FRAUD REPORT 2019 · 2019. 10. 30. · common fraud use-case, and enable more security control over...

FRAUD REPORT 2019 The Evolution of Fraud Management

October 2019

in partnership with

This report has been commissioned by:

ITW Global Leaders’ Forum (GLF) is a network of the leaders from the world’s largest international carriers, who convene to discuss strategic issues and to agree collaborative activities with the aim of driving the next phase of growth for the industry.

For more information please contact Jussi Makela at:

[email protected]

The report has been compiled and written by:

Delta Partners is a leading advisory and investment integrated platform globally. We are a unique hub for people, capital and knowledge to address challenges and opportunities in a transforming TMT industry. Our unique business model enables us to serve our TMT clients through our three business lines, Management Consulting, Corporate Finance and Private Equity.

For more information please contact Sam Evans at:

[email protected]

3

Daniel Kurgan CEO, BICS and Chair of GLF Fraud Working Group

This is the second of what has now become the benchmark annual report on fraudulent traffic in the international telecoms industry. It demonstrates the on-going leadership on this topic which we in the GLF seek to take to ensure that reducing fraudulent traffic is a key focus on the executive agendas. In this year’s report we have expanded industry engagement, with both carriers and technology providers, to take a deeper look at the trends of the past twelve months and what we, as an industry, need to be focused on going forward.

Industry collaboration continues to be critical in our fight against fraud – not only do we as carriers need to engage with each other to identify and stop fraudulent traffic but we need to continue to strengthen the dialogue with technology providers so that they are developing the solutions that will serve us in the 5G IoT era. Defeating fraudulent traffic is an area we should work collectively for the greater industry and societal good.

I sincerely thank my colleagues in the GLF for their support in raising the fight against fraudulent traffic higher in their agendas, taking action within their own organizations and participating in this industry initiative. The initial results from the past 12 months demonstrate we are moving in the right direction as we strive, together, towards a fraud-free future!

Jussi Makela Director, GLF

The ITW Global Leaders Forum exists to be the “voice of the global carrier industry providing leadership and direction to interconnect the digital world”. Its efforts on the reduction of fraudulent traffic is one such embodiment of this mission. Since the Code of Conduct was launched in March 2018 many of the leading international carriers have signed and through collaboration with the CFCA, GLF is seeking to expand its efforts beyond purely the international carriers.

This year’s report is produced from feedback from over 30 international carriers as well as an extensive interview program with technology providers who are developing solutions to reduce fraudulent traffic. We look at the evolution of fraud from the past 12 months based on the carrier survey but we also take a forward-looking view of how both the evolution in networking such as 5G and IoT, and technologies such as blockchain, automation and artificial intelligence are changing the landscape.

We aim that this GLF report becomes the annual ‘temperature check’ for the telecoms industry on its fight against fraudulent traffic as well as helping organizations set their priorities going forward. We have seen how the 2018 report stimulated strong dialogue within and between carriers and we hope that this will continue through this year’s report.

FOREWORD

Report contributors

4

Executive SummaryList of ExhibitsPart 1: Evolution of fraudulent traffic

1. A sustained carrier priority2. Growth in IRSF, and the on-going Wangiri challenge3. The rise of robocalling

Part 2: Enhancing carriers’ response1. Increase in awareness of the importance of fraud management2. In from the cold: integrating fraud management into normal business decisions3. It adds up: the business case of fraud prevention

Part 3: Moving beyond voice1. Threats from new technology: if not today, in the near future2. IoT’s massive scale – creating a new fraud risk?3. IP centered threat with the emergence of 5G

Part 4: Impact of technology evolution1. As network technology advances, so must fraud management systems2. Answer to “scale”: Layered security in IoT to scale fraud management3. Answer to “analog”: eSIM technology to digitize fraud management4. Answer to “slow”: NFV for real-time fraud management

Part 5: Harnessing innovation1. The evolution of fraud management systems2. Big Data: helping find the needle in a stack of needles3. Blockchain: early stage but future potential4. Machine learning and automation: getting in-front of the fraudsters

Part 6: The on-going need for collaboration1. The criticality of enabling greater information sharing 2. GLF Code of Conduct: from commitment to enforcement3. Industry collaboration: looking beyond the Code of Conduct

578

101215

17192022

26283233

3436373839

4042434445

47495052

CONTENTS

5

EXECUTIVE SUMMARY1. Fraud continues to be a key topic for international carriers - 80% of carriers cite fraudulent traffic management

as a “strategic” or “top priority”. In over 50% of carriers, it has increased its importance in the past year.

2. While International Revenue Share Fraud (IRSF) is experiencing the greatest growth, Missed Call Campaign, or Wangiri, continues to be a top-of-mind concern for many carriers given the challenges to identify and block the traffic. However, its value is significantly reducing.

3. Robocalling is an increasingly prevalent form of fraudulent traffic. While the nature of robocalling differs from other fraudulent traffic types, its impact is from the behavior, such as social security scams, which it enables.

4. Awareness of the impacts of fraud and the actions taken to manage fraud has grown much more common – at all levels in the organization including the CEO – with an increase in importance within 58% of surveyed organizations.

5. Awareness of fraud is becoming less contained solely in fraud management teams and being increasingly integrated into the course of normal business.

6. Carriers are associating successful fraud management with improved service quality. Direct financial benefit is being recognized as some customers are willing to pay a premium to avoid high-risk carriers.

7. The technology advancements of IoT, 5G, and edge computing have opened potential opportunities for new fraud types such as Virtual machines/emulators, bots, man-in-the-middle attacks, and distributed device hacks.

8. IoT’s future scale presents a threat multiplier as more devices bring more vulnerabilities to the network and the volume of traffic and transactions occurring on the network complicate fraud management .

9. The digitization of traffic widens the pool of potential fraudsters as internet-based hackers’ knowledge and methods find applicability on telecoms networks.

10. As network technology advances, fraud management tools and practices must adapt to new requirements by improving along three requirements: scale, digitization and speed.

11. Scale: To address the massive scale of the future network security must be embedded from components all the way to network architecture in a layered approach and following the principle of least privilege.

12. Digitization: eSIMs are a simple but effective measure to digitize a fraud management practice, eliminate a common fraud use-case, and enable more security control over the network by carriers.

13. Speed: Network Function Virtualization (NFV) opens several new opportunities for fraud management enabling flexible architecture to manage fraud better and enable specific solutions to combat specific fraud types.

14. Carriers perceive fraud management tools to have a significant potential impact on reducing fraud with the most potential associated with AI/ML, big data, automation, and blockchain.

6

15. Big data is foundational to effectively deploy AI/ML and automation due to their reliance on timely, accurate data with enough volume to build algorithms to discern legitimate from fraudulent traffic.

16. Blockchain is in its early stages but shows promise to overcome the conflicting goals of sharing fraud management information between carriers while protecting proprietary routes.

17. Machine learning and automation are effective due to advancements in capabilities including blocking traffic on a call by call basis, and development of trust in the accuracy or machine-generated decisions to block traffic.

18. Information sharing between carriers is critical with carriers aspiring to build a global dialing number reference and a pooled dataset of documented fraudulent traffic.

19. Beyond signing the GLF Code of Conduct carriers seek an accountability mechanism to ensure signatories meet commitments. Recommendation that signatories incorporate fraud management and dispute reconciliation in all contracts with suppliers and customers.

20. Carriers recognize that collectively the industry is much more capable of reducing fraud than any carrier in isolation; the short-term objectives of collaboration and aligned reporting can lead to a formal communication network and database on white-/blacklisted number ranges and networks.

7

1. Evolution of fraudulent traffic

EXHIBIT 1:

EXHIBIT 2:

EXHIBIT 3:

EXHIBIT 4:

EXHIBIT 5:

EXHIBIT 6:

2. Enhancing carriers’ response

EXHIBIT 7:

EXHIBIT 8:

EXHIBIT 9:

EXHIBIT 10:

EXHIBIT 11:

3. Moving beyond voice

EXHIBIT 12:

EXHIBIT 13:

EXHIBIT 14:

EXHIBIT 15:

EXHIBIT 16:

4. Impact of technology evolution

EXHIBIT 17:

EXHIBIT 18:

EXHIBIT 19:

5. Harnessing innovation

EXHIBIT 20:

EXHIBIT 21:

EXHIBIT 22:

EXHIBIT 23:

6. The on-going need for collaboration

EXHIBIT 24:

EXHIBIT 25:

EXHIBIT 26:

LIST OF EXHIBITS

Comparing importance of fraudulent traffic in carriers

Assessing the change in volume and impact of fraudulent traffic

Perceptions of volume by type of fraudulent traffic

Perceptions of financial impact by type of fraudulent traffic

Overview of Missed Call Campaign (Wangiri) process

Overview of robocalling process

Changing organizational importance of fraudulent traffic management

Fraud management staff: change in last 12 months and next 12 months

Comparing prioritization of fraud with the number of FTE allocated to fraudulent traffic

Adoption of i3 Forum KPIs

Carriers’ correlation of value lost to fraud and organizational behavior

Evidence of emerging fraud types

Overview of virtual machine / emulator fraudulent traffic process

Overview of fraudulent identity (bot) process

Overview of man-in-the-middle attack process

Comparison of PBX hack and distributed device hack process

Three requirements of future FMS

Depiction of security implemented in each of the logical layers in a network

Depiction of model network organized by physical location vs logical organization

Predicted impact of emerging technologies

Growing trend in big data ask

Current state and future use-cases of blockchain

OODA loop improvement the AI/ML and automation

Adherence to GLF Code of Conduct

Comparing the organisational importance and commitment to the CoC

Self attesting as the next step of signatories

10

12

13

13

14

15

19

20

21

24

25

28

29

30

31

31

36

37

39

42

43

44

45

50

50

51

8

PART 1

EVOLUTION OF FRAUDULENT TRAFFIC

THE EVOLUTION OF FRAUD MANAGEMENT

9

3

2

1

Robocalling is an increasingly prevalent form of fraudulent traffic. While the nature of robocalling differs from other fraudulent traffic types, its impact is from the behavior, such as social security scams, which it enables

While International Revenue Share Fraud (IRSF) is experiencing the greatest growth, Missed Call Campaign, or Wangiri, continues to be a top-of-mind concern for many carriers given the challenges to identify and block the traffic. However, its value is significantly reducing.

Fraud continues to be a key topic for international carriers - 80% of carriers cite fraudulent traffic management as a “strategic” or “top priority”. In over 50% of carriers, it has increased its importance in the past year

PART 1: EVOLUTION OF FRAUDULENT TRAFFIC

10

The telecom industry’s approach to fraud has undergone significant change within the last few years. Historically, fraud was viewed as a “nuisance” or “annoyance” but one that was simply the cost of doing business. However, there have been increasing efforts made to manage fraudulent traffic given the increasing cost that it can cause underpinned by the proliferation of access to technology.

In the last 12 months, since the publication of the first GLF Fraud Report in October 2018, fraud continues to be a priority for the majority of carriers. In the 2019 GLF Fraud Survey, 80% of carriers noted that fraud is a ‘strategic’ or ‘top’ priority compared with 85% in 2018. Furthermore, 56% of carriers said that the importance of fraud was increasing in their organization, compared with 74% in 2018. Much of the seeming apparent reduction in priority and importance comes from the new respondents to the fraud survey suggesting that prioritization is highest in the core GLF membership that participated in 2018 also.

