The Commsrisk Review of 2016

Out with the old, in with the new… that seems to be the motto of the comms industry. The pace of change is increasing to the point where old strategies and technologies barely last a quarter, never mind a year. In this frantic world, let us take a few minutes to reflect on the turbulence we encountered in 2016, and how well we responded to it. Here is the review of 2016’s highlights, low-downs and everything in-between.

January

Billing giant Amdocs finally bought failing RA vendor Cvidya. They hinted to the Israeli press that the price was a minuscule USD30mn but the same people exaggerated every other number, and this story was no different.

OTT bypass continued to be the hottest topic in our field, and Araxxe shared some useful data about infection rates in different regions. They pulled no punches when identifying who was to blame, stating that Viber was the main driver of OTT bypass.

A consumer survey by the UK regulator showed that customers were not happy with Vodafone UK and their many billing errors. Vodafone UK insisted that they were working hard to improve. After screwing up their billing migration, would Vodafone’s remediation program prove to be another example of telco investment in assurance always being too little, and too late?

Zain Group set a positive example for other telcos by appointing a Chief Risk Officer.

February

PwC reported a 45 percent rise in telco security incidents and losses.

Demonstrating that they have no foresight, the UK regulator decided not to take any action after investigating Vodafone’s postpaid billing errors. Meanwhile, they queried if EE might have overcharged some customer service calls.

March

Dodgy Indian conference companies went to war, throwing wild accusations around the internet and threatening to sue everybody, including Commsrisk. But nobody sued anybody, partly because one of the firms was lying about having a lawyer.

The TM Forum published the results of its global revenue assurance survey. The report concluded that average losses represent 1.5 percent of revenues and about half of these losses are recovered.

There were great leaps forward for virtual reality, augmented reality and technology in the home, as showcased at Wearable Tech 2016. Astute observers would have identified increased risks (hackable IoT devices) and opportunities to mitigate risk with improved technology (better monitoring and advice for telecoms field engineers).

April

American academics and intelligence experts reported on the possibility that encryption and other techniques would make comms networks ‘go dark’, and so prevent law enforcement from doing their jobs. They concluded the dangers were overstated.

After lots of argument about who should conduct Ghana’s national revenue assurance audit, the incoming firm claimed to have cut 300,000 simbox lines. Looking past the hype, the relevant question is whether testing for simboxes can ever be effective, if previous tests had left so many simboxes in operation.

Hackers stole and sold data belonging to 1.5 million Verizon customers.

Vodafone UK received an avalanche of bad press after customers continued to complain about billing errors in record numbers.

One of the respected professionals listed as a speaker at a Quintus conference claimed he had never agreed to speak, nor given permission for his name to be used in their brochures.

Netflix was caught throttling their own videos, but no action arose because net neutrality rules only apply to telcos, not to the big businesses that use (and abuse) telcos.

May

Subex, one of the ‘big two’ RAFM vendors, announced their FY16 financial results. The figures continued the trend of previous years: a small profit was generated by cutting costs to offset falling revenues.

The dodgy conference scandal rumbled on and on. Well-known senior manager Shane Fryer denied he had agreed to let his name be used in the brochure of a Falcon conference.

In contrast, WeDo’s user event continued to grow as the market leader attracted over 400 attendees from 55 telcos to their annual party in Lisbon. Although WeDo is the largest supplier of RAFM tools overall, much of the event was designed to support their goal of overtaking Subex to become the leading supplier of fraud management systems.

Fraudstrike published a list of the top countries for selling International Premium Rate Numbers (IPRNs). Cuba was top of the list.

Vendor and professional services firm Cartesian suffered a mauling as investors complained about their poor results, worsening cash situation and lack of strategy.

The UK press was ‘terrified’ by a new kind of wangiri fraud. I observed that all the victims of this supposedly novel high-tech crime were old women who did not understand how to use their phones.

