This case study carries a simple message that IRSF attack is real and action should be taken now. IRSF accounts for about $10.7 billion in fraud losses, up by 497% from previous year (CFCA Global Fraud Loss Survey). Whether you are small, big, MNO, an MVNO, a fixed or VoIP operator, lack of a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers, will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.
The Victim
The Mobile Virtual Network Operator (MVNO) in this case study has been in business for nearly a decade, offering various mobile services to both consumers and businesses. Their core strategy revolves around procuring airtime at the most competitive rates possible and then passing these preferential rates on to their customers. Airtime procurement is managed through multiple aggregators. Historically, they have not encountered any significant fraud issues and have allocated minimal resources to the responsibilities of Fraud Management or Revenue Risk.
The Fraud
One of the MVNO’s lines of business involves supplying post-paid SIM cards to international partners, who, in turn, offer them to tourists visiting the MVNO’s home country. These SIM cards are activated upon the tourists’ arrival in the country and are used as local SIM cards.
The MVNO received a request from a registered European company (Company A) for 70 post-paid SIM cards to be provided to a group of tourists traveling to the MVNO’s country. After conducting due diligence on Company A’s request, it was agreed that the 70 SIM cards would be dispatched. Subsequently, these SIM cards were sent to and received by Company A, initially in an inactive state (refer to Figure 1).
Several weeks after Company A received these SIM cards, the MVNO learned, through information provided by their Network Provider, that some of these SIM cards were being used in the European Country where Company A was located to make calls to known IRSF destinations. The MVNO had no prior knowledge that these SIM cards had been activated, with roaming enabled, and the initial reports indicated that some had incurred IRSF costs amounting to several thousand US dollars. In response, the MVNO promptly blocked all 70 SIM cards. The exact method by which these SIMs were activated remains unclear, but there is suspicion that the provisioning system used to activate the 70 SIMs was accessed by an unauthorized individual before the IRSF attack (refer to Figure 2).
The Investigation
Once all call records were made available to the MVNO, it was found that a carefully planned IRSF attack commenced at around 9.00pm on a Friday night and continued for 77 hours (until all SIM cards were blocked). All 70 SIMs were used simultaneously utilising the phones multi-party calling function, potentially permitting 420 calls to be active at any one time.
During the 77 hour period, a total of 51,900 calls were made to 605 unique IRSF numbers across 41 different countries. The total loss attributed to these calls was $US 2.130 million with an average hourly loss of $US 27,662.00.
Lessons Learnt
The MVNO was not expecting these SIM cards to be used until they arrived in his home country, so there was no monitoring in place for high usage. He had no direct relationship with his Network Provider, purchasing capacity through Aggregators, so there was no timely delivery of NRTRDE records.
Had the MVNO completed a full fraud risk review across the business, it would have ensured that monitoring was in place to identify high usage of any SIM cards allocated to him which were in an activated state, whether or not this activation was completed lawfully, or unlawfully.
Could an IRSF Database have prevented this?
Without a shadow of doubt; although it should be clarified that this would have been dependent on the timely delivery of NRTRDE records, something that should have been contractually agreed between the MVNO and/or the MNO (Mobile Network Operator) and Aggregators. This is an improvement opportunity that would have been identified by an independent fraud management review.
These Test Numbers advertised by IPRN providers are generally called prior to an IRSF attack to confirm for the fraudster that a number range can be called from the location and device he is using. IRSF databases such as Rombus are now used by a number of Communication Service Providers (Mobile, Fixed, MVNO and VOIP) worldwide and is now a key defence against IRSF. It can populate a hot list within an established Fraud Management System (FMS).
All call records in the attack were tested against the Advertised Test Number database. Of the 605 unique numbers called, 168 of them were in the most recent Advertised list. Calls to these Test Numbers, some of which were repeated several times over different handsets, would have generated 289 Fraud alerts during that 77 hour period had the NRTRDE records been tested through the IRSF number hotlist as they arrived. Within 30 minutes of this fraud starting, 36 calls were made to Test Numbers, and 24 of these Test Numbers were in Advertised List, so would have generated fraud alerts.
Hindsight is wonderful, however a basic Fraud Risk Management review would have identified the risks associated with this transaction, and the implementation of an inexpensive Fraud Management System utilising the IRSF database could have avoided losses in this instance of over $US2 million.
The Outcome
The MVNO is now considering voluntary liquidation of the company, which not only impacts the founder’s future, but also that of the loyal staff. This incident re-iterates the message that irrespective of how big or small a company is, a lack of a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers, will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.
For further information on controlling IRSF Fraud, please write to info@frslabs.com.
