- Email: [email protected]
Mobile phone fraud — Are GSM networks secure?
FEATURE
Mobile Phone Fraud - - Are GSM Networks Secure? Ken Wong Insight Consulting ~raud on mobile analogue networks has grown
F dramatically in the last few years. In the US, cellular fraud is reckoned to cost the telecommunications industry a million dollars a day. In the UK, many of the hot destinations for call selling are in the Indian sub-continent. The root of the problem lies with population migration from Indian sub-continent to the rest of the world; and emigrants want to talk to their relatives back home. Frauds in the Middle East are also tied to that. In the Far East and South America, many of the frauds are drug related. Frauds in North America are also related to population migration.
overseas roaming partners for their bogus and genuine subscribers' fraudulent domestic and international calls. The management of stolen handsets, subscription fraud or fraudulent calls on the network can be very d e m a n d i n g on resource. For instance, a real-time network fraud management system could cost upwards of £1-2 million to implement and administer. In the UK, when a subscriber lost his handset, he would forfeit his equipment subsidy and have to pay the full cost of a replacement handset, which is between £200 and £300. From the time a handset was reported stolen or a network fraud was detected, a subscriber's services would be turned off until the problems had been resolved and a replacement handset issued. In the mean time, inability to receive or make calls can lead to i n c o n v e n i e n c e and f r u s t r a t i o n , t h e r e b y straining customer relations to the extreme. Small traders and mobile workers who are deprived of their mobile phone could suffer serious business disruption and even loss of revenue. Corporate subscribers could also lose business and business opportunities. On the other hand, over-enthusiasm of security staff to cut fraud could result in customers making long business calls being c u t - o f f in mid-stream. Staff insensitivity in the mishandling of the situation could increase churn and loss of future revenue from good customers.
Fraud losses
Downward trend
Losses incurred could range Dom airtime losses for network operators to loss of revenue and equipment for s e r v i c e p r o v i d e r s and d e a l e r s f r o m f r a u d u l e n t subscriptions to obtain mobile services and handsets without payment.
V o d a f o n e in the UK r e c e n t l y i n t r o d u c e d a PIN authentication system on its analogue network. The 16-digit PIN is entered by the subscriber on request from Vodafone, usually when the phone is first turned on. The PIN is then used as an encryption key to scramble the electronic serial number (ESN) of the phone as it is transmitted in the air interface. Whenever the phone is turned on, or an outgoing call to a new number is made, the broadcast ESN is changed. Using this approach e n s u r e s that a n y o n e c a p t u r i n g the E S N and its associated mobile identity number (MIN) from the air interface only has a small window of opportunity to make an unauthorized call using the data, before it is scrambled again.
For network operators, fraudulent traffic causes channel congestion and thereby inability to fully exploit channel capacity to increase revenue. In one call selling operation, the network detected a high growth rate in call traffic in East London and decided to build a new exchange to cope with the increased calls - - only to find that no one was paying for the services afterwards. N e v e r t h e l e s s , o p e r a t o r s still h a v e to p a y f o r inter-connect charges to fixed networks or to their
Computer Fraud & Security © 1996 Elsevier Science Ltd
November 1996
11
FEATURE There is evidence to show that user authentication does cut down on fraud. In March 1996, Vodafone found the number of calls from cloning has been reduced by 50%. The company says phones manufactured after May 1993 for connection to analogue should support the authentication system. At the same time, companies providing a recovery service to service providers after their subscribers' handsets have been cloned or stolen have also reported a noticeable downturn in their business.
encryption process to transmit the TMSI details, in an encrypted form, to the mobile handset, where it is decrypted. The TMSI conceals the identity of the subscriber, and his whereabouts on the network cannot be determined from eavesdropping on the air interface.
GSM security
Value-added services
The family of mobile digital systems - - GSM, PCN and PCS operating at 900, 1800 and 1900 MHZ frequency bands respectively - - all have the same security architecture built into the system's design. There are three key aspects to GSM security: message secrecy is preserved over the air interface. The 64-bit key, Kc, used to encrypt call and signal data c h a n g e s e v e r y time the cal l er communicates with the network's base station at the cell site. As a result, the key used to encrypt the forward data from the base station to the Ilandset is different from the key for encrypting the return data from the handset to the base station. Note that normally there is no data encryption in the microwave or wireline transmission from the base station to the base station controller, and the onward transmission to the mobile switch centre - nor on any of the fixed components of the mobile network. Encryption
--
pre-call subscriber identity verification is done via a challenge response system - using a 128-bit key, Ki, which is specific to the subscription, to generate a 32-bit response to a 128-bit random challenge. The use of one-time passwords is similar to the Vodafone authentication scheme above. Authentication
--
the International Mobile Subscriber I d e n t i t y (IMSI), which u n i q u e l y i dent i f i e s the subscriber, is used to set up a call session if there are no other means to identify the subscriber. After the initial successful authentication, the network assigns an anonymous Temporary Mobile Subscriber Identity (TMSI) to the Subscriber Identity Module (SIM) s m a r t c a r d l a t c h e d to the m o b i l e handset. T he authentication process automatically activates the Anonymit
12
3, - -
Fraud exposures in GSM services These include a number of value-added services and international roaming.
