You are on page 1of 25

Fraud in Short Messaging in

Mobile Networks
Kari-Matti Puukangas / TeliaSonera

Supervisor: Professor Raimo Kantola
Instructor: M.Sc Niko Kettunen


Scope of the study
Different Types of Fraudulent SMS

How Fraudster Connects to the Network
Why Fraudulent Messaging Should be Prevented
How to Prevent Fraudulent Messages

3rd party faking
Spamming and Flooding
GT scanning and Mobile malware

TCAP Handshake
SMS Firewall


Kari-Matti Puukangas


cheap messages China 6-10 Spam messages per day per user India 20% of the short messages is Spam E-mail to SMS is the biggest source to Spam Not a problem yet Europe     Quite expensive messages Operators control all connected links Phishing and “call to premium number” type of attacks Not a problem yet Kari-Matti Puukangas 3 .Background  SMS fraud around the world  Asia     USA    SMS spamming is very common.

Background Kari-Matti Puukangas 4 .

Background Kari-Matti Puukangas 5 .

Scope of the study     Describe the different fraud scenarios How the fraud can be identified and prevented Describe the fraud prevention methods Give a recommendation of the most suitable method based on a SWOT analysis Kari-Matti Puukangas 6 .

Different Types of Fraudulent SMS        Spoofing Faking 3rd party faking Spamming Flooding GT scanning Mobile malware Kari-Matti Puukangas 7 .

Spoofing   Illegal use of the home SMSC Mobile Originated SMS with a manipulated A-MSISDN (real or wrong) is coming from a roaming subscriber. Kari-Matti Puukangas 8 .

Kari-Matti Puukangas 9 . SMSC number or A-MSISDN are manipulated (can be existing numbers).Faking   Originated from the international SS7 Network and is terminated to home mobile network.

3rd Party Faking    A special case of Faking Happens in third party’s network Termination fees to home network Kari-Matti Puukangas 10 .

g.  Purpose to slow down the operator network or jam one ore more mobile terminals Usually combined with spoofing or faking Kari-Matti Puukangas 11 . to call a premium number) Flooding  A large number of messages sent to one or more destinations  Messages may be either valid or invalid.Spamming and Flooding  Spamming   Unsolicited SMS The spam SMS content can include:      Commercial information Bogus contest Messages intended to invite a response from the receiver (e.

e.g.GT Scanning and Mobile Malware  GT Scanning    A lot of MO_Forward_SM or SRI messages with SMSC or MSC address incremented by one in each message Fraudster tries to find unprotected SMSC or MSC Mobile malware  All kinds of binary messages. viruses or service settings Kari-Matti Puukangas 12 .

How Fraudster Connects to the Network  Increased number of parties connected to SS7 network    Bulk connections from small operators   Do not care how the connection is used Hacking a short messaging entity   Interfaces to SS7 and Internet Potential thread by hackers May be noticed quite soon Pribe the operator employees  May be possible in some less developed countries Kari-Matti Puukangas 13 .

Why Fraudulent Messaging Should be Prevented  Subscriber’s point of view     Receiving spam is very annoying Spoofed number may cause charges to innocent user Spoofed subscriber may get angry calls and messages from message receivers (blocking the handset) Operator’s point of view        Loss of messaging income Wrongly charged customers Increased customer care contacts Increased churn Loss of termination fees Termination of roaming agreements Increased signaling network load Kari-Matti Puukangas 14 .

How to Prevent Fraudulent Messages   GSMA has created a criteria to detect the fraud and basic actions for stopping it Means to prevent fraudulent messages    TCAP Handshake TCAP Sec SMS Firewall Kari-Matti Puukangas 15 .

200 Based on the TCAP segmentation used in the long messages First two messages used for the authentication Requires MAP version 2 or 3 Protection against faking Kari-Matti Puukangas 16 .TCAP Handshake      3GPP specification 33.

TCAP Handshake  SWOT analysis for TCAP Handshake Strengths - Weaknesses No big investments Good protection against faking Standardized by 3GPP - Opportunities - Applies only to the Fake cases Requires MAP version 2 or 3 Software of all SMS related elements needs to be upgraded All parties need to use the handshake Maintenance of the policy table Threats Fast results if taken widely into use - Kari-Matti Puukangas The other operators are not going to implement this solution Spoofing and flooding may increase 17 .

TCAP sec  3GPP specifications 33.  Requires new component to the network   SS7 Security Gateway (SEG) with databases for security policy (SPD) and security association (SAD) SEG secures the TCAP transactions with the help of the Policy Database  Protected or unprotected mode Kari-Matti Puukangas 18 .204 and 29.204.

TCAP sec  SWOT analysis for TCAPsec Strengths - Weaknesses Good protection against Faking Possibility to secure all SS7 traffic Standardized by 3GPP - Opportunities - Needs a lot of interworking between operators Applies only to the Faking cases All operators need to use TCAPsec New network element (SS7-SEG) Currently not many SS7-SEG manufacturers Price may be high Maintenance of the new element need dedicated personnel A lot of work in maintaining the policy tables Threats If all operators implement TCAPsec it will give perfect protection against faking - If not implemented completely by all operators fraudsters will have possibility to use spoofing and flooding types of messages Kari-Matti Puukangas 19 .

SMS Firewall       GSMA document IR.82 gives the guidelines to prevent SMS threats with a firewall SMS Firewall can stop all known threats Spoofing and faking prevention by comparing messages or location Spamming and flooding prevention by checking the content Virus check Can be implemented without the actions of the other operators Kari-Matti Puukangas 20 .

SMS Firewall  Preventing SMS Spoofing with Firewall Kari-Matti Puukangas 21 .

SMS Firewall  Preventing SMS faking with Firewall Kari-Matti Puukangas 22 .

there is minimal configuration needed The Firewall can also be used for other business purposes Reporting tools available Opportunities - - For the complete protection home routing needs to be activated New element needs to be installed Threats Easy and fast deployment will give good protection against existing threads - New kind of fraud that possibly could bypass the firewall Kari-Matti Puukangas 23 .SMS Firewall  SWOT analysis for SMS Firewall Strengths - Weaknesses Full fills all fraud cases described by GSMA Not dependent on other operators actions Many Firewall manufacturers Can be integrated to the SMSC system If part of the SMSC system there is no need for new personnel After installation.

Conclusion  Requirements     The system must be able to protect against all known fraud cases The system needs to have an ability to collect the reports of the incidents The system must to be able to work regardless of the actions of other operators. Conclusion  The only available solution that fulfils all of the requirements is the SMS Firewall. With the firewall solution the operator can implement a solid line of defence against all known fraudulent SMS threats. Kari-Matti Puukangas 24 .

Thank You  Questions? Kari-Matti Puukangas 25 .