The global cost of simbox fraud is massive, with the RAG RAFM Survey estimating operators lost almost 7 billion dollars to bypass fraudsters last year. The use of simboxes is also a national security threat, with governments in such varied countries as the UK, India and Ghana worried about their use by terrorists. If telecoms operators want to stop simboxes, and governments want to stop simboxes, why do they remain such a widespread danger? It is my belief that we have three problems that are intertwined with each other:
- The telecoms industry still underestimates the scale of simbox fraud by confusing the fraud it has detected with all the fraud that occurs.
- Associating simbox fraud with particular operators in particular countries leads others to be complacent about how easy it is to ramp up the use of simboxes wherever criminals and terrorists are motivated to use them.
- Incomplete monitoring encourages operators to use methods that appear successful in the short term because they keep finding new cases of fraud instead of permanently preventing fraud from recurring.
One challenge we face is the erroneous belief that simbox fraud can be solved by operators working in isolation, and that if an operator does a good enough job then the problem of simbox fraud will migrate to another operator’s network. This is like hoping that burglars will not steal from your house if your neighbor leaves their door unlocked whilst you have bars on your windows. Fraud is like a virus – the more of the population that is infected, the harder it is for you to stay safe. An industry-wide problem like this cannot be ‘solved’ by one operator being clever in isolation because the criminals are part of an ecosystem that continually invests in improving the technology of crime.
The problem of simbox fraud has always been at the top of the agenda for African, Asian and South American countries where international termination rates are higher and manufacturers openly advertise the sale of GSM gateways with features designed to evade the fraud detection controls of operators. However, simboxes are also making a comeback in other parts of the world. In Europe, the use of origin-based wholesale rates has created a fresh incentive to use simboxes that present a local number for what is really an international call. Meanwhile, American fraudsters are set to use simboxes as an effective way of rotating through many genuine phone numbers to work around new restrictions on telemarketing robocalls.
Instead of killing fraud, operators have grown used to simply pushing it from their business to another operator, only to see it keep returning in new disguises. I set up the AB Handshake Corporation to change that, so please let me explain how we can permanently end all simbox fraud.
The Flaws with Existing Simbox Detection Techniques
It is normal practice for operators to write into contracts with vendors that a certain number of simboxes must be detected each month. Think about what that means: the expectation is that simbox fraud will never fall below a certain level. The only goal of an approach like this is to limit the profits of fraudsters by forcing them to keep doing work to change the SIMs they use. The fraudster’s SIM is effective from the moment it has been put into a simbox or a SIM server, until the moment it is deprovisioned by the operator. Then the criminals simply replace the old SIM with a new SIM and the same cycle begins again. The operator is always playing ‘catch-up’ and the fraud keeps continuing. This leads to a kind of natural selection where the cleverer and more successful fraudsters evolve better methods to avoid detection.
The making of test calls is the most common method used by operators to detect simbox fraud. The idea is that a test call generator set up in a different country will dial one of the operator’s numbers. When the call is received the operator can see if the Calling Line Identity (CLI) is consistent with the real originating number. If they see the number of a local mobile phone instead then they know this call has been routed through a simbox. The problem with this approach is that you have to make many calls to find all the routes that are being abused. Each call has a cost, and these costs soon add up. In the meantime, the effectiveness of the approach is falling. This is because fraudsters are getting more sophisticated as they learn about test numbers through past experience and bribery. They may deliberately choose not to re-route the operator’s test calls through a simbox. Organized criminals may even plan to allow a certain proportion of their SIMs to be detected by the operator’s existing controls to give that operator a false sense of confidence about how successful those controls really are.
The other common method of detecting simbox fraud is through data analytics. There are patterns to simbox calls which distinguish the fraudsters from normal phone users. Some companies propose the use of machine learning to accelerate the development of algorithms used to identify simbox fraud. This technology can improve detection rates, but it is only a percentage improvement and there will still be fraudulent calls that remain undetected. It is our belief that the vendors’ estimates of the effectiveness of these algorithms are probably exaggerated. The suppliers of this technology keep selling upgrades every year because there is no real reduction in the number of fraudsters at work.
Prevention Is Better Than a Cure
Both the test call generator and the analytics methods seek to identify the signs of a fraudster that has already set up their simbox and used it to make fraudulent calls. What if, instead of playing a game of cat-and-mouse, you had a permanent barrier that locks bad actors out of your network, rendering their SIM inert? This is the thinking behind the AB Handshake.
Our approach relies on knowing the identity of the originating line for every outgoing and incoming call. Here you can see how this works in practice.
The originating network records pertinent details to Call Registry A whenever a new call is initiated. These details include the A and B numbers and the time stamp for the call’s beginning. The terminating network that receives the call sends equivalent details to Call Registry B. The two registries exchange encrypted messages over the internet to verify if their records are consistent. A similar exchange occurs at the end of the call. If any intermediaries have manipulated the call, for example by spoofing the A-number, short-stopping or stretching the duration, then this is identified by the discrepancy between the registries. The networks have the option to end the call as soon as any inconsistency is identified, or they may alternatively proceed with the call, as may be appropriate if one of the registries has an outage.
The handshake validation process means the use of a simbox will become apparent because the CLI will no longer match the record in the originating registry. It is like using test calls, but within the AB Handshake community each operator conducts such testing for all its interconnect partners by validating its own outgoing traffic. The following diagram illustrates how the handshake detects simbox fraud.
In this diagram you can see the original call is intercepted by a fraudster, routed through a simbox, and the A-number is replaced with a local number. An out-of-band verification request is sent to the terminating operator in parallel with the set-up of the call. As the verification request does not perfectly match any call received by the terminating network, a partial match is identified by using the time stamp and the B-number. This partial match tells the terminating network that this is a case of interconnect bypass.
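The matching rule described above can be expressed as a small classifier. This is an added example, not AB Handshake's own code: the record layout, the tolerance values, the verdict names and the folding of the start-of-call and end-of-call exchanges into one comparison are all assumptions, and the phone numbers are constructed placeholders.

```python
from dataclasses import dataclass

SETUP_WINDOW_S = 5.0        # assumed tolerance for set-up delay and clock skew
DURATION_TOLERANCE_S = 2.0  # assumed tolerance for the end-of-call comparison

@dataclass(frozen=True)
class CallRecord:
    a_number: str    # calling number as seen by the recording network
    b_number: str    # called number
    start: float     # call start, epoch seconds
    duration: float  # seconds, known after the end-of-call exchange

def validate(request, received):
    """Classify one originating-side request against terminating-side records."""
    # Candidates share the B-number and start within the set-up window.
    near = [r for r in received
            if r.b_number == request.b_number
            and abs(r.start - request.start) <= SETUP_WINDOW_S]
    full = [r for r in near if r.a_number == request.a_number]
    if full:
        best = min(full, key=lambda r: abs(r.start - request.start))
        if abs(best.duration - request.duration) > DURATION_TOLERANCE_S:
            return "duration_mismatch", best
        return "match", best
    if near:
        # Partial match: same B-number and time, but a different A-number.
        return "bypass_suspected", min(near, key=lambda r: abs(r.start - request.start))
    # Nothing arrived: the call never reached this network, or a registry is down.
    return "no_record", None

# Constructed sample data; every number and timestamp is a placeholder.
REGISTRY_B = [
    CallRecord("+9990000099", "+9990000010", 1000.8, 60.0),    # A-number replaced
    CallRecord("+442079460002", "+9990000011", 2000.5, 120.0), # untouched call
    CallRecord("+442079460003", "+9990000012", 3000.4, 95.0),  # duration differs
]
REQUESTS = [
    CallRecord("+442079460001", "+9990000010", 1000.0, 60.0),
    CallRecord("+442079460002", "+9990000011", 2000.0, 120.0),
    CallRecord("+442079460003", "+9990000012", 3000.0, 60.0),
    CallRecord("+442079460004", "+9990000013", 4000.0, 30.0),
]

def run_demo():
    return [validate(q, REGISTRY_B)[0] for q in REQUESTS]

if __name__ == "__main__":
    for q, verdict in zip(REQUESTS, run_demo()):
        print(q.a_number, "->", q.b_number, verdict)
```

The `no_record` verdict is kept separate from `bypass_suspected` because the text allows a network to proceed with a call when a registry has an outage, so a missing record alone is not proof of manipulation.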
This new way of detecting simbox fraud is significantly more efficient than traditional test call techniques because it turns every inbound call into a test call. All routes are effectively tested on a 24/7 basis by organic traffic from real end users. This makes it impossible for fraudsters to execute effective countermeasures. Fraudsters are incapable of gaming the validation process by trying to make their bypassed traffic look more authentic.
The technology used for the AB Handshake can be easily integrated with your systems, allowing your network to block fraudulent calls in real time. Instead of minimizing the delay when purging the fraudster’s SIM from your network, every call that is routed through a simbox is identified and stopped whilst the call is still being established. The result is the complete elimination of all revenue leakage because none of those calls will be connected to your customers.
A Universal Solution with Instant Results
Telecoms fraud managers are used to implementing multiple techniques that have varying strengths and weaknesses at mitigating different kinds of fraud. How about a solution that tests all the routes with live traffic?
The AB Handshake community handles natural traffic – not test traffic – that terminates in every country in the world. That means you will see the benefit from the day you start using AB Handshake. Real international calls received by your network will be validated using AB Handshake immediately, with the result that any simboxes involved in the delivery of that traffic will instantly become apparent. The validation of this traffic will also give you a new perspective on the scale of simbox fraud for all other inbound traffic.
Universal coverage of the AB Handshake would literally end all simbox fraud and many other kinds of fraud too. That is why we are offering a special incentive for new operators who implement AB Handshake. Contact us to find out more.