G SM v a l u e - a d d e d servi ces such as third party conference calls and call transfers, have been misused by criminals to support their call selling business. In conference calling, a fraudster sets up the call by calling a customer and a third party - - and he then drops off. In a call transfer, the call seller sets up a call between two parties and then is available to set up another call. This is a serious fraud instrument in GSM and GSM handsets have often been used this way in a number of analogue handsets in call selling operations. Criminals have enhanced their fraud business by making multiple call-forwarding to sell simultaneous calls on a single SIM. In one case, a UK network operator discovered that 110 call forwards had been made in two hours, and one SIM had produced 12.5 hours of calls in those two hours. In another case, they found the forwarded number had changed every 16 hours, and £12 000 of calls had been made to destinations outside Europe. The advice of charge feature on the SIM card was used as a basis for charging customers for their calls. These are not possible with analogue phones. An operator providing insecure services could lead to loss of privacy or confidentiality, e.g. short message service (SMS) details deposited by subscribers could be o p e n to b r o w s i n g and t a m p e r i n g at the SMS management centre. Premium Rate Services (PRS) are often used for f r a u d u l e n t p u r p o s e s . A PRS o w n e r c o u l d ask collaborators to dial in with stolen or cloned phones to, e.g. a PRS in Hong Kong or Ireland, and build up the fraudulent income of the PRS owner.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE International roaming International roaming fraud is unique to GSM as analogue handsets cannot be used to make calls in another country. One fraud scam involved setting up an international call selling operation in one country, say the UK, and using SIM cards from a German or French network. Not so long ago, one of the popular frauds was to make fraudulent roaming calls or to run call selling operations using stolen or de-commissioned handsets from another country. This scam took advantage of the late reporting and billing calls from roaming partners at the time. In fact, a popular scam was to cancel the subscription before travelling to another country where the visited network has a roaming agreement with the home network. All overseas calls would then be made fraudulently on the visited network. A c c o r d i n g to the G S M M e m o r a n d u m of Understanding (MoU) guidelines, where a large number of calls was made by a visitor roaming in another country, e.g. exceeding 100 units a day, the visited network must fax a call report to the home network within 24 hours, detailing the calls made. In addition, if the full roaming call reports were not received by the home operator, by EDI or by tape, within 72 hours of call completion - - to be shortened to 36 hours after September 1996, and then to 24 hours some time in 1997. If the home operator does not receive the call reports within 72 hours, then he would not be liable for the fraudulent calls from his roaming subscribers. Clearing houses such as MACH and ROMEO are providing facilities to operators to speed up the forwarding of bills to the respective home operators for roaming calls made by visitors to their country, and also to affect the financial clearing of bill payments. They will undertake to provide the high roller fax reports as well as the EDI transfer of call records to roaming partners. Roaming fraud could also be perpetrated by dishonest operators - - by deliberately sending out incorrect bills to their roaming partners. This could be a small operator recently set up in business who did not have enough traffic volume to make the network viable.
Computer Fraud & Security November1996 © 1996 Elsevier Science Ltd
In a desperate attempt to make ends meet, he could review his past highest monthly bills to other operators, pretending that these calls had been made by their subscribers recently. Or he would simply delay or refuse paying his bills due to roaming partners.
Fraud exposure in GSM business processes A logical way to analyse your business and technology risks of a GSM system is to examine the fraud potential and security weaknesses inherent in the various business processes: subscriptions, network operation, billing, security management and management of SIMs and handsets.
Subscription fraud and control This type of fraud is procedural, not technical, in nature, and tends to be included with bad debt figures. But the scams are becoming increasingly sophisticated and organized. There are growing trends in compromised credit card usage and genuine customers selling their subscriptions into the black market. Investigators found criminals often worked in gangs using a paging network to pass information to each other, using a coding system to communicate with each other in secret. The names which are being used to apply for handsets and network connections are no longer simple extractions from telephone directories. For some time now, fraudsters have used the names and addresses of people who have moved recently. Fraudulent identities are easy to obtain, e.g. birth certificates of deceased persons reported in obituary, columns. Personal details of people who have recently emigrated, or gone into sheltered accommodation or mental homes, have also been used. Organized criminals would operate black markets at international level to supply credit-worthy names and addresses with supporting details to obtain successful subscription - - using other people's details (e.g. buying computer screen prints of genuine subscriber details on computerized application forms from dishonest service provider or dealer staff, using pensioner's details from credit bureaux, or customer details from mail order or hire purchase companies.
13
FEATURE S e r v i c e p r o v i d e r s have also d i s c o v e r e d some unscrupulous people were effectively selling their credit ratings to criminals. This allows a perfectly legitimate name and address to be used to obtain mobile phone subscriptions repeatedly: the owners of the names and addresses would be paid to keep out of the way and not to respond to any welcome messages to check the bona fide details of subscribers. Service providers also remind sales staff not to always believe the claims of some subscribers that they did not have a subscription with the company. Given the level of personal information required in the application form, it would be difficult for an impostor to supply such details. T h e p r i n c i p a l s a f e g u a r d against all forms of subscription fraud is based on validation: validation of the order, the customer, the contract and the business. Service providers often insist on customer service staff making welcome calls and sending out welcome packs to all customers with new connections. Welcome letters and welcome calls are very effective in finding instances w h e r e names and addresses have been misused. If the call has to be made to the mobile phone, then some very open questions have to be asked to check that the user can repeat the same information given on the order form. Staff should consider barring a customer if contact cannot be made. People who have simply bought a phone from a dubious source who are not expecting a bill will not know the answers to these questions. W h e r e the c o n t r o l c h e c k s f a i l e d or p r o v e d c o n c l u s i v e , t h e n an i n v o i c e w o u l d a l w a y s get someone's attention. The first invoice, whether for a connection charge or the first month's access charges, however small, should be sent off quickly. People tend to react to being billed whereas they could overlook anything which resembles junk mail. All p h o n e s s h o u l d be d e s p a t c h e d w i t h an international and premium rate bar in place - - unless they are going to a known corporate account. This will not prevent airtime fraud but will at least limit the damage. As long as customers are given a proper explanation, they are happy with such restrictions.
14
When a subscription fraud was discovered, the airtime commission would be clawed back from the dealer.
SIM personalization and activation SIM personalization is often done at the point-of-sale, to enter the new subscriber's details onto the SIM card. Some networks now offer pre-paid SIMs. A criminal could steal or illegally obtain such SIMs and sell them on to others as drug currency. To use the SIMs to make calls, handsets would need to be found. The use of pre-paid SIMs, or SIMs sale-on-demand, means a handset should not be locked to one particular SIM. This would negate the current practice of operators blacklisting dubious/stolen handsets which are locked to their specific group of SIMs. If it was a churn customer, he would have one handset and two or more SIMs. He would have to pay the former operator a fee to unlock the handset from his network, i.e. the first SIM. Providing pre-paid SIMs will create too many SIMs and will lead to a growing demand for stolen handsets. The cost of setting up a fraudulent account could be significantly r e d u c e d - - as the biggest overhead was the purchase of the handset, which could be circumvented with the use of a stolen handset. This would increase the number of fraudulent accounts. Where SIM personalization is completed at the SIM card manufacturer, service provider or dealer' s location, t h e r e is an a s s o c i a t e d risk o f d i s h o n e s t s t a f f personalizing the SIMs in stock for fraudulent use. Securing SIMs means addressing personnel security, in particular, to check the integrity of personalization department staff. Poor communication or lack of audit trails on the network for SIM activation/deactivation could provide opportunities for dishonest operation staff to illegally restore the de-activated SIMs of some ex-subscribers or bad debtors on the network.
