TYPE
(fraudulent scheme)
TELECOMSSERVICEFRAUD
SIM Card Cloning
Network/Protocol/Signalling
Manipulation
Tariff Rates/Pricing Plan Abuse
Social Engineering
Arbitrage
International Revenue Share Fraud
Service Reselling
Wholesale Fraud
Private Use
Commissions Fraud
Traffic Inflation for Credits/Bonus
Charging Bypass
Interconnect Bypass
SIMBox Gateway
Theft of Company
Handsets/Equipments
OBJECTIVE
(Scope)
Make Money/Profit
Obtain Free
Services/Goods
Obtain Credits/Bonuses
Obtain Commissions
Access User Bank
Account
Access Subscriber
Information
……….
BUSINESS
ASSURANCE AREAS
Security
Management
Fraud
Management
Revenue
Assurance
12
FRAUD CLASSIFICATION MODEL (BASIC PRINCIPLES)
13. The Effective Relation Between “Fraud Enablers” and “Fraud
Types”
Fraud Types
Advance Payment Fraud a a
Charging Bypass a a a a
Commissions Fraud a a a a
Interconnect Bypass / SIMBox Gateway a a a a
International Revenue Share Fraud (IRSF) a a a a a a a a a a a a a a a a a a
Toll Free Number Fraud a a a a
Money Laundering a
Online Banking Fraud a a a a a a a
Premium Rate Service Fraud a a a a a a a a a a a a a a a a a a
Private Use a a a a a a a a
Service Reselling a a a a a a a a a a a
Spamming a a a a a a a a a
Theft of Company Handsets / Equipment a a a a
Theft of Information a a a a a a
Traffic Inflation for Credits / Bonus a a a a a a
Wholesale Fraud a a a a a
TariffRates/PricingPlansAbuse
ClipOnAbuse
TechnicalFailureatNetwork/ServicePlatforms
SocialEngineering
SubscriptionFraud
FraudEnablers
Network/Protocol/SignalingManipulation
OpenSMS-CAbuse
Operator/Company/Brand/StaffImpersonation
Phishing
CustomerHandset/EquipmentTheft
FalseBaseStationAttack
Hacking
MaliciousApplication/Software
MisconfigurationofNetwork/ServicePlatforms
MobileMalware
AbuseofCompanyProcedures/Processes
Arbitrage
Cloning
CompromisedCreditCards
CustomerAccountTake-Over
Relational Matrix | Fraud Enablers vs Fraud Types
Fraud Classification Model (Basic Principles)
13
GB954 Fraud Classification Guide
15. GSMA Fraud Forum | Ireland and Malta Meetings
May and September 2012
ZonOptimus presented the Core Concept of the Fraud
Classification Model at the GSMA Fraud Forum event held in
Ireland (May 2012).
Fraud Forum updated its Fraud Incident Reporting
template, readapting it to include FCM Core Concept and
issued a new version at the FF meeting held in Malta
(September 2012).
15
MODEL SHARING WITH GSMA FRAUD FORUM
16. FF Classification before September, 2012 FF Classification after September, 2012
BEFORE AFTER
16
MODEL SHARING WITH GSMA FRAUD FORUM
17. CFCA Educational Event | Scottsdale, USA | September 2012
Presentation of Fraud Classification
Model to CFCA (Communications
Fraud Control Association)
organisation.
CFCA updated its Fraud Reporting
template, readapting it to include FCM
Core Concept.
CFCA (Communications Fraud Control Association)
17
MODEL SHARING WITH CFCA
18. Fraud Classification before October, 2012 Fraud Classification after October, 2012
BEFORE AFTER
18
MODEL SHARING WITH CFCA
19. 2013 CFCA Worldwide Communications Industry Fraud Survey
Released at 5th September, 2013 the annual CFCA Fraud Survey, is now reflecting the Core Concept
(Fraud Enablers vs Fraud Types) of the Fraud Classification Model, but still some adjustments need to
be made to the survey in the future.
