Subscription fraud

Subscription fraud

Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection looks at the risks associated with subscription fraud:

Subscription fraud is usually described as using a service with no intention to pay. The concept is straightforward: the fraudster signs up for a service, exploits that service and then defaults on the bill.

For post-paid (or contract) customers, the fraudster uses a number of tricks to overcome the simple checks implemented by networks, for example he builds up a picture of a user with some small usage regularly settling the bill on time. At the appointed time the fraud is initiated: the fraudster then uses the phone to run up a significant bill and uses his social engineering skills and ‘good behaviour’ to keep the service going until such time as the network terminates service.

A more recent trend is for genuine customers to have fraudsters’ phone numbers added to their accounts and settled by the customer unwittingly or not. This can be achieved through a number of different methods from postal interception, refuse examination for account details, passing off or simply contacting the relevant helpdesk to request the addition of another handset and bluffing. The key indicator is the level of bad debt and whether it is in line with the industry average.

For pre-paid customers, the situation is slightly more complex. The fraudster tops up the credit on the phone regularly using a number of stolen credit card numbers. There is nothing in the payment process to alert the network to a potential issue, until the cards are actually cancelled and a chargeback is applied by the card issuer to the network. For the network the losses are not simply the value of the traffic, but potentially any fines levied by the card issuers and as a last resort, the removal of the ability to take card payments directly or even indirectly through services such as PayPal. Hence the key indicator is the level of card transactions being refused by the relevant card processor.

The weakness being exploited is the failure to confirm the identity of the person making the request for service. The first check needs to be a check that the request does not come from an originating country that has been blacklisted as a high risk environment. If it is, then additional verification steps should be implemented or the service declined. The second check is that the Media Access Control (MAC) address is valid and not registered on a fraud database. However, with the introduction of virtualisation software, it is possible to spoof MAC addresses and those should also be disallowed. Having verified, as far as is practicable, that the originating address is valid, the next requirement needs to be a two-stage sign-up process, whereby the person signing up has to activate the account by replying to an email. This method is not foolproof as there are a number of email services, such as GuerillaMail.org that can provide a disposable email account that is valid for a few hours, which gives the fraudster time to reply to the verification email. In the case of passing off, the email should be sent to the account holder, not the individual concerned.

Recognising that these checks can always be beaten, the next step is to minimise the exposure. This can be limiting the number of SIMs that can be bought at any one time or restricting the services available until certain behaviours have been observed, for example:

  • disabling calls to Premium Rate Services or Roaming
  • putting a limit on the number of different cards that can be used to top up a service on a single SIM
  • putting a limit on the number of SIMs that can be topped up by a single card

implementing the 3D Secure process appropriately but recognising its limitations, for example it cannot be used alongside an auto top-up process but should be invoked for any change to a service.