Network operation If" the network switch has little or no intelligence, the system functionalities available may not be able to detect fraudulent traffic and/or terminate fraudulent calls whilst in progress.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE Also network staff could go into the system's authentication centre to obtain lists of IMSI, Ki pairs for individual subscribers and pass to criminals to copy to blank SIM cards. However, the fraud scheme would only work if they also have access to the encryption and authentication algorithms used on the network. Dishonest network staff could turn off the system's alarms for certain subscriber accounts when they detected the breaching of pre-set service limits or attempts to use any barred network services. Where the network uses an intelligent network (IN) system, weak security on the IN platform could allow dishonest operation staff to misuse network facilities through unauthorized hidden access to the home location register, the authentication centre, visitor location register, the equipment identity register, or the network management system. For instance, they could misuse the network management system to disable the link between the switch and the billing system to render all fraudulent calls made from a subscriber account non-chargeable. Or they could illegally connect SIMs to the network in such a way that no service provider is billed for the airtime (known as ghosting). Not all networks employ encryption in the traffic channel; some countries with strict Data Protection laws would disallow the use of strong encryption schemes anyway. In these cases, someone equipped with a radio scanner and a digital decoder could eavesdrop on the phone conversation and even capture the IMSI when the phone was switched on the fist time to make or receive calls. When Mercury One-2-One offered free off-peak local calls to its first subscribers, some parents were using the network for ingenious purposes, e.g. to baby-sit while they were out. Parents would leave their babies at home alone with a mobile in the cot as a makeshift intercom. They would buy two cheap phones, sometimes even charged to their employees, leave one with the child and dial in from their night out on the other and take advantage of the offer of tree evening calls.
Computer Fraud & Security November1996 © 1996 Elsevier Science Ltd
Billing and debt collection Corrupt billing staff could tamper with the billing process to send out reduced bills, grant illegal refunds or credits to friends and accomplices' accounts. Some corporate subscribers have witnessed the receipt of inflated bills from operators, dealers or service providers, but the onus was on subscribers to prove that some of the call records were fraudulent. Sometimes dishonest billing staff could be in collusion with dishonest accounts Staff of corporate customers. For instance, they could suppress or delay the invoking of debt collection procedures to allow fraudulent calls to continue unchecked, or even write off the debts illegally in return for a sweetener. Then there was the creation of ghost customers - phones were connected to the network independently of the billing system. The fraudster would pretend that the phone was for the internal use of the service provider staff and the addressee may be his own finance department. The service provider was thus charged on a wholesale basis but there was no retail bill produced. Ghosting would only be spotted by meticulously c o m p a r i n g w h o l e s a l e and r e t a i l bills f o r the discrepancies to come to light. Commission fraud was sometimes committed by d i s r e p u t a b l e dealers e x p l o i t i n g the d i s t r i b u t i o n c h a n n e l ' s financial i n c e n t i v e s - - to e n c o u r a g e customers to churn so as to collect commission for each connection.
Use/handling of handsets and SIM cards This could be equipment fraud, i.e. trying to obtain equipment fraudulently. One recent example involved a well known public company placing an order, on letter-headed paper, for a quantity of handsets and SIMs. The dealer called back to the number and confirmed the order. However, security staff got suspicious and followed the delivery van. They found the address to be a warehouse where the fraudsters would collect the equipment. One example in South Africa involved the use of false credit cards to purchase handsets. A simple credit card refusal was traced to its links with a series of other requests. A police ambush at the warehouse ended up
15
FEATURE with the arrest of a major credit card criminal when he turned up to collect the goods. International credit cards take longer for fraud to be discovered because of longer credit periods. There are many stolen credit cards in circulation and no delivery address would be required for buying a mobile phone. Another recent scam involved a dishonest dealer obtaining several mobiles for one customer. The customer supplied proof of identity and bought his phone in the normal way. Those same proofs of identity were again used repeatedly on the order forms of several service providers. More numbers were provided and connected and, incidentally, more commission was paid. The customer would respond positively to welcome calls and letters since he did buy a phone from the dealer. It was only much later that he discovered that he was being billed for more than one unit. GSM handsets are expensive to purchase in countries with new GSM networks being set up. A GSM handset costs from £200 and could be stolen to sell to China and India at a high price. Developing countries could produce fake Nokia or Motorola handsets at low cost and flood the market with counterfeit handsets. The press reported recently that dishonest dealers have broken up the heavily subsidized handsets of one PCN operator to ship parts to other countries where they could command premium prices. Handsets were also smuggled out of the country to be stockpiled for the introduction of GSM/PCN networks in Russia and China. The cost of the handsets to the dealer was around £20-25. They could sell off components and accessories such as batteries and cllargers alone in Germany for much higher prices. The GSM MoU requires operators to maintain an equipment identity register of blacklisted subscribers handsets which either do not operate properly (e.g. reserved for emergency use only) or equipment which has been reported lost or stolen. Recently, one GSM operator found PCN equipment was used on their network, suggesting that digital blacklisted handsets from other networks were being recycled by replacing the PCN circuit board with a GSM board from another, possibly stolen, handset. Stolen handsets or SIM cards which are not immediately reported to operators or
16
service providers could be sold to dealers trading in illegitimate handsets before services are switched off. SIM card cloning has so far proved to be both technically difficult and expensive to do and there was no evidence of criminals exploiting such techniques to perpetrate fraud. On the other hand, poor SIM card management would help the criminal by allowing an applicant to obtain several subscriptions - - some were even found with consecutive IMSIs - - or selling pre-paid SIMs which were illegally obtained. Some users do not use PIN codes to protect access to their SIM cards. This means that someone who stole the phone could use it to make calls unimpeded. In the Far East, PIN protection is often not activated and users are not made aware of such a protection facility. Also the thief could obtain the personal details and SMS details of the subscriber on the stolen SIMs.
Manufacture and distribution of SIMs F r a u d o p p o r t u n i t i e s c o u l d a r i s e f r o m SIM manufacturers operating an insecure manufacturing process. SIMs could be replicated or compromised by criminals forcing manufacturing staff to do a repeat run on the same batch of SIMs, or obtaining sensiti ve details from company files and databases to assist fraud schemes, e.g. details of customers' authentication and encryption algorithms. There would also be exposures if there were little or no controls to account for waste - allowing blank SIMs to be released to criminals. Poor controls in SIM and/or PIN distribution could lead to SIMs and the associated PINs falling to the wrong hands. There is no guarantee that SIM manufactures have adequate personnel security policy or procedures and enforce segregation of sensitive duties. This is seen by some operators to be the weakest link in SIM protection. Employees could be targeted by threat or inducement and encryption is useless against such threats. Operators rarely undertake a review of the technical security, physical security and personnel security practices on SIM manufactures. Many SIM manufacturers would also be producing banking smartcards and could already have been through security audits by their bank
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE customers. Nevertheless, good security procedures for banking cards, which by and large relate to physical security, do not give the same level of protection to phone services.
for international cooperation among operators and service providers to work together to combat fraud.
