Mobile Fraud Detection
Uploaded by prasad-penchala
8/8/2019 Mobile Fruad Detection
INTRODUCTION
A mobile phone is an electronic device used for mobile telecommunications over a
cellular network of specialized base stations known as cell sites. A cell phone offers full-duplex
communication and transfers the link when the user moves from one cell to another. As the
phone user moves from one cell area to another, the system automatically commands the mobile
phone and a cell site with a stronger signal to switch to a new frequency in order to keep the
link.
It is estimated that the mobile communications industry loses several million customers
per year due to fraud. Therefore, prevention and early detection of fraudulent activity is an
important goal for network operators. It is clear that the additional security measures taken in
GSM and in the future UMTS (Universal Mobile Telecommunications System) make these
networks less vulnerable to fraud than the analogue networks. Nevertheless, certain types of
commercial fraud are very hard to preclude by technical means. It is also anticipated that the
introduction of new services can lead to the development of new ways to defraud the system.
The use of sophisticated fraud detection techniques can assist in early detection of commercial
frauds, and will also reduce the effectiveness of technical frauds.
Three types of fraud prevention methods are currently available for mobile apps:
The first, mobile device identification, is server-based JavaScript. The script captures
information about a user's browser and phone when he or she logs in. If the app is browser-
based, the script captures unique browser identification information and data to identify the
phone. If the app is native on the device, it can also gather the phone's serial number and network
card number to forward to the e-commerce entity, but only after the user opts in.
The second method uses the phone's location information, and only requires that the
device be turned on. Using location information can help specifically authenticate the user
through correlation with other systems such as a user's address in a directory. Mobile phones can
forward location information based on GPS data, but this also requires the user to opt in. Gartner
says locations can also be received by mobile network operators employing software tools that
don't require user opt-in.
The third strategy is to customize the company's risk scoring and rule-based models for
mobile applications. This approach, which Gartner said some online fraud detection vendors are
beginning to implement, looks at the device itself, its location and the usage patterns of an app
on the phone. Right now, there's a dearth of experience to draw upon, which makes it difficult to
build resilient risk models. Both users and service providers should have a better and more secure
experience enabled through the use of rich contextual information coming from mobile phones.
[Figure: Normal mobile telephone system]
POSSIBLE FRAUDS AND THEIR INDICATORS
POSSIBLE FRAUDS:
We can classify the frauds into two types:
[Figure: Types of frauds]
The first stage of the work consists of the identification of possible fraud scenarios in
telecommunications networks and particularly in mobile phone networks. These scenarios have
been classified by the technical manner in which they are committed; also an investigation has
been undertaken to identify which parts of the mobile telecommunications network are abused in
order to commit any particular fraud. Other characteristics that have been studied are whether
frauds are technical fraud operated for financial gain, or they are fraud related to personal use -
hence not employed for profiteering. A further classification is achieved by considering whether
the network abuse is the result of administrative fraud, procurement fraud, or application fraud.
Indicators:
Subsequently, typical indicators have been identified which may be used for the purposes
of detecting fraud committed using mobile telephones. In order to provide an indication of the
likely ability of particular indicators to identify a specific fraud, these indicators have been
classified both by their type and by their use.
The different types are:
- usage indicators, related to the way in which a mobile telephone is used;
- mobility indicators, related to the mobility of the telephone;
- deductive indicators, which arise as a by-product of fraudulent behaviour (e.g., overlapping
  calls and velocity checks).
Indicators have also been classified by use:
- primary indicators can, in principle, be employed in isolation to detect fraud;
- secondary indicators provide useful information in isolation (but are not sufficient by
  themselves);
- tertiary indicators provide supporting information when combined with other indicators.
A selection has been made of those scenarios which cannot be easily detected using existing
tools, but which could be identified using more sophisticated approaches.
TOLL TICKET
The potential fraud indicators have been mapped to network data required to measure
them. The information required to monitor the use of the communications network is contained
in the toll tickets.
Toll Tickets are data records containing details pertaining to every mobile phone call
attempt. Toll Tickets are transmitted to the network operator by the cells or switches that the
mobile phone was communicating with. They are used to determine the charge to the subscriber,
but they also provide information about customer usage and thus facilitate the detection of any
possible fraudulent use. It has been investigated which fields in the GSM toll tickets can be used
as indicators for fraudulent behaviour.
Before use in the fraud detection engine, the toll tickets are preprocessed. An
essential component of this process is the encryption of all personal information in the toll
tickets (such as telephone numbers). This allows for the protection of the privacy of users during
the development of the fraud detection tools, while at the same time the network operators will be
able to obtain the identity of fraudulent users.
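The preprocessing step described above, as an added example that is not part of the original report. The report does not say which scheme is used, so this sketch substitutes keyed HMAC pseudonyms plus an operator-held lookup table for the encryption it mentions, and shows a plain hash beside it for comparison; the field names come from this report, while the key, the class and function names and the tickets are constructed assumptions.

```python
import hashlib
import hmac

PERSONAL_FIELDS = ("Charged_IMSI", "Non_Charged_Party")  # field names used in this report


def unkeyed_pseudonym(value):
    """Weak variant for comparison: a plain hash of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def recover_unkeyed(tag, candidates):
    """Identifiers come from a small, structured space, so anyone holding the
    scrubbed tickets can hash the candidates and compare."""
    return next((c for c in candidates if unkeyed_pseudonym(c) == tag), None)


class Pseudonymiser:
    """Keyed pseudonyms; the key and the reverse table stay with the operator."""

    def __init__(self, key):
        self._key = key
        self._reverse = {}  # pseudonym -> original value

    def pseudonym(self, value):
        tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = value
        return tag

    def scrub(self, ticket):
        """Copy of the ticket with personal fields replaced; other fields untouched."""
        return {k: self.pseudonym(v) if k in PERSONAL_FIELDS else v
                for k, v in ticket.items()}

    def reidentify(self, tag):
        """Operator-side lookup, used once a pseudonym has been confirmed as fraudulent."""
        return self._reverse.get(tag)


# Constructed toll tickets (test-network IMSI, made-up dialled numbers).
TICKETS = [
    {"Charged_IMSI": "001010000000042", "Non_Charged_Party": "+10005550142",
     "First_Cell_Id": "LON-01", "Chargeable_Duration": 95},
    {"Charged_IMSI": "001010000000042", "Non_Charged_Party": "+10005550177",
     "First_Cell_Id": "LON-02", "Chargeable_Duration": 310},
]

if __name__ == "__main__":
    p = Pseudonymiser(b"constructed-operator-key")
    for t in TICKETS:
        print(p.scrub(t))
```

Because the pseudonym is deterministic under one key, the fraud engine can still build a profile per subscriber without ever seeing the real IMSI.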
USER PROFILING:
ABSOLUTE OR DIFFERENTIAL ANALYSIS:
ABSOLUTE ANALYSIS:
Existing fraud detection systems tend to interrogate sequences of Toll Tickets comparing
a function of the various fields with fixed criteria known as triggers. A trigger, if activated, raises
an alert status, which cumulatively would lead to an investigation by the network operator. Such
fixed trigger systems perform what is known as an absolute analysis of the Toll Tickets and are
good at detecting the extremes of fraudulent activity.
DIFFERENTIAL ANALYSIS:
Another approach to the problem is to perform a differential analysis. Here we monitor
behavioural patterns of the mobile phone comparing its most recent activities with a history of its
usage. Criteria can then be derived to use as triggers that are activated when usage patterns of the
mobile phone change significantly over a short period of time. A change in the behaviour pattern
of a mobile phone is a common characteristic in nearly all fraud scenarios excluding those
committed on subscription where there is no behavioural pattern established.
There are many advantages to performing a differential analysis through profiling the
behaviour of a user. Firstly, certain behavioural patterns may be considered anomalous for one
type of user, and hence potentially indicative of fraud, that are considered acceptable for another.
With a differential analysis flexible criteria can be developed that detect any change in usage
based on a detailed history profile of user behaviour. This takes fraud detection down to the
personal level comparing like with like enabling detection of less obvious frauds that may only
be noticed at the personal usage level. An absolute usage system would not detect fraud at this
level. In addition, however, because a typical user is not a fraudster, the majority of criteria that
would have triggered an alarm in an absolute usage system will be seen as a large change in
behaviour in a differential usage system. In this way a differential analysis can be seen as
incorporating the absolute approach.
important concern here is the potential creation of false behaviour patterns. Several decaying
systems are currently being investigated.
RELEVANT TOLL TICKET DATA:
There are two important requirements for user profiling. First, efficiency is of the
foremost concern for storing the user data and for performing updates. Secondly, user profiles
have to realise a precise description of user behaviour to facilitate reliable fraud detection. All
the information that a fraud detection tool will need to handle is derived from the toll tickets
provided by the network operator.
The following toll ticket components have been identified as the most fraud-relevant
measures:
- Charged_IMSI (identifies the user).
- First_Cell_Id (location characteristic for mobile originating calls).
- Chargeable_Duration (base for all cost estimations).
- B_Type_of_Number (for distinguishing between national / international calls).
- Non_Charged_Party (the number dialled).
These components will continually be picked out of the toll tickets and incorporated into the user
profiles in a cumulative manner. It is also anticipated that the analysis of cell congestion can
provide useful ancillary information.
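An added example (not part of the original report) that ties together the absolute and differential analysis described earlier and the cumulative, decaying user profile built from toll ticket fields. Charged_IMSI and Chargeable_Duration are the report's field names; the `day` field, the thresholds, the decay factor and the tickets are constructed assumptions.

```python
from collections import defaultdict
from math import sqrt

ABS_LIMIT_S = 4 * 3600  # absolute trigger: chargeable seconds per day (assumed value)
ALPHA = 0.2             # weight of the newest day; older days decay by 1 - ALPHA (assumed)
K = 4.0                 # differential trigger: K spreads above the decayed mean (assumed)
MIN_DAYS = 7            # days of history required before the profile is trusted (assumed)


class Profile:
    """Exponentially decayed mean and variance of one user's daily chargeable seconds."""

    def __init__(self):
        self.days, self.mean, self.var = 0, 0.0, 0.0

    def deviates(self, seconds):
        if self.days < MIN_DAYS:
            return False  # no behavioural pattern established yet
        # Floor the spread so that a very regular user does not alarm on small noise.
        spread = max(sqrt(self.var), 0.25 * self.mean, 60.0)
        return seconds > self.mean + K * spread

    def update(self, seconds):
        if self.days == 0:
            self.mean = float(seconds)
        else:
            delta = seconds - self.mean
            self.mean += ALPHA * delta
            self.var = (1 - ALPHA) * (self.var + ALPHA * delta * delta)
        self.days += 1


def analyse(tickets):
    """Return the (Charged_IMSI, day) pairs raised by each kind of trigger."""
    totals = defaultdict(int)
    for t in tickets:
        totals[(t["Charged_IMSI"], t["day"])] += t["Chargeable_Duration"]
    alerts = {"absolute": set(), "differential": set()}
    profiles = defaultdict(Profile)
    for (imsi, day), seconds in sorted(totals.items(), key=lambda kv: kv[0][1]):
        if seconds > ABS_LIMIT_S:
            alerts["absolute"].add((imsi, day))
        if profiles[imsi].deviates(seconds):
            alerts["differential"].add((imsi, day))
        else:
            # Alarmed days are kept out of the history so that they cannot
            # teach the profile a false behaviour pattern.
            profiles[imsi].update(seconds)
    return alerts


def constructed_tickets():
    """Constructed sample data: two subscribers, 14 ordinary days, then changes."""
    tickets = []

    def call(imsi, day, seconds):
        tickets.append({"Charged_IMSI": imsi, "day": day, "Chargeable_Duration": seconds})

    for day in range(1, 15):
        call("imsi-light", day, 240 + 10 * (day % 3))    # about 4 minutes a day
        call("imsi-heavy", day, 9000 + 300 * (day % 4))  # about 2.5 hours a day
    call("imsi-light", 15, 3600)   # 1 hour: under ABS_LIMIT_S, far above this user's habit
    call("imsi-heavy", 15, 9600)   # ordinary for this user
    call("imsi-heavy", 16, 20000)  # extreme usage
    return tickets


if __name__ == "__main__":
    for kind, hits in analyse(constructed_tickets()).items():
        print(kind, sorted(hits))
```

The light user's one-hour day is raised only by the differential trigger, while the heavy user's extreme day is raised by both, which is the sense in which the differential analysis incorporates the absolute one.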
MOBILE DEVICE IDENTIFICATION
This is enabled through a JavaScript on the server that the user logs in to, which captures
whatever information it can get from the user's browser and phone, depending on whether the
user is using a browser or native application. If the application is browser-based, then the
JavaScript application captures whatever information it can get from the user's browser to
uniquely identify that particular user's browser and mobile device. If the mobile application is
native and residing on the mobile handset, native applications can additionally gather the phone's
serial number and network card number. This will require opt-in by the user.
Device identification in wireless communication relies on various cryptographic
mechanisms. The impact of those cryptographic schemes again depends on various challenges of
key distribution by robustly detecting and revoking compromised keys. A Network Access
Identifier (NAI) is used to uniquely identify the device. The use of a temporary NAI allows the
system to allocate resources more flexibly. Once a given mobile device has received the
provisioning parameters, the NAI used to access the Provisioning Server (PS) can be assigned to
another device.
[Figure: Mobile device identification]
LOCATION OF DEVICE
This is based on the phone's location information independent of the browser (IP
address), so the user does not have to have his or her mobile browser application open for this to
work; the phone only needs to be turned on. Enterprises may want to check and correlate the
location of the device relative to anything else they know about the user's location through other
systems they may interact with at the enterprise. For mobile phones, there are two architectures
that are used to obtain location information: One relies on device information (e.g., using the
GPS-API applications that the user must opt into); the other employs APIs provided through
mobile network operators that don't require the users to opt in to releasing this information.
TECHNOLOGY USED:
The technology of locating is based on measuring power levels and antenna patterns and
uses the concept that a mobile phone always communicates wirelessly with one of the closest
base stations, so if you know which base station the phone communicates with, you know that
the phone is close to the respective base station.
Advanced systems determine the sector in which the mobile phone resides and roughly
estimate also the distance to the base station. Further approximation can be done by interpolating
signals between adjacent antenna towers. Qualified services may achieve a precision of down to
50 meters in urban areas where mobile traffic and density of antenna towers (base stations) is
sufficiently high. Rural and desolate areas may see miles between base stations and therefore
determine locations less precisely.
GSM localization is the use of multilateration to determine the location of GSM mobile
phones, usually with the intent to locate the user.
Localization-Based Systems can be broadly divided into:
- Network-based
- Handset-based
- SIM-based
- Hybrid
NETWORK-BASED:
Network-based techniques utilize the service provider's network infrastructure to identify
the location of the handset. The advantage of network-based techniques (from mobile operator's
point of view) is that they can be implemented non-intrusively, without affecting the handsets.
The accuracy of network-based techniques varies, with cell identification as the least
accurate and triangulation as moderately accurate, and newer "Forward Link" timing methods as
the most accurate. The accuracy of network-based techniques depends both on the
concentration of base station cells, with urban environments achieving the highest possible
accuracy, and on the implementation of the most current timing methods.
One of the key challenges of network-based techniques is the requirement to work
closely with the service provider, as it entails the installation of hardware and software within the
operator's infrastructure. Often, a legislative framework, such as E911, would need to be in place
to compel the cooperation of the service provider as well as to safeguard the privacy of the
information.
HANDSET-BASED:
Handset-based technology requires the installation of client software on the handset to
determine its location. This technique determines the location of the handset by computing its
location by cell identification, signal strengths of the home and neighboring cells, which is
continuously sent to the carrier. In addition, if the handset is also equipped with GPS then
significantly more precise location information is then sent from the handset to the carrier.
The key disadvantage of this technique (from mobile operator's point of view) is the
necessity of installing software on the handset. It requires the active cooperation of the mobile
subscriber as well as software that must be able to handle the different operating systems of the
handsets. Typically, smart phones, such as one based on Symbian [4], Windows Mobile, iPhone
and iPhone OS, or Android, would be able to run such software.
One proposed work-around is the installation of embedded hardware or software on the
handset by the manufacturers, e.g. E-OTD. This avenue has not made significant headway, due
to the difficulty of convincing different manufacturers to cooperate on a common mechanism
and to address the cost issue. Another difficulty would be to address the issue of foreign handsets
that are roaming in the network.
SIM-BASED:
Using the SIM in GSM and UMTS handsets, it is possible to obtain raw radio
measurements from the handset. The measurements that are available can include the serving
Cell-ID, round trip time and signal strength. The type of information obtained via the SIM can
differ from what is available from the handset. For example, it may not be possible to obtain any
raw measurements from the handset directly, yet still obtain measurements via the SIM.
HYBRID:
Hybrid positioning systems use a combination of network-based and handset-based
technologies for location determination. One example would be some modes of Assisted GPS,
which can both use GPS and network information to compute the location (although in most
A-GPS systems all computations are done by the handset, and the network is only used to initially
acquire and use the GPS satellites).
[Figure: Location of device]
RULE-BASED APPROACH TO FRAUD DETECTION
This approach works best with user profiles containing explicit information, to which fraud
criteria given as rules can refer. User profiles are maintained for the directory number of
the calling party (A-number), for the directory number of the called party (B-number) and also
for the cells used to make/receive the calls. A-number profiles represent user behaviour and are
useful for the detection of most types of fraud, while B-number profiles point to hot destinations
and thus allow the detection of frauds based upon call forwarding. All deviations from normal
user behaviour resulting from the different analyzing processes are collected and alarms will
finally be raised if the results in combination fulfill given alarm criteria.
The implementation of this solution is based on an existing rule-based tool for audit trail
analysis, PDAT (Protocol Data Analysis Tool). PDAT is a rule-based tool for intrusion detection.
PDAT works in heterogeneous environments, has the possibility of on-line analysis, and
provides a performance of about 200 KB input per second. Important goals were flexibility and
broad applicability, including the analysis of general protocol data, which is achieved by the
special language PDAL (Protocol Data Analysis Language). PDAL allows the programming of
analysis criteria as well as a GUI-aided configuration of the analysis at run-time.
Intrusion detection and mobile fraud detection are quite similar problem fields and the
flexibility and broad applicability of PDAT are promising for using this tool for mobile fraud
detection too. The main difference between intrusion detection and mobile fraud detection seems
to be the kind of input data. The recording for intrusion detection produces 50 MB per day per
user, but only for the few users of one UNIX-system. In comparison, fraud detection has to deal
with a huge number of mobile phone subscribers (roughly 1 million), each of whom, however,
produces only about 300 bytes of data per day. PDAT was able to keep all interim results in main
memory, since only a few users had to be dealt with. For fraud detection, however, intermediate
data has of course to be stored on hard disc. Because of these new requirements it was necessary
to develop some completely new concepts such as user profiling and fast swapping for the
updating of user profiles. Also, the internal architecture had to be changed to a great extent.
a high number of elementary units makes it possible to learn arbitrarily complex tasks. For fraud
detection in telephone networks, neural network engines are currently being developed
worldwide. As a closely related application, neural networks are now routinely used for the
detection of credit card fraud.
There are two main forms of learning in neural networks: unsupervised learning and
supervised learning. In unsupervised learning, the network groups similar training patterns in
clusters. It is then up to the user to recognise what class or behaviour has to be associated to each
cluster. When patterns are presented to the network after training, they are associated to the
cluster they are closest to, and are recognised as belonging to the class corresponding to that
cluster. In supervised learning, the patterns have to be a priori labelled as belonging to some
class. During learning, the network tries to adapt its units so that it produces the correct label at
its output for each training pattern. Once training is finished the units are frozen, and when a new
pattern is presented, it is classified according to the output produced by the network.
Unsupervised learning presents some difficulties. The problem is that patterns have to be
presented - that is, encoded - in such a way that the data from fraudulent usage will form groups
that are distinct enough from regular data. On the other hand, these systems can be trained using
clean data only. With supervised learning, the difficulty is that one must obtain a significant
amount of fraudulent data, and label it as such. This represents a significant effort. Further, it is
not clear how such systems will handle new fraud strategies. Therefore, none of the approaches
appears to be a priori superior to the other, and both directions are being investigated.
a new approach called FraudX is used for fraud detection in GSM and ANSI-41 operator
FEATURES OF FRAUDX:
To identify potentially fraudulent activity, FraudX uses near real-time data from mobile
switches and creates a unique profile for each of your existing subscribers based upon a
subscriber's incoming and outgoing call records. After the subscriber profile is established,
FraudX continually compares each subscriber's calling activity to his or her profile, constantly
monitoring events. However, FraudX does allow for subtle variations in subscriber activity and
updates the subscriber's profile with new, legitimate calling patterns as they emerge. Any
significant deviation from a subscriber's normal profile generates a system alarm and a case to
be reviewed by a fraud analyst.
FraudX, which is scalable and flexible, also:
- Lets you determine the types of fraud most prevalent in your market and the types of
  fraud on the rise.
- Allows customization with its threshold, table and parameter value-setting capabilities as
  well as with its:
  - User-defined pattern capabilities, allowing you to define specific conditions for
    identifying call records with certain fraud-associated characteristics.
  - User-defined rule capabilities, allowing you to use if/then statements that alter
    FraudX's programming logic for assigning fraud types and confidence levels.
  - User-defined automatic actions, allowing you to instruct FraudX to execute certain
    routines in response to defined fraud types and alarms with or without human intervention.
- Accepts data from your billing system, including customer subscription information, that
  is used to detect subscription fraud and is available for customized user-defined rules.
- Provides defense against subscription fraud by detecting excessive usage among new
  subscribers.
- Accepts a feed from your prepaid platform, monitors recharge activity and evaluates the
  information against call activity.
HOW IT WORKS:
When you provision a new mobile subscriber, FraudX starts the process of building a
unique profile for that particular subscriber. Since profile data is based upon actual subscriber
usage, it generally takes about a month for FraudX to collect the data on a new subscriber and to
determine what is normal for each subscriber. In the meantime, FraudX allows you to track a
new subscriber's usage during a probationary period against operator-defined thresholds. Once a
historical profile is established, FraudX compares that historical data with each subscriber's
current profile data. By taking this cumulative approach, FraudX accounts for fluctuations in call
activity due to activities such as vacations or excessive travel.
Once a profile is determined, the following process takes place:
1. FraudX accepts and performs edits on call records received from fraud data collection
systems.
2. The system evaluates the edited call records for:
   - Call pattern matching
   - Suspicious dialed digits
   - Suspicious electronic serial numbers (ESNs/MEIDs/IMEIs)
   - Subscription fraud
   - Collision and velocity (SIM cloning detection)
   - Profile-specific variables, such as call cluster, call count and duration, source and
     destination, and fraud call area.
3. The profiler assigns fraud probability and creates alarms when the fraud confidence levels you
set are exceeded. It then updates the profile components with the resulting call detail and
sends the alarms for fraud analysis.
4. When an alarm is generated, FraudX applies a set of knowledge-based, system-defined rules,
which can be customized with your additional rules, to determine if a case is presented.
5. When enough fraud evidence is generated, the system creates a case and continually updates
it.
6. The profiler performs the following steps to prioritize highly probable fraud cases:
   - Tracks by fraud type
   - Accumulates evidence
   - Assigns automatic actions, if needed
   - Assigns confidence level
7. A fraud analyst reviews the cases and performs additional research as needed, following
your company's policies to determine what actions should be taken in response to each
case.
8. As appropriate, a fraud analyst updates and/or closes cases in FraudX and marks calls as
fraudulent. These fraudulent calls can then be sent to your billing system to ensure the charges
from those calls do not appear on the legitimate subscriber's bill.
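The collision and velocity checks named in step 2, which are also the deductive indicators (overlapping calls and velocity checks) listed earlier in this report, written out as an added example; this is not FraudX's own logic. Charged_IMSI, First_Cell_Id and Chargeable_Duration are the report's field names, while the `start` field, the cell coordinates, the speed ceiling and the records are constructed assumptions.

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed ceiling for plausible travel (airliner cruise)
CELL_SLACK_KM = 5.0    # assumed cell radius; subtracted once per cell from the distance

# Constructed cell table: First_Cell_Id -> (latitude, longitude) of the site.
CELLS = {
    "LON-01": (51.5074, -0.1278),
    "LON-02": (51.5155, -0.0922),
    "MAN-07": (53.4808, -2.2426),
    "MAD-03": (40.4168, -3.7038),
}


def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def deductive_indicators(records):
    """Return (kind, Charged_IMSI, start) for each collision or velocity finding."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["Charged_IMSI"]].append(r)
    findings = []
    for imsi, calls in sorted(by_user.items()):
        calls = sorted(calls, key=lambda r: r["start"])
        busy_until = None  # latest end time of any earlier call of this subscriber
        for i, cur in enumerate(calls):
            # Collision: a call starts while an earlier one is still in progress.
            if busy_until is not None and cur["start"] < busy_until:
                findings.append(("collision", imsi, cur["start"]))
            # Velocity: the originating cells of consecutive calls are too far
            # apart for the time between the two call starts.
            if i > 0:
                prev = calls[i - 1]
                km = km_between(CELLS[prev["First_Cell_Id"]], CELLS[cur["First_Cell_Id"]])
                km = max(0.0, km - 2 * CELL_SLACK_KM)
                hours = (cur["start"] - prev["start"]) / 3600.0
                if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    findings.append(("velocity", imsi, cur["start"]))
            end = cur["start"] + cur["Chargeable_Duration"]
            busy_until = end if busy_until is None else max(busy_until, end)
    return findings


def constructed_records():
    rows = [  # (Charged_IMSI, start in s, Chargeable_Duration in s, First_Cell_Id)
        ("imsi-a", 0, 300, "LON-01"), ("imsi-a", 600, 120, "LON-02"),
        ("imsi-a", 15000, 200, "MAN-07"),                                 # 4 h later: plausible trip
        ("imsi-b", 1000, 600, "LON-01"), ("imsi-b", 1200, 60, "MAD-03"),  # two places at once
        ("imsi-b", 5000, 100, "MAD-03"),
        ("imsi-c", 0, 100, "LON-01"), ("imsi-c", 3600, 90, "MAD-03"),     # too fast
        ("imsi-d", 0, 60, "LON-01"), ("imsi-d", 10800, 60, "MAD-03"),     # 3 h: plausible flight
    ]
    keys = ("Charged_IMSI", "start", "Chargeable_Duration", "First_Cell_Id")
    return [dict(zip(keys, row)) for row in rows]


if __name__ == "__main__":
    for finding in deductive_indicators(constructed_records()):
        print(finding)
```

The cell slack keeps handovers between neighbouring cells from counting as travel, which is why the two London calls of `imsi-a` produce no finding.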
[Figure: Basic mobile location]
CONCLUSION
LIMITATIONS:
Since this system is based on the history of the user, it is not a foolproof system. There is every
possibility that even a stolen mobile can be put to similar use as before. In that case, however, the
losses from such similar use will be very small.
Usually, whenever a mobile is stolen, the user is likely to complain to the police. So the
limitation mentioned above may not be a major problem.
Another limitation may be that the user may himself make abnormal use of his mobile.
So it is essential that such false alarms be prevented.
FUTURE EXPANSION:
The above-mentioned limitation can be overcome very easily. One of the available
methods is to have a password mechanism.
In a password mechanism the user will be provided with a unique code or password. When the
network moderator suspects misuse of a particular mobile, he can ask the user for password
confirmation.