When comparing a subset of carriers who answered in both years, 80% said that fraud is a ‘strategic’ or ‘top’ priority in both 2018 and 2019. This reduction in priority and importance did not come across in the interviews with carriers and vendors who unanimously spoke of greater use and acceptance of a Fraud Management System (FMS) and a general, gradual shift in carriers’ attitude towards fraud.

Many carriers noted a recent upward trend in companies’ appetite to combat fraud. It was reported by carriers that “absolutely yes, there has been an upward trend for the last three years with an increased interest in combating fraud. MNO used to be the only ones that cared, but recent history has shown that more wholesalers are getting more involved as well.” One carrier went as far as to say fraud was comparable to price in importance noting that “more people realize that fraud is just as important as cost/quality.”


1. A SUSTAINED CARRIER PRIORITY

EXHIBIT 1: COMPARING IMPORTANCE OF FRAUDULENT TRAFFIC IN CARRIERS

2%7%

26%

34%

37%

20%

37% 36%

2018 2019

Significantly reducing Slightly reducing Staying the same Marginally increasing Significantly increasing

5% 2%

11% 18%

53%51%

32% 29%

2018 2019

Same as Business as Usual Strategic priority

Top priority Total

Mar

gina

lly o

r sig

nific

antly

in

crea

sing

Where would you rank the importance of fraudulent traffic as a topic in your organization? 1

(% responses)

How has the importance of fraudulent traffic management in your organization changed over the past 12 months? 2

(% responses)

n= 20 n= 45 n= 20 n= 44

Notes: 1 n=45, 2 n=44, respondents without a response were not counted; Source: GLF Survey 2019, Delta Partners Analysis

Stra

tegi

c or

top

prio

rity

11

Beyond carriers, technology providers have seen an evolution in the telecom industry’s focus on fraudulent traffic. One vendor noted that “historically [carriers] were comfortable with losing a certain amount but now we are running auto ID block at switch level before a call is even connected.” Through interview discussions, carriers shared their increasing take-up of fraud management systems (“FMS”) noting that FMS has a demonstrable return-on-investment.

“Absolutely yes, there has been an upward trend for the last three years with an increased interest in

combating fraud.”

When pressed on the value of FMS many carriers commented of the reputational impact of their relationship with fraud as well as the benefits in call quality from proactively removing fraudulent traffic. One explained that “no customer will come directly to you because of fraud management, but, let them get wooed away for an on-paper margin improvement, when they come back fraud will be just as important to them as cost and quality”. There are limits to the value of an FMS; carriers noted that cost continues to be the primary driver of competition in the industry. However, there has been a shift in the past year with the increasing importance of non-cost factors including reputation for ‘clean’ traffic in particular.


12

In the on-going arms race of combating fraud, the effectiveness of different fraud type changes over time. Efforts to reduce or eliminate one fraud type can push fraudsters to pursue other options. It is evident in the GLF Fraud Survey responses where we see that the techniques are evolving, and the sophistication level is increasing over time of both the fraud perpetrators as well as carrier’s efforts to detect and eliminate fraud. An increase in

awareness, changes in fraud management practice, and implementation of an FMS were all efforts made by carriers. Conversely, a shift of fraud traffic to Wangiri and scam robocalling, as well as evolving techniques and more sophisticated methods of frauds were mentioned as the opposition from fraudsters shifts to the lowest hanging fruit.

At an overall level, this year’s survey showed a reduction in the share of carriers that said fraudulent traffic was increasing in terms of volume and impact from 45% in 2018 to 33% in 2019. Where fraudulent traffic was ‘significantly increasing’ in 2018 for 25% of carriers, this has reduced to 13% in 2019.

In speaking to carriers, it is evident that there have been reductions in instances of False Answer Supervision and Call Hijacking, while there has been an increase in Missed Call Campaigns, also known as Wangiri, PBX hack, and IRSF. IRSF growth tended to coincide with an improvement of fraud detection capabilities. The majority

of respondents reported an increase of IRSF after a new implementation of FMS, an upgrade of an FMS, or an increase in vigilance/awareness. Wangiri lost the top spot as the fastest-growing fraud type based on the survey data but was listed as one of the most prevalent fraud types by nearly every carrier interviewed.


2. GROWTH IN IRSF, AND THE ON-GOING WANGIRI CHALLENGE

EXHIBIT 2: ASSESSING THE CHANGE IN VOLUME AND IMPACT OF FRAUDULENT TRAFFIC

13% 20% 20% 34% 13%

25% 20% 5% 30% 20%

Significantly Increasing

Marginallyincreasing

Staying the same

Slightly Reducing

Significantly Reducing

How has the VOLUME AND IMPACT of fraudulent traffic hitting your organization CHANGED in the past 12 months?(% responses)

Notes: 1 n=45, respondents without a response were not countedSource: GLF Survey 2018-2019, Delta Partners Analysis

2018

2019

13

EXHIBIT 3: PERCEPTIONS OF VOLUME BY TYPE OF FRAUDULENT TRAFFIC

EXHIBIT 4: PERCEPTIONS OF FINANCIAL IMPACT BY TYPE OF FRAUDULENT TRAFFIC


By use-case, what level of VOLUME are you experiencing?(from 1-5, with one being lowest and 5 being highest)(% responses)

36% 41% 10% 8% 5%

15% 41% 12% 15% 17%

24% 21% 16% 21% 18%

22% 14% 17% 26% 21%

10% 20% 22% 24% 24%

17% 10% 10% 31% 32%

Very High Somewhat High Moderate Somewhat Low Very Low

IRSF1

PBX hacking2

Missed Call Campaigns3

Calls to manipulated B numbers4

Call Hijacking5

FAS6

Notes: 1 n=39, 2 n=41, 3 n=38, 4 n=42, 5 n= 41, 6 n= 41, respondents without a response were not countedSource: GLF Survey 2019, Delta Partners Analysis

Very High Somewhat High Moderate Somewhat Low Very Low

By fraud use-case, what level of FINANCIAL IMPACT are you experiencing?1

(% responses)

32% 29% 10% 12% 17%

15% 32% 15% 13% 25%

14% 17% 19% 19% 31%

12% 12% 20% 20%

17%3%

8% 22% 50%

3%16% 11% 32% 38%

36%

IRSF1

PBX hacking2

Call Hijacking3

Calls to manipulated B numbers4

FAS5

Missed Call Campigns6

Notes: 1 n=41, 2 n=40, 3 n=42, 4 n=41, 5 n=40, 6 n=38, respondents without a response were not countedSource: GLF Survey 2019, Delta Partners Analysis

14

Missed Call Campaign

Call flow

Money flow Missed call Legitimate

Fraudulent

Subscriber returns phone call

Terminatingoperator

Wholesalecarrier

Call routed internationally or domestically or to mobile line but with spoofed caller IDFraudster places call

$FraudCo

$

``Called

subscribers

Fraudster ends call after one ring

Premium rate

service

$$$$$

$$$$$$$$

Subscriber unknowingly calls a

premium-rate number and is held on the phone for as

long as possible

Call routed to premium-rate number

Originatingoperator

6

12

3

54

Source: Delta Partners Analysis

Wangiri continues to be reported by international carriers as one of the most widespread fraud types. However, its instance has reportedly reduced relative to last year with 43% of respondents compared to 61% in 2018 reporting a high level of volume, and only 19% seeing a high volume impact.

The disparity between volume found in Exhibit 3 compared to financial impacts in Exhibit 4 demonstrates the high frequency but low in value nature. Wangiri relies on the lack of a global number registry in that carriers do not necessarily know that a number is a premium-rate.

Outside of knowing the country destination, carriers do not currently have a system in place to identify premium-rate numbers. Carriers have to collect enough data through identified fraud destinations – typically after one or more successful fraud transactions occur – before they can establish a pattern and block calls. Once a number is blocked, the fraudsters can then just migrate to another premium-rate number and restart the pattern. Wangiri can be difficult to identify and block because the nature of the fraud takes advantage of customer behavior to return missed calls. The customer unknowingly end-up being the initiating source of the fraudulent traffic.

Current efforts to stop Wangiri attacks have focused on improving information flow between carriers; the intent is to flag a potential Wangiri sources and share information on premium-rate numbers so that, collectively, carriers can build a more complete picture and more quickly shut down Wangiri fraud operations. Technology providers are developing solutions that target Wangiri in some cases leveraging blockchain technology (See Chapter 3 for a detailed assessment of emerging technologies). Beyond blockchain, some success in reducing Wangiri has been

delivered through a ‘shared blacklist’ approach where carriers share information between each other on confirmed sources of Wangiri. To be blacklisted, there needs to be evidence, which due to the nature of the fraudulent traffic can be challenging but customers are reporting cases to each other. Further efforts in addressing Wangiri are focused on improving the information available to identify and block the sources of fraud (See Chapter 5 for a detailed assessment of two different strategies to address Wangiri and see Chapter 6 for industry collaboration).

Source: i3 Forum fraud definitions


EXHIBIT 5: OVERVIEW OF MISSED CALL CAMPAIGN (WANGIRI) PROCESS

15


Robocalling was a new ‘use-case’ of fraudulent traffic which was mentioned in this year’s survey in open response

sections that did not appear in the 2018 survey results or in the interviews conducted during last year’s report.

Robocalling, as a practice, is one used by telemarketing campaigns throughout the world legitimately. Robocalling becomes fraudulent when it is utilized to disseminate a fraud instead of a legitimate service or product. While the call, by itself, does not meet the traditional definition of fraud in line with other types in this report, rather the content of the call is what defines the call as fraudulent. Research from this report identified that robocalling is increasingly top of mind for many carriers given its recent increase in proliferation, profile, and impact. Once a customer is on the phone, the robocalling perpetrators seek to deploy several activities as different types of entities to gather personal identifiable information, access a computer, or obtain financial access. Examples of these kinds of frauds in the US are:

1) Tech support scams1 – Fraudsters will call posing as tech support from a large tech company a subscriber is likely to have some contact with, such as Microsoft. Fraudsters might spoof the caller ID to a legitimate tech support line. The call will request the user install a seemingly innocent program, such as a virus scan, but the download will give the fraudsters access to the user’s files and personal info, such as PII, credit card information, login credentials, or bank information.

1 https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams2 https://www.consumer.ftc.gov/blog/2018/12/what-social-security-scam-sounds3 https://www.consumer.ftc.gov/articles/0131-credit-card-interest-rate-reduction-scams

2) Social security scams2 – Posing as a government entity (potentially spoofing the agencies caller ID), fraudsters will present a plausible scenario where a user’s tax return is vulnerable, or further information is needed to process a payment. During the conversation the fraudsters will try to get the user to confirm a social security number and/or a number of personal or bank details.

3) Credit card interest rate reduction scams3 – Fraudsters will pose as a debt consolidation service or other financial service firms (potentially spoofing a legitimate purveyor of the service). The fraudster will then try to get the user to divulge persona or bank details.