Security management and investigation
Technologyconvergence
Fraud prevention and control could be hampered by ineffective management or investigation, or inability to pool intelligence information together, e.g. only handling details on a case by case basis. No fraud database would be kept for statistical analysis of fraudulent behaviour, trends and e f f e c ti v e n e s s of
There are currently a number of corporate initiatives to set up their own virtual private networks (VPNs), or even to construct a super-VPN to span some 25-30 E u r o p e a n b l u e c h i p c o m p a n i e s , to r o u t e all inbound/outbound domestic/international calls via the corporate voice network in order to substantially reduce their telecommunications costs. The calls could break in or break out from the wired network to link to many mobile originating and mobile terminating access points.
"fraud analysis to nt,,y securitv "-s
countermeasures. This could make it difficult for case staff weaknesses" to cross-relate materials with other contemporary investigations to identify any underlying fraud patterns or key players behind a number of fraud scams.
New services development and roll-out In an increasingly crowded and competitive market, the business many be entirely market driven and tight development schedule precludes the proper validation of fraud control security measures in new products and services. To cut costs, security would be given low priority and control features were not designed into new products or services. Fortunately, a number of major operators have learnt their lessons from fraud losses in analogue networks. They now require their staff to be involved in the security design of new products and services; c o n d u c t i n g f r a u d a n a l y s i s to i d e n t i f y s e c u r i t y weaknesses and solutions; and even setting up a tiger team to try to crack the security system. Finally, new products/services must be signed off by the security team before roll-out to the marketplace. However, this is not always the case with new operators or small operators and so they would be more likely to be the fraud targets or organized criminals for the future. Unfortunately, this would have a knock-on effect on their roaming partners. This makes it essential
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
F u t u r e f raud a r e a s
Some VPNs have been setup in an insecure fashion, e.g. the network infrastructure accommodates the use of direct inward service access (DISA) facilities in the PABXs - - to allow employees to dial in to the company's PABX to make outbound international calls at cheap corporate rates. There have been many fraud cases reported of companies losing tens of thousands of pounds in call charges from criminals hacking into these PABXs to operate call selling operations. In one case, a company lost £250 000 in the space of six weeks. As a result many companies have instituted a list of hot countries where fraudulent calls are often directed and barred such destinations on the PABX. However, criminals and hackers have also learnt to get round such defences by using mobiles to make toll-free calls on the first leg - - to cover their tracks - to dial into one PABX in one country, routing the calls to another PABX on the other side of the Atlantic, to circumvent individual hot country lists, and then onward to international destinations. Often these calls were routed to mobile terminating locations to avoid tracing. Inter-continental roaming will grow - - both in terrestrial and in satellite communications. The latter emphasis is to provide access into GSM networks in remote parts of the world. However, there might not be any sophisticated infrastructure in place to detect and combat fraud. Links with satellite networks could lead to new fraud problems. For instance, it would probably
17
FEATURE not be able to support hot b i l l i n g , e.g. the ability to bill customers five minutes after the call is made. T h e s e could be likely future targets for criminals to move away from GSM networks to run their fraud business, as the core network's security architecture no longer offers easy fodder to sustain a trouble-free, profitable venture.
"To cut costs, security would be given low priority"
Multi-purpose SIMs and pre-paid SIMs The future trend is to use SIM cards to support multiple applications. The prospect of including additional services on SIMs, e.g. phone banking, cashpoint, access control, could compromise or weaken the security functionality on SIMs to protect GSM services. For instance, illegal privileged access to change service functionalities could be simulated with a PC and software. Operators are likely to introduce customized services e.g. financial applications. GSM's security a r c h i t e c t u r e was not d e s i g n e d to protect such applications - - only for protecting networks and subscribers when making calls. When everyone is introducing customized services, this could also present new fraud opportunities which are outside the GSM security specifications. The various non-phone services could be targeted by criminals together with GSM services. In the case of pre-paid SIMs, one of the options open to n e t w o r k o p e r a t o r s is to use the n e t w o r k ' s communications to directly recharge the SIM with additional call units from the air interface, e.g. exploiting SMS services to download new call units or even monetary units - - as in the case of electronic purses. If the communication is intercepted, the S1M may not be recharged. Or the SIM owner could claim that he never received the extra units on his mobile. If a crook knows how to recharge SIMs, he will be in business to offer a cut-price illegal recharging service to boost the call units at a fraction of the real cost.
18
International cooperation An international MoU GSM Fraud Forum is in place with many network operators in the world participating to share and exchange intelligence information on frauds and c o u n t e r - m e a s u r e s , e.g. setting up a centralized equipment identity register (CEIR) in Dublin to pool intelligence information from operators' own EIRs, or involving clearing houses and service providers in fraud control. The Federation of Communications Services (FCS), the UK trade body of communications industry organizations, is canvassing the UK Government to introduce legislation to declare phone cloning and the possession of cloning equipment and software illegal. After all, criminals and hackers are using the Internet to exchange information on fraud schemes and ways to penetrate phone security systems. We owe it to ourselves to unite our defences and share best practice to boost our security levels.
Mobile phone as hero Mobile phones have proved themselves to be useful instruments to supply intelligence information to uphold law and order and to fight crime. Witness the case of the North African terrorist on the run in the forests of Lyons following a spate of bombing in Paris. He was quickly tracked down by the network operator when he switched on his mobile to make a call to his accomplice. His precise whereabouts were noted and the police were able to pin him down on the spot within minutes. Then there was the case of the drug trafficker serving a jail sentence in Britain and still using his mobile phone to run his illegal operation. His conversations were overheard by a prison officer and the network operator helped to provide a list of numbers called on his mobile, which effectively helped the police to close down the entire drug ring.