FRAUD TYPE
(fraudulent abuse)
Wholesale Fraud | USD$ 5.32 B
Premium Rate Service | USD$ 4.73 B
Cable or Satellite Signal | USD$ 3.55 B
Hardware Reselling | USD$ 2.96 B
Hacking | USD$ 8,04 Billion
- PBX (USD$ 4.42B)
- VoIP System (USD$3.62B)
Account Take Over | USD$ 3.62 B
FRAUD ENABLER
(fraudulent way to obtain/access service)
TELECOMSSERVICEFRAUD
(ValuesinUSD$Billions)
Subscription Fraud | USD$ 5.22 B
USD$ 6.11 Billion of the frauds have been committed in Roaming
USD$ 3.35 Billion of the frauds have been perpetrated by Dealers
NOTES
Estimated Global Fraud Losses
o USD$ 46.3 Billion
Estimated Global Telecoms Revenues
o USD$ 2.214 Trillion
Fraud Losses as % of Telecoms Revenues
o 2.09%
19
20. FIINA Plenary | Port Louis, Mauritius | November 2012
Presentation of Fraud Classification
Model to the FIINA (Forum for Irregular
Network Access) plenary meeting held
in Mauritius.
Liaison Agreement signed between
TMForum and FIINA for future
cooperation and joint activities on FCM
(project running).
MODEL SHARING WITH FIINA
20
22. GENERAL
DATE:
CUSTOMER TYPE:
CUSTOMER SUB TYPE:
ACQUISITION SALES CHANNEL:
PAYMENT METHOD:
PAYMENT TYPE:
LOSSES QUALITATIVE:
LOSSES QUANTITATIVE:
MAIN IMPACTS:
CASE DESCRIPTION:
OPERATOR:
COUNTRY:
REGION:
FMS STATUS:
ENABLERFRAUDTYPE
FRAUD ENABLER:
ATTACK TYPE -
FRAUDSTER TYPE -
LOCATION -
ENVIRONMENT -
FRAUD ABUSE/TYPE:
LOCATION -
ENVIRONMENT -
OBJECTIVE -
TECHNOLOGY -
SERVICE -
SUPPLEMENTARY SERVICE -
FRAUD CLASSIFICATION FRAUD MITIGATION
DETECTION:
DETECTION SYSTEM -
PREVENTION:
PREVENTION SYSTEM -
MITIGATION DESCRIPTION:
22
Fraud Classification Model RegisterModel Concept Template
23. Fraud Classification Model Register
ENABLERTECH
FRAUDTYPE
FRAUD ENABLER: …..
ATTACK TYPE -
FRAUDSTER TYPE –
LOCATION –
ENVIRONMENT –
FRAUD ABUSE/TYPE: …..
LOCATION –
ENVIRONMENT –
OBJECTIVE –
TECHNOLOGY -
SERVICE –
SUPPLEMENTARY SERVICE -
FRAUD CLASSIFICATIONFRAUD ENABLERS
Abuse of Business Procedures/Processes Weaknesses
Abuse of Technical Failure at Network/Service Platforms
Arbitrage
Cloning
Compromised Credit Cards
Customer Account Take-Over
Customer Handset/Equipment Theft
Customer Handset/Equipment Configuration Abuse
False Base Station Attack
Hacking
Malicious Application/Software
Misconfiguration Abuse of Network/Service Platforms
Mobile Malware
Network/IT Systems Access Abuse
Network/Protocol/Signalling Manipulation
Open SMS-C Abuse
Operator/Company/Brand/Staff Impersonation
Phishing
Social Engineering/Single Ring Solicitation
Subscription Fraud
Tariff Rates/Pricing Plans Abuse
Clip On Abuse
Abuse of Contract Terms and Conditions
ATTACK TYPE
External
Internal
FRAUDSTER TYPE
Hacker
Dealer
Business Partner
Service User
Third Party
Employee
Service Provider
…….
LOCATION
Home Network
Visited Network
Home and Visited
Network
National Network
International Network
Customer Offices
Dealer Offices
World Wide Web
…….
ENVIRONMENT
National Territory
International Territory
Roaming IN
Roaming OUT
…..
Categories and Attributes Description – Fraud Classification (1)
23
24. Fraud Classification Model Register
ENABLERTECH
FRAUDTYPE
FRAUD ENABLER: …..
ATTACK TYPE -
FRAUDSTER TYPE –
LOCATION –
ENVIRONMENT –
FRAUD ABUSE/TYPE: …..
