
Cellular security: better, but foes still lurk


MICHAEL J. RIEZENMAN
Senior Engineering Editor

SERVICE PROVIDERS HAVE LARGELY SOLVED THE CLONING PROBLEM, BUT EAVESDROPPING IS STILL AN ISSUE, AND E-COMMERCE HAS BARELY BEEN ADDRESSED

Not being Prince Charles or Newt Gingrich, most of us give little thought to cell phone eavesdropping. After all, who cares if someone overhears you telling your husband you're stuck in traffic? Of course, if the conversation is of a sensitive nature, then one of your concerns is, or should be, the security of your phone.

Cellular service providers have a different security problem. Their great concern is service theft, through which criminals succeed in using a cell phone without paying for it.

In the early days of cellular telephony, service theft mostly meant cloning. People with radio scanners would simply "sniff" the cellular frequency bands, pick up cell phone identification numbers, and program them into other phones. That problem has been reduced by almost two orders of magnitude through the application of some thoughtful technology. But it has been replaced by other problems: subscription fraud (the same problem that bedevils issuers of credit cards) and the misapplication of service provider subsidies on handsets.

Subscription fraud has several forms: pretending to be another real person, pretending to be a nonexistent person, and even just being yourself and pretending you intend to pay your bill. Subsidy fraud involves taking a phone whose cost has been heavily subsidized by a cellular carrier and activating it on a different carrier's network.

Solutions to these problems exist. However, the newest and best of them cannot be implemented on old handsets, so the technical situation is not without interest. Some of the solutions, particularly those used to fight subscription fraud, tend by their very nature to inhibit sales (after all, the idea is to eliminate deadbeats), which presents the executives of cellular companies with a dilemma. On the one hand, many of them need the revenue stream from a large number of subscribers to help them pay off the huge investments they made when they bid wildly for spectrum space back in 1995. On the other, they have no desire to be cheated.

As the practice of conducting serious business over the Internet continues to grow, other security issues will arise. In particular, someone conducting business on a cell phone needs to be confident of the identity of the other instrument's user. The technical solutions to be discussed here, like RF fingerprinting and authentication, do a good job of guaranteeing that the handset is what it claims to be, but they guarantee nothing about the person using it.

Several approaches are being pursued to user identification. The problem, in fact, is not finding solutions, but getting everyone to agree on which to use. To do banking over a cell phone, your bank, your cellular service provider, and your phone must agree upon the same end-to-end solution. And we as an industry must standardize that solution to drive mass-market end-user accessibility, pointed out Tom Deitrich, vice president for business operations at Ericsson Inc., Research Triangle Park, N.C., among others.

Biometrics may play a role here. In fact, one company, AuthenTec Inc., Melbourne, Fla., is developing a fingerprint sensor that can be integrated into a cell phone without adding noticeably to the phone's weight, price, or energy consumption [see "How a phone can check fingerprints," facing page].

ANALOG YES, DIGITAL NO

When it comes to eavesdropping, the situation is pretty simple. Analog phones are easy to bug; digital are hard. Although it is illegal to sell scanners in the United States today that are capable of receiving the frequency bands used for cellular telephony (824-849 MHz, 869-894 MHz, 1.85-1.91 GHz, and 1.93-1.99 GHz), older units that can receive them are readily available. Moreover, it is hardly rocket science to modify a new, compliant receiver to add the extra bands. (The scanners are inherently capable of receiving at least the lower bands; they have just been rigged to block them.)

Lest anyone think that analog cellular telephony is an old, dead technology: as of June 1999, over 70 percent of the subscribers in the United States still used analog handsets, according to Boston's Yankee Group. And many who have dual-mode phones (capable of analog and digital operation) turn to the analog mode when roaming, especially in rural areas.

The latest figures from the Cellular Telecommunications Industry Association (CTIA), Washington, D.C., say merely that digital penetration today exceeds 50 percent. But the CTIA counts dual-mode handsets as digital, so its number may not be so different from the Yankee Group's. Whatever the precise numbers, the message is clear: eavesdropping is not of only historical interest.

Digital phones, be they of the time- or code-division multiple-access (TDMA or CDMA) variety, are, unlike analog units, quite proof against eavesdropping by ordinary mortals. Would-be listeners-in, for one thing, have to know what system they are trying to tap into, since TDMA and CDMA are utterly different. For TDMA, what can be snatched out of the ether is a digital data stream representing one side of each of three multiplexed conversations. Eavesdroppers need to lock onto the correct time slot to get the conversation they want.

In the case of CDMA, what they wind up with is an even thornier problem: a mishmash of half a dozen conversations, each modulated by a different pseudorandom code, all occupying the same band. So the signal has to be decoded with the same code, which has been obtained in some mysterious fashion.

Plus, in digital systems, voice is vocoded. The sound is not only digitized, but compressed as well. As before, someone interested in decompressing it needs to know the compression algorithm used.

In short, eavesdroppers need to build what amounts to the receiving part of a cellular phone base station in order to have a chance of overhearing a call. Small wonder that none of the system operators or phone manufacturers interviewed for this report regards eavesdropping on digital cell phones as a problem.

ETHEREAL SIGNATURES

The fight against cloning analog handsets has gone a lot better than efforts to combat eavesdropping. Conceived in innocence, early analog phones were almost comically vulnerable to security attacks. For one thing, the signaling between handset and base station takes place in the clear, so anyone with a suitable RF scanner can simply listen in and learn the phone numbers (called mobile identity numbers, or MINs) of handsets in the vicinity and the electronic serial numbers (ESNs) that go with them. To program those numbers into another handset is the work of a minute, and behold, another cloned phone is ready for use.

Once the problem manifested itself, service providers began taking steps to protect themselves. Working with the U.S. Secret Service, they persuaded Congress in 1998 to amend the law pertaining to "Fraud and related activity in connection with access devices" (Title 18, Section 1029, of the U.S. Code) so as to make it a Federal crime to own a scanning receiver or a cell phone programmer with intent to defraud. That same law also makes it a crime knowingly and with intent to defraud to use a counterfeit phone, to traffic in such phones, or to possess 15 or more of them. The law is serious, specifying maximum prison terms of 10 or 15 years (for first-time offenders), depending on the exact nature of the crime.

The service providers also instituted the use of personal identification numbers (PINs) that a user had to key in before a call could be completed. PINs certainly made it tougher for thieves to use stolen phones. But since the PINs were transmitted in the clear, they were not very effective against cloning.

What did help was a technology pioneered by the military for keeping track of enemy troop movements, namely RF fingerprinting. Corsair Communications Inc., Palo Alto, Calif., is currently the only company active in the field. As explained by John Martin, its senior director of product management, the technology involves measuring several (unspecified) parameters associated with RF signals and characterizing them (again in a proprietary manner) to produce a signature unique to the transmitter being studied. Even nominally identical transmitters, manufactured on the same assembly line to the same specifications, have slight differences, which are sufficient for PhonePrint (as Corsair named its product) to tell them apart.

PhonePrint is a combination of hardware and software that cellular operators install in base stations in high-fraud areas. Once installed, it characterizes all the handsets that ask it for service (by monitoring the reverse control channel) and creates a database of their RF signatures, or fingerprints. The database soon acquires entries for almost all of the active users in the area. On subsequent service requests, PhonePrint compares the stored signature with the live one. If they fail to match, the call is torn down, that is, broken before it can be completed.

PhonePrint had its origins at TRW Inc., from which Corsair spun off in 1994. The Cleveland, Ohio, company developed similar systems for military use. Such systems can tell that an enemy unit supposedly stationed at position X has in fact moved to position Y by recognizing the RF signatures associated with the unit's radios. Obviously, as this feat implies, RF fingerprinting will work with any phone, and indeed with any transmitter. It is therefore particularly suitable for legacy analog cell phones, which have no built-in fraud-fighting provisions.

How effective is it against cloning fraud? According to Martin, Corsair to date has torn down over 300 million calls.

Sidebar: How a phone can check fingerprints

[Drawing: cross section of finger skin above the FingerLoc chip. Labels: sensor array, analog circuitry, digital circuitry, excitation generator, cell phone interface, living skin cells, dead skin cells, saline layer, damaged external fingerprint, pixel sensor plate array, excitation signal reference plane, sense amplifier.]

As everyone knows, the time-tested way to verify a person's identity is through his or her fingerprints. For the present application, the question is: can it be done quickly, without expert assistance, when the person is out in the field somewhere using a cell phone?

The answer, according to the people at AuthenTec Inc., Melbourne, Fla., is yes. All it takes is the company's FingerLoc fingerprint sensor, its accompanying software, and a microprocessor on which the software can run.

Finding a microprocessor is no problem, according to Peter Sherlock, vice president for product development, who has overall responsibility for AuthenTec's engineering operations. Modern digital handsets, he points out, contain quite powerful processors that have nothing to do when a cell call is not in progress.

The FingerLoc sensor [see drawing] is a monolithic silicon chip comprising a sensing array and its associated circuitry, all covered by a fairly thick (75 µm) proprietary coating. It can be easily embedded in the surface of a cell phone, where the robust coating will protect it from the rigors of normal usage.

FingerLoc's key advantage over other (optical) fingerprint sensors, Sherlock said, is that it ignores the external fingerprint, which is often dirty or damaged, or has even disappeared. Instead, it senses the fingerprint in a buried layer of living cells, where fingerprints are created and where they are found in pristine condition.

What it does is apply a low-voltage ac signal to the fingertip and then measure how the resulting electric field varies in amplitude over the fingertip surface. The signal is applied by means of a conductive epoxy ring surrounding the sensor area [see photo]; it is defined and measured with respect to a reference plane within the chip [see drawing again].

The electric field is set up between the reference plane and a thin layer of highly conductive saline liquid that resides at the interface of the living skin tissue and the dead skin. The saline layer has the same shape as the living tissue: the shape of the fingerprint. Being highly conductive, it imposes its shape as a boundary condition on the field, thereby spatially modulating the field into an analog of the fingerprint.

An array of tiny antennas arranged in a square matrix of 96 rows and columns does the actual sensing. Located above the reference plane, the array measures about 6.5 mm on a side, giving the sensor a linear resolution of about 15 pixels per millimeter.

The sensed analog electric field values are scanned from the sensor matrix a row at a time, digitized, and sent from the FingerLoc chip to the cell phone's microprocessor for further processing.

In the cell phone, a module from AuthenTec's software suite analyzes the fingerprint pattern and extracts information from it, which it converts into a unique representation of the fingerprint's owner. To "enroll" a user, that representation, called a template, is stored in nonvolatile memory for future use. To authenticate a user, it is compared with all of the stored templates to determine his or her identity.

What happens next depends on how the cell phone manufacturer and service provider have set things up. If the handset does not recognize the applicant, service will probably be denied. It gets more interesting when the system does recognize the fingerprint, because each user can have a stored profile, which personalizes the phone for him or her.

For example, a child may have the phone set so that it can do nothing but call home, no matter which button it presses. Older users may have their personal phone books automatically loaded and certain calling privileges activated or blocked. And, of course, with the right standards in place, the sensor can be part of a verification and authentication system for electronic commerce. -M.J.R.

AUTHENTICATION SECRETS

With the advent of digital and more advanced analog phones, an even more effective fraud-fighting technology came into use: authentication. A sort of handshaking process, authentication makes use of secret numbers that are stored in the phone and known to the network, but never passed over the air. Every time a call is made, the network sends the handset a random number, which the handset then combines with its secret number using an algorithm designed for the task. The result is another random number that the handset sends back to the network, which has meanwhile performed the same calculations. If the numbers match, the call is completed; if not, it is not.

The algorithm is designed to avalanche very quickly. If the input numbers are off by even a single bit, the resulting number will not even be close to the right answer. Since a different random number is used for each challenge, an eavesdropper would have a hard time figuring out a phone's secret number. This is not to suggest that sophisticated code crackers could not do it (the experts at the National Security Agency would probably consider it a warm-up exercise), but even high-level criminals rarely have access to the required expertise or equipment.

Criminals, by the way, generally clone cell phones not for economic reasons, but rather in the pursuit of anonymity. Mary Riley, a special agent with the Secret Service, told IEEE Spectrum that 80 percent of narcotics dealers arrested in 1998 were found to be in possession of cloned phones, according to testimony from the Drug Enforcement Administration, Arlington, Va.

Call counting is another technique that can be used instead of (more often, in addition to) authentication. Like authentication, it requires a phone capable of performing its part of the process. With call counting, both the handset and the network track the number of calls made by the handset. Those numbers are compared whenever a call is made. If they do not match, or if they disagree by more than a specified amount (generally one call), then the call is not allowed. Obviously, if someone has cloned a phone, then both he and the legitimate users will be making calls, so the network will have their combined number, while each handset will have only its own.
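The authentication handshake and the call counter described above, simulated together in an added sketch that is not from the article or from any carrier's system. HMAC-SHA256 stands in for the algorithm the article leaves unnamed, and the 8-byte response, the class names, the handset identifier and the key value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

RESPONSE_BYTES = 8    # assumed response length for this sketch
COUNT_TOLERANCE = 1   # the article: counts may disagree by "generally one call"


def auth_response(secret: bytes, challenge: bytes) -> bytes:
    """Combine the stored secret with the network's random challenge.

    HMAC-SHA256 is a stand-in; the article does not name the real algorithm.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:RESPONSE_BYTES]


def mean_avalanche(secret: bytes, challenge: bytes) -> float:
    """Average number of response bits that change when one secret bit flips."""
    base = auth_response(secret, challenge)
    total = 0
    for bit in range(len(secret) * 8):
        flipped = bytearray(secret)
        flipped[bit // 8] ^= 1 << (bit % 8)
        other = auth_response(bytes(flipped), challenge)
        total += sum(bin(x ^ y).count("1") for x, y in zip(base, other))
    return total / (len(secret) * 8)


class Handset:
    def __init__(self, secret: bytes, call_count: int = 0):
        self.secret = secret
        self.call_count = call_count

    def answer(self, challenge: bytes):
        # Only the response and the counter go over the air, never the secret.
        return auth_response(self.secret, challenge), self.call_count


class Network:
    def __init__(self):
        self.subscribers = {}

    def enroll(self, ident: str, secret: bytes) -> None:
        self.subscribers[ident] = {"secret": secret, "count": 0}

    def place_call(self, ident: str, handset: Handset) -> str:
        record = self.subscribers[ident]
        challenge = secrets.token_bytes(16)   # a fresh random number per call
        response, reported = handset.answer(challenge)
        expected = auth_response(record["secret"], challenge)
        if not hmac.compare_digest(response, expected):
            return "denied: authentication failed"
        if abs(record["count"] - reported) > COUNT_TOLERANCE:
            return "denied: call count mismatch"
        record["count"] += 1                  # network holds the combined total
        handset.call_count += 1               # each handset holds only its own
        return "completed"


def demo() -> dict:
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    net = Network()
    net.enroll("handset-A", secret)
    legit = Handset(secret)
    out = {"legit_first": net.place_call("handset-A", legit)}

    # A copy that has the identity but a secret that is one bit off.
    one_bit_off = bytes([secret[0] ^ 1]) + secret[1:]
    out["wrong_secret"] = net.place_call("handset-A", Handset(one_bit_off))

    # Hypothetical worst case: secret and counter were both copied.
    clone = Handset(secret, legit.call_count)
    out["clone_calls"] = [net.place_call("handset-A", clone) for _ in range(3)]
    out["legit_after_clone"] = net.place_call("handset-A", legit)

    out["avalanche_bits"] = mean_avalanche(secret, b"constructed-chal")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this sketch the counter mismatch surfaces on the legitimate handset once the copy has made more than one call, which is the signal that two devices are sharing one identity.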

RF fingerprinting and authentication between them have proven extremely effective. According to Rick Kemper, CTIA director for wireless technology and security, cloning fraud has dropped about 95 percent over the past four to five years. It has been replaced, however, by another kind of fraud called identity theft, also known as subscription fraud.

WHO ARE YOU?

Criminals, like electrons, tend to take the path of least resistance. Make it really hard to steal what they want one way, and they find a different way to get it. In the case of cell phones (or, more accurately, cell phone service) the defenses in place against cloning have motivated criminals to adopt the various techniques used by credit card thieves, which are all lumped together under the rubric of subscriber fraud.

As with cloning, the industry's first defensive move was to persuade Congress to strengthen the relevant statute (in this case, Title 18, Section 1028, of the U.S. Code, "Fraud and related activity in connection with identification documents and information"). As the law now stands, it is a Federal crime merely to steal someone's identity information with intent to defraud. Previously, the Government had to wait till fraud was committed before it could act.

The industry became particularly susceptible to subscriber fraud when it started pursuing new customers through such nontraditional channels as telemarketing and the Internet. Previously, cell phone service was mostly purchased in face-to-face transactions in company-owned stores, and clerks could do things like check photo IDs to verify a customer's identity. Now companies are finding they will have to get back to the basics if they are to keep subscriber fraud losses at a tolerable level. They are going to have to verify addresses against credit card data bases, for example. But as Steven Lum, director of fraud detection at AT&T Wireless Services Inc., Paramus, N.J., pointed out, there are legitimate reasons for discrepancies, since people may have just moved, or they may maintain multiple residences. So methods must be developed for screening out bad risks without turning off legitimate customers.

Technology as such is of limited value in this area. One thing computers are being used to do is keep track of subscriber calling patterns: the numbers they tend to call or receive calls from. If a subscriber is terminated for nonpayment of bills, and if a new subscriber shows up with pretty much the same calling pattern, then an alarm can be raised calling attention to the possibility that this may be the same person, and the company can look more closely at him.
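One way the calling-pattern comparison described above could be implemented, as an added example that is not from the article or any carrier's fraud system. The cosine-similarity measure, the 0.8 threshold, the minimum-history rule, the account identifiers and the call records are all assumptions constructed for illustration.

```python
import math
from collections import Counter


def cosine_similarity(p: Counter, q: Counter) -> float:
    """Similarity of two calling profiles (number -> call count), 0.0 to 1.0."""
    dot = sum(p[n] * q[n] for n in p.keys() & q.keys())
    norm = (math.sqrt(sum(v * v for v in p.values()))
            * math.sqrt(sum(v * v for v in q.values())))
    return dot / norm if norm else 0.0


def flag_returning_subscribers(terminated, new_accounts,
                               threshold=0.8, min_calls=5):
    """Return (new_id, terminated_id, score) for pairs worth a manual review.

    Accounts with fewer than min_calls records are skipped: with so little
    history, one shared number is enough to produce a high score.
    """
    alerts = []
    for new_id, calls in sorted(new_accounts.items()):
        if len(calls) < min_calls:
            continue
        new_profile = Counter(calls)
        for old_id, old_calls in sorted(terminated.items()):
            score = cosine_similarity(new_profile, Counter(old_calls))
            if score >= threshold:
                alerts.append((new_id, old_id, round(score, 3)))
    return alerts


# Constructed sample data: numbers called or received, one entry per call.
TERMINATED = {
    "T1": ["555-0101"] * 5 + ["555-0102"] * 3 + ["555-0103"] * 2,
}
NEW_ACCOUNTS = {
    # Nearly the same contacts as T1, plus one new number.
    "N1": ["555-0101"] * 4 + ["555-0102"] * 3 + ["555-0103"] + ["555-0104"],
    # Mostly different contacts; shares a single number with T1.
    "N2": ["555-0110"] * 4 + ["555-0111"] * 3 + ["555-0101"],
    # Only two calls so far, both to T1's most-called number.
    "N3": ["555-0101"] * 2,
}

ALERTS = flag_returning_subscribers(TERMINATED, NEW_ACCOUNTS)

if __name__ == "__main__":
    for new_id, old_id, score in ALERTS:
        print(f"review {new_id}: calling pattern resembles {old_id} ({score})")
```

An alert here only queues the account for a closer look, as the article describes; account N3 shows why a minimum amount of history is required before comparing.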

SUBSIDY LOSS

According to Ericsson's Tom Deitrich, a major problem, especially in Latin America, is what he calls phones moving sideways through the distribution channels. Cellular handsets are often heavily subsidized by service providers, who supply them to subscribers on condition that the subscribers remain with the company for a specific period, typically a year. But what sometimes happens is that the phones wind up being activated on some other carrier's network.

A distributor, for example, who has purchased a batch of subsidized handsets at a low price from one carrier may find that he can sell them at a handsome profit to a dealer who is not affiliated with that carrier. In Latin America, that dealer may not even be in the same country as the distributor. The result: the carrier loses the money it invested in subsidizing the phone.

As with subscriber fraud, the remedy is mostly a matter of running a tighter ship. But Deitrich expects some sort of technological fix will also be developed, which he described as an authentication kind of approach for the activation process. He foresees it showing up in some second-generation phones and believes it will be part of any third-generation deployment.

TO PROBE FURTHER

For some statistical highlights on cellular phone fraud, see the Web page maintained by the Cellular Telecommunications Industry Association at http://www.wow-com.com/consumer/faqs/faq_fraud.cfm.

To learn about third-generation cellular telephony (and also some basic cell phone history), see "The Mobile Phone Meets the Internet," by Malcolm W. Oliphant, IEEE Spectrum, August 1999, pp. 20-28. It is on the Web at http://teaser.ieee.org/pubs/spectrum/9908/cell.html.

IEEE SPECTRUM JUNE 2000

Page 2: Cellular security: better, but foes still lurk

Subscriptioii fraud has several forms pretending to bc another real person preten ding to be a inonrxistent pcrson and even just being yourself and pretending you intend to pay your bill Subsidy fraud involves taking a phone whose cost has been heavily subsidized by a cellular carrier and activating it on a different carricis nctwork

Solutions to these problenls exist How- ever the iiewest and best of them cannot be implemented on old handsets so the tcchnical situation i s clot without interest Some of the solutions particularly those used to fight subscription fraud tend by their very nature to inhibit sales-after all the idea i s to eliminate deadbeats-which presents the executives of cellular compa- nics with a dilemma On the one hand many of them need the revenue stream from a large number of subscribers to help them pay off the huge investments they made when they bid wildly for spectrum space back in 1995 On the other they have no desire to be cheatcd

As the practice of Conducting serious business over tlic lntcrnet continucs to grow 0 t h security issues will arise In particular soniconc conducting business on a CKII phone needs to bc confident of the identity of the other instruments uscr Thc tcchni~ cal solutions to be discussed here like RF fingerprinting and authentication do a good job of giiarantccing that thc handset i s what it claims to be hut they guarantee nothing about the person using it

Several approaches are being pursued to user identitication The problem in fact i s not finding solutions but getting evrryonc to agree on which to use To do banking over a cell phone your bank your cellular ser- vice provider and your phone must agree upon thc same end-to-end solution And we as an industly must standardize that solution to drive mass-market end-user accessibility

pointed out Tom Dcitrich vice president for business operations at Ericsson Inc Rcscarch Triangle Park NC among uthcrs

Biometrics may play a rolc hue In lact one company AuthenTcc Inc Mclbournc Fla i s devcloping a fingcrprint scnsor that can bc intcgratcd into a cell phone without adding noticeably to the phones weight price or energy consumption [see How a phone can check fingerprints facing page]

ANALOG YES DIGITAL NO Whcn it comcs to eavesdropping the si t -

uation i s pretty simple Analog phones are casy to bug digital arc hard Although it i s illcgal to sel l scanners in thc United States today that arc capablc of receiving the frc- qiiency bands uscd for ccllular tclcphony (824-849 MHz 869-894 MHz 185- 191 CHzand 193-199GHz)oldcriinirs that can rcceive them are readily available Moreover it i s hardly rocket science to mod- ib a new compliant receivcr to add the cxtra bands (Thc scanners are inherently capable of receiving a t least the lower bands they have just been rigged to block them)

Lest anyone think that analog cellular tclrphony i s an old dead technology as of June 1999 over 70 percent of thr rubscri- bers in the Uniced States s t i l l used analog handsets according to Bostons Yankee Group And many who havc dual-modc phones (capable of analog and digital oper- ation) turn to thr analog inode when roam ing cspccially in rural arcas

The latest figurcs from the Ccllular Tele- commiinications Industry Association (CTIA) Washington DC say merely that digital penetration today exceeds 50 percent Uut the CTIA counts dual-mode handscts as digital so its number may not he so differ- ent from the Yankee Groupi Whatever t l ie precise numbers the message is clear eaves- dropping i s not oi only historical intercst

Digital phones be they of the time- or code-division multiplc-acccss (TDMA or CDMA) varicty arc unlikc analog units quite proof against eavesdropping by ordi- nary mortals Would-be listenersin for one thing have to know what system they are trying to tap into since TDMA and CIIMA are utterly dilferent Tor TDMA what can be snatched out of the cther i s a digital data stream reprercnting one side of each of three multiplexed conversations Eavcs- droppers nced to lock onto thc correct time slot to gct thc conversation they want

In t he case of CDMA what they wind up with i s an even thornier problem-a mishmash of half a dozen conversations each modulated by a dilferent pseudoram dom code al l occupying t l ie same band So the signal has to be decoded with the same code which has been obtaincd in somc mysterious fashion

Plus in digital systcms voice i s vocodcd

The sound is not only digitized but coni- prcsscd as wcll As belore someone inter- estcd in decumprrsring it needs to know the comprcssion algorithm used

In short cavcsdroppers need to build what amounts to thc rcceiving part of a cel- lular phone base station in order to havc a chance of overhearin$ a call Sinall woii- der that iione of the system operators or phone manulactiirers interviewed for this report regards eavesdroppinaon digital cell phoncs as a problcm

ETHEREAL SIGNATURES Thc fight against cloning analog hand-

sets has gonc a lot bcttcr than cfforts to combat cavcsdropping Conceivcd in inno- ccncc carly analog phones were almost comicallywlnerable to security attacks l o r one thing the signaling between handsct and base station takes place in the clear so anyone with a suitable RF scanner can sim- ply listen in and learn the phone numbers (called mobile identity nunbcrs or MINs) of handsets in the vicinity and thc electronic serial numbers (ESNs) that go with them To program tlimr numbers into another handset is the work of a minute and behold anuthrr clonrd phonr is ready for usc

Once the ~prohlem maniierted itsell s e r ~ vice providen began taking steps tn protcct thcmsclves Working with the US Sccrct Service they persuaded Congress i n 1998 to amend tl ie law pertaining to Fraud and rclatcd activity in conncction with access dcviccs (Ttle 18 Scction 1029 uf the US Code) so as to make it a Fedcral crime to own a scanning receiver or a cell phone pro^

granimer wirh intent to delraud That same law also makcs it a clinic knowingly and with intent to defraud to use a counterfeit phone to traffic in such phones or to pus- s a 15 o r inore of them The law i s serious spccilying niaximunl prison terms ol 10 or I 5 years (for first-time offenden) depend- ing on thc cxact nature ol the crime

Thc seivice providers also institiitcd tlic use of personal identification numbers (PINS) that a user had to key in before a call could be completed PINS certainly made it tougher for thieves to use stolen phones But since the PINS were transmitted in the clear they were not vety cffectivc against cloning

What did help was a technology pio- neered by the military for keeping track of encmy troop movemcnts namcly RI fingcrprinting Corsair Communications Inc Palo Alto Calif i s currently the only company activc in thc ficld As cxplained by John Martin its senior director of prod- uct management the technology involves measuring several (unspecified) parameters associated with RT signals and character- izing them (again in a proprietary manner) to prodiicc a signaturc uniquc to the trans- mitter being studicd Even nominally iden-

40 IEEE SPECTRUM JUNE 2000

Sensor arrav (U

Analog circuitrv

Digital circuitry

Cross section of finger skin

Living SL n cells 10 CD~UJCIIIC

cpony 11111

4 ~ oead skin Cdh

I

Excitation generator

t Cellohone interface

How a phone can ch s everyone knows the time-tested A way t o verify a personrsquos identity i s

through his or her fingerprints. For the present application, the question is: can it be done quickly, without expert assistance, when the person is out in the field somewhere using a cell phone?

The answer, according to the people at AuthenTec Inc., Melbourne, Fla., is yes. All it takes is the company's FingerLoc fingerprint sensor, its accompanying software, and a microprocessor on which the software can run.

Finding a microprocessor is no problem, according to Peter Sherlock, vice president for product development, who has overall responsibility for AuthenTec's engineering operations. Modern digital handsets, he points out, contain quite powerful processors that have nothing to do when a cell call is not in progress.

The FingerLoc sensor [see drawing] is a monolithic silicon chip comprising a sensing array and its associated circuitry, all covered by a fairly thick (75 µm) proprietary coating. It can be easily embedded in the surface of a cell phone, where the robust coating will protect it from the rigors of normal usage.

FingerLoc's key advantage over other (optical) fingerprint sensors, Sherlock said, is that it ignores the external fingerprint, which is often dirty or damaged, or has even disappeared. Instead, it senses the fingerprint in a buried layer of living cells, where fingerprints are created and where they are found in pristine condition.

What it does is apply a low-voltage ac signal to the fingertip and then measure how the resulting electric field varies in amplitude over the fingertip surface. The signal is applied by means of a conductive epoxy ring surrounding the sensor area [see photo]; it is defined and measured with respect to a reference plane within the chip [see drawing again].

The electric field is set up between the reference plane and a thin layer of highly conductive saline liquid that resides at the interface of the living skin tissue and the dead skin. The saline layer has the same shape as the living tissue, that is, the shape of the fingerprint. Being highly conductive, it imposes its shape as a boundary condition on the field, thereby spatially modulating the field into an analog of the fingerprint.

An array of tiny antennas arranged in a square matrix of 96 rows and columns does the actual sensing. Located above the reference plane, the array measures about 6.5 mm on a side, giving the sensor a linear resolution of about 15 pixels per millimeter.

The sensed analog electric field values are scanned from the sensor matrix a row at a time, digitized, and sent from the FingerLoc chip to the cell phone's microprocessor for further processing.

[Drawing labels: saline layer; damaged external fingerprint; pixel sensor plate array; excitation signal reference plane; sense amplifier]

In the cell phone, a module from AuthenTec's software suite analyzes the fingerprint pattern and extracts information from it, which it converts into a unique representation of the fingerprint's owner. To "enroll" a user, that representation, called a template, is stored in nonvolatile memory for future use. To authenticate a user, it is compared with all of the stored templates to determine his or her identity.

What happens next depends on how the cell phone manufacturer and service provider have set things up. If the handset does not recognize the applicant, service will probably be denied. It gets more interesting when the system does recognize the fingerprint, because each user can have a stored profile, which personalizes the phone for him or her.

For example, a child may have the phone set so that it can do nothing but call home, no matter which button it presses. Older users may have their personal phone books automatically loaded and certain calling privileges activated or blocked. And, of course, with the right standards in place, the sensor can be part of a verification and authentication system for electronic commerce. -MJR


tical transmitters manufactured on the same assembly line to the same specifications have slight differences, which are sufficient for PhonePrint (as Corsair named its product) to tell them apart.

PhonePrint is a combination of hardware and software that cellular operators install in base stations in high-fraud areas. Once installed, it characterizes all the handsets that ask it for service (by monitoring the reverse control channel) and creates a database of their RF signatures, or fingerprints. The database soon acquires entries for almost all of the active users in the area. On subsequent service requests, PhonePrint compares the stored signature with the live one. If they fail to match, the call is torn down, that is, broken before it can be completed.

PhonePrint had its origins at TRW Inc., from which Corsair spun off in 1994. The Cleveland, Ohio, company developed similar systems for military use. Such systems can tell that an enemy unit supposedly stationed at position X has in fact moved to position Y by recognizing the RF signatures associated with the unit's radios. Obviously, as this feat implies, RF fingerprinting will work with any phone, and indeed with any transmitter. It is therefore particularly suitable for legacy analog cell phones, which have no built-in fraud-fighting provisions.

How effective is it against cloning fraud? According to Martin, Corsair to date has torn down over 300 million calls.

AUTHENTICATION SECRETS

With the advent of digital and more advanced analog phones, an even more effective fraud-fighting technology came into use: authentication. A sort of handshaking process, authentication makes use of secret numbers that are stored in the phone and known to the network, but never passed over the air. Every time a call is made, the network sends the handset a random number, which the handset then combines with its secret number using an algorithm designed for the task. The result is another random number that the handset sends back to the network, which has meanwhile performed the same calculations. If the numbers match, the call is completed; if not, it is not.

The algorithm is designed to avalanche very quickly. If the input numbers are off by even a single bit, the resulting number will not even be close to the right answer. Since a different random number is used for each challenge, an eavesdropper would have a hard time figuring out a phone's secret number. This is not to suggest that sophisticated code crackers could not do it (the experts at the National Security Agency would probably consider it a warm-up exercise), but even high-level criminals rarely have access to the required expertise or equipment.

Criminals, by the way, generally clone cell phones not for economic reasons, but rather in the pursuit of anonymity. Mary Riley, a special agent with the Secret Service, told IEEE Spectrum that 80 percent of narcotics dealers arrested in 1998 were found to be in possession of cloned phones, according to testimony from the Drug Enforcement Administration, Arlington, Va.

Call counting is another technique that can be used instead of (more often, in addition to) authentication. Like authentication, it requires a phone capable of performing its part of the process. With call counting, both the handset and the network track the number of calls made by the handset. Those numbers are compared whenever a call is made. If they do not match, or if they disagree by more than a specified amount (generally one call), then the call is not allowed. Obviously, if someone has cloned a phone, then both he and the legitimate users will be making calls, so the network will have their combined number, while each handset will have only its own.
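The handshake and the call-count check described above, as an added sketch that is not from the article or from any carrier's system. HMAC-SHA256 stands in for the unnamed cellular algorithm, and the response length, class names, phone id and secret are assumptions constructed for the example.

```python
"""Challenge-response authentication plus call counting (illustrative sketch)."""
import hashlib
import hmac
import secrets

RESPONSE_BYTES = 4    # assumed response size; the article does not give one
COUNT_TOLERANCE = 1   # "generally one call", per the article


def auth_response(secret: bytes, challenge: bytes) -> bytes:
    """Combine the stored secret with the network's random number.

    HMAC-SHA256 is a stand-in for the "algorithm designed for the task".
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:RESPONSE_BYTES]


def avalanche_bits(secret: bytes, challenge: bytes) -> int:
    """Count response bits that change when one challenge bit is flipped."""
    flipped = bytes([challenge[0] ^ 0x01]) + challenge[1:]
    a = auth_response(secret, challenge)
    b = auth_response(secret, flipped)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Handset:
    def __init__(self, phone_id: str, secret: bytes, call_count: int = 0):
        self.phone_id = phone_id
        self.secret = secret            # stored in the phone, never transmitted
        self.call_count = call_count    # the handset's own tally

    def respond(self, challenge: bytes):
        """Only the response and the call count go over the air."""
        return auth_response(self.secret, challenge), self.call_count

    def call_completed(self) -> None:
        self.call_count += 1


class Network:
    def __init__(self):
        self._secrets = {}
        self._counts = {}

    def provision(self, phone_id: str, secret: bytes) -> None:
        self._secrets[phone_id] = secret
        self._counts[phone_id] = 0

    def place_call(self, handset: Handset) -> str:
        phone_id = handset.phone_id
        if phone_id not in self._secrets:
            return "denied: unknown subscriber"
        challenge = secrets.token_bytes(16)   # a different random number per call
        response, reported = handset.respond(challenge)
        expected = auth_response(self._secrets[phone_id], challenge)
        if not hmac.compare_digest(response, expected):
            return "denied: authentication failed"
        if abs(self._counts[phone_id] - reported) > COUNT_TOLERANCE:
            return "denied: call count mismatch"
        self._counts[phone_id] += 1
        handset.call_completed()
        return "completed"


def demo():
    """Run a constructed scenario and return the outcome of each call attempt."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    net = Network()
    net.provision("PHONE-A", secret)
    legit = Handset("PHONE-A", secret)
    outcomes = [net.place_call(legit)]          # network 0, handset 0

    # A handset that knows only the sniffed phone id cannot answer the challenge.
    id_only = Handset("PHONE-A", bytes(16))
    outcomes.append(net.place_call(id_only))

    # A handset carrying a full copy of the secret and the counter passes
    # authentication, but its calls push the network tally past what the
    # original handset has recorded.
    copy = Handset("PHONE-A", secret, legit.call_count)
    outcomes.append(net.place_call(copy))       # network 1, copy 1
    outcomes.append(net.place_call(copy))       # network 2, copy 2
    outcomes.append(net.place_call(legit))      # network 3, legit 1: off by 2
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
    print("bits changed by a one-bit flip:", avalanche_bits(b"k" * 16, b"c" * 16))
```

In this scenario the mismatch surfaces on the original handset's next call, which is the point at which the network learns that two devices are sharing one identity.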

RF fingerprinting and authentication, between them, have proven extremely effective. According to Rick Kemper, CTIA director for wireless technology and security, cloning fraud has dropped about 95 percent over the past four to five years. It has been replaced, however, by another kind of fraud called identity theft, also known as subscription fraud.

WHO ARE YOU?

Criminals, like electrons, tend to take the path of least resistance. Make it really hard to steal what they want one way, and they find a different way to get it. In the case of cell phones (or, more accurately, cell phone service), the defenses in place against cloning have motivated criminals to adopt the various techniques used by credit card thieves, which are all lumped together under the rubric of subscriber fraud.

As with cloning, the industry's first defensive move was to persuade Congress to strengthen the relevant statute (in this case, Title 18, Section 1028 of the US Code, Fraud and related activity in connection with identification documents and information). As the law now stands, it is a federal crime merely to steal someone's identity information with intent to defraud. Previously, the Government had to wait till fraud was committed before it could act.

The industry became particularly susceptible to subscriber fraud when it started pursuing new customers through such nontraditional channels as telemarketing and the Internet. Previously, cell phone service was mostly purchased in face-to-face transactions in company-owned stores, and clerks could do things like check photo IDs to verify a customer's identity. Now companies are finding they will have to get back to the basics if they are to keep subscriber fraud losses at a tolerable level. They are going to have to verify addresses against credit card data bases, for example. But as Steven Lum, director of fraud detection at AT&T Wireless Services Inc., Paramus, N.J., pointed out, there are legitimate reasons for discrepancies, since people may have just moved or they may maintain multiple residences. So methods must be developed for screening out bad risks without turning off legitimate customers.

Technology as such is of limited value in this area. One thing computers are being used to do is keep track of subscriber calling patterns: the numbers they tend to call or receive calls from. If a subscriber is terminated for nonpayment of bills, and if a new subscriber shows up with pretty much the same calling pattern, then an alarm can be raised, calling attention to the possibility that this may be the same person, and the company can look more closely at him.
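One way the calling-pattern comparison above could be implemented, as an added example that is not the article's or any carrier's code. The cosine-similarity measure, both thresholds, the account ids and the call records are assumptions constructed for illustration.

```python
"""Flag new accounts whose calling pattern resembles a terminated account's."""
from collections import Counter
from math import sqrt

MIN_CALLS = 5          # assumed: too few calls give no usable pattern
ALERT_THRESHOLD = 0.6  # assumed: similarity at or above this prompts a review


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Compare two call-frequency profiles; 1.0 means identical proportions."""
    dot = sum(a[number] * b[number] for number in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def review_new_account(new_calls, terminated):
    """Return (terminated account, score) pairs worth a closer manual look.

    A match is only a prompt for review, since unrelated people can share
    a few frequently called numbers.
    """
    if len(new_calls) < MIN_CALLS:
        return []
    new_profile = Counter(new_calls)
    alerts = []
    for account, old_calls in terminated.items():
        score = cosine_similarity(new_profile, Counter(old_calls))
        if score >= ALERT_THRESHOLD:
            alerts.append((account, round(score, 2)))
    return sorted(alerts, key=lambda item: item[1], reverse=True)


# Constructed sample data: numbers called by accounts terminated for nonpayment.
TERMINATED = {
    "T-1001": ["555-0101"] * 5 + ["555-0102"] * 3 + ["555-0103"] * 2,
    "T-1002": ["555-0150"] * 4 + ["555-0151"] * 4 + ["555-0101"] * 1,
}

# Constructed sample data: the first calls made on a newly opened account.
NEW_ACCOUNT_CALLS = (
    ["555-0101"] * 4 + ["555-0102"] * 3 + ["555-0103"] + ["555-0199"]
)

if __name__ == "__main__":
    for account, score in review_new_account(NEW_ACCOUNT_CALLS, TERMINATED):
        print(f"review: pattern resembles terminated account {account} ({score})")
```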

SUBSIDY LOSS

According to Ericsson's Tom Deitrich, a major problem, especially in Latin America, is what he calls phones moving sideways through the distribution channels. Cellular handsets are often heavily subsidized by service providers, who supply them to subscribers on condition that the subscribers remain with the company for a specific period, typically a year. But what sometimes happens is that the phones wind up being activated on some other carrier's network.

A distributor, for example, who has purchased a batch of subsidized handsets at a low price from one carrier may find that he can sell them at a handsome profit to a dealer who is not affiliated with that carrier. In Latin America, that dealer may not even be in the same country as the distributor. The result: the carrier loses the money it invested in subsidizing the phone.

As with subscriber fraud, the remedy is mostly a matter of running a tighter ship. But Deitrich expects some sort of technological fix will also be developed, which he described as an authentication kind of approach for the activation process. He foresees it showing up in some second-generation phones, and believes it will be part of any third-generation deployment.

TO PROBE FURTHER

For some statistical highlights on cellular phone fraud, see the Web page maintained by the Cellular Telecommunications Industry Association at http://www.wow-com.com/consumer/faqs/faq_fraud.cfm

To learn about third-generation cellular telephony (and also some basic cell phone history), see The Mobile Phone Meets the Internet, by Malcolm W. Oliphant, IEEE Spectrum, August 1999, pp. 20-28. It is on the Web at http://teaser.ieee.org/pubs/spectrum/9908/cell.html

IEEE SPECTRUM JUNE 2000