Acknowledgement I am grateful for the valuable input from various speakers at two recent IBC Mobile Fraud Conferences and GSM Security Workshops, notably those from Orange, Vodafone, Vodac and BT.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
Mobile Phone Fraud - - Are GSM Networks Secure? Ken Wong Insight Consulting ~raud on mobile analogue networks has grown
F dramatically in the last few years. In the US, cellular fraud is reckoned to cost the telecommunications industry a million dollars a day. In the UK, many of the hot destinations for call selling are in the Indian sub-continent. The root of the problem lies with population migration from Indian sub-continent to the rest of the world; and emigrants want to talk to their relatives back home. Frauds in the Middle East are also tied to that. In the Far East and South America, many of the frauds are drug related. Frauds in North America are also related to population migration.
overseas roaming partners for their bogus and genuine subscribers' fraudulent domestic and international calls. The management of stolen handsets, subscription fraud or fraudulent calls on the network can be very d e m a n d i n g on resource. For instance, a real-time network fraud management system could cost upwards of £1-2 million to implement and administer. In the UK, when a subscriber lost his handset, he would forfeit his equipment subsidy and have to pay the full cost of a replacement handset, which is between £200 and £300. From the time a handset was reported stolen or a network fraud was detected, a subscriber's services would be turned off until the problems had been resolved and a replacement handset issued. In the mean time, inability to receive or make calls can lead to i n c o n v e n i e n c e and f r u s t r a t i o n , t h e r e b y straining customer relations to the extreme. Small traders and mobile workers who are deprived of their mobile phone could suffer serious business disruption and even loss of revenue. Corporate subscribers could also lose business and business opportunities. On the other hand, over-enthusiasm of security staff to cut fraud could result in customers making long business calls being c u t - o f f in mid-stream. Staff insensitivity in the mishandling of the situation could increase churn and loss of future revenue from good customers.
Fraud losses
Downward trend
Losses incurred could range Dom airtime losses for network operators to loss of revenue and equipment for s e r v i c e p r o v i d e r s and d e a l e r s f r o m f r a u d u l e n t subscriptions to obtain mobile services and handsets without payment.
V o d a f o n e in the UK r e c e n t l y i n t r o d u c e d a PIN authentication system on its analogue network. The 16-digit PIN is entered by the subscriber on request from Vodafone, usually when the phone is first turned on. The PIN is then used as an encryption key to scramble the electronic serial number (ESN) of the phone as it is transmitted in the air interface. Whenever the phone is turned on, or an outgoing call to a new number is made, the broadcast ESN is changed. Using this approach e n s u r e s that a n y o n e c a p t u r i n g the E S N and its associated mobile identity number (MIN) from the air interface only has a small window of opportunity to make an unauthorized call using the data, before it is scrambled again.
For network operators, fraudulent traffic causes channel congestion and thereby inability to fully exploit channel capacity to increase revenue. In one call selling operation, the network detected a high growth rate in call traffic in East London and decided to build a new exchange to cope with the increased calls - - only to find that no one was paying for the services afterwards. N e v e r t h e l e s s , o p e r a t o r s still h a v e to p a y f o r inter-connect charges to fixed networks or to their
Computer Fraud & Security © 1996 Elsevier Science Ltd
November 1996
11
FEATURE There is evidence to show that user authentication does cut down on fraud. In March 1996, Vodafone found the number of calls from cloning has been reduced by 50%. The company says phones manufactured after May 1993 for connection to analogue should support the authentication system. At the same time, companies providing a recovery service to service providers after their subscribers' handsets have been cloned or stolen have also reported a noticeable downturn in their business.
encryption process to transmit the TMSI details, in an encrypted form, to the mobile handset, where it is decrypted. The TMSI conceals the identity of the subscriber, and his whereabouts on the network cannot be determined from eavesdropping on the air interface.
GSM security
Value-added services
The family of mobile digital systems - - GSM, PCN and PCS operating at 900, 1800 and 1900 MHZ frequency bands respectively - - all have the same security architecture built into the system's design. There are three key aspects to GSM security: message secrecy is preserved over the air interface. The 64-bit key, Kc, used to encrypt call and signal data c h a n g e s e v e r y time the cal l er communicates with the network's base station at the cell site. As a result, the key used to encrypt the forward data from the base station to the Ilandset is different from the key for encrypting the return data from the handset to the base station. Note that normally there is no data encryption in the microwave or wireline transmission from the base station to the base station controller, and the onward transmission to the mobile switch centre - nor on any of the fixed components of the mobile network. Encryption
--
pre-call subscriber identity verification is done via a challenge response system - using a 128-bit key, Ki, which is specific to the subscription, to generate a 32-bit response to a 128-bit random challenge. The use of one-time passwords is similar to the Vodafone authentication scheme above. Authentication
--
the International Mobile Subscriber I d e n t i t y (IMSI), which u n i q u e l y i dent i f i e s the subscriber, is used to set up a call session if there are no other means to identify the subscriber. After the initial successful authentication, the network assigns an anonymous Temporary Mobile Subscriber Identity (TMSI) to the Subscriber Identity Module (SIM) s m a r t c a r d l a t c h e d to the m o b i l e handset. T he authentication process automatically activates the Anonymit
12
3, - -
Fraud exposures in GSM services These include a number of value-added services and international roaming.