Robocalling is increasingly prevalent, in part, due to its mimicry of legitimate telemarketing as well as the reduction in other types of fraud. As was stated in last year’s report, there is always a back and forth battle against fraud; as one weakness is resolved, another weakness will likely be exploited. Robocalling exploits the fact that it’s perpetrated from international jurisdictions with little or no chance for legal repercussions for the fraudsters, and it is low-cost to deploy with a low-level of technology sophistication


3. THE RISE OF ROBOCALLING

EXHIBIT 6: OVERVIEW OF ROBOCALLING PROCESS

Robocalling

Call flow


Fraudulent

Terminatingoperator

Wholesalecarrier

Call routed internationally or domestically or to mobile line but with spoofed caller IDFraudster places call

$

FraudCo

$

``Called

subscribers

Called subscriber answers and is

conned by a variety of different

scams

12

3

$$$$

16

required. Similar in nature to traditional telemarketing, robocalling has relied on VoIP to reduce the cost of voice connectivity and spoofed numbers (strategically spoofed to be similar in area code as your own telephone number). These practices, while irritating to the customer, become a top-of-mind issue for carriers due to the scale of the problem. As customers are agitated, they direct their displeasure towards their carrier in turn. One carrier noted “fraudulent robocalling is difficult to detect and combat. To stop it, I have to involve sales and network teams… Robocalling has become a daily problem for me personally because of the volume of calls involved. There is a real impact on customers. We definitely don’t want our brand associated with that traffic.” Other research validates this notion; YouMail estimated4 that in only one month (August 2019) approximately 2.1 billion scam robocalls were placed in the US.

“...fraudulent robocalling is difficult to detect and combat. To stop it, I have to involve sales and network teams… Robocalling has become a

daily problem for me.”

This volume of robocalling has induced responses from local, state, and national governments in the US with a program launched by the Federal Trade commission targeting robocalls with “Operation Call it Quits” which includes a surge in legal actions directed at the operations of robocalls in the US. To combat the rise of robocalling, North American carriers are reportedly focused on creating standards5 to eliminate the possibility of caller ID spoofing called “Signature-based Handling of Asserted Information Using toKENs (SHAKEN)”, and the Secure Telephone Identity Revisited (STIR) standards The results of this implementation as well as the effectiveness of the standard, will be closely watched by carriers around the world, especially in Europe and Asia where the problem of robocalling is smaller but building.

4 https://robocallindex.com/5 https://www.fcc.gov/call-authentication


17

PART 2

ENHANCING CARRIERS’ RESPONSE


18

PART 2: ENHANCING CARRIERS’ RESPONSE

3

2

1

Carriers are associating successful fraud management with improved service quality. Direct financial benefit is being recognized as some customers are willing to pay a premium to avoid high-risk carriers

Awareness of fraud is becoming less contained solely in fraud management teams and being increasingly integrated into the course of normal business.

Awareness of the impacts of fraud and the actions taken to manage fraud has grown much more common – at all levels in the organization including the CEO – with an increase in importance within 58% of surveyed organizations

19


1. INCREASE IN AWARENESS OF THE IMPORTANCE OF FRAUD MANAGEMENT

Awareness of fraudulent traffic is increasing across the industry. Interviewees for this report held roles which require significant time devoted to fraud management, and the vast majority spoke of a general increase in awareness from their colleagues with little to no direct involvement in fraud management.

One fraud management system (FMS) professional noted “A few years ago FMS just wasn’t taken very seriously. I have pushed training and regularly present case studies in broader team meetings and quarterly meetings. At this point, everyone is now aware [of fraud, fraud impacts, and the function of the FMS team] from the clerk in accounting all the way to the CEO.” Survey respondents corroborated this statement with fraud management seeing an increase in importance within 58% of organizations in the last 12 months.

“...today [fraud] is viewed much more seriously than it was in the past only

a few years ago.”

Multiple interviewees mentioned the fact that awareness of fraud and the potential impact of fraud on the business has become top-of-mind for managers of international traffic. A few years ago, a region manager might have been aware of fraud as merely a cost of doing business. Today, the trade-offs involved in different levels of fraud risk have become real considerations and, in some cases, significant selection criteria for route selection by customers as some customers are willing to pay more for routes with less fraudulent traffic. One particularly vocal supporter of FMS went as far as to say, “I have educated and demonstrated at every chance possible for years…today [fraud] is viewed much more seriously than it was in the past only a few years ago.” As the knowledge of the impact that fraud has on the end user as well as the carrier itself becomes more widespread, the potential for more business decisions to be influenced by fraud outcomes and prevention practices increases.

EXHIBIT 7: CHANGING ORGANIZATIONAL IMPORTANCE OF FRAUDULENT TRAFFIC MANAGEMENT

36% 21% 34% 7% 2%

Significantly Increasing

Marginallyincreasing

Staying the same

Slightly Reducing

Significantly Reducing

How has the IMPORTANCE of fraudulent traffic management in your organization CHANGED over the past 12 months?1

(% responses)

Notes: 1 n=44, respondents without a response were not countedSource: GLF Survey 2019, Delta Partners Analysis

20

Survey respondents and interviewees noted FMS topics being incorporated into more normal commercial discussions as indirect and direct economic repercussions or working with partners without an FMS are more top-of-mind. Vendors noted that at some carriers “the cost of fraud is now falling into purview of interconnect manager.” These managers have become more aware of the risks of entering into potential risky deals as the repercussions of opening up themselves to fraud are clearer.” As the impacts of fraud are being attributed directly and indirectly to specific sources of fraud, carriers become more likely to begin implementing internal accountability measures for employees. One carrier noted that in after-actions after the discovery of significant fraud that the regional manager responsible for the agreement that led to significant fraud are held accountable. Along with internal

accountability, carriers who can show direct and indirect impacts of fraudulent traffic are also attributing that fraud to the sources. Another carrier noted “the top three dispute sources are reported to district management. When we identify fraud sources, we report it to business managers.” With general awareness of the impact of fraud on the business increasing and the sources of that fraud being attributed to the sources of fraud, it follows that some carriers will begin to exert pressure on improving their fraud profile.

“The cost of fraud is now falling into purview of interconnect manager.”

EXHIBIT 8: FRAUD MANAGEMENT STAFF: CHANGE IN LAST 12 MONTHS AND NEXT 12 MONTHS


2. IN FROM THE COLD: INTEGRATING FRAUD MANAGEMENT INTO NORMAL BUSINESS DECISIONS

Distribution of Employee Allocation1

(Number of FTEs)

37%

26%

5%8%

11%13%

% of respondents by fraud FTE allocation

<2 2-4 4-6 6-8 8-10 10+

Notes: 1 n=38, 2 n=42, 3 n=43, respondents without a response were not countedSource: GLF Survey 2019, Delta Partners Analysis

17% 50% 33%

Lower Same Higher

How does the number of FTE focused on fraudulent traffic compare to 12 months ago? 2

(% responses)

14% 46% 40%

Lower Same Higher

Do you foresee it changing in the next 12 months? 3

(% responses)

21

EXHIBIT 9: COMPARING PRIORITIZATION OF FRAUD WITH THE NUMBER OF FTE ALLOCATED TO FRAUDULENT TRAFFIC


This years’ survey showed a higher degree of bi-modal staff sizes relative to last year with a more substantial portion of respondents with staff fewer than two as well as a larger proportion with a staff size over 10. Along with a higher degree of extremes, more carriers also reported partial participation of a greater number of adjacent employees (e.g., NOC, Sales manager). Comparing carriers with reported staff sizes in both years shows that

two out of 14 carriers had a reduction in staff while eight carriers reported a larger fraud management staff in 2019 relative to 2018. These trends are corroborated by a net positive reported growth in fraud management staff as seen in Exhibit 9 (33% higher vs. 17% lower). Respondents generally see a very similar trend expected in the next 12 months with 40% of respondents expecting to increase their staff working on fraudulent traffic management.

“The top three dispute sources are reported to district management.

When we identify fraud sources we report it to business managers.”

Comparing the reported fraud management staff size with the reported prioritization afforded fraud management shows a slight positive relationship. Outliers in the top left corner and bottom right corner aside, carriers that prioritize

fraud management tend to have larger staff sizes working on fraud management. The mixed feedback to the relation comes from the previously mentioned outliers as well as anticipated reductions of staff at companies who report fraud as a strategic or top priority. The survey results are unclear whether this is a tradeoff between investments in personnel and technology/tools, but past interviews largely agreed that this is not normally the case.

Low Priority Same as “Business as

Usual”

Strategic Priority Top Priority

Comparison of prioritization and number of FTEs allocated to managing fraud1

(Number of FTEs, bubble size denotes number of respondents, color denotes plans to change headcount)

Num

ber o

f FTE

s Al

loca

ted

to F

raud

Notes: 1 n=36, respondents without a response were not counted

Planning to decrease headcount No plans to change headcount Planning to increase headcount

22

Several interviewees noted that fraud management is frequently seen as linked to call quality. Sometimes it is a direct relationship as fraud management reduces the usage of grey routes that may have CODEC translation errors and low-quality connections (e.g., SIM boxes). “When I travel in Africa I can tell when I am obviously behind a grey route as the voice quality drops significantly. It is obvious that the calls are being bypassed and routed as IP calls to a SIM box; the experience just isn’t the same, and a good FMS would solve that.” Other times fraud management is indirectly linked with quality as one carrier stated, “we do not want our brand associated with [fraudulent traffic].” This carrier, in particular, felt that fraudulent traffic put some of their long-term business relationships at risk as the prevalence of fraudulent traffic was associated with poor quality of service by their customers.

Reputational risk was cited as one of the primary motivations for fraud management. As a representative example of this, one carrier stated that, “we just don’t want our brand associated with that traffic. Our efforts can sometimes come at the cost of a short-term profit impact, but we believe it is worthwhile in the long run. Dubious carriers will propose traffic at a better rate because behind the proposal there will be a grey route.” Another carrier noted that “when managers propose going forward with what looks like a higher-risk partner, we make the GLF fraud amendment a requirement in the contract. This requirement has prevented several riskier deals from happening, and, when we do proceed with an agreement, there is a clear mechanism in place to address any issues.”

From the interviews, it seems clear that the positive benefits of fraud detection and prevention are being felt by end users and carriers both to some extent. By delivering the same service, but with fewer instances of fraud, carriers have a potential lever with which to differentiate themselves relative to competitors. Once this difference is felt and registered by wholesalers, retail carriers, and end users, there is a potential for a clear incentive for further investment in fraud detection and prevention. Avoided costs are, by nature, difficult to measure, but, over time, as fraud prevention becomes more established into carrier selections criteria, direct consequences will be attributed to the effectiveness of a carrier’s FMS.

In the interests of encouraging the share of information and a greater degree of collaborating, reporting standards are necessary. Without standards, measuring the success of fraud prevention efforts would be limited to internal results making collective assessments of carrier performance nearly impossible.

As reported in the 2018 Fraud Report, the i3 Forum has established KPIs that are conducive to information sharing. These KPIs are not meant to be exhaustive, but rather provide a platform for further measure to be based on. Survey responses shows a significant portion (see Exhibit 12) of respondents who don’t report on the Forum’s KPIs were unaware of the KPIs. Awareness is one obstacle to overcome, but the survey pointed to internal reporting inertia as a slightly larger barrier to greater adoption. The GLF recommends adoption of the i3 Forum’s KPI to facilitate greater cooperation. Signatories of the Code of Conduct (CoC) are especially encouraged to adopt the KPIs – the survey shows that tracking the KPIs correlates with a nearly twice as high a proportion of signatories as not.

“We do not want our brand associated with [fraudulent traffic].”