Polish and Dutch internet activists used the example of Anne Frank’s diary to show the confusing inconsistency of copyright laws in the internet era. The laws are so confusing that even the activists failed to understand them correctly.

June

French police raided the offices of Lycamobile and arrested 19 people. A relatively simple investigation by Buzzfeed showed that huge volumes of Lycamobile prepaid calling cards were supposedly being sold by businesses whose offices could not be found, suggesting the sales were used as a cover for money laundering.

After a lot of negotiation, MTN Nigeria succeeded in reducing their fine for not disconnecting unregistered SIMs from USD 5.2 billion to a mere USD 1.7 billion!

US Senator Rob Portman blasted telcos for failing to reimburse customers for overcharges. Two firms, Time Warner Cable and Charter, were singled out for criticism. This was ironic for their customers, because the two providers subsequently merged.

The TM Forum surveyed telecoms fraud, and the resulting report questioned if telcos had understated the amount of fraud they suffered. I questioned what could be gained by suggesting some survey numbers are wrong, whilst treating others as reliable.

In an alarming video, hackers demonstrated how they could use SS7 to hijack WhatsApp.

COSO published a new draft of their Enterprise Risk Management framework, and made it available for comment.

Telstra gave one customer a multi-million dollar overdraft after withdrawing a huge amount from the customer’s bank account. The customer only owed 225 dollars but a double screw-up caused Telstra to massively overcharge the customer and ignore the customer’s complaints.

The dodgy conference scandal became heated as an employee of Falcon turned abusive. Meanwhile, the Vienna conference of rivals Quintus disappeared without trace.

Fraud expert Dave Morrow published a new guide on how to prevent Missing Trader Intra-Community (MTIC) fraud in particular, and assess the risk of sales tax frauds in general. The publication was reviewed by the Risk & Assurance Group and became the first guidebook to receive their approval.

July

July began with the biggest ever conference of the Risk & Assurance Group, attracting a wide array of speakers and attendees to BT’s offices in London. The strongest message from the audience was a demand for better professional education.

A vulnerability was identified in the software library of ASN.1, a common standard for encoding network data. The weakness allows hackers to execute their own malicious code on routers, switches and radio towers.

Though the technology received little mention at WeDo’s user event in Lisbon, a short Commsrisk post about WeDo using artificial intelligence led to a viral explosion in interest. WeDo wants to let businesses review the riskiness of potential customers by automatically evaluating their social media footprint. The article was easily the most widely-read Commsrisk post of 2016.

Vodafone UK continued to receive a deluge of complaints about postpaid billing errors, leading to even more reputation damage from the UK press.

August

Light bulb manufacturer Osram were found to have sold internet-connected lightbulbs that were not only easy to hack, they also made other devices easier to hack. The implications for the Internet of Things were obvious.

Dave Morrow started a campaign to convince UK police and telcos to use the Proceeds of Crime Act (POCA) to confiscate the profits made by telco fraudsters.

Notorious fraud expert and online troublemaker Daniel Flöckinger became the first person to cyberstalk himself. He then threatened to sue Commsrisk for laughing at his absurdity, but no legal action materialized.

September

Research by Kaspersky Lab concluded that telco employees have been blackmailed into helping cybercriminals. They reported that 28 percent of all cyberattacks involved inside help.

Bug bounty hunter Arne Swinnen identified weaknesses in Google, Microsoft and Instagram products that could enable premium rate telephony fraud.

Subex received a boost from one credit agency that increased the rating of their debt. This followed the improvement of the vendor’s balance sheet after the renegotiation of their relationship with investors.

WeDo saw the funny side of RAFM, launching a comic strip that features a fraud management ninja and a revenue assurance superwoman.

October

Vodafone UK finally received their comeuppance, receiving unprecedented regulatory fines worth GBP4.6mn (USD5.6mn) relating to prepaid charging errors and the failure to respond to complaints about billing mistakes.