G SM v a l u e - a d d e d servi ces such as third party conference calls and call transfers, have been misused by criminals to support their call selling business. In conference calling, a fraudster sets up the call by calling a customer and a third party - - and he then drops off. In a call transfer, the call seller sets up a call between two parties and then is available to set up another call. This is a serious fraud instrument in GSM and GSM handsets have often been used this way in a number of analogue handsets in call selling operations. Criminals have enhanced their fraud business by making multiple call-forwarding to sell simultaneous calls on a single SIM. In one case, a UK network operator discovered that 110 call forwards had been made in two hours, and one SIM had produced 12.5 hours of calls in those two hours. In another case, they found the forwarded number had changed every 16 hours, and £12 000 of calls had been made to destinations outside Europe. The advice of charge feature on the SIM card was used as a basis for charging customers for their calls. These are not possible with analogue phones. An operator providing insecure services could lead to loss of privacy or confidentiality, e.g. short message service (SMS) details deposited by subscribers could be o p e n to b r o w s i n g and t a m p e r i n g at the SMS management centre. Premium Rate Services (PRS) are often used for f r a u d u l e n t p u r p o s e s . A PRS o w n e r c o u l d ask collaborators to dial in with stolen or cloned phones to, e.g. a PRS in Hong Kong or Ireland, and build up the fraudulent income of the PRS owner.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE International roaming International roaming fraud is unique to GSM as analogue handsets cannot be used to make calls in another country. One fraud scam involved setting up an international call selling operation in one country, say the UK, and using SIM cards from a German or French network. Not so long ago, one of the popular frauds was to make fraudulent roaming calls or to run call selling operations using stolen or de-commissioned handsets from another country. This scam took advantage of the late reporting and billing calls from roaming partners at the time. In fact, a popular scam was to cancel the subscription before travelling to another country where the visited network has a roaming agreement with the home network. All overseas calls would then be made fraudulently on the visited network. A c c o r d i n g to the G S M M e m o r a n d u m of Understanding (MoU) guidelines, where a large number of calls was made by a visitor roaming in another country, e.g. exceeding 100 units a day, the visited network must fax a call report to the home network within 24 hours, detailing the calls made. In addition, if the full roaming call reports were not received by the home operator, by EDI or by tape, within 72 hours of call completion - - to be shortened to 36 hours after September 1996, and then to 24 hours some time in 1997. If the home operator does not receive the call reports within 72 hours, then he would not be liable for the fraudulent calls from his roaming subscribers. Clearing houses such as MACH and ROMEO are providing facilities to operators to speed up the forwarding of bills to the respective home operators for roaming calls made by visitors to their country, and also to affect the financial clearing of bill payments. They will undertake to provide the high roller fax reports as well as the EDI transfer of call records to roaming partners. Roaming fraud could also be perpetrated by dishonest operators - - by deliberately sending out incorrect bills to their roaming partners. This could be a small operator recently set up in business who did not have enough traffic volume to make the network viable.
Computer Fraud & Security November1996 © 1996 Elsevier Science Ltd
In a desperate attempt to make ends meet, he could review his past highest monthly bills to other operators, pretending that these calls had been made by their subscribers recently. Or he would simply delay or refuse paying his bills due to roaming partners.
Fraud exposure in GSM business processes A logical way to analyse your business and technology risks of a GSM system is to examine the fraud potential and security weaknesses inherent in the various business processes: subscriptions, network operation, billing, security management and management of SIMs and handsets.
Subscription fraud and control This type of fraud is procedural, not technical, in nature, and tends to be included with bad debt figures. But the scams are becoming increasingly sophisticated and organized. There are growing trends in compromised credit card usage and genuine customers selling their subscriptions into the black market. Investigators found criminals often worked in gangs using a paging network to pass information to each other, using a coding system to communicate with each other in secret. The names which are being used to apply for handsets and network connections are no longer simple extractions from telephone directories. For some time now, fraudsters have used the names and addresses of people who have moved recently. Fraudulent identities are easy to obtain, e.g. birth certificates of deceased persons reported in obituary, columns. Personal details of people who have recently emigrated, or gone into sheltered accommodation or mental homes, have also been used. Organized criminals would operate black markets at international level to supply credit-worthy names and addresses with supporting details to obtain successful subscription - - using other people's details (e.g. buying computer screen prints of genuine subscriber details on computerized application forms from dishonest service provider or dealer staff, using pensioner's details from credit bureaux, or customer details from mail order or hire purchase companies.
13
FEATURE S e r v i c e p r o v i d e r s have also d i s c o v e r e d some unscrupulous people were effectively selling their credit ratings to criminals. This allows a perfectly legitimate name and address to be used to obtain mobile phone subscriptions repeatedly: the owners of the names and addresses would be paid to keep out of the way and not to respond to any welcome messages to check the bona fide details of subscribers. Service providers also remind sales staff not to always believe the claims of some subscribers that they did not have a subscription with the company. Given the level of personal information required in the application form, it would be difficult for an impostor to supply such details. T h e p r i n c i p a l s a f e g u a r d against all forms of subscription fraud is based on validation: validation of the order, the customer, the contract and the business. Service providers often insist on customer service staff making welcome calls and sending out welcome packs to all customers with new connections. Welcome letters and welcome calls are very effective in finding instances w h e r e names and addresses have been misused. If the call has to be made to the mobile phone, then some very open questions have to be asked to check that the user can repeat the same information given on the order form. Staff should consider barring a customer if contact cannot be made. People who have simply bought a phone from a dubious source who are not expecting a bill will not know the answers to these questions. W h e r e the c o n t r o l c h e c k s f a i l e d or p r o v e d c o n c l u s i v e , t h e n an i n v o i c e w o u l d a l w a y s get someone's attention. The first invoice, whether for a connection charge or the first month's access charges, however small, should be sent off quickly. People tend to react to being billed whereas they could overlook anything which resembles junk mail. All p h o n e s s h o u l d be d e s p a t c h e d w i t h an international and premium rate bar in place - - unless they are going to a known corporate account. This will not prevent airtime fraud but will at least limit the damage. As long as customers are given a proper explanation, they are happy with such restrictions.
14
When a subscription fraud was discovered, the airtime commission would be clawed back from the dealer.
SIM personalization and activation SIM personalization is often done at the point-of-sale, to enter the new subscriber's details onto the SIM card. Some networks now offer pre-paid SIMs. A criminal could steal or illegally obtain such SIMs and sell them on to others as drug currency. To use the SIMs to make calls, handsets would need to be found. The use of pre-paid SIMs, or SIMs sale-on-demand, means a handset should not be locked to one particular SIM. This would negate the current practice of operators blacklisting dubious/stolen handsets which are locked to their specific group of SIMs. If it was a churn customer, he would have one handset and two or more SIMs. He would have to pay the former operator a fee to unlock the handset from his network, i.e. the first SIM. Providing pre-paid SIMs will create too many SIMs and will lead to a growing demand for stolen handsets. The cost of setting up a fraudulent account could be significantly r e d u c e d - - as the biggest overhead was the purchase of the handset, which could be circumvented with the use of a stolen handset. This would increase the number of fraudulent accounts. Where SIM personalization is completed at the SIM card manufacturer, service provider or dealer' s location, t h e r e is an a s s o c i a t e d risk o f d i s h o n e s t s t a f f personalizing the SIMs in stock for fraudulent use. Securing SIMs means addressing personnel security, in particular, to check the integrity of personalization department staff. Poor communication or lack of audit trails on the network for SIM activation/deactivation could provide opportunities for dishonest operation staff to illegally restore the de-activated SIMs of some ex-subscribers or bad debtors on the network.
