How to Sell a Simbox

At a conference I attended years ago, I floated the suggestion that telcos should counter fraud by employing old fraudsters. That idea went down badly. Very badly. The response could be summed up with four words: “you can’t trust them.” That was the end of that conversation. But I still think I was right.

It is true that a telco cannot trust an ex-fraudster. But then, you cannot really trust anybody, and it might be easier to monitor the old fraudsters you employ than the old fraudsters you do not employ. In the world of IT security, bug bounties are paid to people who find new exploits. That is because developers want the hackers to be working for them, instead of making their money by taking advantage of their products. And I think there is some truth to the old proverb: set a thief to catch a thief. Thieves anticipate how other thieves think. So who is best placed to educate your fraud management team?

It may seem morally wrong to turn to the dark side for advice. But what if the dark side gives the best advice? To illustrate, let me take snippets from the website of SysMaster, a business that sells industrial GSM Gateways, a.k.a. simboxes. Their website is full of great advice – if you are an ‘entrepreneur’ who wants to keep terminating calls on a GSM network, despite the best efforts of the telco’s fraud management team.


VOIP operation wants to expand the business into GSM call termination utilizing locally purchased SIM cards for cheaper termination rates. The available GSM termination solutions do not present reliable termination options because they do not address the main GSM termination problems such as SIM card suspension, number traps, number probes, blacklist management, and human behavior emulation.

If that is the problem, then what is the solution?

SysMaster is the first GSM solution provider that provides a solution to all GSM termination problems by introducing a distributed GSM termination solution allowing VOIP providers to easily enter the GSM termination market with minimal financial risk. The solution is integrated to include GSM channels, VoIP Billing, and Softswitch Routing functionality in one GSM Pilot Server.

What is in the box?

The Pilot GSM Server consists of the following three components in one server.

  • VOIP Billing and Account Management – used to bill and account for all calls
  • GSM Termination Softswitch – used to process GSM traffic and avoid Number Traps/Pings
  • GSM Gateway – used to terminate and originate GSM calls.

What ‘problems’ does the Pilot GSM Server overcome?

  • Destination Number Traps/PINGs
  • IMEI Switching and Management
  • SIM Card Sharing Among Remote GSM Modules
  • GSM Call Termination Detection
  • Uneven GSM Traffic Distribution
  • Outbound-to-Inbound Call Ratio
  • GSM Call Termination Mobility
  • Automatic SIM Card Management

Hmmm… so it solves the problems posed by typical fraud detection techniques! And then they go into detail, explaining how they overcome each individual problem…

Destination Number Traps/PINGs

This is the most popular, quickest and undetectable method to suspend SIM cards that terminate GSM traffic. The method relies on calling specific Destination Number numbers that belong to the GSM Network operator that record the caller id (ANI) of the SIM card that terminates the GSM call. Once such a SIM card has one or more recordings of calling the Destination Number Trap numbers, it is automatically suspended in a matter of minutes. Since the GSM Network operators automatically call these numbers on a frequent basis and they have a large pool of such numbers, the chances of getting a SIM card to terminate such a call within a 24-hour period are over 90%. In most cases such cards are identified and suspended in less than 5 minutes. The important role of the Pilot GSM Server is to isolate such numbers (Destination Number Traps) and enter them into the Black List. This is done automatically even for a very large amount of such numbers in a matter of hours if there is a sufficient volume of traffic. Once the detection of Destination Number Traps is completed the chances of SIM card suspensions are reduced dramatically to lower than 1%.

In other words, to avoid being detected by test calls, the entrepreneur is advised to terminate calls, and see which SIMs are suspended. Then he will know which numbers were used for the test calls, and these numbers are used to populate a blacklist, so the server will never connect calls to those numbers again. The advice even explains how to build up the test call blacklist:

Black List Build-Up

This is the phase that will require between several days based on the volume of traffic that the GSM termination provider is processing. It is important, however, that the GSM termination provider routes traffic from at least 3 different VOIP origination operators, so that all possible Destination Number Trap numbers are routed at least once by the GSM SofSwitch and are automatically entered into the Black List. The GSM SofSwitch will look for traffic patterns and will even identify GSM area codes that represent such Destination Number Trap numbers. The procedure will require at least 12 GSM channels (one Pilot GSM Server) so calls are properly processed and the Black List is completely built-up. The SIM Card termination period and SIM card suspension rate may vary but initially it will be high, and in a couple of days it will drop dramatically, as most of the Destination Number Traps numbers will be captured.

But what if the telco fraud department checks the IMEI of the device making the call?

IMEI Switching and Management

This is required to allow GSM termination providers to change the IMEI identity of their GSM termination modules. This task is highly unreliable using conventional methods, because GSM providers easily get the make/model of the GSM termination modules and match it to the IMEI database they have, and if there is any discrepancy simply flag the IMEI number. For example, most GSM Gateway manufacturers use industrial (not consumer, e.g. Siemens GSM Module) GSM modules that are known to be used in industrial equipment, not mobile phones. If an IMEI belonging to a Nokia GSM phone is assigned to this industrial module, the GSM provider will immediately detect the discrepancy. Using an inexpensive IMEI management procedure that has a consistent make/model of a consumer phone, along with the low price of such a consumer phone, makes the Pilot GSM Server a preferred GSM termination device.

Maybe the entrepreneur should evade detection by remotely switching where the SIM is used to make a terminating call? The advice is that the entrepreneur should think again…

SIM Card Sharing Among Remote GSM Modules

This method is very popular among GSM termination providers but proves to be unreliable because it is easily detected. In most cases the SIM card sharing requires that the GSM module unregisters the SIM card from one GSM cell location and then immediately registers it into another GSM module location even if these two module locations are thousands of kilometers apart. The procedure is easily detectable because of the jump of the SIM card in a matter of seconds from one GSM cell location to the other and the fact that there is no roaming involved in the period of this jump. In addition, the IMEI-SIM card pairing changes in a matter of several seconds which makes the GSM network operator aware that this is a computerized switch. Using SIM Card Sharing is a technology which does not provide reliable results and allows for very simple software isolation and flagging of both the SIM card and the GSM module IMEI.
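The operator-side check that passage describes (a SIM jumping between distant cells within seconds while its IMEI pairing changes) can be written as follows. This is an added example, not code from the original article or from SysMaster; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 1000.0  # assumed ceiling: faster than a commercial flight
MIN_JUMP_KM = 100.0     # assumed: ignore hand-offs between neighbouring cells
REPAIR_WINDOW_S = 60    # assumed: an IMEI change this fast looks automated

@dataclass
class Registration:
    ts: int      # epoch seconds of the network attach
    imsi: str    # SIM identity
    imei: str    # device identity reported at attach
    lat: float   # serving cell latitude
    lon: float   # serving cell longitude

def km_between(a, b):
    """Great-circle (haversine) distance between two registrations, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_sim_sharing(events):
    """Return {imsi: set of reasons} for SIMs showing a jump or rapid re-pairing."""
    flags, last = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.imsi)
        if prev is not None:
            dt = max(ev.ts - prev.ts, 1)  # seconds; avoid division by zero
            dist = km_between(prev, ev)
            if dist > MIN_JUMP_KM and dist / (dt / 3600) > MAX_SPEED_KMH:
                flags.setdefault(ev.imsi, set()).add("impossible_jump")
            if ev.imei != prev.imei and dt <= REPAIR_WINDOW_S:
                flags.setdefault(ev.imsi, set()).add("rapid_imei_change")
        last[ev.imsi] = ev
    return flags

# Constructed sample data: test-network IMSIs and made-up IMEIs.
SAMPLE = [
    Registration(1000, "001010000000001", "350000000000011", 51.5074, -0.1278),
    Registration(1008, "001010000000001", "350000000000029", 48.8566, 2.3522),  # 8 s later, ~340 km away
    Registration(1000, "001010000000002", "350000000000037", 51.5074, -0.1278),
    Registration(9000, "001010000000002", "350000000000037", 51.4545, -2.5879),  # ~170 km in over 2 hours
]

if __name__ == "__main__":
    for imsi, reasons in flag_sim_sharing(SAMPLE).items():
        print(imsi, sorted(reasons))
```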

But telcos can spot the difference between how a human makes calls, and how a machine makes calls. Or can they?

GSM network operators heavily rely on automated call detection to separate human-like GSM call termination from GSM traffic termination. The procedure requires that the operator monitors heavy volume call traffic that has calls without a normal call interval between them. A common example is to make 5-6 calls in 20 seconds using the same SIM card, which obviously is not human-like behavior. The Pilot GSM Server takes care of the proper call routing and timing so all processed calls appear normal enough to prevent easy detection. The system spreads out the call volume among all available channels using pre-configured rules to guarantee that all SIM cards are exhibiting human-like call flow.

The Pilot GSM Server requires a larger number of SIM cards to allow proper traffic distribution. If possible it will emulate phone book calling (calling one number from one and the same SIM card every time). It will also do even call distribution among all SIM cards and call minute accounting for minute termination to different networks (in-network and out-network/roaming). In addition, the Pilot GSM Server may control which SIM cards will be used during the day, evening, and night to provide human-like behavior so that corporate cards are used mostly during the day while personal SIM cards make calls during the evening and night. All supported features are configurable.

…it is unlikely for a normal GSM subscriber to only make outbound calls but to reject all inbound calls. The GSM network operators rely on proper mixture between outbound and inbound calls, so the Pilot GSM Server must provide a solution for this problem as well. The Pilot GSM Server will accept inbound GSM calls and call-backs with an automated IVR to allow inbound call support with variable time, thus the ratio of outbound to inbound is kept within the acceptable GSM network operator limits.
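The two per-SIM checks named in the passages above (a burst of calls with no normal interval between them, and outbound traffic with almost no inbound calls) can be run over call detail records as follows. This is an added example, not code from the original article or from SysMaster; only the "5 calls in 20 seconds" figure comes from the quoted text, while the other thresholds, the record layout and the sample SIMs are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

BURST_CALLS = 5           # quoted example: 5-6 calls ...
BURST_WINDOW_S = 20       # ... in 20 seconds from the same SIM
MIN_OUTBOUND = 20         # assumed: too little traffic to judge below this
MIN_INBOUND_SHARE = 0.05  # assumed: flag when inbound share falls below 5%

def score_sims(cdrs):
    """cdrs: iterable of (ts, imsi, direction), direction is 'out' or 'in'.
    Returns {imsi: sorted list of reasons} for flagged SIMs only."""
    recent = defaultdict(deque)           # sliding window of outbound call times
    out_n, in_n = defaultdict(int), defaultdict(int)
    reasons = defaultdict(set)
    for ts, imsi, direction in sorted(cdrs):
        if direction == "in":
            in_n[imsi] += 1
            continue
        out_n[imsi] += 1
        win = recent[imsi]
        win.append(ts)
        while ts - win[0] > BURST_WINDOW_S:   # drop calls older than the window
            win.popleft()
        if len(win) >= BURST_CALLS:
            reasons[imsi].add("call_burst")
    for imsi, n_out in out_n.items():
        share_in = in_n[imsi] / (n_out + in_n[imsi])
        if n_out >= MIN_OUTBOUND and share_in < MIN_INBOUND_SHARE:
            reasons[imsi].add("outbound_only")
    return {imsi: sorted(r) for imsi, r in reasons.items()}

def sample_cdrs():
    """Constructed CDRs for three made-up SIMs."""
    a = [(t, "sim-A", "out") for t in range(0, 18, 3)]       # 6 calls in 15 s
    b = [(t * 600, "sim-B", "out") for t in range(30)]       # steady, never called
    c = [(t * 600, "sim-C", "out") for t in range(25)]
    c += [(t * 900 + 50, "sim-C", "in") for t in range(10)]  # ordinary mix
    return a + b + c

if __name__ == "__main__":
    print(score_sims(sample_cdrs()))
```

These are the baseline checks the quoted vendor text says its product is tuned against, so each result is best treated as one signal to combine with others rather than a verdict on its own.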

What if the entrepreneur is worried about electricity blackouts interrupting his business? And what if he wants to keep his business moving around?

The Pilot GSM Server requires only 60W of power and it can be supplied by any regular automobile battery for several hours (non-rechargeable mode) and indefinitely (rechargeable mode). The Pilot GSM Server can be placed inside any vehicle and fully function under all roaming conditions provided that GSM coverage exists for both voice and data traffic.

Has the business model been proven? Where is the cost-benefit analysis showing that the entrepreneur will make money?

This is a unique, field-tested solution that works in the long run without the need to support frequent SIM card and GSM hardware replacement. Basically this solution will allow you to make a single investment and run your GSM termination business consistently for a long period of time.

And here is the cost-benefit analysis, stating that an investment of USD70,000 to purchase the server may be paid back within just 38 days.

But who is this product aimed at?

…for GSM Termination providers that face technical and regulatory challenges…

Those were their words, not mine.

There is much to learn about simbox fraud, like all frauds. As we discussed in a recent podcast with Jan Vervloet of LATRO, both fraudsters and fraud managers need to keep evolving, because they compete with each other. Jan is one of the good guys, selling products that help fraud managers. I learned a lot from Jan, who talked about a new technique to identify GSM gateways by determining the ‘protocol signature’ of the device making the call. But I also learned a lot from SysMaster’s explanation of how their server can evade detection. To hear the complete story, it is worth listening to the dark side too.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.