About TeraNetTest

By-Pass/SimBox/ Grey Route/GSM Gateway Fraud

Introduction

Fraud is a significant problem that costs wireless and wire line carriers billions annually.  Additionally, it consumes a substantial amount of signaling and voice bandwidth as well as the resources of individual network elements (i.e. STPs, switches, databases). In order to properly identify By-Pass Fraud one needs to understand the issues around this fraud. Teralight Ltd has spent years in detecting and eliminating this fraud and understands the dynamics of this problem very well.  To demonstrate the challenges carriers face with respect to controlling fraud, this document will focus on SIM Box (i.e. GSM Gateway) fraud which impacts carriers financially on the order of billions annually, while accounting for as much as 20% of a provider’s terminating traffic.

Types of Fraud

The table below highlights some of the more pervasive types of fraud harming carriers.

The objective of the SIM Box operator is to bypass the international gateway switches in order to bring mobile traffic into a country and have it appear as domestic originated traffic. With this setup, SIM Box owners are able to compete with carriers in wholesale markets where the SIM Box owner’s cost is much lower, resulting in major revenue losses for the mobile carrier.
  
Additionally, the Calling Line Identity (CLI) is not delivered because the CLI of the SIM used in the SIM Box is delivered instead, adversely affecting subscriber services and the subscriber’s experience.  Since SIM Boxes are utilized for commercial purposes (although fraudulently), they do not exhibit the same calling behavior as the average subscriber, and  they have high utilization that causes network congestion and limits legitimate subscriber traffic.

Types of Bypass Fraud (SIM Box Interconnect Configuration)

SIM Box is located in an Adjacent Operator’s Network

In this scenario, calls from other networks are delivered first to the Adjacent Operator’s network and then to the Home Operator’s network as inbound mobile originated calls, bypassing the international/national gateway switch and standard termination fees.  The Home Operator in this scenario could be a wire line operator (the SIM Box can deliver calls to any network with whom the Adjacent Operator is connected); therefore, this scenario is equally applicable to both fixed and mobile operators.  This scenario is extremely difficult to deal with using current control technologies and approaches as the SIM Box is physically on another network out of the victim carrier’s control.

SIM Box is Located in the Home Operator’s Network

In this scenario, the SIM Box delivers calls to the Adjacent Operator’s network as outbound mobile originated calls, thus bypassing the international/ national gateway switch and standard termination fees for such traffic.  This scenario causes additional damage to the Home Operator because not only do they lose the standard termination fees (soft loss), but they must also pay access fees to the Adjacent Operator for terminating the outbound calls generated by the SIM Box (hard loss). This is typical in many countries.

SIM Box is Located Within the Network of the Home Operator.

In this scenario, calls from other networks are delivered to the Home Operator and terminate on the Home Operator’s network, thus appearing as on-net mobile-to-mobile calls.  Again, these calls bypass the international/national gateway switch and standard termination fees for such traffic.  This configuration also causes serious concerns regarding quality of service, congestion, spectrum management and network utilization.

The Approach of Guardian in Eliminating Fraud, in Real-Time

The Teralight Ltd Guardian TeraNet Test solution is a suite of products that are based upon the following approach:

• TeraNet Test Solution by pushing the calls to the Operator’s Network
• Detect the Fraudulent Numbers
• Eliminate by informing operator to block them

Figure 4: Guardian Approach

TeraNet Test Solution

The TeraNet Test Solution has the following major components:

• Prevail Application installed in Teralight NOC to generate the required reports.
• Automated Call Generation System in our POPs, Calling Cards and global routes loaded in Call Generation System.
• Non-Directory Numbers in Home Operator.
• CallerID Box, GSM to Analog conversion Box and Desktop Machine. These are portable and can be installed anywhere in the whole country. No Limitation.