Network operation If" the network switch has little or no intelligence, the system functionalities available may not be able to detect fraudulent traffic and/or terminate fraudulent calls whilst in progress.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE Also network staff could go into the system's authentication centre to obtain lists of IMSI, Ki pairs for individual subscribers and pass to criminals to copy to blank SIM cards. However, the fraud scheme would only work if they also have access to the encryption and authentication algorithms used on the network. Dishonest network staff could turn off the system's alarms for certain subscriber accounts when they detected the breaching of pre-set service limits or attempts to use any barred network services. Where the network uses an intelligent network (IN) system, weak security on the IN platform could allow dishonest operation staff to misuse network facilities through unauthorized hidden access to the home location register, the authentication centre, visitor location register, the equipment identity register, or the network management system. For instance, they could misuse the network management system to disable the link between the switch and the billing system to render all fraudulent calls made from a subscriber account non-chargeable. Or they could illegally connect SIMs to the network in such a way that no service provider is billed for the airtime (known as ghosting). Not all networks employ encryption in the traffic channel; some countries with strict Data Protection laws would disallow the use of strong encryption schemes anyway. In these cases, someone equipped with a radio scanner and a digital decoder could eavesdrop on the phone conversation and even capture the IMSI when the phone was switched on the fist time to make or receive calls. When Mercury One-2-One offered free off-peak local calls to its first subscribers, some parents were using the network for ingenious purposes, e.g. to baby-sit while they were out. Parents would leave their babies at home alone with a mobile in the cot as a makeshift intercom. They would buy two cheap phones, sometimes even charged to their employees, leave one with the child and dial in from their night out on the other and take advantage of the offer of tree evening calls.
Computer Fraud & Security November1996 © 1996 Elsevier Science Ltd
Billing and debt collection Corrupt billing staff could tamper with the billing process to send out reduced bills, grant illegal refunds or credits to friends and accomplices' accounts. Some corporate subscribers have witnessed the receipt of inflated bills from operators, dealers or service providers, but the onus was on subscribers to prove that some of the call records were fraudulent. Sometimes dishonest billing staff could be in collusion with dishonest accounts Staff of corporate customers. For instance, they could suppress or delay the invoking of debt collection procedures to allow fraudulent calls to continue unchecked, or even write off the debts illegally in return for a sweetener. Then there was the creation of ghost customers - phones were connected to the network independently of the billing system. The fraudster would pretend that the phone was for the internal use of the service provider staff and the addressee may be his own finance department. The service provider was thus charged on a wholesale basis but there was no retail bill produced. Ghosting would only be spotted by meticulously c o m p a r i n g w h o l e s a l e and r e t a i l bills f o r the discrepancies to come to light. Commission fraud was sometimes committed by d i s r e p u t a b l e dealers e x p l o i t i n g the d i s t r i b u t i o n c h a n n e l ' s financial i n c e n t i v e s - - to e n c o u r a g e customers to churn so as to collect commission for each connection.
Use/handling of handsets and SIM cards This could be equipment fraud, i.e. trying to obtain equipment fraudulently. One recent example involved a well known public company placing an order, on letter-headed paper, for a quantity of handsets and SIMs. The dealer called back to the number and confirmed the order. However, security staff got suspicious and followed the delivery van. They found the address to be a warehouse where the fraudsters would collect the equipment. One example in South Africa involved the use of false credit cards to purchase handsets. A simple credit card refusal was traced to its links with a series of other requests. A police ambush at the warehouse ended up
15
FEATURE with the arrest of a major credit card criminal when he turned up to collect the goods. International credit cards take longer for fraud to be discovered because of longer credit periods. There are many stolen credit cards in circulation and no delivery address would be required for buying a mobile phone. Another recent scam involved a dishonest dealer obtaining several mobiles for one customer. The customer supplied proof of identity and bought his phone in the normal way. Those same proofs of identity were again used repeatedly on the order forms of several service providers. More numbers were provided and connected and, incidentally, more commission was paid. The customer would respond positively to welcome calls and letters since he did buy a phone from the dealer. It was only much later that he discovered that he was being billed for more than one unit. GSM handsets are expensive to purchase in countries with new GSM networks being set up. A GSM handset costs from £200 and could be stolen to sell to China and India at a high price. Developing countries could produce fake Nokia or Motorola handsets at low cost and flood the market with counterfeit handsets. The press reported recently that dishonest dealers have broken up the heavily subsidized handsets of one PCN operator to ship parts to other countries where they could command premium prices. Handsets were also smuggled out of the country to be stockpiled for the introduction of GSM/PCN networks in Russia and China. The cost of the handsets to the dealer was around £20-25. They could sell off components and accessories such as batteries and cllargers alone in Germany for much higher prices. The GSM MoU requires operators to maintain an equipment identity register of blacklisted subscribers handsets which either do not operate properly (e.g. reserved for emergency use only) or equipment which has been reported lost or stolen. Recently, one GSM operator found PCN equipment was used on their network, suggesting that digital blacklisted handsets from other networks were being recycled by replacing the PCN circuit board with a GSM board from another, possibly stolen, handset. Stolen handsets or SIM cards which are not immediately reported to operators or
16
service providers could be sold to dealers trading in illegitimate handsets before services are switched off. SIM card cloning has so far proved to be both technically difficult and expensive to do and there was no evidence of criminals exploiting such techniques to perpetrate fraud. On the other hand, poor SIM card management would help the criminal by allowing an applicant to obtain several subscriptions - - some were even found with consecutive IMSIs - - or selling pre-paid SIMs which were illegally obtained. Some users do not use PIN codes to protect access to their SIM cards. This means that someone who stole the phone could use it to make calls unimpeded. In the Far East, PIN protection is often not activated and users are not made aware of such a protection facility. Also the thief could obtain the personal details and SMS details of the subscriber on the stolen SIMs.
Manufacture and distribution of SIMs F r a u d o p p o r t u n i t i e s c o u l d a r i s e f r o m SIM manufacturers operating an insecure manufacturing process. SIMs could be replicated or compromised by criminals forcing manufacturing staff to do a repeat run on the same batch of SIMs, or obtaining sensiti ve details from company files and databases to assist fraud schemes, e.g. details of customers' authentication and encryption algorithms. There would also be exposures if there were little or no controls to account for waste - allowing blank SIMs to be released to criminals. Poor controls in SIM and/or PIN distribution could lead to SIMs and the associated PINs falling to the wrong hands. There is no guarantee that SIM manufactures have adequate personnel security policy or procedures and enforce segregation of sensitive duties. This is seen by some operators to be the weakest link in SIM protection. Employees could be targeted by threat or inducement and encryption is useless against such threats. Operators rarely undertake a review of the technical security, physical security and personnel security practices on SIM manufactures. Many SIM manufacturers would also be producing banking smartcards and could already have been through security audits by their bank
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
FEATURE customers. Nevertheless, good security procedures for banking cards, which by and large relate to physical security, do not give the same level of protection to phone services.
for international cooperation among operators and service providers to work together to combat fraud.