As awareness increases, fraud becomes attributed to the source, and fraud management becomes linked to quality, carriers began to associate differences in fraud profiles of potential partners and some carrier will begin to value the service associated with lower levels of fraudulent traffic.

Cross-referencing the survey data identified that carriers that identified fraud as a ‘strategic’ or ‘top’ priority in many cases saw a higher impact of fraud on their networks. This was then drawn through to their measurement of fraud where ‘top priority’ ranking carriers were most likely to already be tracking the i3 Forum KPIs for fraudulent traffic and reporting to a C-level. Where carriers did not rate fraudulent traffic management as a priority only 25% stated that they are tracking the i3 Forum KPIs and in 40% of cases no metrics on fraudulent traffic were being reported to the C-level.

Some carriers will select partners based primarily on cost, and they may continue to do so regardless of fraud levels. One carrier provided the following anecdote “I recently had contract negotiations with a number of carriers from the same country destination. There was only one carrier that was only looking for the absolute cheapest route… but I think there already is some willingness to pay for fraud management. We need to show customers the value of it.” One of the challenges, much like breaches in cyber security, is that the value of fraud management is only directly measured after a significant event. Customers’ risk calculation might underestimate the chance of significant


3. IT ADDS UP: THE BUSINESS CASE OF FRAUD PREVENTION

23

• Answer key questions: How much have the carriers saved the industry? How much fraud value is?

• Data provided every 6 months with monthly breakdown• Provide information on fraud type trends and other trends detected in the industry

Definitions:No estimation on future losses - actual fraud onlyPeriod = 1 month

a) Actual fraud amount / wholesale cost (mandatory to be anonymised)b) % of fraud traffic (volume minutes) vs. of total traffic of the carrier in the period

Definitions:Dispute = dispute of claim opened by a sending partySuccessful dispute = CNs acceptedPartial successful disputes are considered as successfulIn the value calculation we only consider the wholesale cost relative to the amounts credited back

a) Sum of total value (wholesale cost) of disputes (mandatory to be anonymised)b) Sum of total value (wholesale cost) on successful disputes (mandatory to be

anonymised) --> how much money we prevented from reaching criminals?c) Ratio on successful value of disputes vs. total value of disputes

Definitions:Traffic confirmed as non-fraud by the sending party is not considered as fraudStart time = switch time of 1st call of the carrier detecting the eventEnd time = time of action triggered by fraud department (traffic stop / inform sending party / etc.)

Measurement:Average time from start time to end time

Goal:Determine the value of fraud prevented

Measurement:The length of time it takes a carrier to detect a fraud through other processes if the fraud team were not in place

Example:Fraud starts 1st JuneFraud ends 3rd June18,000 minutes and cost of 600 EUR (average 200 per day)Next billing event is on 1st July so there is a 28 day time lag between the fraud ending and the next triggered eventCalculation of fraud prevented is therefore 28 days x 200 EUR


GLF ENDORSED I3 FORUM FRAUDULENT TRAFFIC KPIS

Goal

Value of detected fraud

Fraud disputes

Capability to react on fraud

Fraud potential losses reduction

KPI 1

KPI 2

KPI 3

KPI 4

Source: i3 Forum

24

fraud events or underestimate the impact as a result of fraud. One carrier noted that their FMS efforts have had a positive impact on customer relations that is felt over time “I have seen a number of customers leave because of price [our being too high], but then they get burned by a low-cost competitor and come back a year later specifically because of our FMS. Carriers that don’t have an FMS are a time bomb for customers and themselves to be compromised.” Another carrier furthered this claim “If [my company] just accepted fraud as the cost of doing business, then I would be worried that long-term suppliers will eventually lose their trust in us and block us. Fraud definitely affects our relationship with long term suppliers and might jeopardize them if we weren’t as diligent.” The financial impact of a successful FMS may not have an easily measured, directly attributed return, but, in these cases and others, FMS can be shown to indirectly generate revenue by increasing customer stickiness, win new or repeat business as a selection criteria, or avoid costly fraud events.

“I think there already is some willingness to pay for fraud

management. We need to show customers the value of it.”

This observed return on investment in FMS coupled with an increase in general awareness has coincided with a reported greater number of carriers with an FMS system in place. One vendor stated, “Recently there are a greater number of carriers with detection solutions. More buying decisions are happening across the board. I have seen a number of fairly straightforward deployments of rules-based systems carriers didn’t have in the past as well as a greater appetite for more advanced systems and add-ons.” A majority of survey respondents, when asked about what system or process they have in place specifically cited an internal or third-party automated, data-based FMS. A vendor noted “most operators, I would estimate maybe 80%, will have a traditional FMS” Having an effective FMS in places is becoming part of the table stakes required to conduct business in the space. In the same way that cyber security has become a basic requirement for many transactions, FMS could become show-stopping requirement in the future.

It should be noted, however, that the financial benefit is not quite so simple. As explained by one vendor “fraud prevention can almost be seen as controversial. While terminating carriers bear the brunt of the fraudulent financial impact, that isn’t always the case further up the route. Preventing fraud can kill revenue which is going to hurt for a carrier with lower margins.” Another added, “[in

EXHIBIT 10: ADOPTION OF I3 FORUM KPIS

Notes: 1 n=29; 2 n=19, respondents without a response were not counted

65%

35%

Does your organisation track thei3 Forum KPIs endorsed by GLF?

No Yes

Does your organization track the i3 Forum KPIs endorsed by GLF?1

(% responses)

10%

90%

No Yes

Has you company signed the Code of Conduct?1

(% responses)

55% 45%

No Yes

37%

42%

21%

Does your organisation track thei3 Forum KPIs endorsed by GLF?

If ‘no’, what is the reason?2

(% responses)

Not relevant of feasible

Already tracking other KPIs

Unaware of the KPIs


25

general carriers] are more effective in combatting fraud. However, fraud still exists, and that is due to some turning a blind eye toward fraud or maybe those that aren’t as incentivized to eliminate fraud.”

“Carriers that don’t have an FMS are a time bomb for customers and themselves to be compromised.”

These pressures contribute to some distrust within the industry as mentioned previously, as, without collective reporting, it is difficult to measure the effectiveness of external partners with only internal data. To combat this uncertainty, it requires greater transparency pushing all carriers to realize a positive financial feedback cycle for successful fraud management.

EXHIBIT 11: CARRIERS’ CORRELATION OF VALUE LOST TO FRAUD AND ORGANIZATIONAL BEHAVIOR

Low Priority or Same as “Business as Usual”

Strategic Priority

Top Priority

Comparison of prioritization and estimated % or revenue lost to fraud 1

(Number of FTEs, bubble size denotes number of respondents)

% o

f Rev

enue

att

ribut

ed to

frau

d

Notes: 1 n=29, respondents without a response were not countedSource: GLF Fraud Survey 2019, Delta Partners analysis

Does your organization track the i3 Forum KPIs endorsed by GLF?1

(% responses)

Do you include fraudulent traffic metrics in reporting to the CEO / Head of International Wholesale?2

(% responses)

56% 44%11%

89%

No Yes No Yes

82%

18% 15%

85%

No Yes No Yes

75%

25%40%

60%

No Yes No Yes


26

PART 3

MOVING BEYOND VOICE


27

PART 3: MOVING BEYOND VOICE

3

2

1

The digitization of traffic widens the pool of potential fraudsters as internet-based hackers’ knowledge and methods find applicability on telecoms networks

IoT’s future scale presents a threat multiplier as more devices bring more vulnerabilities to the network and the volume of traffic and transactions occurring on the network complicate fraud management

The technology advancements of IoT, 5G, and edge computing have opened potential opportunities for new fraud types such as Virtual machines/emulators, bots, man-in-the-middle attacks, and distributed device hacks

28


1. THREATS FROM NEW TECHNOLOGY: IF NOT TODAY, IN THE NEAR FUTURE

The convergence between voice and data traffic is to the benefit of the customer experience. VoLTE service and the increase in the number of VoIP calls has provided increased flexibility and usability to end users. With the change in technology, however, comes an evolution in fraud risk as new types of fraud become possible and the total number of connections increases. Many of these impacts are yet to be fully realized, but, from speaking with carriers and technology vendors through the creation of this report, it is evident that there is a high level of awareness. As noted by one carrier providing a common view “I’m sure we will see unique fraud but it hasn’t matured to the point that we see

more fraud specific to these technologies. They just aren’t big enough yet to make enough money on it to attract fraud, but it will eventually happen.”

While the impact of IoT, edge computing, and 5G hasn’t changed the fraud landscape of today, the potential impact of novel fraud types coupled with the scale of IoT, the speed of edge computing, and the traffic volume of 5G mean is potentially massive if insufficient preventative steps are taken. Carriers need to think about and plan for significant changes in the way they manage fraud as networks change to adapt to new technologies.

While carriers noted that new use-cases are yet to impact their networks at scale, almost half reported issues with virtual machines / emulators and a quarter had experienced false identity (bot) issues. As network technology evolves,

it will be critical that carriers and technology providers pre-emptively address these newer use-cases.

EXHIBIT 12: EVIDENCE OF EMERGING FRAUD TYPES

Beyond voice, what use-cases of fraud are you experiencing on your network?(% responses)

74%87%

51%

26%13%

49%

False identity (bots) ‘Man in the middle’ attacks (e.g., IoT device commandeering)

Virtual machines / emulators

Have not experienced Have experienced


29

EXHIBIT 13: OVERVIEW OF VIRTUAL MACHINE / EMULATOR FRAUDULENT TRAFFIC PROCESS


Emerging use-case 1: Virtual Machines / Emulators

Emulators are typically used in the development of software applications. Developers use emulators to simulate traffic in an attempt to debug and test software before broader release to the public. Fraudsters take advantage of the flexible nature of virtual machines to instigate fraud or multiply the impact of a given fraud type. In some cases, emulations are used to obscure location as well as create a “new” device in the case when fraud has been detected and a device has been blocked. This allows fraudsters to lower the cost of perpetuating fraud as emulators can be used as a disposable device with virtually no cost to the fraudster. Other times fraudsters will use multiple copies of a compromised device or SIM to generate as much fraudulent traffic as possible.

Emerging use-case 2: Fraudulent Identity (Bots)

The convergence of voice and data has ushered in improved quality of service and more flexibility to end users, but it has also opened carriers and end users alike to cybercriminals that might have previously been contained online. One common tool of cybercriminals is the use of robots, or bots, which are simple programs intended to probe and test as many entry points as they can find though absent, default, or weak login credentials and access points. While simple in nature, bots are launched in volumes of multiple billions a year in search of any and all login credentials and entry points that are not secured property. Once an

6 https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

entry point into an account is found, identities are either stolen or synthesized and used to access a wide array of post-paid services offered by carriers (e.g., TV, internet, retail, banking). It also enables the fraudulent order for the highest value device on the market. These devices and services are obtained to perpetuate other frauds, such as IFRS, steal more of an end user’s identity, or to leverage a fraudulent identity onto other carriers’ networks.

