By: Bernardo Lucas
Like criminals who cross physical borders, hackers look for the places where border controls are the weakest and use fake IDs and false keys to hack their way inside. They may even corrupt border security, exploiting weaknesses in a firewall to hijack the network. Because borders can be compromised, it is vital to counter fraudsters through a deep and layered strategy that involves both detection and prevention, in the same way that national security does not stop when you pass through airport security.
Though your network borders will never provide the perfect barrier to fraudsters, communications service providers (CSPs) must make access controls as effective as possible. Many good security controls are simple and unsophisticated. For example, you usually ask prospective customers to show an ID card or document every time they want to sign a new contract. However, while good fundamental protections like checking a customer’s identity can be a robust and cost-effective way of obstructing fraudsters, analytical intelligence and the manipulation of information can cut both ways. We know that fraudsters often try to evade simple checks by making small changes to details, such as changing the spelling of their name or providing different middle initials.
When you allow a customer to pass through your borders and enter your network, you can still use your initial risk assessment to improve how you monitor network activity. This is where the concentration of access controls at the firewall and the gathering of data by Security Information and Event Management (SIEM) come together to provide both real-time insights and the forensic capability to determine who is sending which traffic, and what their objective is. For example, if somebody with a similar name to a known fraudster calls the same numbers that the fraudster previously called, you can safely suspect that they are one and the same person.
To win the war against fraudsters, intelligence cannot exist in a vacuum, but instead requires the collaborative sharing of information at every level within an organization, and also between organizations.
Within a single telco, different departments must pool their combined knowledge resources. Sales staff, for example, may identify concerns with a customer whilst conducting credit checks. Corporate policies that encourage whistle-blowers will prompt them to pass on the details and give fraud managers the ability to unveil fraud that may not otherwise have been detected. When data breaches occur, fraud managers need to play a heightened role in monitoring for fraud that exploits the data which was compromised.
The charging team can also provide intelligence of potential fraud from data collected by the Policy and Charging Rules Function (PCRF). Some operators offer their subscribers special bundles that allow free access to social networking sites. In this instance, the operator zero-rates the URLs it wants to provide for free. However, attackers may manipulate requests to make it appear as if they are visiting free sites, when they are not. This is called Free URL Bypass and gives the attacker free unrestricted access to the entire internet. CSPs can identify fraud by monitoring the charging rules, correlating them with the information coming from the deep packet inspection (DPI) system, and cross-referencing the free URLs to the destination server IP.
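The correlation described above, sketched as an added example that is not part of the original article. The record layout, the `ZERO_RATE` rule name, the hostnames, the address ranges and the byte threshold are all assumptions made for illustration; the flows are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed zero-rating catalogue: hostname -> networks the operator expects
# that free service to be served from (RFC 5737 documentation ranges).
ZERO_RATED = {
    "social.example": [ipaddress.ip_network("192.0.2.0/25")],
    "chat.example": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed flow records, standing in for PCRF charging data joined with DPI
# output: (subscriber, charging rule, host seen by DPI, destination IP, bytes).
FLOWS = [
    ("sub-1001", "ZERO_RATE", "social.example", "192.0.2.10", 120_000),
    ("sub-1002", "ZERO_RATE", "social.example", "203.0.113.77", 950_000_000),
    ("sub-1002", "ZERO_RATE", "chat.example", "203.0.113.77", 400_000_000),
    ("sub-1003", "DEFAULT", "news.example", "203.0.113.5", 2_000_000),
    ("sub-1004", "ZERO_RATE", "chat.example", "198.51.100.9", 80_000),
]

def is_mismatch(rule, host, dst_ip):
    """True when a flow was zero-rated but went to an unexpected server."""
    if rule != "ZERO_RATE":
        return False  # charged normally, so no revenue leak to look for
    # A host missing from the catalogue has no expected networks, so any
    # zero-rated traffic attributed to it is treated as a mismatch too.
    nets = ZERO_RATED.get(host, [])
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in nets)

def suspected_bypass(flows, min_bytes=1_000_000):
    """Sum mismatched zero-rated bytes per subscriber; keep those >= min_bytes."""
    totals = defaultdict(int)
    for sub, rule, host, dst_ip, nbytes in flows:
        if is_mismatch(rule, host, dst_ip):
            totals[sub] += nbytes
    return {sub: total for sub, total in totals.items() if total >= min_bytes}

if __name__ == "__main__":
    for sub, total in suspected_bypass(FLOWS).items():
        print(f"{sub}: {total} zero-rated bytes to unexpected destinations")
```

The byte threshold keeps one-off mismatches, such as a free service briefly served from a new address, from raising a case on their own.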
The DPI system can also play a role in identifying one-click billing fraud schemes that target smartphone users by tricking victims into registering and paying for a certain service after they have visited the fraudster’s website. More recent variations of this fraud have plagued Android users who have downloaded malicious apps. Whilst closing the browser is enough to escape a fraudster’s website, apps can repeatedly demand payment. By integrating their fraud management system with DPI and security information, CSPs can identify fraud by observing outlier trends in the user experience, such as apps which pop up every few minutes.