FRAUD REPORT 2019 The Evolution of Fraud Management
October 2019
in partnership with
This report has been commissioned by:
ITW Global Leaders’ Forum (GLF) is a network of the leaders from the world’s largest international carriers, who convene to discuss strategic issues and to agree collaborative activities with the aim of driving the next phase of growth for the industry.
For more information please contact Jussi Makela at:
The report has been compiled and written by:
Delta Partners is a leading advisory and investment integrated platform globally. We are a unique hub for people, capital and knowledge to address challenges and opportunities in a transforming TMT industry. Our unique business model enables us to serve our TMT clients through our three business lines, Management Consulting, Corporate Finance and Private Equity.
For more information please contact Sam Evans at:
FOREWORD
Report contributors
Daniel Kurgan, CEO, BICS and Chair of GLF Fraud Working Group
This is the second of what has now become the benchmark annual report on fraudulent traffic in the international telecoms industry. It demonstrates the on-going leadership on this topic which we in the GLF seek to take to ensure that reducing fraudulent traffic is a key focus on the executive agendas. In this year’s report we have expanded industry engagement, with both carriers and technology providers, to take a deeper look at the trends of the past twelve months and what we, as an industry, need to be focused on going forward.
Industry collaboration continues to be critical in our fight against fraud – not only do we as carriers need to engage with each other to identify and stop fraudulent traffic but we need to continue to strengthen the dialogue with technology providers so that they are developing the solutions that will serve us in the 5G IoT era. Defeating fraudulent traffic is an area we should work collectively for the greater industry and societal good.
I sincerely thank my colleagues in the GLF for their support in raising the fight against fraudulent traffic higher in their agendas, taking action within their own organizations and participating in this industry initiative. The initial results from the past 12 months demonstrate we are moving in the right direction as we strive, together, towards a fraud-free future!
Jussi Makela, Director, GLF
The ITW Global Leaders Forum exists to be the “voice of the global carrier industry providing leadership and direction to interconnect the digital world”. Its efforts on the reduction of fraudulent traffic are one such embodiment of this mission. Since the Code of Conduct was launched in March 2018 many of the leading international carriers have signed and through collaboration with the CFCA, GLF is seeking to expand its efforts beyond purely the international carriers.
This year’s report is produced from feedback from over 30 international carriers as well as an extensive interview program with technology providers who are developing solutions to reduce fraudulent traffic. We look at the evolution of fraud from the past 12 months based on the carrier survey but we also take a forward-looking view of how both the evolution in networking such as 5G and IoT, and technologies such as blockchain, automation and artificial intelligence are changing the landscape.
We aim that this GLF report becomes the annual ‘temperature check’ for the telecoms industry on its fight against fraudulent traffic as well as helping organizations set their priorities going forward. We have seen how the 2018 report stimulated strong dialogue within and between carriers and we hope that this will continue through this year’s report.
CONTENTS
Executive Summary
List of Exhibits
Part 1: Evolution of fraudulent traffic
1. A sustained carrier priority
2. Growth in IRSF, and the on-going Wangiri challenge
3. The rise of robocalling
Part 2: Enhancing carriers’ response
1. Increase in awareness of the importance of fraud management
2. In from the cold: integrating fraud management into normal business decisions
3. It adds up: the business case of fraud prevention
Part 3: Moving beyond voice
1. Threats from new technology: if not today, in the near future
2. IoT’s massive scale – creating a new fraud risk?
3. IP centered threat with the emergence of 5G
Part 4: Impact of technology evolution
1. As network technology advances, so must fraud management systems
2. Answer to “scale”: Layered security in IoT to scale fraud management
3. Answer to “analog”: eSIM technology to digitize fraud management
4. Answer to “slow”: NFV for real-time fraud management
Part 5: Harnessing innovation
1. The evolution of fraud management systems
2. Big Data: helping find the needle in a stack of needles
3. Blockchain: early stage but future potential
4. Machine learning and automation: getting in-front of the fraudsters
Part 6: The on-going need for collaboration
1. The criticality of enabling greater information sharing
2. GLF Code of Conduct: from commitment to enforcement
3. Industry collaboration: looking beyond the Code of Conduct
EXECUTIVE SUMMARY
1. Fraud continues to be a key topic for international carriers - 80% of carriers cite fraudulent traffic management as a “strategic” or “top priority”. In over 50% of carriers, it has increased its importance in the past year.
2. While International Revenue Share Fraud (IRSF) is experiencing the greatest growth, Missed Call Campaign, or Wangiri, continues to be a top-of-mind concern for many carriers given the challenges to identify and block the traffic. However, its value is significantly reducing.
3. Robocalling is an increasingly prevalent form of fraudulent traffic. While the nature of robocalling differs from other fraudulent traffic types, its impact is from the behavior, such as social security scams, which it enables.
4. Awareness of the impacts of fraud and the actions taken to manage fraud has grown much more common – at all levels in the organization including the CEO – with an increase in importance within 58% of surveyed organizations.
5. Awareness of fraud is becoming less contained solely in fraud management teams and being increasingly integrated into the course of normal business.
6. Carriers are associating successful fraud management with improved service quality. Direct financial benefit is being recognized as some customers are willing to pay a premium to avoid high-risk carriers.
7. The technology advancements of IoT, 5G, and edge computing have opened potential opportunities for new fraud types such as Virtual machines/emulators, bots, man-in-the-middle attacks, and distributed device hacks.
8. IoT’s future scale presents a threat multiplier as more devices bring more vulnerabilities to the network and the volume of traffic and transactions occurring on the network complicates fraud management.
9. The digitization of traffic widens the pool of potential fraudsters as internet-based hackers’ knowledge and methods find applicability on telecoms networks.
10. As network technology advances, fraud management tools and practices must adapt to new requirements by improving along three requirements: scale, digitization and speed.
11. Scale: To address the massive scale of the future network, security must be embedded from components all the way to network architecture in a layered approach and following the principle of least privilege.
12. Digitization: eSIMs are a simple but effective measure to digitize a fraud management practice, eliminate a common fraud use-case, and enable more security control over the network by carriers.
13. Speed: Network Function Virtualization (NFV) opens several new opportunities for fraud management enabling flexible architecture to manage fraud better and enable specific solutions to combat specific fraud types.
14. Carriers perceive fraud management tools to have a significant potential impact on reducing fraud with the most potential associated with AI/ML, big data, automation, and blockchain.
15. Big data is foundational to effectively deploy AI/ML and automation due to their reliance on timely, accurate data with enough volume to build algorithms to discern legitimate from fraudulent traffic.
16. Blockchain is in its early stages but shows promise to overcome the conflicting goals of sharing fraud management information between carriers while protecting proprietary routes.
17. Machine learning and automation are effective due to advancements in capabilities including blocking traffic on a call-by-call basis, and development of trust in the accuracy of machine-generated decisions to block traffic.
18. Information sharing between carriers is critical with carriers aspiring to build a global dialing number reference and a pooled dataset of documented fraudulent traffic.
19. Beyond signing the GLF Code of Conduct, carriers seek an accountability mechanism to ensure signatories meet commitments. The recommendation is that signatories incorporate fraud management and dispute reconciliation in all contracts with suppliers and customers.
20. Carriers recognize that collectively the industry is much more capable of reducing fraud than any carrier in isolation; the short-term objectives of collaboration and aligned reporting can lead to a formal communication network and database on white-/black-listed number ranges and networks.
LIST OF EXHIBITS
1. Evolution of fraudulent traffic
EXHIBIT 1: Comparing importance of fraudulent traffic in carriers
EXHIBIT 2: Assessing the change in volume and impact of fraudulent traffic
EXHIBIT 3: Perceptions of volume by type of fraudulent traffic
EXHIBIT 4: Perceptions of financial impact by type of fraudulent traffic
EXHIBIT 5: Overview of Missed Call Campaign (Wangiri) process
EXHIBIT 6: Overview of robocalling process
2. Enhancing carriers’ response
EXHIBIT 7: Changing organizational importance of fraudulent traffic management
EXHIBIT 8: Fraud management staff: change in last 12 months and next 12 months
EXHIBIT 9: Comparing prioritization of fraud with the number of FTE allocated to fraudulent traffic
EXHIBIT 10: Adoption of i3 Forum KPIs
EXHIBIT 11: Carriers’ correlation of value lost to fraud and organizational behavior
3. Moving beyond voice
EXHIBIT 12: Evidence of emerging fraud types
EXHIBIT 13: Overview of virtual machine / emulator fraudulent traffic process
EXHIBIT 14: Overview of fraudulent identity (bot) process
EXHIBIT 15: Overview of man-in-the-middle attack process
EXHIBIT 16: Comparison of PBX hack and distributed device hack process
4. Impact of technology evolution
EXHIBIT 17: Three requirements of future FMS
EXHIBIT 18: Depiction of security implemented in each of the logical layers in a network
EXHIBIT 19: Depiction of model network organized by physical location vs logical organization
5. Harnessing innovation
EXHIBIT 20: Predicted impact of emerging technologies
EXHIBIT 21: Growing trend in big data ask
EXHIBIT 22: Current state and future use-cases of blockchain
EXHIBIT 23: OODA loop improvement the AI/ML and automation
6. The on-going need for collaboration
EXHIBIT 24: Adherence to GLF Code of Conduct
EXHIBIT 25: Comparing the organisational importance and commitment to the CoC
EXHIBIT 26: Self attesting as the next step of signatories
PART 1: EVOLUTION OF FRAUDULENT TRAFFIC
1. Fraud continues to be a key topic for international carriers - 80% of carriers cite fraudulent traffic management as a “strategic” or “top priority”. In over 50% of carriers, it has increased its importance in the past year.
2. While International Revenue Share Fraud (IRSF) is experiencing the greatest growth, Missed Call Campaign, or Wangiri, continues to be a top-of-mind concern for many carriers given the challenges to identify and block the traffic. However, its value is significantly reducing.
3. Robocalling is an increasingly prevalent form of fraudulent traffic. While the nature of robocalling differs from other fraudulent traffic types, its impact is from the behavior, such as social security scams, which it enables.
1. A SUSTAINED CARRIER PRIORITY
The telecom industry’s approach to fraud has undergone significant change within the last few years. Historically, fraud was viewed as a “nuisance” or “annoyance” but one that was simply the cost of doing business. However, there have been increasing efforts made to manage fraudulent traffic given the increasing cost that it can cause underpinned by the proliferation of access to technology.
In the last 12 months, since the publication of the first GLF Fraud Report in October 2018, fraud continues to be a priority for the majority of carriers. In the 2019 GLF Fraud Survey, 80% of carriers noted that fraud is a ‘strategic’ or ‘top’ priority compared with 85% in 2018. Furthermore, 56% of carriers said that the importance of fraud was increasing in their organization, compared with 74% in 2018. Much of the apparent reduction in priority and importance comes from the new respondents to the fraud survey, suggesting that prioritization is highest in the core GLF membership that also participated in 2018.
When comparing a subset of carriers who answered in both years, 80% said that fraud is a ‘strategic’ or ‘top’ priority in both 2018 and 2019. This reduction in priority and importance did not come across in the interviews with carriers and vendors who unanimously spoke of greater use and acceptance of a Fraud Management System (FMS) and a general, gradual shift in carriers’ attitude towards fraud.
Many carriers noted a recent upward trend in companies’ appetite to combat fraud. It was reported by carriers that “absolutely yes, there has been an upward trend for the last three years with an increased interest in combating fraud. MNO used to be the only ones that cared, but recent history has shown that more wholesalers are getting more involved as well.” One carrier went as far as to say fraud was comparable to price in importance noting that “more people realize that fraud is just as important as cost/quality.”
EXHIBIT 1: COMPARING IMPORTANCE OF FRAUDULENT TRAFFIC IN CARRIERS
[Figure: two charts of % responses comparing 2018 and 2019. Question 1: “Where would you rank the importance of fraudulent traffic as a topic in your organization?” (categories include Same as Business as Usual, Strategic priority and Top priority). Question 2: “How has the importance of fraudulent traffic management in your organization changed over the past 12 months?” (Significantly reducing, Slightly reducing, Staying the same, Marginally increasing, Significantly increasing).]
Notes: 1 n=45, 2 n=44, respondents without a response were not counted; Source: GLF Survey 2019, Delta Partners Analysis
Beyond carriers, technology providers have seen an evolution in the telecom industry’s focus on fraudulent traffic. One vendor noted that “historically [carriers] were comfortable with losing a certain amount but now we are running auto ID block at switch level before a call is even connected.” Through interview discussions, carriers shared their increasing take-up of fraud management systems (“FMS”) noting that FMS has a demonstrable return-on-investment.
When pressed on the value of FMS many carriers commented on the reputational impact of their relationship with fraud as well as the benefits in call quality from proactively removing fraudulent traffic. One explained that “no customer will come directly to you because of fraud management, but, let them get wooed away for an on-paper margin improvement, when they come back fraud will be just as important to them as cost and quality”. There are limits to the value of an FMS; carriers noted that cost continues to be the primary driver of competition in the industry. However, there has been a shift in the past year with the increasing importance of non-cost factors including reputation for ‘clean’ traffic in particular.
2. GROWTH IN IRSF, AND THE ON-GOING WANGIRI CHALLENGE
In the on-going arms race of combating fraud, the effectiveness of different fraud types changes over time. Efforts to reduce or eliminate one fraud type can push fraudsters to pursue other options. This is evident in the GLF Fraud Survey responses, which show that techniques are evolving and that the sophistication of both the fraud perpetrators and carriers’ efforts to detect and eliminate fraud is increasing over time. An increase in awareness, changes in fraud management practice, and implementation of an FMS were all efforts made by carriers. Conversely, a shift of fraud traffic to Wangiri and scam robocalling, as well as evolving techniques and more sophisticated methods of fraud, were mentioned as the opposition from fraudsters shifts to the lowest hanging fruit.
At an overall level, this year’s survey showed a reduction in the share of carriers that said fraudulent traffic was increasing in terms of volume and impact from 45% in 2018 to 33% in 2019. Where fraudulent traffic was ‘significantly increasing’ in 2018 for 25% of carriers, this has reduced to 13% in 2019.
In speaking to carriers, it is evident that there have been reductions in instances of False Answer Supervision and Call Hijacking, while there has been an increase in Missed Call Campaigns, also known as Wangiri, PBX hack, and IRSF. IRSF growth tended to coincide with an improvement of fraud detection capabilities. The majority of respondents reported an increase of IRSF after a new implementation of FMS, an upgrade of an FMS, or an increase in vigilance/awareness. Wangiri lost the top spot as the fastest-growing fraud type based on the survey data but was listed as one of the most prevalent fraud types by nearly every carrier interviewed.
EXHIBIT 2: ASSESSING THE CHANGE IN VOLUME AND IMPACT OF FRAUDULENT TRAFFIC
How has the VOLUME AND IMPACT of fraudulent traffic hitting your organization CHANGED in the past 12 months? (% responses)
2018: Significantly increasing 25%; Marginally increasing 20%; Staying the same 5%; Slightly reducing 30%; Significantly reducing 20%
2019: Significantly increasing 13%; Marginally increasing 20%; Staying the same 20%; Slightly reducing 34%; Significantly reducing 13%
Notes: 1 n=45, respondents without a response were not counted
Source: GLF Survey 2018-2019, Delta Partners Analysis
EXHIBIT 3: PERCEPTIONS OF VOLUME BY TYPE OF FRAUDULENT TRAFFIC
By use-case, what level of VOLUME are you experiencing? (from 1-5, with one being lowest and 5 being highest) (% responses)
IRSF (n=39): Very High 36%; Somewhat High 41%; Moderate 10%; Somewhat Low 8%; Very Low 5%
PBX hacking (n=41): Very High 15%; Somewhat High 41%; Moderate 12%; Somewhat Low 15%; Very Low 17%
Missed Call Campaigns (n=38): Very High 24%; Somewhat High 21%; Moderate 16%; Somewhat Low 21%; Very Low 18%
Calls to manipulated B numbers (n=42): Very High 22%; Somewhat High 14%; Moderate 17%; Somewhat Low 26%; Very Low 21%
Call Hijacking (n=41): Very High 10%; Somewhat High 20%; Moderate 22%; Somewhat Low 24%; Very Low 24%
FAS (n=41): Very High 17%; Somewhat High 10%; Moderate 10%; Somewhat Low 31%; Very Low 32%
Notes: respondents without a response were not counted
Source: GLF Survey 2019, Delta Partners Analysis
EXHIBIT 4: PERCEPTIONS OF FINANCIAL IMPACT BY TYPE OF FRAUDULENT TRAFFIC
[Figure: chart of % responses to “By fraud use-case, what level of FINANCIAL IMPACT are you experiencing?”, on a scale of Very High, Somewhat High, Moderate, Somewhat Low and Very Low, for IRSF, PBX hacking, Call Hijacking, Calls to manipulated B numbers, FAS and Missed Call Campaigns.]
Notes: IRSF n=41, PBX hacking n=40, Call Hijacking n=42, Calls to manipulated B numbers n=41, FAS n=40, Missed Call Campaigns n=38; respondents without a response were not counted
Source: GLF Survey 2019, Delta Partners Analysis
[Figure, Exhibit 5: Missed Call Campaign call-flow and money-flow diagram linking FraudCo, the originating operator, the wholesale carrier, the terminating operator, the called subscribers and a premium rate service. Step labels: Fraudster places call; Call routed internationally or domestically or to mobile line but with spoofed caller ID; Fraudster ends call after one ring; Subscriber returns phone call; Call routed to premium-rate number; Subscriber unknowingly calls a premium-rate number and is held on the phone for as long as possible.]
Source: Delta Partners Analysis
Wangiri continues to be reported by international carriers as one of the most widespread fraud types. However, its incidence has reportedly reduced relative to last year with 43% of respondents compared to 61% in 2018 reporting a high level of volume, and only 19% seeing a high volume impact.
The disparity between volume found in Exhibit 3 compared to financial impacts in Exhibit 4 demonstrates the high-frequency but low-value nature of this fraud. Wangiri relies on the lack of a global number registry in that carriers do not necessarily know that a number is premium-rate.
Outside of knowing the country destination, carriers do not currently have a system in place to identify premium-rate numbers. Carriers have to collect enough data through identified fraud destinations – typically after one or more successful fraud transactions occur – before they can establish a pattern and block calls. Once a number is blocked, the fraudsters can then just migrate to another premium-rate number and restart the pattern. Wangiri can be difficult to identify and block because the nature of the fraud takes advantage of customer behavior to return missed calls. The customer unknowingly ends up being the initiating source of the fraudulent traffic.
Current efforts to stop Wangiri attacks have focused on improving information flow between carriers; the intent is to flag potential Wangiri sources and share information on premium-rate numbers so that, collectively, carriers can build a more complete picture and more quickly shut down Wangiri fraud operations. Technology providers are developing solutions that target Wangiri, in some cases leveraging blockchain technology (See Chapter 3 for a detailed assessment of emerging technologies). Beyond blockchain, some success in reducing Wangiri has been delivered through a ‘shared blacklist’ approach where carriers share information between each other on confirmed sources of Wangiri. To be blacklisted, there needs to be evidence, which due to the nature of the fraudulent traffic can be challenging but customers are reporting cases to each other. Further efforts in addressing Wangiri are focused on improving the information available to identify and block the sources of fraud (See Chapter 5 for a detailed assessment of two different strategies to address Wangiri and see Chapter 6 for industry collaboration).
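The pattern-building step described above (one-ring calls to many subscribers, followed by callbacks that are held on the line, and migration to another number once one is blocked) can be written as detection logic over call detail records. This is an added example, not part of the GLF report: the CDR fields, thresholds and phone numbers are constructed assumptions, and grouping flagged numbers by leading digits goes slightly beyond the text to show why range-level evidence is worth sharing.

```python
"""Wangiri candidate detection over call detail records (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CDR:
    ts: int        # seconds since start of the capture
    a: str         # calling (A) number
    b: str         # called (B) number
    ring_s: float  # seconds of ringing before answer or hang-up
    talk_s: float  # answered duration in seconds, 0 if never answered


# All thresholds below are assumptions for the example, not industry values.
MAX_RING_S = 3.0              # "one ring", then the caller hangs up
MIN_TARGETS = 5               # distinct subscribers hit by one A-number
CALLBACK_WINDOW_S = 6 * 3600  # how long after the missed call a return counts
MIN_CALLBACK_RATIO = 0.2      # share of targets that return the missed call
RANGE_DIGITS = 9              # leading characters treated as one number range


def find_wangiri_sources(cdrs):
    """Return one finding per A-number that shows the missed-call pattern."""
    missed = defaultdict(dict)   # source -> {target: time of first missed call}
    inbound = defaultdict(list)  # destination -> answered calls made to it
    for c in cdrs:
        if c.talk_s == 0 and c.ring_s <= MAX_RING_S:
            missed[c.a].setdefault(c.b, c.ts)
        elif c.talk_s > 0:
            inbound[c.b].append(c)

    findings = []
    for source, targets in missed.items():
        if len(targets) < MIN_TARGETS:
            continue  # an ordinary missed call between two people
        # Answered calls back to the source, made by a subscriber it rang first.
        callbacks = [
            c for c in inbound[source]
            if c.a in targets and 0 < c.ts - targets[c.a] <= CALLBACK_WINDOW_S
        ]
        ratio = len({c.a for c in callbacks}) / len(targets)
        if ratio >= MIN_CALLBACK_RATIO:
            findings.append({
                "source": source,
                "targets": len(targets),
                "callback_ratio": round(ratio, 2),
                "callback_minutes": round(sum(c.talk_s for c in callbacks) / 60, 1),
            })
    return sorted(findings, key=lambda f: f["source"])


def ranges_to_review(findings):
    """Group flagged sources by leading digits; several flagged numbers in one
    range suggest migration to a neighbouring number after a block."""
    by_range = defaultdict(list)
    for f in findings:
        by_range[f["source"][:RANGE_DIGITS]].append(f["source"])
    return {r: nums for r, nums in by_range.items() if len(nums) > 1}


def sample_cdrs():
    """Constructed records; +999 is not an assigned country code."""
    subs = [f"+9991000{i:04d}" for i in range(10)]
    cdrs = []
    # Two numbers in the same range each ring ten subscribers once.
    for n, src in enumerate(["+99977001234", "+99977001299"]):
        base = n * 86400
        for i, sub in enumerate(subs):
            cdrs.append(CDR(base + i, src, sub, 1.5, 0))
        for i, sub in enumerate(subs[:3]):  # three subscribers call back
            cdrs.append(CDR(base + 1800 + i, sub, src, 4.0, 240.0))
    # Legitimate outbound dialler: many calls, but they are answered.
    for i, sub in enumerate(subs):
        cdrs.append(CDR(5000 + i, "+99920005000", sub, 8.0, 95.0))
    # Ordinary missed call between two subscribers, returned later.
    cdrs.append(CDR(7000, subs[0], subs[1], 2.0, 0))
    cdrs.append(CDR(7600, subs[1], subs[0], 5.0, 60.0))
    return cdrs


if __name__ == "__main__":
    found = find_wangiri_sources(sample_cdrs())
    for f in found:
        print(f)
    print("ranges to review:", ranges_to_review(found))
```

The callback check is what separates this pattern from a legitimate dialler: the answered outbound campaign and the single returned missed call in the sample are both left unflagged.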
Source: i3 Forum fraud definitions
EXHIBIT 5: OVERVIEW OF MISSED CALL CAMPAIGN (WANGIRI) PROCESS
3. THE RISE OF ROBOCALLING
Robocalling was a new ‘use-case’ of fraudulent traffic which was mentioned in this year’s survey in open response sections that did not appear in the 2018 survey results or in the interviews conducted during last year’s report.
Robocalling, as a practice, is one used by telemarketing campaigns throughout the world legitimately. Robocalling becomes fraudulent when it is utilized to disseminate a fraud instead of a legitimate service or product. The call, by itself, does not meet the traditional definition of fraud in line with other types in this report; rather, the content of the call is what defines the call as fraudulent. Research from this report identified that robocalling is increasingly top of mind for many carriers given its recent increase in proliferation, profile, and impact. Once a customer is on the phone, the robocalling perpetrators seek to deploy several activities as different types of entities to gather personally identifiable information, access a computer, or obtain financial access. Examples of these kinds of frauds in the US are:
1) Tech support scams1 – Fraudsters will call posing as tech support from a large tech company a subscriber is likely to have some contact with, such as Microsoft. Fraudsters might spoof the caller ID to a legitimate tech support line. The call will request the user install a seemingly innocent program, such as a virus scan, but the download will give the fraudsters access to the user’s files and personal info, such as PII, credit card information, login credentials, or bank information.
2) Social security scams2 – Posing as a government entity (potentially spoofing the agency’s caller ID), fraudsters will present a plausible scenario where a user’s tax return is vulnerable, or further information is needed to process a payment. During the conversation the fraudsters will try to get the user to confirm a social security number and/or a number of personal or bank details.
3) Credit card interest rate reduction scams3 – Fraudsters will pose as a debt consolidation service or other financial service firms (potentially spoofing a legitimate purveyor of the service). The fraudster will then try to get the user to divulge personal or bank details.
1 https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams
2 https://www.consumer.ftc.gov/blog/2018/12/what-social-security-scam-sounds
3 https://www.consumer.ftc.gov/articles/0131-credit-card-interest-rate-reduction-scams
Robocalling is increasingly prevalent, in part, due to its mimicry of legitimate telemarketing as well as the reduction in other types of fraud. As was stated in last year’s report, there is always a back and forth battle against fraud; as one weakness is resolved, another weakness will likely be exploited. Robocalling exploits the fact that it’s perpetrated from international jurisdictions with little or no chance for legal repercussions for the fraudsters, and it is low-cost to deploy with a low level of technology sophistication required. Similar in nature to traditional telemarketing, robocalling has relied on VoIP to reduce the cost of voice connectivity and spoofed numbers (strategically spoofed to be similar in area code to your own telephone number). These practices, while irritating to the customer, become a top-of-mind issue for carriers due to the scale of the problem. As customers are agitated, they direct their displeasure towards their carrier in turn. One carrier noted “fraudulent robocalling is difficult to detect and combat. To stop it, I have to involve sales and network teams… Robocalling has become a daily problem for me personally because of the volume of calls involved. There is a real impact on customers. We definitely don’t want our brand associated with that traffic.” Other research validates this notion; YouMail estimated4 that in only one month (August 2019) approximately 2.1 billion scam robocalls were placed in the US.
EXHIBIT 6: OVERVIEW OF ROBOCALLING PROCESS
[Figure: Robocalling call-flow and money-flow diagram linking FraudCo, the wholesale carrier, the terminating operator and the called subscribers. Step labels: Fraudster places call; Call routed internationally or domestically or to mobile line but with spoofed caller ID; Called subscriber answers and is conned by a variety of different scams.]
Source: Delta Partners Analysis
This volume of robocalling has induced responses from local, state, and national governments in the US, including “Operation Call it Quits”, a program launched by the Federal Trade Commission targeting robocalls, which includes a surge in legal actions directed at the operations of robocalls in the US. To combat the rise of robocalling, North American carriers are reportedly focused on creating standards5 to eliminate the possibility of caller ID spoofing, called “Signature-based Handling of Asserted Information Using toKENs (SHAKEN)” and the Secure Telephone Identity Revisited (STIR) standards. The results of this implementation, as well as the effectiveness of the standard, will be closely watched by carriers around the world, especially in Europe and Asia where the problem of robocalling is smaller but building.
4 https://robocallindex.com/
5 https://www.fcc.gov/call-authentication
PART 2: ENHANCING CARRIERS’ RESPONSE
1. Awareness of the impacts of fraud and the actions taken to manage fraud has grown much more common – at all levels in the organization including the CEO – with an increase in importance within 58% of surveyed organizations.
2. Awareness of fraud is becoming less contained solely in fraud management teams and being increasingly integrated into the course of normal business.
3. Carriers are associating successful fraud management with improved service quality. Direct financial benefit is being recognized as some customers are willing to pay a premium to avoid high-risk carriers.
1. INCREASE IN AWARENESS OF THE IMPORTANCE OF FRAUD MANAGEMENT
Awareness of fraudulent traffic is increasing across the industry. Interviewees for this report held roles which require significant time devoted to fraud management, and the vast majority spoke of a general increase in awareness from their colleagues with little to no direct involvement in fraud management.
One fraud management system (FMS) professional noted “A few years ago FMS just wasn’t taken very seriously. I have pushed training and regularly present case studies in broader team meetings and quarterly meetings. At this point, everyone is now aware [of fraud, fraud impacts, and the function of the FMS team] from the clerk in accounting all the way to the CEO.” Survey respondents corroborated this statement with fraud management seeing an increase in importance within 58% of organizations in the last 12 months.
Multiple interviewees mentioned the fact that awareness of fraud and the potential impact of fraud on the business has become top-of-mind for managers of international traffic. A few years ago, a region manager might have been aware of fraud as merely a cost of doing business. Today, the trade-offs involved in different levels of fraud risk have become real considerations and, in some cases, significant selection criteria for route selection by customers as some customers are willing to pay more for routes with less fraudulent traffic. One particularly vocal supporter of FMS went as far as to say, “I have educated and demonstrated at every chance possible for years…today [fraud] is viewed much more seriously than it was in the past only a few years ago.” As the knowledge of the impact that fraud has on the end user as well as the carrier itself becomes more widespread, the potential for more business decisions to be influenced by fraud outcomes and prevention practices increases.
EXHIBIT 7: CHANGING ORGANIZATIONAL IMPORTANCE OF FRAUDULENT TRAFFIC MANAGEMENT
How has the IMPORTANCE of fraudulent traffic management in your organization CHANGED over the past 12 months? 1 (% responses)
Significantly increasing 36%; Marginally increasing 21%; Staying the same 34%; Slightly reducing 7%; Significantly reducing 2%
Notes: 1 n=44, respondents without a response were not counted
Source: GLF Survey 2019, Delta Partners Analysis
20
Survey respondents and interviewees noted FMS topics being incorporated into more normal commercial discussions as the indirect and direct economic repercussions of working with partners without an FMS are more top-of-mind. Vendors noted that at some carriers “the cost of fraud is now falling into purview of interconnect manager.” These managers have become more aware of the risks of entering into potentially risky deals as the repercussions of opening themselves up to fraud are clearer. As the impacts of fraud are being attributed directly and indirectly to specific sources of fraud, carriers become more likely to begin implementing internal accountability measures for employees. One carrier noted that, in after-action reviews following the discovery of significant fraud, the regional manager responsible for the agreement that led to the fraud is held accountable. Along with internal accountability, carriers who can show direct and indirect impacts of fraudulent traffic are also attributing that fraud to the sources. Another carrier noted “the top three dispute sources are reported to district management. When we identify fraud sources, we report it to business managers.” With general awareness of the impact of fraud on the business increasing and that fraud being attributed to its sources, it follows that some carriers will begin to exert pressure on improving their fraud profile.
PART 2: ENHANCING CARRIERS’ RESPONSE
2. IN FROM THE COLD: INTEGRATING FRAUD MANAGEMENT INTO NORMAL BUSINESS DECISIONS
EXHIBIT 8: FRAUD MANAGEMENT STAFF: CHANGE IN LAST 12 MONTHS AND NEXT 12 MONTHS
Distribution of Employee Allocation¹ (Number of FTEs; % of respondents by fraud FTE allocation)
<2: 37%
2-4: 26%
4-6: 5%
6-8: 8%
8-10: 11%
10+: 13%
How does the number of FTE focused on fraudulent traffic compare to 12 months ago?² (% responses)
Lower: 17%
Same: 50%
Higher: 33%
Do you foresee it changing in the next 12 months?³ (% responses)
Lower: 14%
Same: 46%
Higher: 40%
Notes: ¹ n=38, ² n=42, ³ n=43, respondents without a response were not counted
Source: GLF Survey 2019, Delta Partners Analysis
EXHIBIT 9: COMPARING PRIORITIZATION OF FRAUD WITH THE NUMBER OF FTE ALLOCATED TO FRAUDULENT TRAFFIC
This year’s survey showed a higher degree of bi-modal staff sizes relative to last year, with a more substantial portion of respondents with staff fewer than two as well as a larger proportion with a staff size over 10. Along with a higher degree of extremes, more carriers also reported partial participation of a greater number of adjacent employees (e.g., NOC, Sales manager). Comparing carriers with reported staff sizes in both years shows that two out of 14 carriers had a reduction in staff while eight carriers reported a larger fraud management staff in 2019 relative to 2018. These trends are corroborated by a net positive reported growth in fraud management staff as seen in Exhibit 9 (33% higher vs. 17% lower). Respondents generally expect a very similar trend in the next 12 months, with 40% of respondents expecting to increase their staff working on fraudulent traffic management.
Comparing the reported fraud management staff size with the reported prioritization afforded fraud management shows a slight positive relationship. Outliers in the top left corner and bottom right corner aside, carriers that prioritize fraud management tend to have larger staff sizes working on fraud management. The relationship is blurred by the previously mentioned outliers as well as by anticipated reductions of staff at companies that report fraud as a strategic or top priority. The survey results do not make clear whether this reflects a trade-off between investments in personnel and in technology/tools, but past interviews largely agreed that this is not normally the case.
[Exhibit 9 chart: Comparison of prioritization and number of FTEs allocated to managing fraud¹ (Number of FTEs; bubble size denotes number of respondents; color denotes plans to change headcount: planning to decrease headcount, no plans to change headcount, planning to increase headcount). X-axis: Low Priority, Same as “Business as Usual”, Strategic Priority, Top Priority. Y-axis: Number of FTEs Allocated to Fraud.]
Notes: ¹ n=36, respondents without a response were not counted
Several interviewees noted that fraud management is frequently seen as linked to call quality. Sometimes it is a direct relationship as fraud management reduces the usage of grey routes that may have CODEC translation errors and low-quality connections (e.g., SIM boxes). “When I travel in Africa I can tell when I am obviously behind a grey route as the voice quality drops significantly. It is obvious that the calls are being bypassed and routed as IP calls to a SIM box; the experience just isn’t the same, and a good FMS would solve that.” Other times fraud management is indirectly linked with quality as one carrier stated, “we do not want our brand associated with [fraudulent traffic].” This carrier, in particular, felt that fraudulent traffic put some of their long-term business relationships at risk as the prevalence of fraudulent traffic was associated with poor quality of service by their customers.
Reputational risk was cited as one of the primary motivations for fraud management. As a representative example of this, one carrier stated that, “we just don’t want our brand associated with that traffic. Our efforts can sometimes come at the cost of a short-term profit impact, but we believe it is worthwhile in the long run. Dubious carriers will propose traffic at a better rate because behind the proposal there will be a grey route.” Another carrier noted that “when managers propose going forward with what looks like a higher-risk partner, we make the GLF fraud amendment a requirement in the contract. This requirement has prevented several riskier deals from happening, and, when we do proceed with an agreement, there is a clear mechanism in place to address any issues.”
From the interviews, it seems clear that the benefits of fraud detection and prevention are being felt, to some extent, by both end users and carriers. By delivering the same service, but with fewer instances of fraud, carriers have a potential lever with which to differentiate themselves relative to competitors. Once this difference is felt and registered by wholesalers, retail carriers, and end users, there is a potential for a clear incentive for further investment in fraud detection and prevention. Avoided costs are, by nature, difficult to measure, but, over time, as fraud prevention becomes more established in carrier selection criteria, direct consequences will be attributed to the effectiveness of a carrier’s FMS.
In the interests of encouraging the sharing of information and a greater degree of collaboration, reporting standards are necessary. Without standards, measuring the success of fraud prevention efforts would be limited to internal results, making collective assessments of carrier performance nearly impossible.
As reported in the 2018 Fraud Report, the i3 Forum has established KPIs that are conducive to information sharing. These KPIs are not meant to be exhaustive, but rather to provide a platform on which further measures can be based. Survey responses show that a significant portion (see Exhibit 12) of respondents who don’t report on the Forum’s KPIs were unaware of the KPIs. Awareness is one obstacle to overcome, but the survey pointed to internal reporting inertia as a slightly larger barrier to greater adoption. The GLF recommends adoption of the i3 Forum’s KPIs to facilitate greater cooperation. Signatories of the Code of Conduct (CoC) are especially encouraged to adopt the KPIs – the survey shows that the proportion of signatories is nearly twice as high among carriers that track the KPIs as among those that do not.
As awareness increases, fraud becomes attributed to the source, and fraud management becomes linked to quality, carriers begin to recognize differences in the fraud profiles of potential partners, and some carriers will begin to value the service associated with lower levels of fraudulent traffic.
Cross-referencing the survey data identified that carriers that identified fraud as a ‘strategic’ or ‘top’ priority in many cases saw a higher impact of fraud on their networks. This was then drawn through to their measurement of fraud where ‘top priority’ ranking carriers were most likely to already be tracking the i3 Forum KPIs for fraudulent traffic and reporting to a C-level. Where carriers did not rate fraudulent traffic management as a priority only 25% stated that they are tracking the i3 Forum KPIs and in 40% of cases no metrics on fraudulent traffic were being reported to the C-level.
3. IT ADDS UP: THE BUSINESS CASE OF FRAUD PREVENTION
Some carriers will select partners based primarily on cost, and they may continue to do so regardless of fraud levels. One carrier provided the following anecdote: “I recently had contract negotiations with a number of carriers from the same country destination. There was only one carrier that was only looking for the absolute cheapest route… but I think there already is some willingness to pay for fraud management. We need to show customers the value of it.” One of the challenges, much like breaches in cyber security, is that the value of fraud management is only directly measured after a significant event. Customers’ risk calculation might underestimate the chance of significant fraud events or underestimate the impact as a result of fraud. One carrier noted that their FMS efforts have had a positive impact on customer relations that is felt over time: “I have seen a number of customers leave because of price [our being too high], but then they get burned by a low-cost competitor and come back a year later specifically because of our FMS. Carriers that don’t have an FMS are a time bomb for customers and themselves to be compromised.” Another carrier furthered this claim: “If [my company] just accepted fraud as the cost of doing business, then I would be worried that long-term suppliers will eventually lose their trust in us and block us. Fraud definitely affects our relationship with long term suppliers and might jeopardize them if we weren’t as diligent.” The financial impact of a successful FMS may not have an easily measured, directly attributed return, but, in these cases and others, FMS can be shown to indirectly generate revenue by increasing customer stickiness, winning new or repeat business as a selection criterion, or avoiding costly fraud events.

GLF ENDORSED I3 FORUM FRAUDULENT TRAFFIC KPIS

Goal
• Answer key questions: How much have the carriers saved the industry? How much fraud value is?
• Data provided every 6 months with monthly breakdown
• Provide information on fraud type trends and other trends detected in the industry

KPI 1: Value of detected fraud
Definitions:
• No estimation on future losses - actual fraud only
• Period = 1 month
a) Actual fraud amount / wholesale cost (mandatory to be anonymised)
b) % of fraud traffic (volume minutes) vs. total traffic of the carrier in the period

KPI 2: Fraud disputes
Definitions:
• Dispute = dispute of claim opened by a sending party
• Successful dispute = CNs accepted
• Partial successful disputes are considered as successful
• In the value calculation we only consider the wholesale cost relative to the amounts credited back
a) Sum of total value (wholesale cost) of disputes (mandatory to be anonymised)
b) Sum of total value (wholesale cost) on successful disputes (mandatory to be anonymised) --> how much money we prevented from reaching criminals?
c) Ratio on successful value of disputes vs. total value of disputes

KPI 3: Capability to react on fraud
Definitions:
• Traffic confirmed as non-fraud by the sending party is not considered as fraud
• Start time = switch time of 1st call of the carrier detecting the event
• End time = time of action triggered by fraud department (traffic stop / inform sending party / etc.)
Measurement: Average time from start time to end time

KPI 4: Fraud potential losses reduction
Goal: Determine the value of fraud prevented
Measurement: The length of time it takes a carrier to detect a fraud through other processes if the fraud team were not in place
Example:
• Fraud starts 1st June
• Fraud ends 3rd June
• 18,000 minutes and cost of 600 EUR (average 200 per day)
• Next billing event is on 1st July so there is a 28 day time lag between the fraud ending and the next triggered event
• Calculation of fraud prevented is therefore 28 days x 200 EUR

Source: i3 Forum
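The four KPI definitions listed above, worked through in code as an added example (it is not part of the report or of the i3 Forum material). The records are constructed sample data, apart from the KPI 4 figures, which reuse the report's 1st June to 1st July example with an assumed year; valuing a partially credited dispute at its credited amount is this example's reading of the KPI 2 definition.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean


@dataclass
class FraudEvent:
    first_call: datetime     # KPI 3 start time: switch time of the first call
    action_time: datetime    # KPI 3 end time: traffic stop / sending party informed
    fraud_start: date
    fraud_end: date
    minutes: int
    wholesale_cost: float    # EUR
    confirmed_non_fraud: bool = False   # sending party confirmed the traffic as legitimate


@dataclass
class Dispute:
    claimed: float           # wholesale cost under dispute, EUR
    credited: float          # wholesale cost credited back (credit notes accepted), EUR


def actual_fraud(events):
    """Actual fraud only: drop events the sending party confirmed as non-fraud."""
    return [e for e in events if not e.confirmed_non_fraud]


def kpi1_value_of_detected_fraud(events, carrier_total_minutes):
    """Return (a) fraud amount at wholesale cost, (b) % of fraud minutes in the period."""
    fraud = actual_fraud(events)
    amount = sum(e.wholesale_cost for e in fraud)
    share = 100.0 * sum(e.minutes for e in fraud) / carrier_total_minutes
    return amount, share


def kpi2_fraud_disputes(disputes):
    """Return (a) total disputed value, (b) value on successful disputes, (c) b / a."""
    total = sum(d.claimed for d in disputes)
    # A partially successful dispute counts as successful, valued at the amount credited.
    successful = sum(d.credited for d in disputes if d.credited > 0)
    return total, successful, (successful / total if total else 0.0)


def kpi3_reaction_hours(events):
    """Average hours from the first fraudulent call to the fraud team's action."""
    fraud = actual_fraud(events)
    if not fraud:
        return None
    return mean((e.action_time - e.first_call).total_seconds() / 3600 for e in fraud)


def kpi4_losses_prevented(event, next_trigger):
    """Days until the next triggered event (e.g. billing) x average daily fraud cost."""
    days_active = (event.fraud_end - event.fraud_start).days + 1   # 1st to 3rd June = 3
    daily_cost = event.wholesale_cost / days_active
    lag_days = (next_trigger - event.fraud_end).days
    return lag_days * daily_cost


# Constructed sample month; the year 2019 is an assumption. The first event carries
# the report's KPI 4 example figures (18,000 minutes, 600 EUR, 1st to 3rd June).
EVENTS = [
    FraudEvent(datetime(2019, 6, 1, 2, 0), datetime(2019, 6, 3, 2, 0),
               date(2019, 6, 1), date(2019, 6, 3), 18_000, 600.0),
    FraudEvent(datetime(2019, 6, 10, 10, 0), datetime(2019, 6, 10, 14, 0),
               date(2019, 6, 10), date(2019, 6, 10), 2_000, 100.0),
    FraudEvent(datetime(2019, 6, 15, 9, 0), datetime(2019, 6, 15, 10, 0),
               date(2019, 6, 15), date(2019, 6, 15), 5_000, 300.0,
               confirmed_non_fraud=True),
]
DISPUTES = [Dispute(600.0, 600.0), Dispute(100.0, 40.0), Dispute(300.0, 0.0)]
NEXT_BILLING = date(2019, 7, 1)

if __name__ == "__main__":
    print("KPI 1:", kpi1_value_of_detected_fraud(EVENTS, 2_000_000))
    print("KPI 2:", kpi2_fraud_disputes(DISPUTES))
    print("KPI 3:", kpi3_reaction_hours(EVENTS), "hours")
    print("KPI 4:", kpi4_losses_prevented(EVENTS[0], NEXT_BILLING), "EUR")
```

The event confirmed as non-fraud by the sending party is excluded from KPIs 1 and 3, which is why the reaction time averages only the 48-hour and 4-hour events.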
This observed return on investment in FMS coupled with an increase in general awareness has coincided with a reported greater number of carriers with an FMS system in place. One vendor stated, “Recently there are a greater number of carriers with detection solutions. More buying decisions are happening across the board. I have seen a number of fairly straightforward deployments of rules-based systems carriers didn’t have in the past as well as a greater appetite for more advanced systems and add-ons.” A majority of survey respondents, when asked about what system or process they have in place, specifically cited an internal or third-party automated, data-based FMS. A vendor noted, “most operators, I would estimate maybe 80%, will have a traditional FMS.” Having an effective FMS in place is becoming part of the table stakes required to conduct business in the space. In the same way that cyber security has become a basic requirement for many transactions, FMS could become a show-stopping requirement in the future.
It should be noted, however, that the financial benefit is not quite so simple. As explained by one vendor, “fraud prevention can almost be seen as controversial. While terminating carriers bear the brunt of the fraudulent financial impact, that isn’t always the case further up the route. Preventing fraud can kill revenue which is going to hurt for a carrier with lower margins.” Another added, “[in general carriers] are more effective in combatting fraud. However, fraud still exists, and that is due to some turning a blind eye toward fraud or maybe those that aren’t as incentivized to eliminate fraud.”

EXHIBIT 10: ADOPTION OF I3 FORUM KPIS
Does your organization track the i3 Forum KPIs endorsed by GLF?¹ (% responses)
No: 65%
Yes: 35%
Has your company signed the Code of Conduct?¹ (% responses), shown in two panels split by whether the organisation tracks the i3 Forum KPIs endorsed by GLF
No: 10%, Yes: 90%
No: 55%, Yes: 45%
If ‘no’, what is the reason?² (% responses)
Response options: Not relevant or feasible; Already tracking other KPIs; Unaware of the KPIs
Values shown: 37%, 42%, 21%
Notes: ¹ n=29; ² n=19, respondents without a response were not counted
These pressures contribute to some distrust within the industry, as mentioned previously, because without collective reporting it is difficult to measure the effectiveness of external partners with only internal data. Combating this uncertainty requires greater transparency, pushing all carriers to realize a positive financial feedback cycle for successful fraud management.
EXHIBIT 11: CARRIERS’ CORRELATION OF VALUE LOST TO FRAUD AND ORGANIZATIONAL BEHAVIOR
[Bubble chart: Comparison of prioritization and estimated % of revenue lost to fraud¹ (Number of FTEs, bubble size denotes number of respondents). X-axis: Low Priority or Same as “Business as Usual”, Strategic Priority, Top Priority. Y-axis: % of Revenue attributed to fraud.]
Does your organization track the i3 Forum KPIs endorsed by GLF?¹ / Do you include fraudulent traffic metrics in reporting to the CEO / Head of International Wholesale?² (% responses)
Top Priority: tracks KPIs No 56%, Yes 44%; includes metrics in reporting No 11%, Yes 89%
Strategic Priority: tracks KPIs No 82%, Yes 18%; includes metrics in reporting No 15%, Yes 85%
Low Priority or Same as “Business as Usual”: tracks KPIs No 75%, Yes 25%; includes metrics in reporting No 40%, Yes 60%
Notes: ¹ n=29, respondents without a response were not counted
Source: GLF Fraud Survey 2019, Delta Partners analysis
PART 3
MOVING BEYOND VOICE
THE EVOLUTION OF FRAUD MANAGEMENT
PART 3: MOVING BEYOND VOICE
1. The technology advancements of IoT, 5G, and edge computing have opened potential opportunities for new fraud types such as Virtual machines/emulators, bots, man-in-the-middle attacks, and distributed device hacks
2. IoT’s future scale presents a threat multiplier as more devices bring more vulnerabilities to the network and the volume of traffic and transactions occurring on the network complicate fraud management
3. The digitization of traffic widens the pool of potential fraudsters as internet-based hackers’ knowledge and methods find applicability on telecoms networks
1. THREATS FROM NEW TECHNOLOGY: IF NOT TODAY, IN THE NEAR FUTURE
The convergence between voice and data traffic is to the benefit of the customer experience. VoLTE service and the increase in the number of VoIP calls has provided increased flexibility and usability to end users. With the change in technology, however, comes an evolution in fraud risk as new types of fraud become possible and the total number of connections increases. Many of these impacts are yet to be fully realized, but, from speaking with carriers and technology vendors through the creation of this report, it is evident that there is a high level of awareness. As noted by one carrier providing a common view, “I’m sure we will see unique fraud but it hasn’t matured to the point that we see more fraud specific to these technologies. They just aren’t big enough yet to make enough money on it to attract fraud, but it will eventually happen.”
While IoT, edge computing, and 5G have not changed the fraud landscape of today, the potential impact of novel fraud types, coupled with the scale of IoT, the speed of edge computing, and the traffic volume of 5G, is potentially massive if insufficient preventative steps are taken. Carriers need to think about and plan for significant changes in the way they manage fraud as networks change to adapt to new technologies.
While carriers noted that new use-cases are yet to impact their networks at scale, almost half reported issues with virtual machines / emulators and a quarter had experienced false identity (bot) issues. As network technology evolves, it will be critical that carriers and technology providers pre-emptively address these newer use-cases.
EXHIBIT 12: EVIDENCE OF EMERGING FRAUD TYPES
Beyond voice, what use-cases of fraud are you experiencing on your network? (% responses)
False identity (bots): have not experienced 74%, have experienced 26%
‘Man in the middle’ attacks (e.g., IoT device commandeering): have not experienced 87%, have experienced 13%
Virtual machines / emulators: have not experienced 51%, have experienced 49%
Source: Delta Partners Analysis
EXHIBIT 13: OVERVIEW OF VIRTUAL MACHINE / EMULATOR FRAUDULENT TRAFFIC PROCESS
Emerging use-case 1: Virtual Machines / Emulators
Emulators are typically used in the development of software applications. Developers use emulators to simulate traffic in an attempt to debug and test software before broader release to the public. Fraudsters take advantage of the flexible nature of virtual machines to instigate fraud or multiply the impact of a given fraud type. In some cases, emulations are used to obscure location as well as create a “new” device in the case when fraud has been detected and a device has been blocked. This allows fraudsters to lower the cost of perpetuating fraud as emulators can be used as a disposable device with virtually no cost to the fraudster. Other times fraudsters will use multiple copies of a compromised device or SIM to generate as much fraudulent traffic as possible.
Emerging use-case 2: Fraudulent Identity (Bots)
The convergence of voice and data has ushered in improved quality of service and more flexibility to end users, but it has also opened carriers and end users alike to cybercriminals that might have previously been contained online. One common tool of cybercriminals is the use of robots, or bots, which are simple programs intended to probe and test as many entry points as they can find through absent, default, or weak login credentials and access points. While simple in nature, bots are launched in volumes of multiple billions a year in search of any and all login credentials and entry points that are not secured properly. Once an entry point into an account is found, identities are either stolen or synthesized and used to access a wide array of post-paid services offered by carriers (e.g., TV, internet, retail, banking). It also enables the fraudulent order of the highest value device on the market. These devices and services are obtained to perpetuate other frauds, such as IRSF, steal more of an end user’s identity, or to leverage a fraudulent identity onto other carriers’ networks.
Emerging use-case 3: Man-in-the-Middle
Traditionally, Man-in-the-Middle (MitM) attacks occur when the route/media that information is being sent over (e.g., fiber, coax, Wi-Fi, LTE, 5G) and the protocols utilized to transmit and receive are compromised. At some point between the traffic’s origin and destination a gateway has been interjected, allowing a man in the middle to transparently receive and transmit all or some traffic passing through the gateway. This middleman can do anything from simply monitoring traffic to delaying, adding, subtracting, or modifying the content of the traffic. This opens end users to illegal wiretaps, identity theft, malware injection and more. Specific to telecom networks, MitM attacks occur via cell-site simulators that mimic a tower for you to “roam” on, cell signal sniffers that act as a kind of filter-feeder intercepting some of the cell traffic passing between an end user and a tower, or, more concerningly, gaining access to Signaling System No. 7 (SS7) and exploiting the carrier’s failure to adhere to the principle of least privilege with regard to SS7. With the prevalence of one-time passwords sent via SMS, intercepting only a small amount of traffic can lead to massive value destruction (e.g., Germany 2017⁶).
6 https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
[Exhibit 13 diagram: Virtual machine / emulator flow diagram. Legend: call flow, money flow, missed call, legitimate, fraudulent. Parties: FraudCo, originating operator, wholesale carrier, terminating operator, called subscribers, premium rate service, high-cost int’l destination. Step captions: fraudster hacks device/SIM of an end user; fraudster virtualizes the device to mask origin or to maximize fraudulent traffic; call originates from virtual device; call most likely to use international destination to maximize fraud value. Source: Delta Partners Analysis]
Emerging use-case 4: Distributed Device attacks
A new fraud type that carriers noted emerging is the distributed device attack. As described by one carrier, “I am seeing an increased number of calls made from phones completely without consumer consent. A vendor we are working with says that this is an issue around the world, and that the mechanics of the fraud involve manipulating the native click-to-call option – when a phone number in a text or website can be clicked to automatically call that number – present in most smartphones. Essentially, an application downloaded on the phone is placing a call without any user input.”
Part of what makes the fraud difficult to find is the very low volume of traffic on a user-by-user basis. Analysis done after aggregation of all this traffic – something a wholesale carrier would be more equipped to do – is much more feasible. The carrier further described the lack of patterns found: “It ends up being just a few calls made infrequently, but from thousands of phones. Some service providers seem to be disproportionately at risk, but we don’t have a clear idea of why that seems to be the case.” One vendor noted that the fraud sounded similar in nature to how they run their own internal testing: “We use those kinds of techniques to conduct test calls via Android phones, but, as far as I know, that kind of fraud wouldn’t be possible on iOS devices.” The author of this report notes that this fraud fits the mold of a PBX hack but with two critical differences. The first is that the attack is distributed amongst thousands of devices, and the second is a difference in timeline. A PBX hack tends to try to extract as much value as quickly as possible while the asset is still compromised. This distributed hack works to fall under the guise of typical traffic for as long as possible.
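An added sketch of the aggregation argument above (it is not from the report or from any carrier's FMS): a per-source volume rule of the kind that catches a PBX hack misses the distributed pattern, while grouping the same call records by called number exposes it. The record layout, the `+999` high-cost prefix, the handset and PBX identifiers and both thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed placeholder standing in for a carrier's list of high-cost
# international / premium-rate ranges (not a real number range).
HIGH_COST_PREFIXES = ("+999",)


def build_sample_cdrs():
    """Constructed call records (source_id, called_number) for one observation window."""
    cdrs = []
    # Distributed device pattern: 300 handsets, two calls each, one destination.
    for i in range(300):
        cdrs += [(f"handset-{i:04d}", "+9990055501")] * 2
    # PBX-hack pattern: one compromised source, a burst of calls.
    cdrs += [("pbx-1", "+9990077702")] * 400
    # Legitimate: a popular domestic helpline reached by many subscribers.
    for i in range(500):
        cdrs.append((f"handset-{i:04d}", "+10005550100"))
    # Legitimate: a few subscribers calling their own distinct high-cost numbers.
    for i in range(40):
        cdrs += [(f"handset-{i:04d}", f"+99900880{i:02d}")] * 3
    return cdrs


def is_high_cost(number):
    return number.startswith(HIGH_COST_PREFIXES)


def per_source_rule(cdrs, max_calls=50):
    """Classic volume rule: flag any source with many high-cost calls in the window."""
    calls = Counter(src for src, dst in cdrs if is_high_cost(dst))
    return {src for src, n in calls.items() if n > max_calls}


def fan_in_rule(cdrs, min_sources=100, max_calls_per_source=3):
    """Aggregate by called number: many distinct sources, each calling only a few times.

    Returns {called_number: (distinct_sources, total_calls)} for flagged destinations.
    """
    by_dst = defaultdict(Counter)
    for src, dst in cdrs:
        if is_high_cost(dst):
            by_dst[dst][src] += 1
    flagged = {}
    for dst, sources in by_dst.items():
        few_calls_each = median(sources.values()) <= max_calls_per_source
        if len(sources) >= min_sources and few_calls_each:
            flagged[dst] = (len(sources), sum(sources.values()))
    return flagged


if __name__ == "__main__":
    sample = build_sample_cdrs()
    print("per-source rule flags:", per_source_rule(sample))
    print("fan-in rule flags:", fan_in_rule(sample))
```

On this sample the per-source rule flags only the PBX, and the fan-in rule flags only the number called twice by each of 300 handsets; the helpline is ignored because it is not a high-cost destination. In practice the grouping key would more likely be a number range than a single number.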
EXHIBIT 14: OVERVIEW OF FRAUDULENT IDENTITY (BOTS) PROCESS
[Fraudulent identity flow diagram. Legend: call flow, money flow, missed call, legitimate, fraudulent. Parties: FraudCo, compromised login/credentials, high-value device, originating operator, wholesale carrier, terminating operator, premium rate service, high-cost int’l destination. Captions: fraudster utilizes bots to penetrate login/credentials; fraudster utilizes compromised identity to obtain; normal fraud monetization; call most likely to use international destination to maximize fraud value. Source: Delta Partners Analysis]
EXHIBIT 15: OVERVIEW OF MAN-IN-THE-MIDDLE ATTACK PROCESS
[Man in the middle flow diagram. Legend: call flow, money flow, missed call, legitimate, fraudulent. Parties: calling subscriber, originating operator, wholesale carrier, terminating operator, receiving subscriber, with possible gateway positions marked between them. Step captions: (1) fraudster interjects a gateway at any point; (2) gateway permits all traffic to pass through both ways; (3) some or all of the traffic is read to extract information. Source: Delta Partners Analysis]
EXHIBIT 16: COMPARISON OF PBX HACK AND DISTRIBUTED DEVICE HACK PROCESS
[PBX hack flow diagram. Legend: call flow, money flow, missed call, legitimate, fraudulent. Parties: FraudCo, enterprise PBX system, originating operator, wholesale carrier, terminating operator, premium rate service, high-cost int’l destination. Captions: fraudster hacks PBX of an enterprise; fraudster forwards calls through PBX; call forwarded from hacked PBX. Source: Delta Partners Analysis]
2. IOT’S MASSIVE SCALE – CREATING A NEW FRAUD RISK?
In the past, IoT was seen as a risk because of past devices exhibiting relatively lax security. Historically, manufacturers attempted to keep the cost of devices as low as possible which in some cases was at the expense of security. This trade-off has since moved toward a larger focus on security as lax practices, such as hardcoded passwords that cannot be changed, are phased out, and network operations are pushing regular security updates. It is in carriers’ best interests that security measures are implemented starting at the hardware level. If security is left to the communication infrastructure or communication standards, then any vulnerability would have the potential for massive value loss.
Looking forward, the impact of IoT’s massive scale poses potential issues for fraud management. One carrier reported, “we are most concerned about telecom features linked with handling a massive number of connections, many of which being non-human devices. Traditional Denial of Service (DoS) attacks on devices or toward businesses, data extraction or other fraud types are still valid use cases, but IoT provides a much larger scale to the traditional telecom frauds.” In Ericsson’s 2018 Mobility Report⁷ the number of cellular-connected IoT devices is projected to reach 3.5 billion devices in 2023, more than tripling today’s estimated total. With that kind of scale and potential growth in the number of vulnerabilities, the fraud risk potential of even a small fraction of those devices becomes daunting for any carrier.
The future scale of IoT has some carriers planning for changes in FMS. One carrier stated, “Classical fraud management systems might not feasibly cover fraudulent attacks; The massive increase in new and cost-effective devices (Smartphones/M2M-/IoT-devices) can lead to massive security breaches in the service chain.” One vendor corroborated this: “with the scale of IoT, it will become less and less viable to monitor all transactions with a traditional FMS as they are such a low cost. Because of the number of transactions and the need to process data constantly, carriers will eventually need tools such as AI and Hadoop to manage IoT fraud because the scale exceeds the capability of current systems.”
7 https://www.ericsson.com/assets/local/mobility-report/documents/2018/ericsson-mobility-report-june-2018.pdf
Today’s current IoT volume is not on the level that would necessitate these changes, and the impact to carriers will vary greatly depending on geographic region and customer segment. However, the fraud potential of IoT’s scale is too great to assume that fraud management will not be impacted and as such this should form part of carriers’ technology plans.
3. IP CENTERED THREAT WITH THE EMERGENCE OF 5G
The initial stages of 5G are in full force with launches by US carriers in approximately 40 cities, another approximately 40 cities in the EU, Asia set to invest USD$370 billion between 2018-2025, and the first nationwide 5G network in South Korea⁸.
Most carriers do not see a significant impact in how fraud management is conducted in the 5G network era. The new media of 5G (data vs. voice) is not a major source of concern going forward as many carriers have implemented VoLTE preempting the movement in 5G. One carrier noted “much of fraud management happens at the billing data level so the actual media of usage is irrelevant.”
While the media of 5G is less of a concern, the management of actually delivering the quality of service expected of 5G is an area of focus. One carrier explained, “‘network slicing’ - where there might be instances when service is expected to be at a 5G quality but is being delivered at 4G/3G quality – is a potential for fraud.” Some carriers expressed concern around the requirement to monitor fraud across the emergence of 5G as well as legacy systems while other carriers were less concerned. This variance could be due to resource constraints or customer segments served, but no carrier cited this as a major concern going forward.
Most of carriers’ attention is focused on the result of the convergence of voice and data in 5G and the second and third-order effects that might have on how fraudsters operate. Before, fraudsters perpetuating voice fraud were required to be knowledgeable on voice network architecture, but, with the convergence of voice and data, that requirement is diminished opening voice fraud to a wider pool of potential fraudsters as IP-based attacks become more common. “Evolving threats lately are in VoLTE and SIP. VoLTE has been around a while, but in last two years, there has been a lot more attacks around VoLTE. With the number of private companies connected to their cloud via http… there is just a lot of potential fraud there as hackers already know the internet.”
8 https://www.gsma.com/newsroom/press-release/5g-arrives-in-asia-as-operators-invest-billions-rolling-out-next-generation-networks-finds-new-gsma-study/
While the current impact of 5G on fraud management is minimal, most carriers and vendors are looking more towards the detection of currently unknown fraud types. With the prevalence of IP traffic, lessons learned from data networks become more applicable to carriers. One vendor noted “in data networks, no one just buys a firewall. A firewall is the first step towards cybersecurity. There are several layers to cybersecurity and a greater appetite for a best-of-breed approach to protecting against a variety of threats. Advancements like [Network Function Virtualization] allow for a different and distributed network to take advantage of different fraud protections.” While the convergence of voice and data may have opened carriers to a new pool of threats, it has also opened carriers up to a new pool of solutions as well. 5G is currently in its infancy, and the possibility of fraud threats and the solutions to prevent them are coming. It will no doubt be a key area of focus in the 2020 GLF Fraud Report.
PART 4: IMPACT OF TECHNOLOGY EVOLUTION
1. As network technology advances, fraud management tools and practices must adapt to new requirements by improving along three requirements: scale, digitization and speed
2. Scale: To address the massive scale of the future network, security must be embedded from components all the way to network architecture in a layered approach and following the principle of least privilege
3. Digitization: eSIMs are a simple but effective measure to digitize a fraud management practice, eliminate a common fraud use-case, and enable more security control over the network by carriers
4. Speed: Network Function Virtualization (NFV) opens several new opportunities for fraud management, enabling flexible architecture to manage fraud better and enable specific solutions to combat specific fraud types
1. AS NETWORK TECHNOLOGY ADVANCES, SO MUST FRAUD MANAGEMENT SYSTEMS
When it comes to fraudulent traffic, carriers see IoT, edge computing, and 5G as threat multipliers. Fraud risks increase with greater bandwidth, more devices, and greater fraud potential, and fraud management is complicated by the need to monitor multiple technologies. In the same way that air-gapped networks are tolerant of vulnerabilities due to the lack of access, legacy networks were more tolerant of vulnerabilities because access was slower and more analog, and the scale was smaller.
With the advance of network technologies, some carriers doubt that traditional FMS approaches are viable to handle the network of the future. Through our research we have heard carriers cite the traffic volume as the primary concern. It has been expressed that, “the volume of data that 5G is expected to handle is over a thousand times more than what was expected from 4G. Many of the security mechanisms found in traditional information technologies are not designed for this volume.” Such data volume increase has the potential to amplify the impact of fraudulent traffic events.
For several carriers the increasing speed of the network is viewed as a major concern. It was explained that “due to the low latency as a result of edge computing, the security threats would be much higher.” The concern is that the cycle of data collection, analysis, fraud identification, and fraud elimination in a traditional system is slow enough that fraudsters will have already destroyed significant value even in the case where the fraud is identified and addressed correctly. This lag time varies greatly from carrier to carrier, with some carriers operating at near-real-time and other carriers generating a threat report on an hourly, or sometimes slower, cycle. The lack of a consistent fraud management framework between carriers means that carriers have varying capabilities to identify and stop incidents, and so the impact felt will also vary.
There is a mixed sentiment among carriers around the need to monitor new and legacy systems. One carrier explained, “we foresee some challenges in potential vulnerabilities through Interoperability with legacy technologies (2G to 4G).” Another carrier added, “If 5G will have to fall back to 4G/3G/2G, then we need to keep in place the monitoring for legacy tech.” As highlighted earlier, other carriers do not share the same sentiment. While difficult to speculate on the differences in these two views, the most likely culprit behind these two perspectives is the current state of the carrier’s FMS.
If a carrier is reliant on a traditional FMS that produces threat reports that are manually analyzed before action is taken, that FMS will most certainly have difficulty adapting to the future network. The burden of managing one system designed to monitor the legacy network and another to manage the future network would stretch any fraud management team.
The FMS of the future then must overcome these three obstacles: scale, digitization, and speed.
EXHIBIT 17: THREE REQUIREMENTS OF FUTURE FMS
[Figure: Speed, Scale, Digitization]
2. ANSWER TO “SCALE”: LAYERED SECURITY IN IOT TO SCALE FRAUD MANAGEMENT
The potential scale of IoT is difficult to project, but, even at its most conservative projections, the number of connected devices will quickly overwhelm a traditional FMS. Manual requirements on fraud management teams will need to be minimized as much as possible as the number of connected devices grows, but equally important is the need to eliminate opportunities for fraud at every level of the network, from component to FMS.
Being proactive and setting standards was brought up by multiple carriers; one carrier stated, “Device security and secure transmission methods are critical to maintaining the integrity of IOT network. Secure protocols to ensure the privacy of the data. Use of the private network to ensure protection against DDoS.” The need for layered security is great enough to attract regulators too, with movement in the US (the proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 [9]), the UK (Code of Practice for Consumer Internet of Things (IoT) Security [10]), and the EU (ENISA’s Good Practices for Security of Internet of Things [11]), amongst others. In each of these documents, a layered approach to security, as well as a system by which security can be updated and managed, is central to IoT’s security overall.
9 https://www.ftc.gov/news-events/press-releases/2019/06/ftc-law-enforcement-partners-announce-new-crackdown-illegal
10 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf
11 https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot
Embedding security at the basic levels is crucial, and one specific standard highlighted was Manufacturer Usage Description (MUD). MUD is an embedded software standard defined by the IETF that allows IoT device makers to advertise device specifications, including the intended communication patterns for their device when it connects to the network. One carrier stated, “[to combat fraud] we need to adopt tech like MUD and start self-provisioning at the network level to alleviate much of the risk from IoT.” Layered on top of standards like MUD is the principle of least privilege: the practice of giving an end user access only to the services required for the IoT device (e.g., roaming restricted, voice restricted, IP restricted, and SMS restricted).
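The check a network could run once a device's MUD file is known, shown here as an added example that is not from the report or from any vendor: it reads a constructed MUD document in the RFC 8520 JSON layout and reports every device-initiated flow the manufacturer did not declare. The device, hostnames and flow records are assumptions made for the illustration, and only DNS-name destinations with exact ports are handled.

```python
import json

# Constructed MUD file, reduced to the RFC 8520 fields this example reads.
# The device, URL and hostnames are hypothetical.
SAMPLE_MUD = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://iot-vendor.example/meter.json",
    "systeminfo": "Constructed smart meter",
    "from-device-policy": {
      "access-lists": {"access-list": [{"name": "from-meter-v4"}]}
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [{
      "name": "from-meter-v4",
      "type": "ipv4-acl-type",
      "aces": {"ace": [
        {"name": "telemetry",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "telemetry.iot-vendor.example",
                    "protocol": 6},
           "tcp": {"destination-port": {"operator": "eq", "port": 8883}}},
         "actions": {"forwarding": "accept"}},
        {"name": "time-sync",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "ntp.iot-vendor.example",
                    "protocol": 17},
           "udp": {"destination-port": {"operator": "eq", "port": 123}}},
         "actions": {"forwarding": "accept"}}
      ]}
    }]
  }
}
""")

L4_KEY = {6: "tcp", 17: "udp"}  # IP protocol number -> MUD match container


def from_device_rules(mud):
    """Extract (dst_dnsname, protocol, dst_port) rules the device may initiate."""
    policy = mud["ietf-mud:mud"].get("from-device-policy", {})
    names = {a["name"] for a in policy.get("access-lists", {}).get("access-list", [])}
    rules = []
    for acl in mud.get("ietf-access-control-list:acls", {}).get("acl", []):
        if acl.get("name") not in names:
            continue
        for ace in acl.get("aces", {}).get("ace", []):
            if ace.get("actions", {}).get("forwarding") != "accept":
                continue
            matches = ace.get("matches", {})
            l3 = matches.get("ipv4") or matches.get("ipv6") or {}
            host = l3.get("ietf-acldns:dst-dnsname")
            proto = l3.get("protocol")
            port_spec = matches.get(L4_KEY.get(proto, ""), {}).get("destination-port")
            if host is None or (port_spec and port_spec.get("operator", "eq") != "eq"):
                continue  # outside this reduced example: ignore the ACE, stay default-deny
            rules.append((host, proto, port_spec["port"] if port_spec else None))
    return rules


def undeclared_flows(mud, flows):
    """Return the observed flows that no from-device rule permits (default deny)."""
    rules = from_device_rules(mud)

    def permitted(flow):
        return any(host == flow["dst"]
                   and proto in (None, flow["proto"])
                   and port in (None, flow["dport"])
                   for host, proto, port in rules)

    return [f for f in flows if not permitted(f)]


# Constructed flow records for the device, as a network probe might export them.
OBSERVED = [
    {"dst": "telemetry.iot-vendor.example", "proto": 6, "dport": 8883},
    {"dst": "ntp.iot-vendor.example", "proto": 17, "dport": 123},
    {"dst": "telemetry.iot-vendor.example", "proto": 6, "dport": 443},
    {"dst": "sip.unknown-carrier.example", "proto": 17, "dport": 5060},
]

if __name__ == "__main__":
    for flow in undeclared_flows(SAMPLE_MUD, OBSERVED):
        print("outside MUD profile:", flow)
```

Flows that fall outside the declared profile are the least-privilege violations a fraud team would want surfaced automatically rather than found in a later report.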
EXHIBIT 18: DEPICTION OF SECURITY IMPLEMENTED IN EACH OF THE LOGICAL LAYERS IN A NETWORK
[Figure: a six-level model (Level 0 to Level 5) running from manufacturing processes and machinery, through industrial control and supervision devices and systems and production and supply chain management and planning, up to third parties services]
3. ANSWER TO “ANALOG”: ESIM TECHNOLOGY TO DIGITIZE FRAUD MANAGEMENT
In a future network, greater connectivity opens the network to a greater amount of access by fraudsters, as previously discussed. This connectivity also allows for improved visibility and adaptability as the reliance on physical tokens, such as SIM cards, and on physical management of the network diminishes. Greater information on devices and the traffic they use allows more data to be used to distinguish legitimate traffic from fraudulent traffic. One carrier noted, “[to adapt FMS to scale] we look at pattern recognition, ML, and big data analytics to profile the devices to detect any deviation from the expected usage & behavior. We later implement strict policy controls on the device’s authorized usage to prevent massive frauds.” Inherent in the use of these tools is the need to access a greater amount of information. One of the simplest but most effective digitization efforts has been the adoption of eSIMs.
SIM cards have, in the past, been a target for fraudsters, as a stolen phone could be stripped of its SIM, which is then transferred to another device, giving full access to the phone account. An eSIM is mounted to the PCB, making it impossible to remove and eliminating this simple but effective fraud method. An eSIM can normally not be reprogrammed without the MNO’s consent, giving greater control over devices to the carrier. This advantage has been noticed by carriers: “SIMs were once a target used for DDOS threats. Lately, eSIMs are more and more difficult to hack. We must tighten up the eSIM security before we go to general usage.”
Putting a mechanism in place to alert the carrier of possible tampering can further prevent fraud. Another benefit of eSIMs is the GSMA’s certification specifications, which have resulted in the SIMBox grey market losing a significant number of SIMs that are no longer compliant. With the adoption of eSIMs, the ability to upgrade and adapt security protocols and standards can be pushed down to the device level, as devices can accept and execute application protocol data unit (APDU) commands. Given this ability, the potential for carriers to harden devices with additional security updates, protocols, etc., rather than having to make allowances for legacy SIMs on the network, is a step forward in preventing fraud.
4. ANSWER TO “SLOW”: NFV FOR REAL-TIME FRAUD MANAGEMENT
Carriers think Network Function Virtualization (“NFV”) is the end state of the data and voice consolidation. A fully virtualized network is also a fully digitalized network. The amount of real-time information and the potential for real-time network management are dramatically increased with NFV. Additionally, the scope and type of actions available to an FMS increase as well. One vendor noted, “GSMA has recently consolidated fraud and security together and I wonder if it might be indicative of a larger trend.” With that consolidation come the best practices from cybersecurity. In cybersecurity, a firewall is only one piece of network security; similarly, FMS may possibly become only one piece of fraud management as additional layers are brought on to combat specific fraud types. The same vendor stated, “in the future, the vast majority of carriers will have an FMS. However, I think it will be more apparent to carriers that there is a need for a distributed and a different kind of architecture to take advantage of NFV. It seems to lead to a greater appetite for best of breed in terms of vendors and systems. Not necessarily to replace FMS but to add to them.”
NFV provides a flexibility in network architecture that allows for compartmentalization and specialization. Combined with end device details provided by an eSIM, device types can be logically grouped together to spot atypical traffic/behavior immediately. Concurrently, traffic sources can be logically grouped and monitored together as well, making it easier to group connections by risk level, geography, or other useful groupings. The possibility of implementing different rules for different parts of the network, based on logic and not physical architecture, allows for much greater granularity and flexibility in managing fraud in the future.
EXHIBIT 19: DEPICTION OF MODEL NETWORK ORGANIZED BY PHYSICAL LOCATION VS LOGICAL ORGANIZATION
[Figure: two views of a core network serving end users/number blocks and customers/countries, shaded by risk level (Very Low Risk, Little Risk, Somewhat Risky, High Risk). Past Network: Physical layout demands high security level throughout network. Future Network: Network can be organized by traffic type, customer risk, etc. even with the same physical layout.]
PART 5: HARNESSING INNOVATION
1. Carriers perceive fraud management tools to have a significant potential impact on reducing fraud, with the most potential associated with AI/ML, big data, automation, and blockchain
2. Big data is foundational to effectively deploy AI/ML and automation due to their reliance on timely, accurate data with enough volume to build algorithms to discern legitimate from fraudulent traffic
3. Blockchain is in its early stages but shows promise to overcome the conflicting goals of sharing fraud management information between carriers while protecting proprietary routes
4. Machine learning and automation are effective due to advancements in capabilities including blocking traffic on a call by call basis, and development of trust in the accuracy of machine-generated decisions to block traffic
1. THE EVOLUTION OF FRAUD MANAGEMENT SYSTEMS
The tools available to carriers today allow for real-time behavioral modelling, the anticipation of fraudulent behavior before it even starts, continuous improvement as more fraud and normal network behavior is observed, and the adjustment of risk appetite thresholds. However, these capabilities can easily be wasted if the data inputs are of poor quality or limited volume, if the tools themselves are misused, or if suppliers or customers fail to share relevant accurate data. Recent shifts in awareness of capabilities have also coincided with an increase in the willingness to trust decisions made by statistics. As articulated by one vendor, this recent trust is dependent on the specificity that is possible today: “We can block traffic not only on a number by number basis, but on a situation by situation basis. Instead of blocking traffic at the switch, we are blocking traffic at the behavior. By that I mean a fraudster will be stopped from Wangiri dialing, but they will still be allowed to call their grandmother. This offloads pressure on a carrier’s investigation group while also being able to run in real-time and make these decisions every single time 24/7.”
This kind of functionality is built on a data set that is large enough and detailed enough to build out behavioral patterns while also being updated in real-time. Combining these two competing requirements is where today’s FMS tools fit in.
Big data and blockchain are focused on expanding the breadth of data available for analysis. AI/machine learning and automation are focused on executing real-time analysis to fight fraud. The culmination of these tools is the ability to discern the difference between IRSF, voting for your favorite reality show contestant, an international business call, legitimate telemarketing, and a Wangiri campaign. Being able to prove that traffic is fraudulent has been one of the fundamental issues in fraud management facing carriers – the adoption of advanced technologies can only serve to improve carrier capabilities.
Carriers see AI/ML as having the most potential, while expectations for blockchain are relatively low. Several carriers are much less aware of blockchain than AI/ML: “I have heard about blockchain but haven’t seen it in action or seen the benefit of the tool.” Contrasting with the lack of awareness of blockchain is the near-unanimous commentary on the importance and difficulty of collaborating with other carriers. It was noted that, “we would like to extend collaboration… [to collaborate with another carrier] sometimes you have to provide routing information which takes a lot of trust.” In interviews, the value of AI/ML seems apparent today, while there is little awareness and understanding of how blockchain might address this core issue in fraud management.
EXHIBIT 20: PREDICTED IMPACT OF EMERGING TECHNOLOGIES
How impactful do you believe the following technologies will be for reducing telecoms fraud? [1] (score 1-5, with 1 being low, and 5 being high)
Average score: AI/ML 4.1; Big Data 3.8; Automation 3.8; Blockchain 2.7
Note: [1] n=45, respondents without a response were not counted
Source: Delta Partners Analysis
[Figure panels for Exhibit 21: Big Data vs. Non-Big Data RFP (%), FY17-18 and FY18-19; Regional growth (%) for Africa, APAC, America, and Europe & ME, FY17-18 and FY18-19]
2. BIG DATA: HELPING FIND THE NEEDLE IN A STACK OF NEEDLES
Building an accurate and robust data set to analyze is crucial to the accuracy and effectiveness of a data-driven FMS. One carrier went so far as to say, “Detection is using big data… writing a simple rules-based system just isn’t going to cut it anymore.” With the trend towards digitization of carrier networks fully under way, the access to information continues to improve. That data set is needed to find the ever-more-sophisticated frauds being perpetrated. “It really is trying to find a needle in a stack of needles,” one carrier noted; to distinguish one “needle” from another, more data is needed. One carrier detailed, “We have a number of data scientists to help us build detection algorithms in conjunction with our sysadmins and my staff. Our data lake is all internal data right now with 25 billion MOU per year, and I still am running pilots to open up more of our system.”
With the amount of data being utilized, additional tools are brought in to digest it all. As explained by one carrier, “It is less and less viable to monitor the transactions… Hadoop is required to manage the process.” Another carrier corroborated that “a rules-based model was the classic approach when there were lots of slower, smaller attacks. Today, fraud is much more difficult to find and write rules for.” Fraudsters continue to shift and evolve as their methods are discovered and eliminated. For a carrier to stay abreast, big data is a requirement of today’s network.
Traditionally, carriers have relied on the billing information found in the Call Detail Record (CDR). This data includes attributes such as call length, source and destination, usage time, billing amount, timestamp, and other relevant information. Several carriers have also moved on to include signaling data. One carrier noted, “currently we have a vendor using the CDR data on the billing side. Because of new risks and new types of fraud we are using signal data to detect fraud.” The intention here is to autoblock fraudulent traffic before a call is even completed. An additional data source that at least one carrier is working to incorporate is a feedback cycle from false-positive instances: “We have a DIY system [for an end user to access through an online portal] to unblock false positives. We are re-ingesting those events to fine tune and correct our algorithms.”
Using a larger and larger pool of historical data has marginal returns as fraudsters ramp up the pace of shifting tactics and increase the subtlety and sophistication of their methods over time. As carriers seek to speed up the cycle from fraud detection to fraud prevention, additional data sets and attributes will become more utilized.
EXHIBIT 21: GROWING TREND IN BIG DATA ASK
Source: Subex [1], Delta Partners Analysis
1 https://www.subex.com/the-growing-interest-in-big-data-technologies-for-fraud-management-revenue-assurance/
3. BLOCKCHAIN: EARLY-STAGE BUT FUTURE POTENTIAL
Inherent in the business of international wholesale is the need to guard route paths. As competition matures and margins are pressured, least-cost routing can be crucial to carriers’ bottom line. In nearly direct opposition is the need for transparency to trace fraud back to its source. At the intersection of these pressures is where you will find blockchain. One carrier explained the drivers behind carriers’ reluctance to share information: “Wholesale is very price sensitive. Price matching is aggressive and driven by deals with easily comparable suppliers. NDAs are extremely important to protect route information.” Finding a way to share information between carriers (the importance of this is discussed in section 6) without disrupting the business model is, obviously, difficult, but many types of fraudulent traffic rely on information asymmetry. One vendor pointed to two examples: “a timely way to share data would eliminate roaming delays. Sharing data between carriers through a blockchain would prevent short stopping and ensure that calls are terminating in the proper destination. We would need multiple carriers to share data, but with blockchain you can anonymize the details on path itself but would have confirmation that it was terminated appropriately.” This is the promise of blockchain: it seeks to find a way to share critical information in a timely manner while allowing carriers to retain sensitive information.
There are a number of test runs, trials, and initial launches of blockchain solutions preventing fraud today. One vendor, QLC Chain, has recently launched an SMS antifraud solution that verifies the source of an SMS by treating each SMS as a transaction and recording it on a blockchain, as well as a blockchain-enhanced two-factor authentication. An effort led by Clear seeks to authenticate the origin, destination, and call length without disclosing the route in between to defeat IRSF. CSG sees blockchain’s potential in evidence documentation and easier stop-payments, with a goal to stop payment before payment has occurred. Further development might see some future FMS functions pulled into a security-as-a-service model, allowing a third party to oversee multiple carriers at once. Tomia sees the potential of blockchain facilitating the sharing of CDR data to eliminate short-stopping once and for all. The current limitations of blockchain are reported as a tradeoff between security and cost/speed. The general sentiment among carriers is that the potential for blockchain is real but much of it is in the future. Today’s applications are real, but the use-cases and the value that they can protect for the carrier industry are generally untapped so far.
While blockchain is in its early stages, most carriers are hopeful but guarded about it. Survey results show that of the technology tools available for FMS, blockchain scores significantly lower (see Exhibit 21) than the other technologies in terms of perceived impact potential. One carrier explained, “Blockchain isn’t going to help detection, but I think it will help with evidence of fraud to make it easier to stop payments. Today stop payment might come after payment has occurred, and blockchain might be instrumental in blocking the payment before.”
EXHIBIT 22: CURRENT STATE AND FUTURE USE-CASES OF BLOCKCHAIN
Use cases and descriptions:
• Roaming: Automated roaming transactions using smart contracts
• Mobile Number Portability: Standard decentralized ledger for data & routing access across operators
• Identity Management: Management of customer’s personal information using decentralized identifiers to be offered as-a-service to customers
• IoT Device ID: Use of distributed ledger to allow identification and activities of IoT devices
Key benefits, cost reduction:
• Reduction in backhaul bandwidth
• Elimination of clearing houses
• Single store of data
• Centralized database management
• Reduced cost of ID verification
Key benefits, efficiency improvement:
• Higher throughput on roaming calls (reduction of traffic routed through home network operator)
• Instantaneous porting
• Seamless user experience without disruption
• Easy implementation of ID management systems
• Single ID storage for customers
• Increased visibility while on other networks
Key benefits, fraud mitigation:
• Reduction of roaming fraud loss
• Elevated transparency & security
• Increased security & protection against fraud
• Higher security enabled by instantaneous and orchestrated recognition of connected devices
Source: Delta Partners Analysis
4. MACHINE LEARNING AND AUTOMATION: GETTING IN-FRONT OF THE FRAUDSTERS
As discussed in the Big Data section, the appetite and need for massive data sets is paramount to finding that “needle” of fraudulent traffic. The speed at which fraudsters adapt further complicates the ability of carriers to continue to rely on traditional rules-based systems. To keep pace with fraudsters and to get in front of fraud, carriers are moving towards machine learning (ML) and automation. Detection relies on Big Data, but the speed of discovery and the ability to eliminate fraud is where real value can be found.
Besides the speed of detection, ML also affords carriers the ability to set risk thresholds. The risk inherent in auto-blocking traffic is blocking legitimate traffic. In an industry of tight margins, blocking legitimate traffic is a major concern, hence the value of being able to set and manage thresholds in accordance with risk profiles. One vendor explained, “The clear change that [ML] brings is in modifying classic thresholds. Setting this threshold becomes a risk profile question. The real value, or secret sauce, is not in the ability to identify fraud, but, instead, it is in ML’s ability to modify thresholds.” A perfect balance of eliminating 100% of all fraudulent traffic with no false positives is not possible. One carrier said it plainly, “the only network with no fraud is one with no traffic,” and another carrier said, “it is just not possible to have a waterproof system.” However, setting the risk profile in accordance with the customer segments and geographies serviced places more control in the carriers’ hands and allows the carrier to balance the tradeoffs between blocking fraud and false positives.
One vendor put it simply: “it is much better to not get tricked than to find the person that tricked you.” While machine learning focuses on the detection of fraud, automation, or auto-blocking, translates that detection into elimination. It is seen as critical because the longer the cycle between detection and elimination, the more value is potentially lost to fraudsters. Additionally, fraudsters have historically relied on normal business cycles of the workweek to maximize the volume, and therefore the value, of fraudulent traffic before it can be detected and blocked. One carrier noted, “we used to say fraud starts Friday evening.” Automation relies on standardized inputs and outputs to execute processes. This requirement forces carriers to standardize the data and tasks required to block fraudulent traffic. This obstacle is a small price to pay compared to a manual, report-driven system that is reliant on humans to consume and analyze the data before making a blocking decision. Placing enough trust in a machine decision alleviates much of the pressure on the fraud management team. One vendor agreed, “[automation] offloads pressures from the investigation group.” By automating the process, you remove the human element from the equation and can pair it with ML. This pairing of ML and automation removes the human element further from the system and directs the continuous learning into an ever-increasingly discerning system to detect and block fraud.
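How the blocking threshold follows from the risk profile rather than from the detector, as an added example that is not from the report or from any vendor's product: the same constructed model scores yield different cut-offs for two assumed cost profiles, and re-ingesting a customer-reported false positive (the feedback cycle described in the Big Data section) moves the cut-off again. The scores, labels, profile names and cost weights are all assumptions.

```python
def pick_threshold(calls, cost_blocked_legit, cost_missed_fraud):
    """Choose the score cut-off that minimises cost for one risk profile.

    calls: dicts with id, score (0..1 from a detection model) and fraud (bool).
    A call is auto-blocked when score >= threshold.
    Returns (threshold, cost, legit_blocked, fraud_missed).
    """
    candidates = sorted({c["score"] for c in calls}) + [1.01]  # 1.01 blocks nothing
    best = None
    for t in candidates:
        legit_blocked = sum(1 for c in calls if c["score"] >= t and not c["fraud"])
        fraud_missed = sum(1 for c in calls if c["score"] < t and c["fraud"])
        cost = legit_blocked * cost_blocked_legit + fraud_missed * cost_missed_fraud
        if best is None or cost < best[1]:
            best = (t, cost, legit_blocked, fraud_missed)
    return best


def reingest_unblocks(calls, unblocked_ids):
    """Relabel calls that customers unblocked (false positives) as legitimate."""
    return [dict(c, fraud=False) if c["id"] in unblocked_ids else c for c in calls]


# Constructed model scores with labels (True = recorded as fraud).
SCORED = [{"id": i, "score": s, "fraud": f} for i, (s, f) in enumerate([
    (0.05, False), (0.10, False), (0.20, False), (0.30, False), (0.35, True),
    (0.40, False), (0.55, False), (0.60, True), (0.70, False), (0.80, True),
    (0.90, True), (0.95, True),
])]

# Assumed relative costs per risk profile (arbitrary units).
PROFILES = {
    "low-risk retail": {"cost_blocked_legit": 10, "cost_missed_fraud": 3},
    "high-risk route": {"cost_blocked_legit": 1, "cost_missed_fraud": 10},
}


def thresholds_by_profile(calls):
    """Run the threshold search once per risk profile."""
    return {name: pick_threshold(calls, **costs) for name, costs in PROFILES.items()}


if __name__ == "__main__":
    print("before feedback:", thresholds_by_profile(SCORED))
    # Call 9 (score 0.80) was unblocked by the customer through the portal.
    print("after feedback: ", thresholds_by_profile(reingest_unblocks(SCORED, {9})))
```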
EXHIBIT 23: OODA LOOP IMPROVEMENT THE AI/ML AND AUTOMATION
[Figure: two panels comparing the carrier’s and the fraudster’s Observe, Orient, Decide, Act loops over a set amount of time.
Fraudsters OODA loop is smaller: FMS is focused on limiting the amount of value destroyed by fraud; “spoilage” mentality.
Carriers’ OODA loop is smaller: FMS is focused on eliminating fraud and preventing fraud from occurring in the first place; “crime-stopping” mentality.]
As networks and fraudsters grow in their sophistication, FMS tools must keep pace. The ability to speed up the cycle between observe (find the potential fraud), orient (define traffic as fraud), decide (identify course of action), and act (block or process) is the difference between tolerating fraudulent traffic as the cost of doing business and eliminating as much fraudulent traffic as possible.
On today’s network, manual processes and reporting cycles are a window of opportunity for fraudsters. In the quest to shrink the OODA loop by being faster, smarter, and more accurate, FMS advancements come from better detection capability, found in big data, machine learning, and blockchain; better blocking, found in automation; and better processes, found in automation and blockchain.
PART 6: THE ON-GOING NEED FOR COLLABORATION
1. Information sharing between carriers is critical, with carriers aspiring to build a global dialing number reference and a pooled dataset of documented fraudulent traffic
2. Beyond signing the GLF Code of Conduct, carriers seek an accountability mechanism to ensure signatories meet commitments. Recommendation that signatories incorporate fraud management and dispute reconciliation in all contracts with suppliers and customers
3. Carriers recognize that collectively the industry is much more capable of reducing fraud than any carrier in isolation; the short-term objectives of collaboration and aligned reporting can lead to a formal communication network and database on white-/black-listed number ranges and networks
As previously discussed relating to Big Data and Blockchain, greater access to data fuels the accuracy of fraud detection and elimination. Additional data can be found internally by utilizing signaling data as well as other sources. Externally, however, many opportunities to expand the data available, particularly around sharing suspected or confirmed instances of fraud, are met with non-disclosure agreement (NDA) restrictions.
One carrier reported, “what we would like to see more of [with regards to collaboration with other carriers] is traceback opportunities to trace fraud back to the source. This generally only happens now when law enforcement gets more involved. However, tracebacks are blocked by NDAs.” This frustration is another example of the distrust discussed previously (see chapter 2). Another carrier reported frustration at the use of NDAs: “the NDA, when actual fraudulent traffic occurs, should never be used as pretext for not sharing information. Why can’t I say that these 20 customers are my largest sources for a given fraud? Being able to share that kind of information would be a massive step toward reducing fraud.” These frustrations, as well as the potential for significant steps in systematically isolating and eliminating bad actors, have been the motivation behind blockchain efforts as well as other types of pooled information. To this end, two strategies have been most discussed by carriers: a specific or aggregated shared dataset of documented fraudulent traffic, and a shared, global dialing number reference.
A shared dataset of documented fraudulent traffic would allow the findings of one carrier to be shared with others. This would serve two purposes: feeding valuable information into tools (e.g., Machine Learning) to better define fraud, and collectively blacklisting fraud sources from entry to carriers’ networks. One carrier highlighted the need for documented fraud examples: “There is not nearly enough information being shared for what good and bad quality traffic looks like.” Other carriers placed more emphasis on blacklisting fraud sources: “There is a common database in France, and something similar in the Netherlands as well, for fraud reporting. The database houses all customer complaints and all operators’ reports. We are able to isolate the bad actors with data domestically, but there is nothing on an international scale. We use this info to specifically avoid dodgy companies.”
However, carriers are also quick to point out the potential for abuse in a shared database: “The problem is that this process could be abused especially since it can be difficult to be able to prove 100 percent exactly where fraud originates from.” Another carrier shared, “There is some reluctance to publish a blacklist because of the legal risk. We don’t want to be seen as blocking entrants.” Any shared pool of data that can be used to make business decisions has the potential to be abused, and standards and verification would need to be put in place. As initial domestic-level and carrier-to-carrier datasets mature and expand, international examples are sure to follow. One vendor was adamant, “Information sharing is key… I see [a sharing framework] happening in the future. Individual operators have proposed them before, but it hasn’t taken off. GSMA is working to define the platform. In the future, it’s a must.”
A number of carriers brought up the lack of a global dialing number reference as a critical driver for the prevalence of fraud today. One carrier stated, “it is astonishing that we don’t have a way to share good numbers.” Another carrier agreed, “I need good intel on international numbering.” While the need is clear to many carriers, the obstacles are also clear: “‘Global number registry’ would be a huge step forward. The database would be a few billion entries. If the data is just in a data lake, then who owns it? Who is responsible to update it and make it accessible? Blockchain is a possible solution as it is owned and operated collectively.” This difficulty is corroborated by a vendor, “Number registry is difficult because of ownership.” However, the same vendor went on to highlight the potential reward, “with a global number registry you would be able to stop Wangiri. You don’t even need termination rates, but simply classifying premium vs non premium number would stop Wangiri.” Given the potential to curb one of the most prolific fraud types as well as the potential for blockchain to overcome identified barriers, the outlook, in carriers’ minds, looks positive.
PART 6: THE ON-GOING NEED FOR COLLABORATION
1. THE CRITICALITY OF ENABLING GREATER INFORMATION SHARING
The majority of respondents (16/29) have already signed or are in the process of signing the Code of Conduct (CoC). Out of the 13 respondents who have not signed, seven stated willingness to explore further. By most accounts, the acceptance of the CoC has been positive. Many carriers are recent signatories and are in the process of implementing the CoC. As noted by a recent signatory, “We are in the first steps of implementing the Code of Conduct. It is not a requirement for contracts right now, but we have updated our contract templates.”
As more and more carriers sign and align with the goals of the CoC, there is a demand for an enforcement mechanism that moves carriers beyond commitment alone. As noted by one carrier, whose view was representative of many, “There needs to be some form of audit to make sure signatories are doing what they say they are. Otherwise it is just cosmetic.”
2. GLF CODE OF CONDUCT: FROM COMMITMENT TO ENFORCEMENT
EXHIBIT 24: ADHERENCE TO GLF CODE OF CONDUCT
EXHIBIT 25: COMPARING THE ORGANISATIONAL IMPORTANCE AND COMMITMENT TO THE COC
[Charts, % responses. Panels: “Has your company signed the GLF Code of Conduct?” (No / Yes); “If ‘no’, what is the reason?” (Unable, Own code, Legal, Awareness); “If ‘yes’, what is the reason?” (Effectively fight fraud); “Where would you rank the importance of fraudulent traffic as a topic in your organization?” (Top Priority, Strategic Priority, Same as Business as Usual, Low Priority); “Do you request that your customers sign the Code of Conduct?” (No / Yes). Respondents without a response were not counted.]
Several carriers stated the need for an accountability mechanism, but a clear path to implement one is yet to be found. One possible solution is a shared fraud documentation dataset (see discussion in previous section). This dataset allows participants to hold carriers accountable and identify signatories who are failing to uphold the principles found in the CoC. Another possibility is to include a third-party audit to ensure compliance or to rely on public attestation in the hopes that external pressure would push carriers into compliance. Regarding self-attestation, 81% of survey respondents that have signed the Code of Conduct said that they would be willing to publicly self-attest their compliance.
The GLF’s original intent was for the eventual acceptance of the CoC to reach a point where carriers could begin requiring compliance with the CoC. There are multiple options of accountability mechanisms available, and it is the finding of this report and the position of the GLF that the next step, after wide adoption of the CoC, is for the industry to hold signatories accountable for actions promised by signing the CoC.
Another path toward giving the CoC further impact is through the inclusion of a fraud amendment in carriers’ boilerplate contracts. When implemented successfully, carriers report, “The fraud amendment is preventing a lot of bad deals from being made. In cases where managers have pushed for riskier deals, the amendment has either given a clearer path toward resolving disputes or has prevented the deal from happening, which is indicative of a deal we probably should make in the first place.” Another carrier put it simply, “Our changes to contract and legal agreements are more effective in combatting fraud.”
Some pushback to broader implementation comes from the risk of disturbing existing relationships. The same carrier went on to say, “that works for new deals, but for established partners some are just not there yet. Some carriers are not quite ready for [including a fraud amendment].” Another source of pushback comes internally, from some carriers’ legal departments or sales teams. “When I asked the sales team to have our customers sign the CoC, I got pushback that it was not something they wanted to raise with customers.” Another carrier pointed to their legal department, “Legal has advised us to not sign for now.” Regardless of the barriers to wider adoption, carriers report positive feedback on the effectiveness of fraud amendments once they are implemented.
As the Code of Conduct gains further signatories, it must be an industry priority to ensure that carriers can be held accountable and can hold their customers accountable for the commitments held within. There is appetite for such steps, and it is seen as the responsibility of the GLF to set the direction.
EXHIBIT 26: SELF ATTESTING AS THE NEXT STEP OF SIGNATORIES
[Charts, % responses. Panels: “Has your company signed the GLF Code of Conduct?” (No / Yes); “Are you willing to publicly self-attest compliance with the Code of Conduct?” (No / Yes). Respondents without a response were not counted.]
As more carriers sign the CoC and join a growing group of carriers committed to the systematic reduction of fraud in the industry, it is important to maintain the momentum moving forward. As discussed previously in Section 1 and Section 2 of this report, general awareness has increased across the industry, and with it the attitude towards fraud has shifted from tolerance to viewing fraud as a reputation risk with potential financial impact.
To move beyond the initial commitment to fraudulent traffic reduction through the Code of Conduct, the following immediate actions can be recommended on the basis of the dialogue with carriers conducted to produce this report:
1) Request all suppliers and customers sign the Code of Conduct – having signed, all carriers request or require likewise from their customers and suppliers. If GLF members can take the lead given their scale it can soon become a de-facto expectation that all carriers sign the CoC.
2) Announce organizational aspiration for fraud reduction – communicate to own organization and the industry a commitment to fraud reduction through a CEO-shared aspiration. It is critical that carriers communicate their commitment within their own organizations in the same way that they are doing to the broader industry, and then translate that into a tangible action plan.
3) Contribute to and participate in an accountability mechanism – the CoC is only as useful as the degree to which carriers follow the CoC, and the confidence that their peers have that others are adhering. By adding an industry accountability mechanism that attests adherence to the CoC principles the strength of the CoC will increase.
4) Align on KPIs – a requirement of accountability is a set standard to meet or exceed which requires alignment on how and what to measure for industry-wide accepted KPIs. The GLF has endorsed the i3 Forum KPIs and as such it is critical that these are communicated and followed (see further discussion in chapter 2).
The best way to combat the collective methods of fraudsters around the world is to learn from as many instances of observed fraudulent traffic as possible. Carriers recognize that collectively they will be more effective in reducing the value and impact of fraud. Creating and sharing data through the following actions will succeed in creating a fraud-free industry.
Initially, to gain momentum, it is recommended that the focus of collaboration should be at an inter-carrier level, but in time collaboration should cover wholesale carriers, retail operators, OTT communications providers and even regulatory bodies. Each stakeholder group will have a role to play in reducing fraud. Moving beyond adherence to the Code of Conduct as a first step, future collaborative actions could include:
1) Free sharing of data alerting all parties to fraud – a real-time data set shared between carriers, with relevant details such as signaling data, actual source and destination, call time with start and stop, as well as all the historical data that was used to determine it was fraudulent traffic. This data set would serve as a platform for information sharing and communication between all carriers to work collaboratively to reduce fraudulent traffic.
2) Robust fraud communications network across carriers – formalized relationships between carrier personnel addressing fraudulent traffic to share best-practice and what they are seeing across their networks. GLF has effectively set up such a forum on Network Security, and such a concept could be replicated for fraud engaging with other forums such as the CFCA and the i3 Forum that have convened several experts already.
3) Global database of white-/black-listed number ranges and networks – industry-centralized reference database to allow carriers to have an accurate view of the number ranges and networks where fraudulent traffic may have originated.
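As an added illustration (not part of the report or of any GLF system), the following shows how a shared number-range reference that only classifies premium versus non-premium ranges, as raised in the registry discussion and in item 3 above, could screen call records carrying the fields listed in item 1. The registry prefixes, call records, thresholds and function names are all constructed assumptions.

```python
from typing import NamedTuple

# Constructed registry: number prefix -> class. Prefixes are made up for
# illustration and are not real allocations.
REGISTRY = {
    "999": "standard",
    "99970": "premium",
    "9997055": "standard",   # more specific carve-out inside a premium block
}

class Call(NamedTuple):
    source: str       # calling number, digits only
    destination: str  # called number, digits only
    start: int        # epoch seconds
    stop: int         # epoch seconds

def classify(number: str) -> str:
    """Longest-prefix match of a number against the shared registry."""
    for length in range(len(number), 0, -1):
        cls = REGISTRY.get(number[:length])
        if cls:
            return cls
    return "unknown"

def flag_wangiri(calls, max_ring=3, callback_window=3600):
    """Return (short_call, callback) pairs: a very short inbound call from a
    premium-class number, followed by the called party dialling it back."""
    baits = {}   # (premium number, subscriber) -> the short inbound call
    hits = []
    for call in sorted(calls, key=lambda c: c.start):
        bait = baits.get((call.destination, call.source))
        if bait and call.start - bait.stop <= callback_window:
            hits.append((bait, call))
        short = call.stop - call.start <= max_ring
        if short and classify(call.source) == "premium":
            baits[(call.source, call.destination)] = call
    return hits

# Constructed call records (source, destination, start, stop).
SAMPLE = [
    Call("99970123456", "99910000001", 1000, 1001),  # one ring, premium range
    Call("99910000001", "99970123456", 1300, 1900),  # subscriber calls back
    Call("99970551234", "99910000002", 2000, 2001),  # short, carve-out is standard
    Call("99910000002", "99970551234", 2100, 2200),
    Call("99910000003", "99910000001", 3000, 3002),  # short, standard origin
]
```

Only the first pair in the constructed sample is flagged; the carve-out prefix shows why the lookup must take the longest matching range rather than the first match.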
Internal efforts alone are not adequate in an industry where risk is decentralized and where networks are only as secure as the weakest network connected to them. Elevating the lowest common denominator to guarantee a robust industry-wide approach is in the interests of all parties involved.
3. INDUSTRY COLLABORATION: LOOKING BEYOND THE CODE OF CONDUCT