Emerging use-case 3: Man-in-the-Middle

Traditionally, Man-in-the-Middle (MitM) attacks occur when the route/media that information is being over (e.g., fiber, coax, Wi-Fi, LTE, 5G) and the protocols utilized to transmit and received are compromised. At some point between traffics origin and destination a gateway has been interjected and allowing a man in the middle to transparently receive and transmit all or some traffic passing through the gateway. This middleman can do anything from simply monitor traffic to delay, add, subtract, or modify the content of the traffic. This opens end users to illegal wiretaps, identity theft, malware injection and more. Specific to telecom networks, MitM attacks occur via cell-site simulators that mimic a tower for you to “roam” on, cell signal sniffers simply acting as a kind of filter-feeder of cell signals that intercepts some of the cell traffic passing between an end user and a tower, or, more concerningly, gaining access to Signaling System No. 7 (SS7) and exploiting the carrier for its failure to adhere to least privileges principle with regards to SS7. With the prevalence of one-time passwords sent via SMS, intercepting only a small amount of traffic can lead to massive value destruction (e.g., Germany 20176).

Virtual machine / emulator flow diagram

Call flow


Fraudulent

Originatingoperator

Call originate from virtual

deviceFraudster hacks device/SIM of an end userFraudCo ``

Called subscribers

Premium rate

service

Fraudster virtualizes the

device to mask origin or to maximize

fraudulent traffic

Call most likely to use international destination to maximize fraud value

2

1 3

4

Terminatingoperator

Wholesalecarrier


High cost int'l

destination

Terminating operator

Wholesale carrier

High-cost int’l

destination


30


Emerging use-case 4: Distributed Device attacks

A new instance of fraud where carriers noted emergence is distributed device. As described by one carrier “I am seeing an increased number of calls made from phones completely without consumer consent. A vendor we are working with says that this is an issue around the world, and that the mechanics of the fraud involve manipulating the native click-to-call option – when a phone number in a text or website can be clicked to automatically call that number – present in most smartphones. Essentially, an application downloaded on the phone is placing a call without any user input.”

Part of what makes the fraud difficult to find is the very low volume of traffic on a user by user basis. Analysis done after aggregation of all this traffic – something a wholesale carrier would be more equipped to do – is much more

feasible. The carrier further described the lack of patterns found: “It ends up being just a few calls made infrequently, but from thousands of phones. Some service providers seem to be disproportionately at risk, but we don’t have a clear idea of why that seems to be the case.” One vendor noted that the fraud sounded similar in nature to how they run their own internal testing “We use those kinds of techniques to conduct test calls via Android phones, but, as far as I know, that kind of fraud wouldn’t be possible on iOS devices.” The author of this report notes that this fraud fits the mold of a PBX hack but with two critical differences. The first is the attack distrusted amongst thousands of devices, and the second being a difference in a timeline. A PBX hack tends to try and extract as much value as quickly as possible while the asset is still compromised. This distributed hack works to fall under the guise of typical traffic for as long as possible.

EXHIBIT 14: OVERVIEW OF FRAUDULENT IDENTITY (BOTS) PROCESS


Fraudulent identity flow diagram

Call flow


Fraudulent

Originatingoperator

Normal fraud monetization

Fraudster utilizes bots to penetrate login/credentials

FraudCo High-value device

Premium rate

service

Fraudster utilizes compromised

identity to obtain

Call most likely to use international destination to maximize fraud value

2

1 3

4

Terminatingoperator

Wholesalecarrier


High cost int'l

destinationCompromised

login/credentials

5 6 7Compromised

login/credentials

Wholesale carrier


High-cost int’l

destination

5 6 7

31

EXHIBIT 15: OVERVIEW OF MAN-IN-THE-MIDDLE ATTACK PROCESS

EXHIBIT 16: COMPARISON OF PBX HACK AND DISTRIBUTED DEVICE HACK PROCESS


PBX hack flow diagram

Call flow


Fraudulent

Terminatingoperator

Call forwarded from hacked

PBXFraudster hacks

PBX of an enterpriseFraudCo Enterprise

PBX system

Premium rate

service

Fraudster forwards calls through PBX

2

1 3

4

Originatingoperator

Wholesalecarrier

High cost int'l

destination

5 6 7

Source: Delta Partners AnalysisSource: Delta Partners Analysis


Wholesale carrier


High-cost int’l

destination

5 6 7Originatingoperator

Man in the middle flow diagram

Call flow


Fraudulent

Originatingoperator

Fraudster interjects a gateway at any point

Possible gateway position

Calling subscriber

1

Terminatingoperator

Wholesalecarrier


$$

Gateway permits all traffic to pass through both ways2

$

Some or all of the traffic is read to extract information3

Receivingsubscriber$




Wholesale carrier



Receiving subscriber$$ $ $

Gateway permits all traffic to pass through both ways

Gateway permits all traffic to pass through both ways

2 3

32

2. IOT’S MASSIVE SCALE – CREATING A NEW FRAUD RISK?

In the past, IoT was seen as a risk because of past devices exhibiting relatively lax security. Historically, manufacturers attempted to keep the cost of devices as low as possible which in some cases was at the expense of security. This trade-off has since moved toward a larger focus on security as lax practices, such as hardcoded passwords that cannot be changed, are phased out, and network operations are pushing regular security updates. It is in carriers’ best interests that security measures are implemented starting at the hardware level. If security is left to the communication infrastructure or communication standards, then any vulnerability would have the potential for massive value loss.

“...with the scale of IoT, it will become less and less viable to monitor all

transactions with a traditional FMS.”

Looking forward, the impact of IoT’s massive scale poses potential issues for fraud management. One carrier reported. “we are most concerned about telecom features linked with handling a massive number of connections, many of which being non-human devices. Traditional Denial of Service (DoS) attacks on devices or toward businesses, data extraction or other fraud types are still valid use cases, but IoT provides a much larger scale to the traditional telecom frauds.” In Ericsson’s 2018 Mobility Report7 the number of cellular-connected IoT devices is projected to reach 3.5 billion devices in 2023 more than tripling today’s estimated total. With that kind of scale and potential growth to a number of vulnerabilities, the fraud risk potential of even a small fraction of those devices becomes daunting for any carrier.

The future scale of IoT has some carriers planning for changes in FMS. One carrier stated, “Classical fraud management systems might not feasibly cover fraudulent attacks; The massive increase in new and cost-effective devices (Smartphones/M2M-/IoT-devices) can lead to massive security breaches in the service chain.” One vendor corroborated this “with the scale of IoT, it will become less and less viable to monitor all transactions with a traditional FMS as they are such a low cost. Because of the number of transactions and the need to process data constantly, carriers will eventually need tools such as AI and Hadoop to manage IoT fraud because of the scale exceeds the capability of current systems.”

7 https://www.ericsson.com/assets/local/mobility-report/documents/2018/ericsson-mobility-report-june-2018.pdf

Today’s current IoT volume is not on the level that would necessitate these changes, and the impact to carriers will vary greatly depending on geographic region and customer segment. However, the fraud potential of IoT’s scale is too great to assume that fraud management will not be impacted and as such this should form part of carriers’ technology plans.

.


33

3. IP CENTERED THREAT WITH THE EMERGENCE OF 5G

The initial stages of 5G are in full force with launches by US carriers in approximately 40 cities, another approximately 40 cities in the EU, Asia set to invest USD$370 billion between 2018-2025, and the first nationwide 5G network in South Korea8.

Most carriers do not see a significant impact in how fraud management is conducted in the 5G network era. The new media of 5G (data vs. voice) is not a major source of concern going forward as many carriers have implemented VoLTE preempting the movement in 5G. One carrier noted “much of fraud management happens at the billing data level so the actual media of usage is irrelevant.”

While the media of 5G is less of a concern, the management of actually delivering the quality of service expected of 5G is an area of focus. One carrier explained, “‘network slicing’ - where there might be instances when service is expected to be at a 5G quality but is being delivered at 4G/3G quality – is a potential for fraud.” Some carriers expressed concern around the requirement to monitor fraud across the emergence of 5G as well as legacy systems while other carriers were less concerned. This variance could be due to resource constraints or customer segments served, but no carrier cited this as a major concern going forward.

Most of carriers’ attention is focused on the result of the convergence of voice and data in 5G and the second and third-order effects that might have on how fraudsters operate. Before, fraudsters perpetuating voice fraud were required to be knowledgeable on voice network architecture, but, with the convergence of voice and data, that requirement is diminished opening voice fraud to a wider pool of potential fraudsters as IP-based attacks become more common. “Evolving threats lately are in VoLTE and SIP. VoLTE has been around a while, but in last two years, there has been a lot more attacks around VoLTE. With the number of private companies connected to their cloud via http… there is just a lot of potential fraud there as hackers already know the internet.”

8 https://www.gsma.com/newsroom/press-release/5g-arrives-in-asia-as-operators-invest-billions-rolling-out-next-generation-networks-finds-new-gsma-study/

“‘Network slicing’ – where there might be instances when service is expected to be at a 5G quality but is being delivered at 4G/3G quality – is

a potential for fraud.”

While the current impact of 5G on fraud management is minimal, most carriers and vendors are looking more towards the detection of currently unknown fraud types. With the prevalence of IP traffic, lessons learned from data networks become more applicable to carriers. One vendor noted “in data networks, no one just buys a firewall. A firewall is the first step towards cybersecurity. There are several layers to cybersecurity and a greater appetite for a best-of-breed approach to protecting against a variety of threats. Advancements like [Network Function Virtualization] allow for a different and distributed network to take advantage of different fraud protections.” While the convergence of voice and data may have opened carriers to a new pool of threats, it has also opened carriers up to a new pool of solutions as well. 5G is currently in its infancy, and the possibility of fraud threats and the solutions to prevent them are coming. It will no doubt be a key area of focus in the 2020 GLF Fraud Report.


34

PART 4

IMPACT OF TECHNOLOGY EVOLUTION


35

PART 4: IMPACT OF TECHNOLOGY EVOLUTION

3

2

4

1

Digitization: eSIMs are a simple but effective measure to digitize a fraud management practice, eliminate a common fraud use-case, and enable more security control over the network by carriers

Scale: To address the massive scale of the future network security must be embedded from components all the way to network architecture in a layered approach and following the principle of least privilege

Speed: Network Function Virtualization (NFV) opens several new opportunities for fraud management enabling flexible architecture to manage fraud better and enable specific solutions to combat specific fraud types

As network technology advances, fraud management tools and practices must adapt to new requirements by improving along three requirements: scale, digitization and speed

36

1. AS NETWORK TECHNOLOGY ADVANCES, SO MUST FRAUD MANAGEMENT SYSTEMS

When it comes to fraudulent traffic carriers see IoT, edge computing, and 5G as threat multipliers. Fraud risks increase with greater bandwidth, devices, and fraud potential and fraud management is complicated by monitoring multiple technologies. In the same way that air-gapped networks are tolerant of vulnerabilities due to the lack of access, legacy networks were more tolerant of vulnerabilities as access was slower, more analog, and the scale was smaller.

With the advance of network technologies, some carriers doubt that traditional FMS approaches are viable to handle the network of the future. Through our research we have heard carriers cite the traffic volume as the primary concern. It has been expressed that, “the volume of data that 5G is expected to handle is over a thousand times more than what was expected from 4G. Many of the security mechanisms found in traditional information technologies are not designed for this volume.” Such data volume increase has the potential to amplify the impact of fraudulent traffic events.

“...due to the low latency as a result of edge computing, the security threats would be much higher.”