Cartesian’s shares dropped to a lower tier of the Nasdaq exchange as a result of the precipitous fall in the company’s value. The business needs to take drastic action to turn around its share price, or may be forced off the stock market completely.

Awards for excellence in RAFM were announced at Subex’s user conference in Jaipur. The winners in the telco category were Viva Kuwait, whilst MTN’s Tony Sani won the award for most outstanding contribution by an individual. Inspired by MTN’s education program, Subex CEO Surjeet Singh took to the stage to offer USD25,000 in sponsorship for a new global RAFM education program.

November

Researchers from Oxford University showed how to turn WiFi into a kind of IMSI-catcher. Cheap WiFi technology can be used to track phones, though it cannot be used to listen to calls.

Neural Technologies became the first foundation sponsor of the Risk & Assurance Group (RAG), providing financial support and agreeing to a partnership that will see them participate in all four of RAG’s major international conferences in 2017.

The threat to telcos posed by OTT providers was ranked the most important issue per a ten-week ‘reverse survey’ of Commsrisk readers.

December

Verizon tried to negotiate a better price for their acquisition of Yahoo, following further revelations about security breaches at the troubled internet firm. Yahoo revealed that an attack in 2013 had compromised 1 million user accounts, the biggest recorded hack in history.

David Morrow’s Freedom of Information investigation showed that the UK authorities hardly ever use the law to confiscate the profits of telecoms fraud.

The Road Ahead

We all have a lot of work to do. Whilst old telecoms business models are crumbling, new risks are gaining ground. Telcos find themselves threatened by OTT and the transition from a voice-based retail revenue model to the content and data-driven world of internet connectivity. Meanwhile, as telcos try to exploit innovative technologies like the Internet of Things they will also open the door for new kinds of crime and network abuse. The scandal surrounding Yahoo shows that bad news can be suppressed for a while, but is likely to come out eventually. Governments are becoming more proactive in turn; they engage in revenue assurance audits and they collect biometric data on a national basis in order to fight crime. There has never been a time when risk and assurance has been so important, but its definition and status are in a state of flux. New methods must replace the old. We must prepare to step away from old ways of securing value. Rising to new challenges means retooling and upskilling practitioners. Those who are unwilling to change are likely to be replaced.

Our work should never have been considered synonymous with running a single ‘system’, but the idea that all problems can be solved with a single system has now become untenable. This is why failing brands like Cvidya have disappeared, whilst large outfits like Subex continue to face downward pressure on revenues. It also explains why the ‘big two’ of Subex and WeDo are seeking to diversify by offering a wider range of tools and services such as test calling. Innovation will matter greatly, and this is reflected in the interest shown in WeDo’s plans to automatically use social media to profile potential telco customers.

It is not clear what route people will follow, or should follow. Uncertainty is high. Leadership is vital. I believe these factors help to explain why the global popularity of Commsrisk has risen sharply over the year. People come here to find out about dramatic industry changes which are likely to affect them, whether the impact will hit sooner or later. We all need to plan for our own careers, as well as anticipating new issues and risks as telcos upgrade their technology and transform their revenue streams. These factors also explain the demand for the Risk & Assurance Group to extend its remit, covering not just revenue assurance and fraud management but also the challenges that fall outside of traditional definitions of scope. Telcos cannot afford to ignore OTT bypass, capex management or reputation risk, and we need to play our part.

I perceive that a younger breed of professional is currently breaking through, taking charge of existing RAFM and ERM functions and leading them in new directions. The baton of leadership may also move between regions; we should spend more time listening to the voices of Asian and African risk and assurance practitioners, not least because their telcos may be racing ahead with new kinds of products and services.

Risk and assurance practitioners should thrive in a world of uncertainty. I look forward to the obstacles we will encounter in 2017. They may be daunting, but they will also lead to exciting opportunities to add more value and enhance the stature of our discipline.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric.