Don't let the fraudster win: Telecoms fraud is here to stay. However, companies can significantly reduce their exposure to it by putting detection measures in place - Industry & Market Update - Brief Article
Peter Dorrington
Despite the recent slump in the stock market, telecom companies are big business. They represent the future of everything from enabling closer links with customers through e-commerce to next-generation wireless networking for business communications. However, this capability comes at a price - part of which is ever increasing levels of fraud.
Getting accurate figures for the scale of fraud in the telecoms industry is extremely difficult. This is partly because it covers such a large and diverse base, making it tough for companies to detect the true scale of the problem, but also because so many organisations are not prepared to comment openly on their experiences. This in turn makes it difficult for lessons to be learnt.
The cost of fraud alone is increasingly becoming a worrying business issue. At a recent conference on fraud detection and prevention, Jack Wraith, MBE, and chief executive of the Telecommunications United Kingdom Fraud Forum (TUFF), estimated that the scale of fraud for the UK alone is over £1 bn (€1.7 bn).
What is certainly true is that the same technologies that are bringing companies' customers and vendors closer together are also making it easier for fraudsters to operate. Take the internet as a simple example. In one survey alone, there were estimated to be over 1,900 illicit websites dealing with fraud, providing not only descriptions of how the frauds were and are committed, but also revealing the software, tools and plans required for committing such crimes.
Some of the misdemeanours encountered are unique to the industry (e.g. call selling). There are others, however, which are just new, mobile versions of established ones.
Some common types of fraud
So what does the industry have to face? A common example is line surfing, where a fraudster uses another person's or company's lines to make calls. They are often only identified when calls appear on itemised bills, which cannot be accounted for. Then there is subscription fraud, where a fraudster obtains a subscription to a service, typically by applying in the normal way but by using counterfeit or false documentation. Another example (which has been previously mentioned) is call selling, where access is sold to high-value calls (such as international or premium rate services) by not paying for these services directly (for example, at work or when line surfing).
A further option for the fraudster is ghosting. This is where they use technology to make free calls across networks by deceiving the billing systems. There is also accounting fraud, which is probably what the public understands by fraud and often involves insiders, the reduction of charges or fraudulently claiming discounts.
Shoulder surfing of calling cards is also popular. This is where the access/PIN codes of calling card users are observed first-hand. And finally, there is premium rate number fraud, which involves high levels of calling to companies' own premium rate numbers or by diverting calls (sometimes using insiders in the victim's organisation) to place calls.
Methods available to combat fraud
So what can be done about all of this fraud? Most counter-fraud strategies are reliant on three key strands. Firstly, the security issue of trying to stop the crime from happening in the first place. Auditing is also beneficial in that it builds the procedures to detect fraud when it does happen and picks up on insider-collusion. And then there is detection and prevention where companies look for fraud, which they don't know about, and prevent it from happening again.
Some may say there is a fourth strand - deterrence - but that only works when there is a high expectation of detection and meaningful penalties. For many organisations, the experience of successfully prosecuting a fraudster is far from ideal. Firstly, they have to find the fraud (and the fraudster is working hard to cover his tracks) and then they have to get an arrest. There's also the need to obtain and document evidence sufficient for the police to take it to court where a jury may not understand the nature of the crime or even have a misplaced regard for the 'Robin Hood' fraudster. Finally, even if a conviction is secured, it is unlikely that the criminal will ever receive a severe sentence.
Looking at each of the strands in more detail, security doesn't work unless it is part of a concerted counter-fraud strategy. Hackers have developed powerful techniques for bypassing even sophisticated security provision and many organisations don't even take those measures. In a survey last year, 100 companies (which included telecoms companies) were interviewed about their thoughts on internet fraud. The findings were worrying because while 84 per cent thought that the internet is insecure, 72 per cent will continue to invest in e-business - even though 62 per cent had no measures in place to combat internet fraud.
Some of the new security measures recently introduced to combat fraud include biometrics, which is a direct measurement of physical characteristics (e.g. a thumbprint as a means of identifying an individual). There is also address verification, which checks that someone is who they claim to be by comparing known facts about them. And there are also smart cards or chips, which add intelligence. The problem with all of these is that they do not offer 100 per cent coverage and the fraudster is always looking for a chink in a company's armour.
Undertaking an audit does help to control the levels of fraud, but this is easily circumvented by insiders who know what the auditors are looking for and how to avoid setting off the alarms. As the Nick Leeson case shows, an audit and procedures do not necessarily protect a company.
One attractive proposition is to detect all the possible forms of fraud we can and then prevent them happening again. Techniques like forensic data mining are used to look through the huge volumes of transactional and operational data to spot the hidden patterns, trends and clusters that reveal fraud. Neural networks are used to build profiles of a customer's unique behaviour so that radical changes to this behaviour (which may indicate fraud) can be detected. However, it takes time for the neural network to 'learn' about an individual subscriber and as the plastic card companies know, there are certain periods when the sensitivity of these models has to be lowered (such as in the lead up to a major holiday). Finally, comparative analysis works on the premise that people tend to behave in predictable ways. If we compare individual subscribers against well-understood benchmarks, we should be able to spot the 'outliers' that may be fraudsters. However, without the ability to translate detection and prevention into effective security or audit, this has the potential to be a sterile academic exercise.
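The two detection approaches described above, profiling a subscriber against their own past behaviour and comparing subscribers against a peer benchmark, as an added example that is not from the original article. A median/MAD outlier score stands in for the neural network, and the subscriber labels, minute counts and thresholds are constructed for illustration.

```python
from statistics import median

def robust_z(value, reference):
    """Modified z-score of value against reference (median/MAD based)."""
    med = median(reference)
    mad = median(abs(x - med) for x in reference)
    if mad == 0:  # flat reference: only an exact match is unremarkable
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def profile_alerts(history, today, threshold=3.5, min_days=5):
    """Behaviour change: today's minutes vs. the subscriber's own past days."""
    return sorted(s for s, m in today.items()
                  if len(history.get(s, [])) >= min_days  # profile not learnt yet
                  and robust_z(m, history[s]) > threshold)

def peer_outliers(today, threshold=3.5):
    """Comparative analysis: today's minutes vs. the benchmark of all peers."""
    peers = list(today.values())
    return sorted(s for s, m in today.items() if robust_z(m, peers) > threshold)

# Constructed sample data: daily premium-rate/international minutes per subscriber.
HISTORY = {
    "A": [12, 15, 9, 14, 11, 13, 10],
    "B": [0, 2, 1, 0, 3, 1, 2],
    "C": [180, 175, 190, 185, 170, 188, 182],   # legitimately heavy user
    "D": [5, 7, 6, 4, 6, 5, 7],
    "E": [3],                                    # new account, one day of history
    "F": [8, 10, 9, 7, 11, 9, 10],
    "G": [10, 12, 11, 13, 9, 12, 10],
    "H": [15, 14, 18, 17, 16, 15, 19],
}
TODAY = {"A": 14, "B": 95, "C": 186, "D": 6, "E": 240, "F": 9, "G": 11, "H": 16}

if __name__ == "__main__":
    print("behaviour change:", profile_alerts(HISTORY, TODAY))  # B only
    print("peer outliers:   ", peer_outliers(TODAY))            # B, C and E
    # Lower sensitivity (higher threshold), e.g. ahead of a holiday peak:
    print("A at 30 min:", profile_alerts(HISTORY, {"A": 30}),
          profile_alerts(HISTORY, {"A": 30}, threshold=8.0))
```

Subscriber E has too little history to be profiled and is caught only by the peer comparison, while C is a peer outlier whose own behaviour has not changed, which is why the two views are used together.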
The real advantage of an effective counter-fraud strategy is that it makes the crime 'go away', releasing resources to focus on the hard core crimes, and avoiding the pain and expense of trying to secure a conviction and redress.
Scale of internet fraud
Let there be no doubt, all forms of fraud and especially internet fraud are increasing rapidly. The Internet Fraud Complaint Centre (IFCC) recently announced charges against 90 individuals and organisations that had defrauded 56,000 victims to the tune of US$177 m (€209 m) in losses. In its six month report (to November 2000) it revealed that complaints of internet fraud were broken down as 64.1 per cent auction fraud, 22.3 per cent non-delivery of goods, 4.8 per cent involving credit/debit cards, 4.6 per cent to other 'confidence' fraud and 1.2 per cent investment fraud. When comparing this to UK figures for plastic card fraud, the British Bankers Association put it at just under £200 m (€236 m) for 1999.
In a recent Report to the Nation by the Association of Certified Fraud Examiners, fraud and abuse cost US organisations US$400 bn (€473 bn) a year -- the equivalent of US$9 (€10.60) per US employee per day. The average loss due to fraud equates to 6 per cent of revenue.
Finally, there is dramatic growth in identity theft, which is the taking over of someone else's identity for fraudulent or other criminal purposes. This crime is becoming easier to commit because of the rapid increase in the amount of data that is held on individuals. From a small seed, a skilled identity thief can quickly build a portfolio of information about the victim, including supporting documentation. For example, from just one credit slip in a garage, it is possible to get the account-holder's name, the sort code of their bank branch (likely to be a local branch) and account number. By consulting the electoral roll address, the name of any spouse can be identified. A telephone directory will reveal a telephone number and genealogy resources may well identify the name of parents (importantly, the mother's maiden name, a common security question). Fraudsters can even call the victim, posing as their bank and ask the 'routine' security questions (they know all the questions that banks use to verify identity) just to 'update our records'. Without immediately using the data to attempt a fraud, it is unlikely to cause alarm. Fraudsters can scan, alter and print official looking documents to support the folio and begin a victim's criminal life as another person. It is even possible to buy camouflage/economic passports or international driving licences -- all of which add up to a formidable set of documents to present when applying for an account or service.
As an indicator of the scale of the problem, the US Federal Trade Commission receives 2,330 calls about identity theft to their call centre per week.
In conclusion, we all know that this is not a perfect world and will probably never be. So unfortunately, fraud is here to stay. However, it can be reduced and companies need to act on this by putting detection measures in place. After all, none of us wants the fraudster to win.
Peter Dorrington, business solutions manager, SAS Institute
RELATED ARTICLE: Are you the weakest link?
So if you are one of the few who think you know everything there is to know about telecoms crime, test your wits against our definitive guide to the latest cyber crime terms. Here is a dictionary of terms that the UK government's new national hi-tech crime unit will come up against.
Hacking
This is something that is very much in the public's mind. But in telecoms, hacking is much more than just gaining access to somebody's web server. If a private branch exchange (PBX) is hacked, calls can be redirected to a premium/high cost destination. Attacks of this kind can result in losses of thousands of pounds, especially if the fraud is perpetrated overnight or at the weekend.
War Dialling
This often accompanies hacking where all the extensions on a PBX are tried to identify which are connected to modems, thereby providing another leg in a convoluted trail.
Teeing-in
This is where a hacker physically connects a phone to someone else's lines. This is a particular problem for multi-occupancy buildings like apartment blocks and flats. Instructions on how to do this are widely available on the internet.
Theft
In the UK, many market stalls are now selling data cables to connect mobile phones to home computers. On the internet, software exists to remove locking from subscriber identity module (SIM) chips on stolen mobile phones.
Roaming
If a user has reached their billing limit on one network they can force the phone to roam to another network provider which may not yet be aware of the billing situation.
Cloning
This has become less common with the advent of all-digital networks. Nonetheless, it is still common in some countries where the details of a victim's phone are copied into a second mobile thereby enabling the user to make calls at the victim's expense.
Pre-payment
A small but significant amount of all internet fraud is attributed to 'card not present' transactions or even counterfeit prepayment cards.
COPYRIGHT 2002 Horizon House Publications, Inc.