For several carriers the increasing speed of the network is viewed as major concern. It was explained that “due to the low latency as a result of edge computing, the security threats would be much higher.” The concern is that the rate of data collection, analysis, fraud identification, fraud elimination cycle of a traditional system is slow enough that fraudsters will have already destroyed significant value even in the case where the fraud is identified and

addressed correctly. This lag time varies greatly from carrier to carrier with some carriers operating at near-real-time and other carriers generating a threat report on an hourly, or sometimes slower, cycle. The lack of a consistent fraud management framework between carriers means that carriers have varying capabilities to identify and stop incidents, and so the impact felt will vary also.

“If 5G will have to fall back to 4G/3G/2G, then we need to keep in

place the monitoring for legacy tech.”

There is a mixed sentiment among carriers around the need to monitor new and legacy systems. One carrier explained, “we foresee some challenges in potential vulnerabilities through Interoperability with legacy technologies (2G to 4G).” Another carrier added, “If 5G will have to fall back to 4G/3G/2G, then we need to keep in place the monitoring for legacy tech.” As highlighted earlier, other carriers do not share the same sentiment. While difficult to speculate on the differences in these two views, the most likely culprit behind these two perspectives is the current state of the carrier’s FMS.

If a carrier is reliant on a traditional FMS that produces threat reports that are manually analyzed before action is taken, that FMS will most certainly have difficulty adapting to the future network. The burden of managing one system designed to monitor the legacy network and another to manage the future network would stretch any fraud management team.

The FMS of the future then must overcome these three obstacles: scale, digitization, and speed.


EXHIBIT 17: THREE REQUIREMENTS OF FUTURE FMS

Speed Scale Digitization

37

The potential scale of IoT is a difficult project, but, even at its most conservative projections, the number of connected devices will quickly overwhelm a traditional FMS. Manual requirements on fraud management teams will need to be minimized as much as possible as connected devices, but equally important is the need to eliminate opportunities for fraud at every level of the network, from component to FMS.

Being proactive and setting standards was brought up by multiple carriers; one carrier stated “Device security and secure transmission methods are critical to maintaining the integrity of IOT network. Secure protocols to ensure the privacy of the data. Use of the private network to ensure protection against DDoS.” The need for layered security is great enough to attract regulators too with movement in the US (the proposed Internet of Things (IoT) Cybersecurity Improvement Act of 20199), the UK (Code of Practice for Consumer Internet of Things (IoT) Security10), and the EU (ENISA’s Good Practices for Security of Internet of Things11) amongst others. In each of these documents,

9 https://www.ftc.gov/news-events/press-releases/2019/06/ftc-law-enforcement-partners-announce-new-crackdown-illegal10 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf11 https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot

a layered approach to security as well as a system by which security can be updated and managed is central to IoT’s security overall.

Embedding security at the basic levels is crucial, and one specific standard highlighted was Manufacturer Usage Description (MUD). MUD is an embedded software standard defined by the IETF that allows IoT device makers to advertise device specifications, including the intended communication patterns for their device when it connects to the network. One carrier stated “[to combat fraud] we need to adopt tech like MUD and start self-provisioning at the network level to alleviate much of the risk from IoT.” Layered security on top of standards like MUD is the principle of least privilege which is the practice of giving an end user access to services required for the IoT device (e.g., roaming restricted, voice restricted, IP restricted, and SMS restricted).


2. ANSWER TO “SCALE”: LAYERED SECURITY IN IOT TO SCALE FRAUD MANAGEMENT

EXHIBIT 18: DEPICTION OF SECURITY IMPLEMENTED IN EACH OF THE LOGICAL LAYERS IN A NETWORK

Saas PaaS IaaS

ERP SCM S&OP CRM MRP TPS ESS

IIoT apps

Dashboards & displays

IIoTplatform

Historian MES WMS

Track & Trace

Manufacturing processes and equipment

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Third parties services

Production and supply chain management and planning (manufacturing and enterprise operations)

Industrial control and supervision devices and systems

Manufacturing processes and machinery

SCADA RTUs PLCs DCS HMI

IIoT sensors IIoT actuators SIS

Raw materials warehouse

Finished goods warehouse

38

3. ANSWER TO “ANALOG”: ESIM TECHNOLOGY TO DIGITIZE FRAUD MANAGEMENT

In a future network, the connectivity opens the network to a greater amount of access to fraudsters as previously discuss. This connectivity also allows for improved visibility and adaptability as the reliance on physical tokens, such as SIM cards, and physical management of the network diminishes. Greater information on devices and the traffic used allows for more data to be used to distinguish legitimate traffic from fraudulent traffic. One carrier noted, “[to adapt FMS to scale] we look at pattern recognition, ML, and big data analytics to profile the devices to detect any deviation from the expected usage & behavior. We later implement strict policy controls on the device’s authorized usage to prevent massive frauds.” Inherent in the use of these tools is the need to access a greater amount of information. One of the most simple but effective digitization efforts has been the adoption of eSIMs.

“SIMs were once a target used for DDOS threats. Lately, eSIMs are more and more difficult to hack. We must tighten up the eSIM security before

we go to general usage.”

SIM cards, in the past, have been a target for fraudsters as a stolen phone could be stripped of its SIM which is then transferred to another device giving full access to the phone account. An eSIM is mounted to the PCB making it impossible to remove and eliminated this simple but effective fraud method. An eSIM can normally not be reprogrammed without the MNO’s consent giving greater control over devices to the carrier. This advantage has been noticed by carriers “SIMs were once a target used for DDOS threats. Lately, eSIMs are more and more difficult to hack. We must tighten up the eSIM security before we go to general usage.”

Implementing a mechanism in place to alert the carrier of possible tampering can further prevent fraud. Another benefit of eSIMs is the GSMA’s certification specifications which have resulted in the SIMBox grey market losing a significant number of SIMs that are no longer compliant. With the adoption of eSIMs the ability to upgrade and adapt security protocols and standards can be pushed down to the device level as devices can accept and execute the application protocol data unit (APDU) commands. Given this ability, the potential for carriers to be able to harden devices with additional security updates, protocols, etc. rather than having to make allowances for legacy SIMs on the network is a step forward in preventing fraud.


39

Carriers think Network Function Virtualization (“NFV”) is the end state of the data and voice consolidation. A fully virtualized network is also a fully digitalized network. The amount of real-time information and the potential for real-time network management is dramatically increased with NFV. Additionally, the scope and type of actions FMS increases as well. One vendor noted “GSMA has recently consolidated fraud and security together and I wonder if it might be indicative of a larger trend. With that consolidation comes the best practices from cybersecurity. In cybersecurity, a firewall is the only piece of network security; similarly, FMS may possibly become only one piece of fraud management as additional layers are brought on to combat specific fraud types. The same vendor stated “in the future, the vast majority carriers will have an FMS. However, I think it will be more apparent to carriers that there is a need for a distributed and a different kind of architecture to take advantage of NFV. It seems to lead to a greater appetite for best of breed in terms of vendors and systems. Not necessarily to replace FMS but to add to them.”

“GSMA has recently consolidated fraud and security together and I

wonder if it might be indicative of a larger trend.”

NFV provides a flexibility in network architecture that allows for compartmentalization and specialization. Combined with end device details provided by an eSIM device types can be logically grouped together to spot atypical traffic/behavior immediately. Concurrently, traffic sources can be logically grouped and monitored together as well, making it easier to group connection by risk level, geography, or other useful groupings. The possibility for implementing different rules for different parts of the network, based on logic and not physical architecture, allows for much greater granularity and flexibility in managing fraud in the future.


4. ANSWER TO “SLOW”: NFV FOR REAL-TIME FRAUD MANAGEMENT

EXHIBIT 19: DEPICTION OF MODEL NETWORK ORGANIZED BY PHYSICAL LOCATION VS LOGICAL ORGANIZATION

Very Low Risk Little Risk Somewhat Risky High Risk

Past Network: Physical layout demands high security level throughout network

Future Network: Network can be organized by traffic type, customer risk, etc. even with the same physical layout

Core Network

Core Network

End users/number blocks Customer/Country

40

PART 5

HARNESSING INNOVATION


41

3

2

4

1

Blockchain is in its early stages but shows promise to overcome the conflicting goals of sharing fraud management information between carriers while protecting proprietary routes

Big data is foundational to effectively deploy AI/ML and automation due to their reliance on timely, accurate data with enough volume to build algorithms to discern legitimate from fraudulent traffic

Machine learning and automation are effective due to advancements in capabilities including blocking traffic on a call by call basis, and development of trust in the accuracy or machine-generated decisions to block traffic

Carriers perceive fraud management tools to have a significant potential impact on reducing fraud with the most potential associated with AI/ML, big data, automation, and blockchain

PART 5: HARNESSING INNOVATION

42


1. THE EVOLUTION OF FRAUD MANAGEMENT SYSTEMS

The tools available to carriers today allow for real-time behavioral modelling, the anticipation of fraudulent behavior before it even starts, continuous improvement as more fraud and normal network behavior is observed, and the adjustment of risk appetite thresholds. However, these capabilities can easily be wasted if the data inputs are of poor quality or limited volume, if the tools themselves are misused or if suppliers or customers fail to share relevant accurate data. Recent shifts in awareness of capabilities have also coincided with an increase in the willingness to trust decisions made by statistics. As articulated by one vendor this recent trust is dependent on the specificity that is possible today: “We can block traffic not only on a number by number basis, but on a situation by situation basis. Instead of blocking traffic at the switch, we are blocking traffic at the behavior. By that I mean a fraudster will be stopped from Wangiri dialing, but they will still be allowed to call their grandmother. This offloads pressure on a carriers investigation group while also being able to

run in real-time and make these decisions every single time 24/7.”

This kind of functionality is built on a data set that is large enough and detailed enough to build out behavioral pattern while also being updated in real-time. Combining these two competing requirements is where today’s FMS tools fit in.

Big data and blockchain are focused on expanding the breadth of data available for analysis. AI/machine learning and automation are focused on executing real-time analysis to fuel fraud. The culmination of these tools is to discern the difference between IRSF, voting for your favorite reality show contestant, an international business call, legitimate telemarketing, and a Wangiri campaign. Being able to prove that traffic is fraudulent has been one of the fundamental issues in fraud management facing carriers – the adoption of advanced technologies can only serve to improve carrier capabilities.

Carriers see AI/ML as having the most potential while expectations for blockchain are relatively low. Several carriers are much less aware of blockchain than AI/ML; “I have heard about blockchain but haven’t seen it in actions or seen the benefit of the tool.” Contrasting with the lack of awareness of blockchain is the near-unanimous commentary on the importance and difficulty

of collaborating with other carriers. It was noted that, “we would like to extend collaboration… [to collaborate with another carrier] sometimes you have to provide routing information which takes a lot of trust.” In interviews it seems that the value of AI/ML is apparent today, while the little awareness and lack of understanding of how blockchain might address this is a core issue in fraud management.