Security management and investigation
Technologyconvergence
Fraud prevention and control could be hampered by ineffective management or investigation, or inability to pool intelligence information together, e.g. only handling details on a case by case basis. No fraud database would be kept for statistical analysis of fraudulent behaviour, trends and e f f e c ti v e n e s s of
There are currently a number of corporate initiatives to set up their own virtual private networks (VPNs), or even to construct a super-VPN to span some 25-30 E u r o p e a n b l u e c h i p c o m p a n i e s , to r o u t e all inbound/outbound domestic/international calls via the corporate voice network in order to substantially reduce their telecommunications costs. The calls could break in or break out from the wired network to link to many mobile originating and mobile terminating access points.
"fraud analysis to nt,,y securitv "-s
countermeasures. This could make it difficult for case staff weaknesses" to cross-relate materials with other contemporary investigations to identify any underlying fraud patterns or key players behind a number of fraud scams.
New services development and roll-out In an increasingly crowded and competitive market, the business many be entirely market driven and tight development schedule precludes the proper validation of fraud control security measures in new products and services. To cut costs, security would be given low priority and control features were not designed into new products or services. Fortunately, a number of major operators have learnt their lessons from fraud losses in analogue networks. They now require their staff to be involved in the security design of new products and services; c o n d u c t i n g f r a u d a n a l y s i s to i d e n t i f y s e c u r i t y weaknesses and solutions; and even setting up a tiger team to try to crack the security system. Finally, new products/services must be signed off by the security team before roll-out to the marketplace. However, this is not always the case with new operators or small operators and so they would be more likely to be the fraud targets or organized criminals for the future. Unfortunately, this would have a knock-on effect on their roaming partners. This makes it essential
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd
F u t u r e f raud a r e a s
Some VPNs have been setup in an insecure fashion, e.g. the network infrastructure accommodates the use of direct inward service access (DISA) facilities in the PABXs - - to allow employees to dial in to the company's PABX to make outbound international calls at cheap corporate rates. There have been many fraud cases reported of companies losing tens of thousands of pounds in call charges from criminals hacking into these PABXs to operate call selling operations. In one case, a company lost £250 000 in the space of six weeks. As a result many companies have instituted a list of hot countries where fraudulent calls are often directed and barred such destinations on the PABX. However, criminals and hackers have also learnt to get round such defences by using mobiles to make toll-free calls on the first leg - - to cover their tracks - to dial into one PABX in one country, routing the calls to another PABX on the other side of the Atlantic, to circumvent individual hot country lists, and then onward to international destinations. Often these calls were routed to mobile terminating locations to avoid tracing. Inter-continental roaming will grow - - both in terrestrial and in satellite communications. The latter emphasis is to provide access into GSM networks in remote parts of the world. However, there might not be any sophisticated infrastructure in place to detect and combat fraud. Links with satellite networks could lead to new fraud problems. For instance, it would probably
17
FEATURE not be able to support hot b i l l i n g , e.g. the ability to bill customers five minutes after the call is made. T h e s e could be likely future targets for criminals to move away from GSM networks to run their fraud business, as the core network's security architecture no longer offers easy fodder to sustain a trouble-free, profitable venture.
"To cut costs, security would be given low priority"
Multi-purpose SIMs and pre-paid SIMs The future trend is to use SIM cards to support multiple applications. The prospect of including additional services on SIMs, e.g. phone banking, cashpoint, access control, could compromise or weaken the security functionality on SIMs to protect GSM services. For instance, illegal privileged access to change service functionalities could be simulated with a PC and software. Operators are likely to introduce customized services e.g. financial applications. GSM's security a r c h i t e c t u r e was not d e s i g n e d to protect such applications - - only for protecting networks and subscribers when making calls. When everyone is introducing customized services, this could also present new fraud opportunities which are outside the GSM security specifications. The various non-phone services could be targeted by criminals together with GSM services. In the case of pre-paid SIMs, one of the options open to n e t w o r k o p e r a t o r s is to use the n e t w o r k ' s communications to directly recharge the SIM with additional call units from the air interface, e.g. exploiting SMS services to download new call units or even monetary units - - as in the case of electronic purses. If the communication is intercepted, the S1M may not be recharged. Or the SIM owner could claim that he never received the extra units on his mobile. If a crook knows how to recharge SIMs, he will be in business to offer a cut-price illegal recharging service to boost the call units at a fraction of the real cost.
18
International cooperation An international MoU GSM Fraud Forum is in place with many network operators in the world participating to share and exchange intelligence information on frauds and c o u n t e r - m e a s u r e s , e.g. setting up a centralized equipment identity register (CEIR) in Dublin to pool intelligence information from operators' own EIRs, or involving clearing houses and service providers in fraud control. The Federation of Communications Services (FCS), the UK trade body of communications industry organizations, is canvassing the UK Government to introduce legislation to declare phone cloning and the possession of cloning equipment and software illegal. After all, criminals and hackers are using the Internet to exchange information on fraud schemes and ways to penetrate phone security systems. We owe it to ourselves to unite our defences and share best practice to boost our security levels.
Mobile phone as hero Mobile phones have proved themselves to be useful instruments to supply intelligence information to uphold law and order and to fight crime. Witness the case of the North African terrorist on the run in the forests of Lyons following a spate of bombing in Paris. He was quickly tracked down by the network operator when he switched on his mobile to make a call to his accomplice. His precise whereabouts were noted and the police were able to pin him down on the spot within minutes. Then there was the case of the drug trafficker serving a jail sentence in Britain and still using his mobile phone to run his illegal operation. His conversations were overheard by a prison officer and the network operator helped to provide a list of numbers called on his mobile, which effectively helped the police to close down the entire drug ring.
Acknowledgement I am grateful for the valuable input from various speakers at two recent IBC Mobile Fraud Conferences and GSM Security Workshops, notably those from Orange, Vodafone, Vodac and BT.
Computer Fraud & Security November 1996 © 1996 Elsevier Science Ltd