Simboxes, SIM Servers and Protocol Signatures


When fraud managers implement techniques that successfully counter fraud, organized criminals are forced to innovate to safeguard their income. Bypass is not a new phenomenon, and fraud managers have made great progress at detecting simboxes through the use of test calls, and by configuring their FMS to recognize telltale call patterns. But have the fraudsters adapted, and are they now deceiving the fraud managers by deliberately allowing some of their SIMs to be identified, whilst using clever new methods to ensure the remainder escape detection? That is the argument made by Jan Vervloet, Chief Commercial Officer at LATRO Services, who was our guest for episode 22 of the Commsrisk podcast.

In outline, the risk is that SIM servers are increasingly used by fraudsters in order to alternate which SIMs are used for terminating international calls, so none of them trips the alarms set up in the FMS. In addition, ordinary user behavior is being effectively simulated, confusing fraud managers and encouraging them to whitelist the fraudster’s SIMs.

Jan has extensive experience of simbox detection after working for Meucci, the test call firm acquired by Keynote SIGOS in 2014. Now Jan is with LATRO, and he believes the technique of gathering technical data to determine the ‘signature’ of the device connected to the network – and hence directly distinguishing between a gateway and an ordinary mobile phone – should now be integrated into the arsenal of detective controls deployed by modern fraud managers.

Dan Baker once again joined me as co-host of the podcast. He provided his own insights into simbox fraud, based on research he recently conducted. You can download Dan’s white paper about simbox detection and network protocol analysis from here.

To learn more, listen to the podcast! You can play this podcast by pressing the button on this webpage, or by downloading the mp3 file from here. Or if you like iTunes, visit our page at the iTunes Store, where you will be able to subscribe to the podcast and have all future episodes automatically downloaded to your computer, phone or mp3 player.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

3 Comments on "Simboxes, SIM Servers and Protocol Signatures"

  1. Avatar Mike Willett | 6 Jul 2015 at 11:46 am |

    Thanks for an interesting podcast and just a couple of observations more than anything.

    The idea of protocol signatures, as I think I understood it, is perhaps the application of an older approach to a newer problem. To show my age, back in the analogue days (that’s 1G for everyone’s reference), there was the use of RF Fingerprinting to prevent cloning, using products such as Corsair to create a unique identity for each MIN/ESN pair. When a pair presented itself to the network but did not match the fingerprint, the call was not allowed to proceed (on the basis that this was not the “real” customers phone but must be in a cloned ESN). This, I believe, was built off military technology to identify friend or foe in aerial combat and while it did have some issues for telcos (too much detail for this comment), it was generally a reasonable deterrent to analogue cloning.

    I note the podcast used the word fraud a lot for this activity. Of course, this is not always fraud and is sometimes arbitrage. In some jurisdictions, it can be difficult to prove this as a fraud and that can explain low level of law enforcement interest in pursuing such cases that are seen as commercial.

    There was an interesting comment that no margin (based on wholesale and retail rate differentials) for the perpetrator means no more SIM boxing. Of course, I don’t believe this is true. This statement makes the assumption that the SIM boxer will pay the bill for the SIMs they are using. But if they don’t pay, potentially through either subscription or payment fraud, then they can still make margin as they have all revenue and no costs.

    Lastly, it is worth noting about cases of more legitimate SIM box usage. Organisations, generally corporates, can use a SIM box for disaster recovery if their PBX goes down; or I have seen mobile carriers negotiate fixed line PBX traffic away from the PSTN network and through a gateway device. In both these cases, the profile may look very similar to a SIM box.

  2. Avatar Dan Bakr | 7 Jul 2015 at 4:55 pm |

    Good to hear your comments.

    When you mentioned military friend or foe, it brought memories of my many hours of seaboard watches in the radar/combat room aboard U.S. Navy destroyers back in the late 1970’s.

    I absolutely remember peering my head over the shoulders of the electronic warfare techs who were looking for the “squawked” signals from transponders aboard aircraft up to about 300 miles away. The “friendly” codes returned on the large radar scope — no screens at that time:- ) — allowed you to understand what type of aircraft it was, etc.

    This Wikipedia article on identification friend or foe may be what you were referring to.

    It was interesting talking to LATRO Services about their “Protocol Signatures” technology. And it seems to operate similar to the fraud fingerprint detected by a fraud management system. It’s the peculiar behavior of a SIM box — the characteristic signaling messages it sends — that gives the SIM box’s identity away.

    But it certaimly brings up the issue of “friendly” SIM boxes out there. How do you determine which SIM box to block and which to let its traffic pass? Maybe the guys from LATRO can help us understand that.

    • Avatar Jan Vervloet | 19 Nov 2015 at 10:32 am |

      Hi Gentlemen,
      Thank you for your elaborate remarks and with regards to differentiating “friendly SIMboxes” from “fraudulent ones” please drop me a mail on Our system and software can perfectly differentiate fraudulent ones from non-fraudulent ones but due to the technicality of the matter I will introduce you to my CTO for a more in-depth technical answer.
      Have a nice day!

Comments are closed.