LOCATION –
ENVIRONMENT –
OBJECTIVE –
TECHNOLOGY -
SERVICE –
SUPPLEMENTARY SERVICE -
FRAUD CLASSIFICATION
FRAUD TYPES
Advanced Payment/Fee Fraud
Charging Bypass
Commissions Fraud
National Revenue Share Fraud
Interconnect Bypass/SIMBox
Gateway
IRSF (International Revenue Share
Fraud)
Money Laundering
Online Banking Fraud
Premium Rate Service Fraud
Private Use
Service Reselling
Spamming
Theft of Company
Handsets/Equipments
Theft of Information/Content
Toll Free Number Fraud
Traffic Inflation for Credits/Bónus
Wholesale Fraud
LOCATION
Home
Network
Visited
Network
Home and
Visited
Network
National
Network
International
Network
Customer
Offices
Dealer
Offices
ENVIRONMENT
National
Territory
International
Territory
Roaming IN
Roaming OUT
…..
OBJECTIVE
Make Money/Profit
Obtain Free
Services/Goods
Collect
Credits/Bonuses/C
ash
Obtain
Commissions
Access/Steal
Information
Access User Bank
Account
Operator’s
Impersonation
TECHNOLOGY
GSM
GPRS
3G
4G/LTE
IP /IMS
CDMA
ADSL
FTTH
……….
SERVICE
Voice Inbound
Voice Outbound
VoIP Inbound
VoIP Outbound
SMS Inbound
SMS Outbound
MMS Inbound
MMS Outbound
Data
M – Commerce
M – Payments
SUPPLEMENT
SERVICE
Call Conference
Call Forward
Call Hold
……….
Categories and Attributes Description – Fraud Classification (2)
24
25. GENERAL DATE: June, 2013
CUSTOMER TYPE: Postpaid
CUSTOMER SUB TYPE: Corporate
Business
ACQUISITION CHANNEL: NAp
PAYMENT METHOD: Postpaid Invoice
Payment
PAYMENT TYPE: Various
LOSSES QUALITATIVE: Very High
LOSSES QUANTITATIVE: Financials
NAv (150.000 minutes)
MAIN IMPACTS: Financial
CASE DESCRIPTION: Tests performed at Network/Session Border Gateway (SBG) for new VoIP Services left a backdoor at network level.
This vulnerability was used by an IP Address originating from Palestine who hacked SBG and performed 150.000 minutes of calls to Int. Premium Rate Services.
OPERATOR: Eagle Telecom
COUNTRY: USA
REGION: North America
FMS STATUS: In-House FMS
ENABLERTECHFRAUDTYPE
FRAUD ENABLER: Hacking: Session Border Gateway
ATTACK TYPE - External
FRAUDSTER TYPE – Hacker
LOCATION – Home Network
ENVIRONMENT – National Territory
FRAUD TYPE: IRSF (Spain; Somalia and Zimbabwe)
LOCATION – Home Network
ENVIRONMENT – National Territory
OBJECTIVE – Make Money/Profit
TECHNOLOGY – IP IMS
SERVICE – VoIP Outbound
SUPPLEMENTARY SERVICE – NAp
FRAUD CLASSIFICATION FRAUD MITIGATION
DETECTION: Traffic Monitoring/Analysis
DETECTION SYSTEM – Fraud Management System (FMS)
PREVENTION: Network Technical Solution
PREVENTION SYSTEM – Session Border Gateway (SBG)
MITIGATION DESCRIPTION: Engineering Department secured SBG
and blocked calls to International Premium Rate Services for all future
Network testing programs.
Case 1
25
26. 6. FIINA Fraud Reporting Template
The Summary of the Work Made at FIINA
26
30. 7. An Industry Perspective Through the Model?
The Model Potential
- Graphics hereby presented do not represent an Industry reality
- Fraud varies from region-to-region
30
32. IRSF (International Revenue
Share Fraud)
Interconnect Bypass/SIMBox
GatewayCharging Bypass
Private Use
Wholesale Fraud
Theft of Company
Handsets/Equipments
Commisions Fraud
Theft of Information
Service Reselling
Traffic Inflation for Credits/Bonus
32
World–Wide Fraud Types
33. IRSF (International
Revenue Share Fraud)
Service Reselling
Theft of Information
Premium Rate Service Fraud
Wholesale Fraud
Spamming
What Are the Main Fraud Types
Committed Through Hacking?
