Mobile Fraud Detection

  • 8/8/2019 Mobile Fruad Detection

    Mobile fraud detection

    INTRODUCTION

    A mobile phone is an electronic device used for mobile telecommunications over a

    cellular network of specialized base stations known as cell sites. A cell phone offers full-duplex

    communication and transfers the link when the user moves from one cell to another. As the

    phone user moves from one cell area to another, the system automatically commands the mobile

    phone and a cell site with a stronger signal, to switch on to a new frequency in order to keep the

    link.

    It is estimated that the mobile communications industry loses several million customers

    per year due to fraud. Therefore, prevention and early detection of fraudulent activity is an

    important goal for network operators. It is clear that the additional security measures taken in

    GSM and in the future UMTS (Universal Mobile Telecommunications System) make these

    networks less vulnerable to fraud than the analogue networks. Nevertheless, certain types of

    commercial fraud are very hard to preclude by technical means. It is also anticipated that the

    introduction of new services can lead to the development of new ways to defraud the system.

    The use of sophisticated fraud detection techniques can assist in early detection of commercial

    frauds, and will also reduce the effectiveness of technical frauds.

    Three types of fraud prevention methods are currently available for mobile apps:

    The first, mobile device identification, is server-based JavaScript. The script captures

    information about a user's browser and phone when he or she logs in. If the app is browser-

    based, the script captures unique browser identification information and data to identify the

    phone. If the app is native on the device, it can also gather the phone's serial number and network

    card number to forward to the e-commerce entity, but only after the user opts in.

    The second method uses the phone's location information, and only requires that the

    device be turned on. Using location information can help specifically authenticate the user

    through correlation with other systems such as a user's address in a directory. Mobile phones can

    forward location information based on GPS data, but it also requires the user to opt in. Gartner

    says locations can also be received by mobile network operators employing software tools that

    don't require user opt-in.

    The third strategy is to customize the company's risk scoring and rule-based models for

    mobile applications. This approach, which Gartner said some online fraud detection vendors are

    beginning to implement, looks at the device itself, its location and the usage patterns of an app

    on the phone. Right now, there's a dearth of experience to draw upon, which makes it difficult to

    build resilient risk models. Both users and service providers should have a better and more secure

    experience enabled through the use of rich contextual information coming from mobile phones.

    [Figure: Normal mobile telephone system]

    POSSIBLE FRAUDS AND THEIR INDICATORS

    POSSIBLE FRAUDS:

    We can classify the frauds into two types:

    [Figure: Types of frauds]

    The first stage of the work consists of the identification of possible fraud scenarios in

    telecommunications networks and particularly in mobile phone networks. These scenarios have

    been classified by the technical manner in which they are committed; also an investigation has

    been undertaken to identify which parts of the mobile telecommunications network are abused in

    order to commit any particular fraud. Other characteristics that have been studied are whether

    frauds are technical fraud operated for financial gain, or they are fraud related to personal use -

    hence not employed for profiteering. A further classification is achieved by considering whether

    the network abuse is the result of administrative fraud, procurement fraud, or application fraud.

    Indicators:

    Subsequently, typical indicators have been identified which may be used for the purposes

    of detecting fraud committed using mobile telephones. In order to provide an indication of the

    likely ability of particular indicators to identify a specific fraud, these indicators have been

    classified both by their type and by their use.

    The different types are: -

    usage indicators, related to the way in which a mobile telephone is used;

    mobility indicators, related to the mobility of the telephone;

    deductive indicators, which arise as a by-product of fraudulent behaviour (e.g., overlapping

    calls and velocity checks).

    Indicators have also been classified by use: -

    primary indicators can, in principle, be employed in isolation to detect fraud;

    secondary indicators provide useful information in isolation (but are not sufficient by

    themselves);

    tertiary indicators provide supporting information when combined with other indicators.

    A selection has been made of those scenarios which cannot be easily detected using existing

    tools, but which could be identified using more sophisticated approaches.

    TOLL TICKET

    The potential fraud indicators have been mapped to network data required to measure

    them. The information required to monitor the use of the communications network is contained

    in the toll tickets.

    Toll Tickets are data records containing details pertaining to every mobile phone call

    attempt. Toll Tickets are transmitted to the network operator by the cells or switches that the

    mobile phone was communicating with. They are used to determine the charge to the subscriber,

    but they also provide information about customer usage and thus facilitate the detection of any

    possible fraudulent use. It has been investigated which fields in the GSM toll tickets can be used

    as indicators for fraudulent behaviour.

    Before use in the fraud detection engine, the toll tickets are preprocessed. An

    essential component of this process is the encryption of all personal information in the toll

    tickets (such as telephone numbers). This allows for the protection of the privacy of users during

    the development of the fraud detection tools, while at the same time the network operators will be

    able to obtain the identity of fraudulent users.
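
    One way to realise this preprocessing step, as an added example that is not part of the original document: keyed pseudonymization with HMAC-SHA256 stands in for the encryption mentioned above, since the document does not say which scheme was used. The field names follow the toll ticket components listed later in this document; the key, the identifiers and the helper names are constructed for illustration.

```python
import hashlib
import hmac

# Fields treated as personal data here (names taken from the toll ticket list
# in this document); the choice of exactly these two is an assumption.
PERSONAL_FIELDS = ("Charged_IMSI", "Non_Charged_Party")

# Constructed demo key. In practice the operator generates and holds this key;
# the team developing the detection tools never sees it.
OPERATOR_KEY = bytes(range(32))


def pseudonym(key, field, value):
    """Stable keyed pseudonym; the field name separates IMSIs from dialled numbers."""
    message = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:24]


def preprocess(key, ticket):
    """Copy a toll ticket with the personal fields replaced by pseudonyms."""
    return {name: pseudonym(key, name, value) if name in PERSONAL_FIELDS else value
            for name, value in ticket.items()}


def reidentify(key, flagged, subscriber_register):
    """Operator side: find which registered IMSI maps to a flagged pseudonym."""
    for imsi in subscriber_register:
        if hmac.compare_digest(pseudonym(key, "Charged_IMSI", imsi), flagged):
            return imsi
    return None


# Constructed tickets with made-up identifiers.
RAW = [
    {"Charged_IMSI": "imsi-0001", "Non_Charged_Party": "number-555",
     "First_Cell_Id": "cell-A", "Chargeable_Duration": 95},
    {"Charged_IMSI": "imsi-0001", "Non_Charged_Party": "number-777",
     "First_Cell_Id": "cell-B", "Chargeable_Duration": 40},
    {"Charged_IMSI": "imsi-0002", "Non_Charged_Party": "number-555",
     "First_Cell_Id": "cell-A", "Chargeable_Duration": 12},
]
PROTECTED = [preprocess(OPERATOR_KEY, t) for t in RAW]

if __name__ == "__main__":
    for row in PROTECTED:
        print(row)
    flagged = PROTECTED[0]["Charged_IMSI"]
    print(reidentify(OPERATOR_KEY, flagged, ["imsi-0002", "imsi-0001"]))
```

    Because the same identity always maps to the same pseudonym, per-user profiles can still be built on the protected tickets, while only the key holder can map an alarm back to a subscriber.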

    USER PROFILING:

    ABSOLUTE OR DIFFERENTIAL ANALYSIS:

    ABSOLUTE ANALYSIS:

    Existing fraud detection systems tend to interrogate sequences of Toll Tickets comparing

    a function of the various fields with fixed criteria known as triggers. A trigger, if activated, raises

    an alert status, which cumulatively would lead to an investigation by the network operator. Such

    fixed trigger systems perform what is known as an absolute analysis of the Toll Tickets and are

    good at detecting the extremes of fraudulent activity.

    DIFFERENTIAL ANALYSIS:

    Another approach to the problem is to perform a differential analysis. Here we monitor

    behavioural patterns of the mobile phone comparing its most recent activities with a history of its

    usage. Criteria can then be derived to use as triggers that are activated when usage patterns of the

    mobile phone change significantly over a short period of time. A change in the behaviour pattern

    of a mobile phone is a common characteristic in nearly all fraud scenarios excluding those

    committed on subscription where there is no behavioural pattern established.

    There are many advantages to performing a differential analysis through profiling the

    behaviour of a user. Firstly, certain behavioural patterns may be considered anomalous for one

    type of user, and hence potentially indicative of fraud, that are considered acceptable for another.

    With a differential analysis flexible criteria can be developed that detect any change in usage

    based on a detailed history profile of user behaviour. This takes fraud detection down to the

    personal level comparing like with like enabling detection of less obvious frauds that may only

    be noticed at the personal usage level. An absolute usage system would not detect fraud at this

    level. In addition, however, because a typical user is not a fraudster, the majority of criteria that

    would have triggered an alarm in an absolute usage system will be seen as a large change in

    behaviour in a differential usage system. In this way a differential analysis can be seen as

    incorporating the absolute approach.

    important concern here is the potential creation of false behaviour patterns. Several decaying

    systems are currently being investigated.

    RELEVANT TOLL TICKET DATA:

    There are two important requirements for user profiling. First, efficiency is of the

    foremost concern for storing the user data and for performing updates. Secondly, user profiles

    have to realise a precise description of user behaviour to facilitate reliable fraud detection. All

    the information that a fraud detection tool will need to handle is derived from the toll tickets

    provided by the network operator.

    The following toll ticket components have been viewed to be the most fraud relevant

    measures:

    Charged_IMSI (identifies the user).

    First_Cell_Id (location characteristic for mobile originating calls).

    Chargeable_Duration (base for all cost estimations).

    B_Type_of_Number (for distinguishing between national / international calls).

    Non_Charged_Party (the number dialled).

    These components will continually be picked out of the toll tickets and incorporated into the user

    profiles in a cumulative manner. It is also anticipated that the analysis of cell congestion can

    provide useful ancillary information.
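
    The absolute and differential analyses described above, run side by side over toll tickets, as an added example that is not part of the original document. The thresholds, the decay weight, the `day` field and the sample tickets are assumptions constructed for illustration; only the field names Charged_IMSI and Chargeable_Duration come from the list above.

```python
import math
from collections import defaultdict

# All constants below are assumptions chosen for this illustration.
ABSOLUTE_LIMIT_S = 7200   # fixed trigger: more than 2 h of charged calls per day
DECAY = 0.2               # weight of the newest day in the decaying profile
SIGMAS = 4.0              # differential trigger: deviations above the profile mean
MIN_HISTORY_DAYS = 5      # no differential verdict until a history exists


class Profile:
    """Exponentially decayed mean and variance of daily Chargeable_Duration."""

    def __init__(self):
        self.days, self.mean, self.var = 0, 0.0, 0.0

    def deviates(self, value):
        if self.days < MIN_HISTORY_DAYS:
            return False  # new subscription: no behavioural pattern established
        # Floor the spread so a very regular user is not flagged for small changes.
        spread = max(math.sqrt(self.var), 0.1 * self.mean, 1.0)
        return value > self.mean + SIGMAS * spread

    def update(self, value):
        if self.days == 0:
            self.mean = float(value)
        else:
            delta = value - self.mean
            self.mean += DECAY * delta
            self.var = (1 - DECAY) * (self.var + DECAY * delta * delta)
        self.days += 1


def analyse(tickets):
    """Return sorted (Charged_IMSI, day, kind) alerts for both analyses."""
    daily = defaultdict(int)
    for t in tickets:
        daily[(t["Charged_IMSI"], t["day"])] += t["Chargeable_Duration"]

    profiles, alerts = defaultdict(Profile), []
    for (imsi, day), seconds in sorted(daily.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if seconds > ABSOLUTE_LIMIT_S:
            alerts.append((imsi, day, "absolute"))
        if profiles[imsi].deviates(seconds):
            alerts.append((imsi, day, "differential"))
        else:
            # Flagged days are kept out of the history so that suspicious usage
            # does not quietly become the subscriber's new "normal" pattern.
            profiles[imsi].update(seconds)
    return sorted(alerts)


def constructed_tickets():
    """Constructed sample data: a light user with a sudden jump, a steady heavy user."""
    usage = {
        "imsi-light-user": [300, 280, 320, 310, 290, 305, 295, 315, 300, 285, 3000],
        "imsi-heavy-user": [7500, 7300, 7600, 7400, 7550, 7450, 7500, 7350, 7600, 7400, 7500],
    }
    tickets = []
    for imsi, per_day in usage.items():
        for day, total in enumerate(per_day, start=1):
            for part in (total // 2, total - total // 2):  # two calls per day
                tickets.append({"Charged_IMSI": imsi, "day": day,
                                "Chargeable_Duration": part})
    return tickets


if __name__ == "__main__":
    for alert in analyse(constructed_tickets()):
        print(alert)
```

    On this data the fixed trigger fires every day for the steady heavy user and never for the light user, while the differential check stays quiet for the heavy user and flags only the light user's tenfold jump on day 11.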

    MOBILE DEVICE IDENTIFICATION

    This is enabled through a JavaScript on the server that the user logs in to, which captures

    whatever information it can get from the user's browser and phone, depending on whether the

    user is using a browser or native application. If the application is browser-based, then the

    JavaScript application captures whatever information it can get from the user's browser to

    uniquely identify that particular user's browser and mobile device. If the mobile application is

    native and residing on the mobile handset, native applications can additionally gather the phone's

    serial number and network card number. This will require opt-in by the user.

    Device identification in wireless communication relies on various cryptographic

    mechanisms. The effectiveness of those cryptographic schemes in turn depends on the challenges of

    key distribution, including robustly detecting and revoking compromised keys. A Network Access

    Identifier (NAI) is used to uniquely identify the device. The use of a temporary NAI allows the

    system to allocate resources more flexibly. Once a given mobile device has received the

    provisioning parameters, the NAI used to access the Provisioning Server (PS) can be assigned to

    another device.

    [Figure: Mobile device identification]

    LOCATION OF DEVICE

    This is based on the phone's location information independent of the browser (IP

    address), so the user does not have to have his or her mobile browser application open for this to

    work; the phone only needs to be turned on. Enterprises may want to check and correlate the

    location of the device relative to anything else they know about the user's location through other

    systems they may interact with at the enterprise. For mobile phones, there are two architectures

    that are used to obtain location information: One relies on device information (e.g., using the

    GPS-API applications that the user must opt into); the other employs APIs provided through

    mobile network operators that don't require the users to opt in to releasing this information.

    TECHNOLOGY USED:

    The technology of locating is based on measuring power levels and antenna patterns and

    uses the concept that a mobile phone always communicates wirelessly with one of the closest

    base stations, so if you know which base station the phone communicates with, you know that

    the phone is close to the respective base station.

    Advanced systems determine the sector in which the mobile phone resides and roughly

    estimate also the distance to the base station. Further approximation can be done by interpolating

    signals between adjacent antenna towers. Qualified services may achieve a precision of down to

    50 meters in urban areas where mobile traffic and density of antenna towers (base stations) is

    sufficiently high. Rural and desolate areas may see miles between base stations and therefore

    determine locations less precisely.

    GSM localization is the use of multilateration to determine the location of GSM mobile

    phones, usually with the intent to locate the user.

    Localization-Based Systems can be broadly divided into:

    Network-based

    Handset-based

    SIM-based

    Hybrid

    NETWORK-BASED:

    Network-based techniques utilize the service provider's network infrastructure to identify

    the location of the handset. The advantage of network-based techniques (from mobile operator's

    point of view) is that they can be implemented non-intrusively, without affecting the handsets.

    The accuracy of network-based techniques varies, with cell identification as the least

    accurate and triangulation as moderately accurate, and newer "Forward Link" timing methods as

    the most accurate. The accuracy of network-based techniques is dependent both on the

    concentration of base station cells, with urban environments achieving the highest possible

    accuracy, and the implementation of the most current timing methods.

    One of the key challenges of network-based techniques is the requirement to work

    closely with the service provider, as it entails the installation of hardware and software within the

    operator's infrastructure. Often, a legislative framework, such as E911, would need to be in place

    to compel the cooperation of the service provider as well as to safeguard the privacy of the

    information.

    HANDSET-BASED:

    Handset-based technology requires the installation of client software on the handset to

    determine its location. This technique determines the location of the handset by computing it

    from cell identification and the signal strengths of the home and neighboring cells, which are

    continuously sent to the carrier. In addition, if the handset is also equipped with GPS, then

    significantly more precise location information is sent from the handset to the carrier.

    The key disadvantage of this technique (from mobile operator's point of view) is the

    necessity of installing software on the handset. It requires the active cooperation of the mobile

    subscriber as well as software that must be able to handle the different operating systems of the

    handsets. Typically, smart phones, such as one based on Symbian[4], Windows Mobile, iPhone

    and iPhone OS, or Android, would be able to run such software.

    One proposed work-around is the installation of embedded hardware or software on the

    handset by the manufacturers, e.g. E-OTD. This avenue has not made significant headway, due

    to the difficulty of convincing different manufacturers to cooperate on a common mechanism

    and to address the cost issue. Another difficulty would be to address the issue of foreign handsets

    that are roaming in the network.

    SIM-BASED:

    Using the SIM in GSM and UMTS handsets, it is possible to obtain raw radio

    measurements from the handset. The measurements that are available can include the serving

    Cell-ID, round trip time and signal strength. The type of information obtained via the SIM can

    differ from what is available from the handset. For example, it may not be possible to obtain any

    raw measurements from the handset directly, yet still obtain measurements via the SIM.

    HYBRID:

    Hybrid positioning systems use a combination of network-based and handset-based

    technologies for location determination. One example would be some modes of Assisted GPS,

    which can both use GPS and network information to compute the location (although in most A-

    GPS systems all computations are done by the handset, and the network is only used to initially

    acquire and use the GPS satellites).

    [Figure: Location of device]

    RULE-BASED APPROACH TO FRAUD DETECTION

    This approach works best with user profiles containing explicit information, where fraud

    criteria given as rules can be referred to. User profiles are maintained for the directory number of

    the calling party (A-number), for the directory number of the called party (B-number) and also

    for the cells used to make/receive the calls. A-number profiles represent user behaviour and are

    useful for the detection of most types of fraud, while B-number profiles point to hot destinations

    and thus allow the detection of frauds based upon call forwarding. All deviations from normal

    user behaviour resulting from the different analyzing processes are collected and alarms will

    finally be raised if the results in combination fulfill given alarm criteria.

    The implementation of this solution is based on an existing rule-based tool for audit trail

    analysis PDAT (Protocol Data Analysis Tool). PDAT is a rule-based tool for intrusion detection.

    PDAT works in heterogeneous environments, has the possibility of on-line analysis, and

    provides a performance of about 200 KB input per second. Important goals were flexibility and

    broad applicability, including the analysis of general protocol data, which is achieved by the

    special language PDAL (Protocol Data Analysis Language). PDAL allows the programming of

    analysis criteria as well as a GUI-aided configuration of the analysis at run-time.

    Intrusion detection and mobile fraud detection are quite similar problem fields and the

    flexibility and broad applicability of PDAT are promising for using this tool for mobile fraud

    detection too. The main difference between intrusion detection and mobile fraud detection seems

    to be the kind of input data. The recording for intrusion detection produces 50 MB per day per

    user, but only for the few users of one UNIX-system. In comparison, fraud detection has to deal

    with a huge number of mobile phone subscribers (roughly 1 million), each of whom, however,

    produces only about 300 bytes of data per day. PDAT was able to keep all interim results in main

    memory, since only a few users had to be dealt with. For fraud detection, however, intermediate

    data has of course to be stored on hard disc. Because of these new requirements it was necessary

    to develop some completely new concepts such as user profiling and fast swapping for the

    updating of user profiles. Also, the internal architecture had to be changed to a great extent.

    a high number of elementary units makes it possible to learn arbitrarily complex tasks. For fraud

    detection in telephone networks, neural network engines are currently being developed

    worldwide. As a closely related application, neural networks are now routinely used for the

    detection of credit card fraud.

    There are two main forms of learning in neural networks: unsupervised learning and

    supervised learning. In unsupervised learning, the network groups similar training patterns in

    clusters. It is then up to the user to recognise what class or behaviour has to be associated to each

    cluster. When patterns are presented to the network after training, they are associated to the

    cluster they are closest to, and are recognised as belonging to the class corresponding to that

    cluster. In supervised learning, the patterns have to be a priori labelled as belonging to some

    class. During learning, the network tries to adapt its units so that it produces the correct label at

    its output for each training pattern. Once training is finished the units are frozen, and when a new

    pattern is presented, it is classified according to the output produced by the network.

    Unsupervised learning presents some difficulties. The problem is that patterns have to be

    presented - that is, encoded - in such a way that the data from fraudulent usage will form groups

    that are distinct enough from regular data. On the other hand, these systems can be trained using

    clean data only. With supervised learning, the difficulty is that one must obtain a significant

    amount of fraudulent data, and label it as such. This represents a significant effort. Further, it is

    not clear how such systems will handle new fraud strategies. Therefore, none of the approaches

    appears to be a priori superior to the other, and both directions are being investigated.

    A new approach called FraudX is used for fraud detection in GSM and ANSI-41 operator

    FEATURES OF FRAUDX:

    To identify potentially fraudulent activity, FraudX uses near real-time data from mobile

    switches and creates a unique profile for each of your existing subscribers based upon a

    subscriber's incoming and outgoing call records. After the subscriber profile is established,

    FraudX continually compares each subscriber's calling activity to his or her profile, constantly

    monitoring events. However, FraudX does allow for subtle variations in subscriber activity and

    updates the subscriber's profile with new, legitimate calling patterns as they emerge. Any

    significant deviation from a subscriber's normal profile generates a system alarm and a case to

    be reviewed by a fraud analyst.

    FraudX, which is scalable and flexible, also:

    Lets you determine the types of fraud most prevalent in your market and the types of fraud on the rise.

    Allows customization with its threshold, table and parameter value-setting capabilities as well as with its:

        User-defined pattern capabilities, allowing you to define specific conditions for identifying call records with certain fraud-associated characteristics.

        User-defined rule capabilities, allowing you to use if/then statements that alter FraudX's programming logic for assigning fraud types and confidence levels.

        User-defined automatic actions, allowing you to instruct FraudX to execute certain routines in response to defined fraud types and alarms with or without human intervention.

    Accepts data from your billing system, including customer subscription information, that is used to detect subscription fraud and is available for customized user-defined rules.

    Provides defense against subscription fraud by detecting excessive usage among new subscribers.

    Accepts a feed from your prepaid platform, monitors recharge activity and evaluates the information against call activity.

    HOW IT WORKS:

    When you provision a new mobile subscriber, FraudX starts the process of building a

    unique profile for that particular subscriber. Since profile data is based upon actual subscriber

    usage, it generally takes about a month for FraudX to collect the data on a new subscriber and to

    determine what is normal for each subscriber. In the meantime, FraudX allows you to track a

    new subscriber's usage during a probationary period against operator-defined thresholds. Once a

    historical profile is established, FraudX compares that historical data with each subscriber's

    current profile data. By taking this cumulative approach, FraudX accounts for fluctuations in call

    activity due to activities such as vacations or excessive travel.

    Once a profile is determined, the following process takes place:

    1. FraudX accepts and performs edits on call records received from fraud data collection

    systems.

    2. The system evaluates the edited call records for:

        Call pattern matching

        Suspicious dialed digits

        Suspicious electronic serial numbers (ESNs/MEIDs/IMEIs)

        Subscription fraud

        Collision and velocity (SIM cloning detection)

        Profile-specific variables, such as call cluster, call count and duration, source and destination, and fraud call area.

    3. The profiler assigns fraud probability and creates alarms when the fraud confidence levels you

    set are exceeded. It then updates the profile components with the resulting call detail and

    sends the alarms for fraud analysis.

    4. When an alarm is generated, FraudX applies a set of knowledge-based, system-defined rules,

    which can be customized with your additional rules, to determine if a case is presented.

    5. When enough fraud evidence is generated, the system creates a case and continually updates

    it.

    6. The profiler performs the following steps to prioritize highly probable fraud cases:

        Tracks by fraud type

        Accumulates evidence

        Assigns automatic actions, if needed

        Assigns confidence level

    7. A fraud analyst reviews the cases and performs additional research as needed, following

    your company's policies to determine what actions should be taken in response to each

    case.

    8. As appropriate, a fraud analyst updates and/or closes cases in FraudX and marks calls as

    fraudulent. These fraudulent calls can then be sent to your billing system to ensure the charges

    from those calls do not appear on the legitimate subscriber's bill.
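
    The collision and velocity checks named in step 2 (and listed earlier as deductive indicators), as an added example that is not part of the original document and is not FraudX code. The `start` field, the cell-site table, both thresholds and the sample tickets are assumptions constructed for illustration; the other field names come from the toll ticket list earlier in this document.

```python
import math
from collections import defaultdict

MAX_SPEED_KMH = 250.0      # assumed plausibility limit for one handset
CELL_TOLERANCE_KM = 10.0   # assumed slack: a cell id is only a coarse position

# Constructed cell-site table: First_Cell_Id -> (latitude, longitude).
CELLS = {
    "cell-A": (52.520, 13.405),
    "cell-B": (52.530, 13.420),   # about 1.5 km from cell-A
    "cell-C": (48.137, 11.575),   # about 500 km from cell-A
}


def distance_km(cell_1, cell_2):
    """Great-circle distance between two cell sites, or None if one is unknown."""
    if cell_1 not in CELLS or cell_2 not in CELLS:
        return None
    (lat1, lon1), (lat2, lon2) = CELLS[cell_1], CELLS[cell_2]
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def check_tickets(tickets):
    """Return sorted (Charged_IMSI, start, kind) for collision and velocity hits."""
    by_imsi = defaultdict(list)
    for t in tickets:
        by_imsi[t["Charged_IMSI"]].append(t)

    alerts = []
    for imsi, calls in by_imsi.items():
        calls.sort(key=lambda t: t["start"])
        busy_until, last_located = None, None
        for t in calls:
            if busy_until is not None and t["start"] < busy_until:
                # Collision: one identity is in two calls at the same time.
                alerts.append((imsi, t["start"], "collision"))
            elif last_located is not None:
                dist = distance_km(last_located["First_Cell_Id"], t["First_Cell_Id"])
                if dist is not None:
                    # First_Cell_Id is the position at call start, so the travel
                    # time runs from start to start. Comparing distance against
                    # speed * time avoids dividing by a zero-length gap.
                    hours = (t["start"] - last_located["start"]) / 3600.0
                    if max(0.0, dist - CELL_TOLERANCE_KM) > MAX_SPEED_KMH * hours:
                        alerts.append((imsi, t["start"], "velocity"))
            end = t["start"] + t["Chargeable_Duration"]
            busy_until = end if busy_until is None else max(busy_until, end)
            if t["First_Cell_Id"] in CELLS:
                last_located = t
    return sorted(alerts)


def ticket(imsi, start, duration, cell):
    return {"Charged_IMSI": imsi, "start": start,
            "Chargeable_Duration": duration, "First_Cell_Id": cell}


# Constructed tickets; "start" is seconds since an arbitrary origin (assumed field).
SAMPLE = [
    ticket("imsi-1", 0, 120, "cell-A"),
    ticket("imsi-1", 600, 60, "cell-B"),        # 1.5 km in 10 min: plausible
    ticket("imsi-1", 900, 60, "cell-unknown"),  # not in the table: no verdict
    ticket("imsi-2", 0, 60, "cell-A"),
    ticket("imsi-2", 1800, 60, "cell-C"),       # ~500 km in 30 min: velocity
    ticket("imsi-3", 0, 600, "cell-A"),
    ticket("imsi-3", 300, 120, "cell-C"),       # starts during the first call
]

if __name__ == "__main__":
    for alert in check_tickets(SAMPLE):
        print(alert)
```

    The tolerance term reflects the point made in the location section that a cell id pins a handset down only roughly, especially where base stations are far apart.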

    [Figure: Basic mobile location]

    CONCLUSION

    LIMITATIONS:

    Since this system is based on the history of the user, it is not a foolproof system. There is every

    possibility that even a stolen mobile is put to similar use as before. But in that case the

    losses from such similar use will be very small.

    Usually, whenever a mobile is stolen, the user is likely to complain to the police. So the

    limitation mentioned above may not be a major problem.

    Another limitation may be that the user may himself make abnormal use of his mobile.

    So it is very essential that such false alarms should be prevented.

    FUTURE EXPANSION:

    The above-mentioned limitation can be overcome very easily. One of the available

    methods is to have a password mechanism.

    In the password mechanism the user will be provided with a unique code or password. When the

    network moderator has a doubt of misuse of a particular mobile he can ask for password

    confirmation from the user.