Figure 5: Components in Detecting By-Pass Fraud

 

Prevail Application

The Teralight Ltd Prevail application is an integrated fraud-detection application that works on Oracle, which is the most reliable database software, which can in real-time track down and detect fraudulent traffic on the network. With the deployment of Prevail, the organization can minimize the time and costs associated with fighting the fraud and successfully recovering lost revenue as a result of fraudulent calls, phantom traffic, non-paying subscribers, interconnect billing errors and SIM Boxes. Prevail is the “engine” that takes all data and identifies problem areas.

PREVAIL is designed to process different types of CDR output from different switches. The application analyzes call detail records independent of their structure or format. Realizing that different operators have different formats for maintaining call detail records, with each format suited to meet specific needs, a generalizing mechanism was embedded within the software to handle any given CDR format. Prevail is designed to process all the data from the CallerID box in the form of CDRs in real-time and process them in real-time to generate the required reports. However, the Prevail’s generalized feature help us in processing any kind of operator’s CDRs and generate the required reports.

This CDR generalization feature is made available through the utilization of configuration files, which are used to define the format according to which the desired data is extracted from the CDR. Once the format has been defined, the software reads the configuration file of the CDR, irrespective of its type, and then appropriately converts it into a loadable format. Data from this newly converted file is then loaded into the database for analysis. 

Prevail Bypass filtering capability is used for detecting bypass providers by analyzing Test call generator’s calls, network call flows, daily call traffic, calling numbers to non-listed numbers. Several options have been embedded into this feature of the application:

• Teranet Test Call generator calls are monitored and process in real-time
• Daily call traffic statistics are stored and analyzed.
• If the calling number is a local number and has called to already provided non-listed numbers of the Operator, then Prevail generates an alarm immediately, as calling numbers can never be local in this case. This helps to assure one hundred percent confidence that the calling SIM is fraudulent.
• There are several predefined bypass detection conditions which act on unexpected behavior of any number of conditions which can include long duration calls, high number of attempts, called number, high MO/MT ratio etc.
• The system filters the top “x” numbers which are coming in the illegal bypass traffic category and stores and provide reports on calling numbers, called numbers, unique B-Leg numbers, (ACD) average call Duration, ASR (Average Success rate), PDD (Post Dial Delay), Average time between calls (As the SIM Box dials as soon as the line is free and duration between calls helps to detect the grey routes.
• The parameters for bypass detection can be configured.
• The solution filters out the numbers with invalid and empty A-numbers and valid national numbers with the missing A-Leg of a call coming from interconnect operator. A large exclusion list is included within the system, so that known ISPs and large volume users may not be confused with suspicious users.
• The system makes recommendations on the basis of statistical formulas.
• The Prevail bypass filter screens the incoming international calls from international trunk groups in cases when the calling number does not belong to the carrier’s country.
• Different value base measurements affect the accuracy of the results.

Test Call Generation System

The Teralight Test Call Generation System running in several POPs around the globe helps in generating the calls from different regions of the world.
Test Call generation is configured to take input in the form of soft route information and calling cards including PIN number, account number, password, destination IP address, call pattern, called numbers, average duration of call, break between two calls and the number of calls to the specified group of numbers.
Once the above required information is configured then the test call generation system starts generating the calls and keep logs of each call. This system helps in identifying the grey routes in real-time using the destination CallerID CDRs and the reports from the Prevail application.
Test Call generator is configured on the basis of number of test calls requirement from the customer along with the estimated number of grey route operators working in the home country. One license of the test call generator can generate around 1000 test calls in a day and the license is always dedicated to one customer at a time and never been shared for any other customer’s traffic.

 

• Non-Listed Numbers

The Non-listed numbers are those numbers which are not assigned to anyone and are non-directory numbers. They help in assuring Prevail and our engineers that all the calls made on those non-listed numbers are made by Teralight Call generation system. The reason for the non-listed numbers is that it assures Prevail that if the calling number to these non-listed numbers is a local number then that local number is doing the fraudulent activity and sending the calls through some SIM box because all the calls been made to those numbers are from Test Call generator which is not in home country and making an international call. Therefore the calling number should always be an international number.