EXHIBIT 20: PREDICTED IMPACT OF EMERGING TECHNOLOGIES

How impactful do you believe the following technologies will be for reducing telecoms fraud?1

(score 1-5, with 1 being low, and 5 being high)

4.1 3.8 3.8

2.7

AI/ML Big Data Automation Blockchain

Average Score

Note: 1 n=45, respondents without a response were not countedSource: Delta Partners Analysis

43

Big Data vs. Non-Big Data RFP (%)

14%

64%

32%

65%

Big Data Non-Big data

FY17-18 FY18-19

Regional growth(%)

9%25%

0%

26%25%

57%

20%30%

Africa APAC America Europe & ME

FY17-18 FY18-19


2. BIG DATA: HELPING FIND THE NEEDLE IN A STACK OF NEEDLES

Building an accurate and robust data set to analyze is crucial to the accuracy and effectiveness of a data-driven FMS. One carrier went so far as to say, “Detection is using big data… writing a simple rules-based system just isn’t going to cut it anymore.” With the trend towards digitization of carrier networks fully under way, the access to information continues to improve. That data set is needed to find ever-more-sophisticated frauds being perpetuated. “It really is trying to find a needle in a stack of needles” one carrier noted; to distinguish one “needle” from another more data is needed. One carrier detailed “We have a number of data scientists to help us build detection algorithm in conjunction with our sysadmins and my staff. Our data lake is all internal data right now with 25 billion MOU per year, and I still am running pilots to open up more of our system.”

“It is less and less viable to monitor the transactions...”

With the amount of data being utilized, additional tools are bought in to digest it all. As explained by one carrier, “It is less and less viable to monitor the transactions… Hadoop is required to manage the process.” Another carrier corroborated that “a rules-based model was the classic approach when there were lots of slower, smaller attacks. Today, fraud is much more difficult to find and write rules for.” Fraudsters continue to shift and evolve as their methods are discovered and eliminated. For a carrier to

stay abreast, big data is a requirement of today’s network.

Traditionally, carriers have relied on the billing information found in the Call Detail Record (CDR). This data includes attributes such as call length, source and destination, usage time, billing amount, timestamp, and other relevant information. Several carriers have moved on also to include signaling data. One carrier noted “currently we have a vendor using the CDR data on the billing side. Because of new risks and new types of fraud we are using signal data to detect fraud.” The intention here is to autoblock fraudulent traffic before a call is even completed. Additional data sources that at least one carrier is working to incorporate is a feedback cycle from false-positive instances “We have a DIY system [for an end user to access through an online portal] to unblock false positives. We are re-ingesting those events to fine tune and correct our algorithms.”

“Because of new risks and new types of fraud we are using signal data to

detect fraud”

Using a larger and larger pool of historical data has marginal returns as fraudsters ramp up the pace of shifting tactics and increasing the subtlety and sophistication of their methods over time. As carriers seek to speed up the cycle of fraud detection to fraud prevention additional data sets and attribute will become more utilized.

EXHIBIT 21: GROWING TREND IN BIG DATA ASK

Source: Subex1, Delta Partners Analysis

1 https://www.subex.com/the-growing-interest-in-big-data-technologies-for-fraud-management-revenue-assurance/

44

Inherent in the business of international wholesale is the need to guard route paths. As competition matures and margins are pressured, least-call-routing can be crucial to carriers’ bottom line. In nearly direct opposition, is the need for transparency to trace fraud back to its source. At the intersection of these pressures is where you will find blockchain. One carrier explained the drivers behind carriers’ reluctance to share information “Wholesale is very price sensitive. Price matching is aggressive and driven by deals with easily comparable suppliers. NDAs are extremely important to protect route information.” Finding a way to be able to share information between carriers (the importance of this is discussed in section 6) without disrupting the business model is, obviously, difficult, but many types of fraudulent traffic relies on information asymmetry. One vendor point to two examples “a timely way to share data would eliminate roaming delays. Sharing data between carriers through a blockchain would prevent short stopping and ensure that calls are terminating in the proper destination. We would need multiple carriers to share data, but with blockchain you can anonymize the details on path itself but would have confirmation that it was terminated appropriately.” This is the promise of blockchain; blockchain seeks to find a way to share critical information in a timely manner while allowing for carriers to retain sensitive information.

There are a number of text runs, trails, and initial launches of blockchain solutions preventing fraud today. One vendor, QLC Chain, has recently launched a SMS antifraud solution

that verifies the source of an SMS by treating each SMS as a transaction recording it on a blockchain as well as a blockchain-enhanced two-factor-authentication. An effort lead by Clear seeks to authenticate the origin, destination, and call length without disclosing the route in between to defeat IFRS. CSG sees blockchain’s potential in evidence documentation and easier stop-payments with a goal to stop payment before payment has occurred. Further development might see some future FMS functions pulled into security as a service model allowing a third party to oversee multiple carriers at once. Tomia sees the potential of blockchain facilitating the sharing of CDR data to eliminate short-stopping once and for all. The current limitations of blockchain are reported as a tradeoff between security and cost/speed. Carrier general sentiment is that the potential for blockchain is real but much of it is in the future. Today’s applications are real, but the use-cases and the value that they can protect for the carrier industry are generally untapped so far.

While in early stages most carriers are hopeful but guarded about blockchain. Survey results show that of the technology tools available for FMS, blockchain scores significantly lower (see Exhibit 21) than the other technologies in terms of perceived impact potential. One carrier explained “Blockchain isn’t going to help detection, but I think it will help with evidence of fraud to make it easier to stop payments. Today stop payment might come after payment has occurred, and blockchain might be instrumental in blocking the payment before.”

3. BLOCKCHAIN: EARLY-STAGE BUT FUTURE POTENTIAL


EXHIBIT 22: CURRENT STATE AND FUTURE USE-CASES OF BLOCKCHAIN

DescriptionKey Benefits

Cost Reduction Efficiency Improvement Fraud Mitigation

Roaming

Mobile Number Portability

Identity Management

IoT Device ID

• Automated roaming transactions using smart contracts

• Standard decentralized ledger for data & routing access across operators

• Management of customer’s personal information using decentralized identifies to be offered as-a-service to customers

• Use of distributed ledger to allow identification and activities of IoT devices

• Reduction in backhaul bandwidth

• Elimination of clearing houses

• Single store of data• Centralized database

management

• Reduced cost of ID verification

• Higher throughput on roaming calls (reduction of traffic routed through home network operator)

• Instantaneous porting• Seamless user experience

without disruption

• Easy implementation of ID management systems

• Single ID storage for customers

• Increased visibility while on other networks

• Reduction of roaming fraud loss

• Elevated transparency & security

• Increased security & protection against fraud

• Higher security enabled by instantaneous and orchestrated recognition of connected devices


45

As discussed in the Big Data section, the appetite and need for massive data sets is paramount to finding that “needle” of fraudulent traffic. The speed at which fraudsters adapt further complicates the ability of carriers to continue to rely on traditional rules-based systems. To maintain pace with fraudsters’ pace and to get in front of fraud, carriers are moving towards machine learning (ML) and automation. Detection relies on Big Data but the speed of discovery and the ability to eliminate fraud is where real value can be found.

Besides the speed of detection, ML also affords carriers the ability to set risk thresholds. The risk inherent in auto-blocking traffic is blocking legitimate traffic. In an industry of tight margins, blocking legitimate traffic is a major concern. The ability to set and manage thresholds in accordance with risk profiles. One vendor explained “The clear change that [ML] brings is in modifying classic threshold. Setting this threshold becomes a risk profile question. The real value, or secret sauce, is not in the ability to identify fraud, but, instead, it is in ML’s ability to modify thresholds.” A perfect balance of eliminating 100% of all traffic with no false positives is not possible. One carrier said it plainly, “the only network with no fraud is one with no traffic” and carrier said, “it is just not possible to have waterproof system.” However, setting the risk profile in accordance with the customer segments and geographies serviced places more control in the carriers’ hand and allows the carrier to balance the tradeoffs between blocking fraud and false positives.

One vendor put it simply “it is much better to not get tricked than to find the person that tricked you.” While machine learning focuses on the detection of fraud, automation, or auto-blocking, translates that detection into elimination. It is seen as critical because, the longer the cycle between detection and elimination, the more value is potentially lost to fraudsters. Additionally, fraudsters have historically relied on normal business cycles of the workweek to maximize the volume, and therefore the value, of fraudulent traffic before it can be detected and blocked. One carrier noted, “we used to say fraud starts Friday evening.” Automation relies on standardized inputs and outputs to execute processes. This requirement forces carrier to standardize the data and tasks required to block fraudulent traffic. This obstacle is a small price to pay compared to a manual, report-driven system that is reliant on humans to consume and analyze the data before making a blocking decision. Placing enough trust in a machine decision alleviates much of the pressure on the fraud management team. One vendor agreed, “[automation] offloads pressures from the investigation group.” By automating the process, you remove the human element from the equation and can pair it with ML. This pairing of ML and automation removes the human element further from the system and directs the continuous learning into an ever-increasingly discerning system to detect and block fraud.


4. MACHINE LEARNING AND AUTOMATION: GETTING IN-FRONT OF THE FRAUDSTERS

EXHIBIT 23: OODA LOOP IMPROVEMENT THE AI/ML AND AUTOMATION

Fraudsters OODA loop is smaller: FMS is focused on limiting the amount of value destroyed by fraud; “spoilage” mentality

Carriers’ OODA loop is smaller: FMS is focused on eliminating fraud and preventing fraud from occurring in the first place; “crime-stopping” mentality

Observe

OrientAct

Decide

Carr

ier

Frau

dste

r

Observe

OrientAct

Decide

Carr

ier

Frau

dste

r

Set Amount of Time Set Amount of Time

Observe

OrientAct

Decide

Observe

OrientAct

Decide

Observe

OrientAct

Decide

Observe

OrientAct

Decide

Observe

OrientAct

Decide

Observe

OrientAct

Decide

46

As networks and fraudster grow in their sophistication, FMS tools must keep pace. The ability to speed up the cycle between observation (find the potential fraud), orient (defining traffic as fraud), decide (identify course of action), and action (block or process) is the difference between tolerating fraudulent traffic. It’s the cost of doing business and eliminating as much fraudulent traffic as possible.

“The real value, or secret sauce, is not in the ability to identify fraud, but, instead, it is in ML’s ability to modify

thresholds.”

On today’s network manual processes and reporting cycles are window of opportunity for fraudsters to take advantage of. In the quest to shrink the OODA loop by being faster, smarter, and more accurate, FMS advancements come from better detection capability; found in big data, machine learning, and blockchain; better blocking, found in automation; and better processes, found in automation and blockchain.


47

PART 6

THE ON-GOING NEED FOR COLLABORATION


48

PART 6: THE ON-GOING NEED FOR COLLABORATION

3

2

1

Carriers recognize that collectively the industry is much more capable of reducing fraud than any carrier in isolation; the short-term objectives of collaboration and aligned reporting can lead to a formal communication network and database on white-/blacklisted number ranges and networks

Beyond signing the GLF Code of Conduct carriers seek an accountability mechanism to ensure signatories meet commitments. Recommendation that signatories incorporate fraud management and dispute reconciliation in all contracts with suppliers and customers

Information sharing between carriers is critical with carriers aspiring to build a global dialing number reference and a pooled dataset of documented fraudulent traffic

49

As previously discussed relating to Big Data and Blockchain, greater access to data fuels the accuracy of fraud detection and elimination. Additional data can be found internally by utilizing signaling data as well as other sources. Externally, however many opportunities to expand data available, particularly around sharing suspected or confirmed instances of fraud are met with non-disclosure agreement (NDA) restrictions.

