Written by AB Handshake
While some parts of the world owe their economic growth to the expansion of telecommunications services, this doesn’t come without a cost. With this expansion comes a rise in telecom fraud, with specific forms of fraud spiking in different regions. Today, we’ll focus on SIM box fraud.
The cost of SIM box fraud to telecom operators around the world each year is enormous. A CFCA Fraud Loss Survey estimates that operators lost nearly USD 2.71 billion to bypass fraud alone in 2019.
The use of SIM boxes also poses a threat to national security. The governments of various countries, such as the UK, Ghana and India, fear that SIM boxes are falling into the hands of terrorists.
If both telecom operators and governments wish to stop SIM box fraud, it raises the question: why hasn’t it been done yet? Why does this fraud scheme remain such a widespread danger?
There are three interconnected problems that have prevented telcos and their partners from finding an ultimate solution:
- The telecom community still underestimates the scope of SIM box fraud by conflating the fraud they detect with all of the fraud that occurs.
- Operators often associate SIM box fraud with specific operators in specific countries, become complacent and overlook how easy it is for a criminal or terrorist to ramp up SIM box use wherever they are motivated to do so.
- Insufficient fraud monitoring techniques appear successful in the short term because they continuously find new cases of fraud, instead of permanently stopping new attacks from recurring.
One of the biggest mistakes the telecom community has made over the past several decades is widely accepting the notion that SIM box fraud (and most telecom fraud) can be prevented with operators working on protecting themselves in isolation.
In short, it rests on the belief that if an operator can protect their own networks well enough, then the SIM box fraud problem will simply drift away from their business and migrate to other operators’ networks.
This is like believing burglars won’t steal from your home if you put bars on your windows while your neighbors leave their doors unlocked. Fraud is like a virus – the more people are infected, the harder it is for anyone to stay safe.
As such, we began realizing that industry-wide problems like SIM box fraud won’t be stopped by individual operators cleverly trying to protect themselves in isolation.
Below are some specific strategies operators use and why, exactly, they aren’t effective.
Shortcomings of Traditional SIM Box Prevention Techniques
There are several methods currently used by operators to limit SIM box fraud, all of which struggle to stop it completely. In most cases, they simply force fraudsters to evolve their tactics.
Let’s look at each approach individually.
Guaranteed Monthly Detection
Operators often add a point in their contract with Fraud Management System (FMS) vendors guaranteeing the FMS will detect a minimum number of SIM box attacks every month.
This obviously provides a sense of security, since the operator can rest assured that they will be protected from a minimum number of SIM box attacks each month. However, this also poses a problem:
The vendor and the operator both expect (and accept) that the number of attacks will always remain above a certain level.
This strategy simply limits the criminals’ profits by forcing them to continuously switch SIMs. But it doesn’t ultimately stop SIM box fraud.
Making test calls is a common method operators use to detect SIM box fraud.
Here’s how it works:
An operator sets up a test call generator in a foreign country and uses it to dial one set of the operator’s numbers. Upon receiving the calls, the operator checks if the Calling Line Identity (CLI) matches the real originating number. If a local phone number appears, instead, they know the call has been hijacked by SIM box fraud (routed through a SIM box).
However, this approach isn’t very efficient – the operator has to make repeated calls to find which routes are being manipulated. The cost of each of these calls adds up quickly.
Moreover, the effectiveness of this approach steadily decreases over time, for two reasons.
Fraudsters have become more sophisticated in their response to test numbers – they often intentionally avoid re-routing an operator’s test calls via their SIM box.
On the other hand, they sometimes even allow the operator to detect some portion of their SIMs to give the operator a false sense of confidence in their fraud detection techniques. Meanwhile the criminals keep the full extent of their SIM box operation hidden.
Another method of detecting SIM box fraud is via data analytics. After all, the patterns of SIM box calls differ from regular calls and can be detected in this way.
Some companies have suggested using machine learning to advance data analysis and reach a new level of SIM box detection. While such technology helps, the degree of improvement is relatively small – fraudulent calls continue undetected.
In the end, providers are still losing billions of dollars each year to SIM box fraud.
The problems don’t only lie in our detection techniques. We also lack a sufficient way to take action and stop it, once we identify an attack.
Upon detection, whether via test calls or machine learning, the logical next step operators have always taken is to de-provision the detected SIMs.
In a SIM box, each SIM remains effective until the moment the operator de-provisions it. At this point, the criminals just replace it with another SIM, and continue on, business-as-usual.
The operator is constantly trying to catch up to the criminals while the fraud continues.
This strategy also leads to another problem – natural selection. The most clever criminals with the best innovation survive, creating better methods for evading detection.
This approach merely creates an inconvenience for the criminals but doesn’t stop SIM box fraud altogether.
Stopping Fraud Before it Happens
Both test calling and machine learning help detect criminals who have already successfully connected their SIM box operation and are manipulating connections.
While they have mitigated some level of fraud, the end result has simply been a game of cat-and-mouse between operators and criminals.
What if we had an airtight barrier that could lock SIM box fraudsters outside of our networks and stop the attacks before they start?
With real-time cross-validation of call details, we can absolutely create such a barrier and do away with SIM box fraud (and all other fraud types) once and for all.
Let’s discuss, in detail, what cross-validation is and how it can be used to stop telecom fraud.
Real-Time Cross-Validation – The Key to Stopping Telecom Fraud
This strategy relies on sharing call details of the originating line for both inbound and outbound calls.
This is how it works:
- When a call is initiated, the originating network records important call details to Call Registry A. These details include the A and B numbers and a time stamp for the beginning of the call.
- The terminating network receiving the call sends the respective call details to Call Registry B.
- The two registries then simultaneously exchange encrypted messages via the internet to check if their details match (cross-validation).
A similar exchange of call details then takes place when the call ends.
If any third party has interfered with the call while it was taking place, such as spoofing the A-number, stretching its duration or short stopping it, there will be a discrepancy between the registries. Any discrepancy can mean only one thing – fraud.
When this happens, networks can choose to end the call immediately or let the call proceed, which may be wise if one of the registries experiences an outage.
This method is similar to using test calls. However, within the community of operators using the handshake, each operator conducts such testing for all partners by validating its own outgoing traffic.
Cross-Validation to Detect SIM Box Fraud
In the case of SIM box fraud, the CLI in the terminating network’s call details won’t match the CLI recorded in the originating registry, immediately indicating interconnect bypass (SIM box fraud).
In this case, the following happens:
- The original call gets intercepted by a criminal, routed via a SIM box and the A-number is replaced with a local number.
- An out-of-band verification request is simultaneously delivered to the terminating operator.
- Since the verification request doesn’t perfectly match any of the calls received by the terminating network, only a partial match is confirmed (containing the timestamp and the B-number).
Such a partial match immediately means the call has been routed through a SIM box. The attack is then blocked, in real time, before the call can be connected.
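The matching rule described above, sketched in Python as an added example (not AB Handshake's code or message format). The record fields follow the article; `MAX_SKEW`, the verdict strings, the function names and the sample numbers are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed clock tolerance between the two networks; the article gives no value.
MAX_SKEW = timedelta(seconds=5)

@dataclass(frozen=True)
class CallRecord:
    a_number: str      # calling party (CLI)
    b_number: str      # called party
    started: datetime  # timestamp for the beginning of the call

def cross_validate(request: CallRecord, received: list[CallRecord]) -> str:
    """Compare the originating registry's record with calls seen at termination."""
    verdict = "no_match"
    for call in received:
        same_b = call.b_number == request.b_number
        in_window = abs(call.started - request.started) <= MAX_SKEW
        if not (same_b and in_window):
            continue
        if call.a_number == request.a_number:
            return "full_match"       # call arrived with its original CLI
        verdict = "partial_match"     # B-number and time agree, CLI was replaced
    return verdict

def decide(verdict: str, registry_reachable: bool = True) -> str:
    """Block partial matches; let calls proceed when the peer registry is down."""
    if not registry_reachable:
        return "connect"              # fail open during a registry outage
    # Assumption: only a partial match is blocked; the article states no
    # policy for a request that matches no received call at all.
    return "block" if verdict == "partial_match" else "connect"

# Constructed sample data (not real subscriber numbers).
T0 = datetime(2024, 1, 1, 12, 0, 0)
REQUEST = CallRecord("+15555550100", "+445550000001", T0)
CLEAN = [CallRecord("+15555550100", "+445550000001", T0 + timedelta(seconds=1))]
BYPASSED = [CallRecord("+445550000999", "+445550000001", T0 + timedelta(seconds=2))]

if __name__ == "__main__":
    for name, calls in (("clean", CLEAN), ("bypassed", BYPASSED)):
        v = cross_validate(REQUEST, calls)
        print(name, v, decide(v))
```

In this sketch an unrelated caller reaching the same B-number inside `MAX_SKEW` would also produce a partial match, so the window size is the parameter to tune.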
This new way of detecting SIM box fraud is significantly more efficient than traditional test call techniques because it turns every organic inbound call into a test call.
Every route is tested, round the clock, by organic traffic generated by real end-users. Real-time, immediate cross-validation makes it impossible for fraudsters to develop an effective countermeasure.
Fraudsters also won’t be able to game the validation process by making their traffic appear more authentic.
Instead of minimizing the delay between detecting the manipulation and purging the fraudster’s SIM from your network, the originating and terminating networks can immediately stop a call that’s been manipulated before it connects.
Because none of the fraudulent calls are connected, operators enjoy absolute elimination of revenue leakage. This is an unprecedented level of protection for the telecom industry and makes it an exciting time to be a part of this sphere.
A Universal Solution
Telecom fraud managers are familiar with implementing several different techniques, each with varying weaknesses and strengths for preventing fraud. With today’s technology, we can now test every route with live traffic terminated in every country around the globe.
Operators no longer have to take a reactive approach to fraud, attempting to reduce future attacks.
Real international calls received by a terminating network are immediately validated by the handshake before the call is connected. The result is immediate detection of any SIM box involved in delivering the call.
Validating this traffic also allows operators a glimpse into the scale of SIM box fraud on all inbound traffic.
Operators see the benefits from the first day they install the handshake into their systems.
This technology is a game-changer for the telecommunications industry. Universal adoption of such a handshake would eliminate all SIM box fraud (and all other fraud types) around the globe, once and for all.