The 3G fraud factor: 3G will introduce unfamiliar and complex dimensions to fraud. Without effective prevention mechanisms, mobile operators will lose customer confidence and revenues
Sanjima DeZoysa
3G will be a new world for mobile operators and coping with the next generation of fraudsters will be another steep learning curve. The content-rich nature of 3G services equates to a catalogue of new partners and co-branded hosts for operators. How will these relationships be managed in terms of fraud management and allocating liability? And what are the 3G fraud pitfalls that lie ahead?
"Operators have to be switched-on to the potential 3G fraud risk areas -- I'm not sure they are", says Jack Wraith, chief executive of Telecommunications United Kingdom Fraud Forum (TUFF), which investigates the problems associated with fraud and promotes information sharing among industry bodies. "This is partly due to the fact we don't know what content 3G services will use and how it will be different to 2/2.5G."
He believes following the 3G network launch on the Isle of Man (UK), 3G deployment in Japan and wider development of 3G applications, operators will gain a better insight into the complexities involved. Recognising the new parameters will certainly be the first stage towards effective fraud prevention mechanisms.
The basic dimensions that 3G will introduce to fraud are threefold. Operators will have to face content beyond their existing experience and deal with a growth of partnerships, while the nature of IP networks offers new possibilities for fraudsters.
New 3G dimensions
3G will initiate a high volume of data traffic -- a '10-15 fold' increase -- according to Simon Potts, head of fraud and revenue solutions (EMEA) at Teradata, which offers analytical business solutions for the telecoms market. The services will be more content-rich and provide a lucrative new playing field for fraudsters.
In his paper, Future Frauds (January 2002), Mark Johnson, director of business development at Cerebrus Solutions, which provides fraud and revenue enhancement solutions, states, '... with the introduction of m-commerce there will be a fundamental shift in the relative values of the connection (eg, the telephone call) and the content (eg, the goods or service purchased). This shift will be so extreme that in a matter of a few years, content will form as much as 99 per cent of the total transaction value on a significant percentage of calls.'
Putting this phenomenon into perspective, the attention of the 3G fraudster will focus on how to manipulate and use the content that operators provide rather than access. As Johnson asks in his paper, 'Why sell telephone cards illegally, when you can fraudulently obtain goods that can be re-sold for hard cash?'
Inevitably, these data-rich services will involve operators working with a wider range of partners, such as content providers and billing mediators. Whereas today the relationship between the operator and the customer is direct, a growing web of partners will make it harder to define a clear path of liability.
Sophisticated 3G fraudsters can also use the IP network to make attacks at a distance, from within another judicial jurisdic detect them before the damage is already done.
In the past, operators have been criticised for masking the problem of fraud in the dash for growth (figures for how much revenue is lost annually due to fraud are vague and broad -- standing at anything from 3-15 per cent).
Cerebrus' Johnson is concerned that mobile operators -- keen to recoup the huge investment spent on 3G licences -- might throw caution to the wind in order to drive revenues quickly. "I don't think operators are prepared technically, mentally or judicially," he adds.
So what can operators do to protect themselves against the threat of 3G fraud?
"Any new service on a 3G platform will need a potential risk of fraud assessment," insists TUFF's Wraith. "Operators have made mistakes in the past but they cannot afford to do so anymore. They have to drive revenues and deal with more technologically aware end-users."
Partnership minefield
One facet of 3G that will have a significant impact on fraud is operators working with a wider range of content providers.
"Inter-relationships between operators and their partners, such as content providers, will need contractual and legislative protection. All the parties involved will need safeguards to protect their interests," warns TUFF's Wraith.
"It will be a legislative minefield because it must all be balanced with the EU parliament's directives in place to protect customers -- the Distant Selling Act and Data Protection Act, for example."
The allocation of liability and risk will depend on the 'value' of the 3G service. The two basic scenarios will be low and high value services.
A low value service could be, for example, if a mobile operator entered into an agreement with Reuters to supply them with stock market information. The value of the content would basically be the cost of access to it and operators would probably be comfortable taking responsibility of liability for such services.
It is in the case of high value services that the issue of liability and apportioning risk between partners will be critical. For instance, with a service that allows 3G users to buy and sell stock via their mobile device, operators will not be so willing to take full responsibility for fraud because the cost of the transaction will more than likely be higher than access to that service.
"When dealing with partners it is very important to start with precise contract conditions, defining responsibilities and procedures in case fraud occurs," stresses Roman Lukes, security manager of mobile operator, RadioMobil. "Operators will not be able to transfer all the responsibility of risk to the content provider. We are responsible to the customers we serve and we cannot stand totally blameless."
However, he also insists, "Content providers will have to shoulder some of the responsibility too -- we need to have a compromise to keep the fraud situation under control."
But are content providers and operators on the same level when it comes to understanding the pitfalls of fraud and allocating liability? Opinion is divided.
"Content providers might have a better understanding of fraud because of their experience with the internet [understanding the principles to prevent hacking or virus attack, for example]," says Cerebrus' Johnson.
In contrast, John Gavan, CEO of Neural Technologies, which provides business solutions to the telecoms industry, emphasises the fact that, "Many content providers rushed web-based services to market and didn't think of security. Operators have a longer tradition of fraud experience and smaller content providers will definitely expect operators to take responsibility."
The problem for operators is that they will be 'the face' of 3G services and first point of call for users who suffer any kind of fraud. Equally, falling prey to fraud itself will affect an operator's market strength, and at a time when the industry is downbeat, user confidence is all important in driving revenues.
"Operators are concentrating on retaining high value customers and increasing ARPU [average revenue per user]," claims Neural's Gavan. "They will weigh the likely return of any content for a 3G service they develop against risk of loss -- negotiations with content providers will be tough."
The potential minefield that operators face in addressing all these issues may have one solution.
"It will be hard for operators to form contractual agreements with so many different content providers who focus on specific content -- what they want is content from the same place," argues Tanja Rauniatio Mitchell, content provider partner manager of Akumiitti, which delivers mobile entertainment software and content to operators.
(sdezoysa@horizonhouse.co.uk)
"We aggregate content for operators -- 'one-stop' shopping. The partnership exists on a revenue sharing model and everyone gets their margin of the revenues and liability will be assessed in the same way."
Content aggregation is one way forward for operators, instead of having numerous ongoing legal negotiations with different providers.
Fraud -- old and new
As much as there is concern about the new threats of 3G fraud, it is worth bearing in mind that the fraud tricks of yesterday will also still exist.
Cerebrus' Johnson refers to an issue of The Economist (October 13-19th 2001) that points out how vendors of pornographic images are already lining up to obtain contracts allowing the establishment of premium rate sites providing images to 3G subscribers.
"We can expect to see fraud committed by a few PRS [premium rate service] suppliers against operators and consumers, as well as fraud, particularly transaction repudiation fraud, by customers who access PRS sites," he claims.
A traditional example of a PRS would be if a vendor wanted to set up a weather information PRS and negotiated with BT to offer a £1 per minute rate. When a user dials the service, BT keeps 50p and gives the PRS vendor 50p. The operator and PRS vendor divide the income based on the total billed to callers -- not on the total actually collected. This is where the threat of fraud is because the PRS vendor can manipulate the principle.
If they use phones to fraudulently dial into their own service without the intention of paying the bill, they can still collect money from BT for the traffic generated to the PRS. In a 3G scenario, this could evolve into a PRS selling porn across the network.
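The billed-versus-collected gap described above can be checked by reconciling settlement per PRS number. The following is an added example, not part of the original article or any vendor's product; the call records, account names, PRS numbers and the review threshold are constructed for illustration, and the 50 per cent share and £1 per minute rate are taken from the article's BT example.

```python
from collections import defaultdict

VENDOR_SHARE = 0.5   # the article's 50p/50p split
RATE_PER_MIN = 1.00  # £ per minute, as in the article's example

# Constructed call records: (prs_number, caller_account, minutes, bill_paid)
CALLS = [
    ("0900-WEATHER", "acct-101", 3, True),
    ("0900-WEATHER", "acct-102", 5, True),
    ("0900-WEATHER", "acct-103", 2, False),
    ("0900-OTHER", "acct-201", 4, True),
    ("0900-OTHER", "acct-900", 240, False),
    ("0900-OTHER", "acct-901", 310, False),
]

def reconcile(calls, vendor_share=VENDOR_SHARE, rate=RATE_PER_MIN):
    """Per PRS number: billed, collected, outpayment and the operator's net."""
    billed = defaultdict(float)
    collected = defaultdict(float)
    for prs, _acct, minutes, paid in calls:
        charge = minutes * rate
        billed[prs] += charge
        if paid:
            collected[prs] += charge
    report = {}
    for prs in billed:
        outpayment = billed[prs] * vendor_share  # settled on billed, not collected
        report[prs] = {
            "billed": billed[prs],
            "collected": collected[prs],
            "outpayment_on_billed": outpayment,
            # Assumed alternative control: settle only on money actually collected.
            "outpayment_on_collected": collected[prs] * vendor_share,
            "operator_net": collected[prs] - outpayment,
            "unpaid_ratio": 1 - collected[prs] / billed[prs],
        }
    return report

def flag_for_review(report, max_unpaid_ratio=0.5):
    """PRS numbers where the operator pays out more than it collects,
    or where most of the billed traffic was never paid for."""
    return sorted(prs for prs, r in report.items()
                  if r["operator_net"] < 0 or r["unpaid_ratio"] > max_unpaid_ratio)

if __name__ == "__main__":
    rep = reconcile(CALLS)
    for prs in flag_for_review(rep):
        print(prs, rep[prs])
```
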
It is clear, the solution to 3G fraud -- just as its nature -- will be multi-dimensional. Operators will have to combine their knowledge of the fraud they face today with preparation for 3G fraud that lies ahead. The key will be proaction rather than reaction -- assessing and understanding the potential risks they face and using that knowledge to combat the onslaught of new waves of fraud.
Table 1: Types of next-generation mobile fraud

Type of attack: Description

Access frauds: These are carried out to obtain free access to voice or data services.

Payment frauds: Credit card fraud has already risen over 50 per cent since the introduction of pre-paid. New payment mechanisms will trigger further increase.

Identity frauds: False documentation is already a problem. Enhanced measures, such as biometric security, will trigger attacks on security databases holding biometric records.

Staff fraud: In the next generation of networks, a growing number of databases will hold key management and customer information. Staff intrusion and data exposure will be major issues.

Transaction repudiation fraud: This is already a critical issue for credit card issuers; the provision of credit on the SIM card will mean that deliberate denial of purchases by customers will become an important issue for operators as well.

Money laundering: The ability of criminal gangs to take out services anonymously and then obtain goods which can be re-sold for cash will make pre-paid mobile e-commerce services a primary target. This will raise new issues for operators related to compliance and collaboration with law enforcement.

IP attacks: Commercial scams - offers of goods or services with acceptance of payment followed by non-delivery. Destructive attacks - denial of service attacks, viruses or worms, for example. Brand theft - creation of web sites with stolen images and sale of related products with an unauthorised mark-up. Identity theft - use of stolen or borrowed handsets to purchase goods and services without the owners' consent.

Source: Future Frauds (telecom fraud in next generation series), Cerebrus Solutions (January 2002)
Sanjima DeZoysa, staff editor
COPYRIGHT 2002 Horizon House Publications, Inc.
COPYRIGHT 2002 Gale Group