One carrier reported, “what we would like to see more of [with regards to collaboration with other carriers] is traceback opportunities to trace fraud back to the source. This generally only happens now when law enforcement gets more involved. However, tracebacks are blocked by NDAs.” This frustration is another example of the distrust discussed previously (see chapter 2). Another carrier reported frustration at use of NDAs “the NDA, when actual fraudulent traffic occurs, should never be used as pretext for not sharing information. Why can’t I say that these 20 customers are my largest sources for a given fraud? Being able to share that kind of information would be a massive step toward reducing fraud.” These frustrations, as well as the potential for significant steps in systematically isolating and eliminating bad actors, have been the motivation behind blockchain efforts as well as other types of pooled information. To this end, two strategies have been most discussed by carriers; Specific or aggregated shared dataset of documented fraudulent traffic and a shared, global dialing number reference.

A shared dataset of documented fraudulent traffic would allow the findings of one carrier to be shared to others. This would serve two purposes: feeding valuable information into tools (e.g., Machine Learning) to better define fraud and collectively blacklist fraud sources from entry to carriers’ networks. One carrier highlighted the need for documented fraud examples “There is not nearly enough information being shared for what good and bad quality traffic looks like.” Other carriers placed more emphasis on blacklisting fraud sources, “There is a common database in France, and something similar in the Netherlands as well, for fraud reporting. The database houses all customer complaints and all operators’ reports. We are able to isolate the bad actors with data domestically, but there is nothing on an international scale. We use this info to specifically avoid dodgy companies.”

However, carriers are also quick to point on the potential for abuse in a shared database, “The problem is that this process could be abused especially since it can be difficult to be able to prove 100 percent exactly where fraud originates

from.” Another carrier shared, “There is some reluctance to publish a blacklist because of the legal risk. We don’t want to be seen as blocking entrants.” Any shared pool of data that can be used to make business has the potential to be abused, and standards and verification would need to be put in place. As initial domestic-level and carrier-to-carrier datasets mature and expand, international examples are sure to follow. One vendor was adamant, “Information sharing is key… I see [a sharing framework] happening in the future. Individual operators have proposed them before, but it hasn’t taken off. GSMA is working to define the platform. In the future, it’s a must.”

“The NDA, when actual fraudulent traffic occurs, should never be used as pretext for not sharing

information. Why can’t I say that these 20 customers are my largest

sources for a given fraud? Being able to share that kind of information would be a massive step toward

reducing fraud.”

A number of carriers brought the lack of a global dialing number reference as a critical driver for the prevalence of fraud today. One carrier stated, “it is astonishing that we don’t have a way to share good numbers.” Another carrier agreed, “I need good intel on international numbering.” While the need is clear to many carriers, the obstacles are also clear “Global number registry” would be a huge step forward. The database would be a few billion entries. If the data is just in a data lake, then who owns it. Who is responsible to update it and make it accessible? Blockchain is a possible solution as it is owned and operated collectively.” This difficulty is corroborated by a vendor, “Number registry is difficult because of ownership.” However, the same vendor went on to highlight the potential reward, “with a global number registry you would be able to stop Wangiri. You don’t even need termination rates, but simply classifying premium vs non premium number would stop Wangiri.” Given the potential to curb one of the most prolific fraud types as well as the potential for blockchain to overcome identified barriers, the outlook, in carriers’ minds, looks positive.


1. THE CRITICALITY OF ENABLING GREATER INFORMATION SHARING

50

The majority of respondents (16/29) have already signed or are in the process of signing the Code of Conduct (CoC). Out of the 13 respondents who have not signed, seven stated willingness to explore further. By most accounts, the acceptance of the CoC has been positive. Many carriers

are recent signatories and are in process of implementing the CoC. As noted by a recent signatory, “We are in the first steps of implementing the Code of Conduct. It is not a requirement for contracts right now, but we have updated our contract templates.”

As more and more carriers sign and align with the goals of the CoC there is a demand for an enforcement mechanism that moves carriers beyond commitment alone. As noted by one carrier, whose view was representative of many,

“There needs to be some a form of audit to make sure signatories are doing what they say they are. Otherwise it is just cosmetic.”


2. GLF CODE OF CONDUCT: FROM COMMITMENT TO ENFORCEMENT

EXHIBIT 24: ADHERENCE TO GLF CODE OF CONDUCT

EXHIBIT 25: COMPARING THE ORGANISATIONAL IMPORTANCE AND COMMITMENT TO THE COC

29%

51%

18%

2%

Notes: 1 n=19, respondents without a response were not counted

Do you request that your customers sign the Code of Conduct?1

(% responses)

Has you company signed the Code of Conduct?1

(% responses)

50% 50% 75%25%

No Yes No Yes

37% 63% 71%29%

No Yes No Yes

40% 60% 80% 20%

No Yes No Yes

Where would you rank the IMPORTANCE of fraudulent traffic as a topic in your organization?1

(% responses)

Top Priority

Strategic Priority

Same as Business as

Usual

Low Priority

Notes: 1 n=37; 2 n=12, 3 n=14, respondents without a response were not counted

46%

54%

Has your company signed the GLFCode of Conduct?

No Yes

Has your company signed the GLF Code of Conduct?1

(% responses)

50%

17%17%16%

Why has your company NOTsigned the CoC?

If ‘no’, what is the reason?2

(% responses)

100%

Why has your company signed theCoC?

Effectively fight fraud

If ‘yes’, what is the reason?3

(% responses)

Unable

Own code

Legal

Awareness

51

Several carriers stated the need for an accountability mechanism, but a clear path to implement one is yet to be found. One possible solution is a shared fraud documentation dataset (see discussion in previous section). This dataset allows participant to hold carriers accountable and identify signatories who are failing to uphold the principals found in the CoC. Another possibility is to include a third-party audit to ensure compliance or to rely on public attestation in the hopes that external pressure would push carriers into compliance. Regarding self-attestation, 81% of survey respondents that have signed the Code of Conduct said that they would be willing to publicly self-attest their compliance.

The GLF’s original intent was for the eventual acceptance of the CoC to reach a point where carriers could begin requiring compliance with the CoC. There are multiple options of accountability mechanisms available, and it is the finding of this report and the position of the GLF that the next step, after wide adoption of the CoC, is for the industry to hold signatories accountable for actions promised by signing the CoC.

Another path toward giving the CoC further impact is through the inclusion of a fraud amendment in carriers’ boilerplate contracts. When implemented successfully carriers report, “The fraud amendment is preventing a lot

of bad deals from being made.” In cases where managers have pushed for riskier deals, the amendment has either given a clearer path toward resolving disputes or has prevented the deal from happening which is indicative of a deal we probably should make in the first place.” Another carrier put it simply, “Our changes to contract and legal agreements are more effective in combatting fraud.”

“There needs to be some form of audit to make sure signatories

are doing what they say they are. Otherwise it is just cosmetic.”

Some pushback to broader implementation comes from disturbing existing relationships. The same carrier went on to say, “that works for new deals, but for established

partners some are just not there yet. Some carriers are not quite ready for [including a fraud amendment].” Another source of pushback come internally from some carriers’ legal department or sales team. “When I asked the sales team to have our customers sign the CoC, I got pushback that it was not something they wanted to raise with customers.” Another carrier pointed to their legal department, “Legal has advised us to not sign for now.” Regardless of the barriers in front for a wider adoption, carrier report positive feedback on the effectiveness of fraud amendments once they are implemented.

As the Code of Conduct gains further signatories, it must be an industry priority to ensure that carriers can be held accountable and can hold their customers accountable for the commitments held within. There is appetite for such steps, and it is seen as the responsibility of the GLF to set the direction.


EXHIBIT 26: SELF ATTESTING AS THE NEXT STEP OF SIGNATORIES

19%

81%

Has your company signed the GLF Code of Conduct?

No Yes

46%

54%

Has your company signed the GLF Code of Conduct?

No Yes

Notes: 1 n=35; 2 n=14, respondents without a response were not counted

Has your company signed the GLF Code of Conduct?1

(% responses)

Are you willing to publicly self-attest compliance with the Code of Conduct?2

(% responses)

52

As more carriers sign on the CoC join a growing group of carriers committed to the systematic reduction of fraud in the industry, it is important to maintain the momentum moving forward. As discussed previously in Section 1 and Section 2 of this report general awareness has increased across the industry and with it the attitude towards fraud has shifted from tolerance to viewing fraud as a reputation risk with potential financial impact.

To move beyond the initial commitment to fraudulent traffic reduction through the Code of Conduct, through the dialogue with carriers to produce this report the following immediate actions can be recommended:

1) Request all suppliers and customers sign the Code of Conduct – having signed, all carriers request or require likewise from their customers and suppliers. If GLF members can take the lead given their scale it can soon become a de-facto expectation that all carriers sign the CoC.

2) Announce organization aspiration for fraud reduction – communicate to own organization and the industry a commitment to fraud reduction through a CEO-shared aspiration. It is critical that within their own organizations carriers communicate their commitment in the same way that they are doing to the broader industry, and then translating that into a tangible action plan.

3) Contribute to and participate in an accountability mechanism – the CoC is only as useful as the degree to which carriers follow the CoC, and the confidence that their peers have that others are adhering. By adding an industry accountability mechanism that attests adherence to the CoC principles the strength of the CoC will increase.

4) Align on KPIs – a requirement of accountability is a set standard to meet or exceed which requires alignment on how and what to measure for industry-wide accepted KPIs. The GLF has endorsed the i3 Forum KPIs and as such it is critical that these are communicated and followed (see further discussion in chapter 2).

The best way to combat the collective methods of fraudsters around the world is learn from as many instances of observed fraudulent traffic. Carriers recognize that collectively they will be more effective in reducing the value and impact of fraud. Creating and sharing data

through the following actions will succeed in creating a fraud-free industry.

Initially, to gain momentum, it is recommended that the focus of collaboration should be at an inter-carrier level, but in time collaboration should cover wholesale carriers, retail operators, OTT communications providers and even regulatory bodies. Each stakeholder group will have a role to play in reducing fraud. Moving beyond adherence to the Code of Conduct as a first step, future collaborative actions could include:

1) Free sharing of data alerting all parties to fraud – a real-time data set, one with relevant details like signaling data, actual source and destination, call time with start and stop, as well as all the historical data that was used to determine it was fraudulent traffic, shared between carriers that is a platform for information sharing and communication between all carriers to work collaboratively to reduce fraudulent traffic.

2) Robust fraud communications network across carriers – formalized relationships between carrier personnel addressing fraudulent traffic to share best-practice and what they are seeing across their networks. GLF has effectively set up such a forum on Network Security, and such a concept could be replicated for fraud engaging with other forums such as the CFCA and the i3 Forum that have convened several experts already.

3) Global database of white-/black-listed number ranges and networks – industry-centralized reference database to allow carriers to have an accurate view of the number ranges and networks where fraudulent traffic may have originated

Internal efforts alone are not adequate in an industry where risk is decentralized and where networks are only as secure as the weakest connected to it. Elevating the lowest common denominator to guarantee a robust industry-wide approach is in the interests of all parties involved.


3. INDUSTRY COLLABORATION: LOOKING BEYOND THE CODE OF CONDUCT

FRAUD REPORT 2019 · 2019. 10. 30. · common fraud use-case, and enable more security control over...

Documents

Transcript of FRAUD REPORT 2019 · 2019. 10. 30. · common fraud use-case, and enable more security control over...