• CallerID Box, GSM box and Desktop Machine

GSM box is installed in any location in the country of the customer. It is use to install and configure the already provided operator’s SIMs which are always non-directory numbers. This Box installs four SIMs at a time and the operator generally configures more than 20 numbers over one SIM to reduce the setup cost. The GSM box is then connected to the CallerID box to convert GSM to analog which generates the CDRs in real-time and forwards all the data to the connected Desktop machine over the Ethernet or serial connection. The Desktop machine stores all the data which is then fetched automatically by the prevail application in real-time using the remote connection.

Figure 5: Teralight TeraNet Test Solution without Probes

 

 

How this Approach Works?

In this approach, we also work in a revenue sharing model as well as per month services model with the operators and regulators. This way the Operator does not need to bear any upfront cost, and shares the saved revenue with Teralight on detecting every fraudulent SIMs. In the TeraNet Test solution, Teralight provides enhanced services by providing Prevail and call generation services to the client. Teralight has POPs available in the US, UK, Hong-Kong, Pakistan etc from where we are providing such kinds of services to our customers around the globe. When utilizing these services, our customer is assured of detecting the bypass fraud in REAL-TIME and with these services Teralight doesn’t mean “Near to Real-Time”. In this approach of detecting and eliminating fraud, Teralight generates test calls from their POPs to the specific non-listed numbers. On the Customer end, non directory numbers are configured to generate alarms on calls coming from any local number to the specified non-listed number, hence assuring the revenue and detecting and eliminating fraud in real-time.

Flow of the Methodology

Teralight Guardian Fraud Detection Solution works using the following steps to detect the SIM Box Fraud efficiently.

• Discuss and understand customer requirement.
• As per the requirement, setup the license for the Prevail Application in our NOC to serve automatic reporting for the customer.
• Get the Non-listed numbers from the customer which is minimum of 80 numbers.
• Ask the operator to configure at least 20 numbers on one SIM.
• Install and configure the GSM box, CallerID box and desktop machine in the home country.
• Setup test call generator in different POPs.
• Configure cheapest calling cards in the test call generator.
• Configure cheapest routes in the routing information of test call generators.
• Test the complete setup for couple of days.
• Start sending the calls to the non-directory numbers.
• Prevail fetches the data from the already configured desktop machine which is storing the CDRs.
• Prevail Processes the data in real-time and send the automatic report through email to the customer email address.
• In the Prevail report, any Calling number with a local number would be identified as a SIM Box number and informed in the report.
• After the submission of report by prevail, operator blocks that number within two hours time. So that the Grey route operator changes the SIMs and we block the other SIMs too until he stops getting the business from the partners in other countries.
• If operator doesn’t block the number and it comes again in the Prevail reporting process after 2 hours of last report then it is treated as new fraudulent number.
• If the Fraudulent number is from some adjacent operator then it needs to informed by our customer to the adjacent operator to block on their network too.
• After every 24 hours, prevail generates the summarized report of all the detected numbers of the day.
• In few cases, the CLI has been blocked by the grey route operator, if we start seeing it very frequently in our prevail reports then following is requested from the operator.
• Enable the trace on few of the already provided Non-directory numbers.
• Enable this trace for at least 4 hours a day on different times which will be suggested by Teralight.
• Send the Trace output to Teralight.
• Teralight will process the traces in prevail and send the fraudulent numbers list which hiding the CLI.
• Operator blocks those numbers too or informs the adjacent operator to block them.
• Teralight services contract can be in two different ways.

• We invoice on detecting every fraudulent SIM and the rate per number will be decided at the time of contract and the Teralight working on identifying the revenue loss for the operator per SIM on monthly basis, hence not allowing any fraudulent activity to happen in the network.
• We invoice on the basis of monthly services contract for one year.