Fraud Types Through Hacking
PABX
VoIP Gateway/Switch
SMS - C
IP Broadband Router
Mobile Voice Mail System
Websites
SIP Switch
Network Elements Victim of Hacking?
33
34. 34
Wholesale Fraud Through Hacking
FRAUD OPERATION SCENARIO | TRAFFIC BROKERING | CASE STUDY
Negotiating “Traffic Termination Rates” at
the Wholesale Market.
Traffic Brokers offer the lowest price for call
termination at a specific country.
TRAFFIC BROKERS
(Least Cost Routers)
TELECOM OPERATORS
(Mobile-Fixed-Convergent)
END CUSTOMERS
(Mobile-Fixed-Convergent)
Pays Termination
Hacking Corporate Customers IP-BX Systems to
terminate traffic for free, forcing the Billing of these
calls upon Telecom Clients.
Hacked Corporate Customers pay the termination rate.
Traffic Negotiation
Traffic Negotiation
Traffic Negotiation
CORPORATE CUSTOMER
CORPORATE CUSTOMER
CORPORATE CUSTOMER
HACKING
HACKING
HACKING
35. IRSF (International Revenue Share
Fraud)
Theft of Company
Handsets/Equipments
Commisions Fraud
Traffic Inflation for Credits/Bonus
Premium Rate Service Fraud
Interconnect Bypass/SIMBox
Gateway
Private Use
Fraud Types Through Subscription Fraud
36. IRSF (International
Revenue Share Fraud)
Wholesale Fraud
Interconnect Bypass/
SIMBox Gateway
Traffic Inflation for
Credits/Bonus
Fraud Types Through Arbitrage
38. Service Reselling
Theft of Company
Handsets/Equipments
Premium Rate Service Fraud
HomeBanking Fraud
Commisions Fraud
IRSF (International Revenue Share
Fraud)
Fraud Types Through Customer Account Take-Over
39. Revenue Assurance
- Arbitrage
- Open SMS-C Abuse
- Tariff Rates/Pricing Plans Abuse
- Misconfiguration Abuse of Network/Service Platforms
- Abuse of Technical Failure at Network/Service Platforms
Fraud Management
- Customer Account Take-Over
- Operator/Company/Brand/Staff Impersonation
- Phishing
- Social Engineering
- Subscription Fraud
- Customer Handset/Equipment Theft
- Abuse of Business Procedures/Processes Weaknesses
Security Management
- Cloning
- Compromised Credit Cards
- False Base Station Attack
- Hacking
- Malicious Application/Software
- Mobile Malware
- Network/Protocol/Signalling Manipulation
- Misconfiguration Abuse of Network/Service Platforms
Fraud
Management
Security
Management
Revenue
Assurance
Classification of Enablers by Business Assurance Area
42. Subscription Fraud
Hacking
Arbitrage
Social Engineering
Customer Handset/Equipment Theft
Misconfiguration Abuse of
Network/Service Platforms
Compromised Credit Cards
Customer Account Take-Over
Enablers Contributing to IRSF (International Revenue Share Fraud)
43. Tariff Rates/
Pricing Plans Abuse
Subscription Fraud
Abuse of Business
Procedures/Processes Weaknesses
Arbitrage
Enablers Contributing to SIMBox Gateway Fraud
44. IRSF (International
Revenue Share Fraud)
Interconnect
Bypass/SIMBox
Gateway
Private Use
Charging Bypass
Traffic Inflation
for Credits/Bonus
Wholesale Fraud
Credit Balance
Reselling
Commisions Fraud
Fraud Types at Prepaid
Variations of Fraud Types at Prepaid vs Postpaid Customers
IRSF (International Revenue
Share Fraud)
Theft of Company
Handsets/Equipments
Service Reselling
Premium Rate
Service Fraud
Commisions Fraud
Private Use
Interconnect Bypass/SIMBox
Gateway
Wholesale Fraud
Fraud Types at Postpaid