
Fighting Future Fraud: A Strategy for Using Big Data, Machine Learning, and Data Lakes to Fight Mobile Communications Fraud

Authored by: Dr. Ian Howells, Dr. Volkmar Scharf-Katz, Padraig Stapleton

TABLE OF CONTENTS

INTRODUCTION: FUTURE FRAUD AND BIG DATA 4
CURRENT FRAUD LANDSCAPE 6
FINANCIAL IMPACT OF FRAUD 7
HOW FRAUD OCCURS 9
FRAUD DETECTION AND ANALYTICS SYSTEMS 10
VISUALIZING THE ART OF MOBILE FRAUD 12
VISUALIZING A CALL-BASED VOLUME AND VELOCITY ATTACK 14
VISUALIZING A CALL-BASED VOLUME AND VELOCITY MULTICHANNEL ATTACK 18
VISUALIZING A CALL-BASED VOLUME AND VELOCITY MULTI-PRONGED GROUP ATTACK 19
VISUALIZING TIME-BASED VOLUME ATTACKS 20
VISUALIZING HIGH USAGE ROAMING DATA 21
THE ROLE OF MACHINE LEARNING IN ANOMALY DETECTION 23
A BIG DATA PLAYBOOK TO BEAT MOBILE FRAUD 25
PLAY 1 - INTEGRATE ALERTS WITH CONTEXTUAL INFORMATION 29
PLAY 2 - INTEGRATE MACHINE LEARNING AND VISUALIZATION 29
PLAY 3 - USE DATA LAKE APPLICATIONS TO INCREASE ACCURACY 30
PLAY 4 - THE POWER OF MACHINE LEARNING AND ANOMALY DETECTION 31
PLAY 5 - DETECT CRIME RINGS NOT JUST INDIVIDUALS 33
PLAY 6 - DETECT AT THE TEST PHASE BEFORE THE ATTACK MOUNTS UP 34
PLAY 7 - DETECT LOCAL ACCOMPLICES 34
APPLICABILITY OF THIS PLAYBOOK TO MULTIPLE VARIETIES OF FRAUD TYPES & METHODS 35
SUMMARY 36
COMMON KNOWN FRAUD TYPES 38
INTERCONNECT BYPASS FRAUD 39
INTERNATIONAL REVENUE SHARE FRAUD (IRSF) 39
PREMIUM RATE SERVICE FRAUD 40
FRAUD METHODS 41
ABUSE OF SERVICE TERMS AND CONDITIONS - NEGATIVE MARGIN 42
IMEI REPROGRAMMING 42
PBX HACKING / IP PBX HACKING 43
PHISHING 43
SIGNAL MANIPULATION - SIP AND SS7 HACKING 44
SIM CLONING 44
SMS FAKING OR SPOOFING 45
SUBSCRIPTION FRAUD AND NEVER PAY 45
WANGIRI FRAUD 46
ABOUT THE AUTHORS 47
ABOUT ARGYLE DATA 49

INTRODUCTION: FUTURE FRAUD AND BIG DATA

We have had the privilege of working with global leaders and visionaries on their strategies for future fraud, big data, and machine learning. What consistently comes up is that best-in-class carriers know the fraud types and fraud methods that they have been attacked with in the past, and they know the scale of fraud today. However, what keeps them up at night can be captured in a famous phrase by Donald Rumsfeld:

"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."

This translates to:

- New Fraud - What new types and methods of fraud are criminals using that we don't know about and that we aren't detecting?
- New Platforms and Technology - How are we going to use new big data platforms and machine learning to detect both old and new types of fraud in real time?
- New Sources of Data - How are we going to protect subscribers from fraud in the new world of connected cars, connected home, mobile payments, IoT in utilities, and IoT in health and fitness?

What is critical to understand is that a) criminals are continually innovating; b) each subscriber will have many devices, many channels, and many potential attack points; and c) we need a better way to detect new fraud and protect customers and carriers in this new world today, not in 2020.

It is commonly agreed that you can no longer effectively protect a subscriber with silos or disconnected, disparate systems. What is required to protect subscribers effectively in the new world is a big data/data lake strategy that encompasses batch billing data; real-time call, VoIP, SMS and data packets; and business data. To truly get the value from an application accessing a data lake means discovering what you don't already know. This makes asking the right questions much harder.

What is needed to get the right answer, at scale, is real-time machine learning and anomaly detection. Criminals make their money in mobile fraud by behaving in an anomalous way, exploiting loopholes or arbitrage opportunities in the system. If they continue to behave in this way, automated anomaly detection systems can now identify them. Modern machine learning can discover anomalous behavior in real time, uncover new and old types of fraud, and treat a loyal customer who has paid their bills on time for five years differently than a brand new customer.

It is critical to no longer have separate applications and databases for each type of fraud. What is required is a unified strategy to detect both traditional and new attack vectors, with an integrated infrastructure for applications such as:

- Domestic and roaming fraud
- Mobile payment fraud
- Never pay fraud
- Negative margin fraud
- Arbitrage fraud
- SS7 security
- IoT abuse and fraud (connected car, connected home, and mHealth)

Modern machine learning and analytics systems can visualize fraud by highlighting anomalies that likely point to fraudulent behavior. When you see fraud visualized in this way, it shows beautifully obvious anomalous behavior that is very difficult to hide. What struck us when looking at these visualizations is that there is a common pattern to fraud and combinations of fraud. Visualizations bring fraud to life and make it beautifully obvious to a human. This is what machine learning, when combined with big data, does at scale.

Big data is commonly described in terms of the ability to handle volume, velocity, and variety. In this book we take these big data concepts and show how to apply them to beat mobile fraud. In the following pages, we examine a common volume and velocity attack pattern across a variety of channels that is equally applicable to many combinations of fraud types and methods, showing different views through graphs, analytics, and anomaly detection visualizations.

Part 1: CURRENT FRAUD LANDSCAPE

2014 will be remembered as the year that the fraud and security dam broke, with fraud moving from being a back-office subject to front-page news. Existing fraud management systems are losing the innovation battle against sophisticated cyber criminal gangs. What struck us when we researched the market is that "fraud" is a dirty word that people don't like to talk about. There is a lack of knowledge about the scale and impact of fraud at senior management and board level. On average, a company loses 5% of revenue to fraud.

One of our favorite articles, "When Will CFOs Put the F Word in Their Annual Reports?", discussed this and provided the following questions that every analyst and shareholder should be asking a company now:

- What is the bottom line impact of losses due to fraud in your company?
- What is the cost of customer service and churn due to fraud in your company?
- What is the impact of fraud on your earnings per share and stock price?
- How do you compare to the average performer in your industry in preventing fraud?
- What are you doing to protect your brand from the reputational damage fraud causes when it becomes public?

We have been privileged to work with some global leaders that understand the impact of the F Word and believe that every enterprise and carrier has an obligation to protect its subscribers from fraud and can differentiate itself by doing so. In order to broaden the conversation about fraud, and make it possible for all relevant players to participate in the conversation about fraud prevention, everyone must first have a basic understanding of the current fraud landscape.

FINANCIAL IMPACT OF FRAUD

When we researched the market, one thing that struck us was that criminal adversaries are out-innovating enterprises, and are doing so because the rewards are so large. It was common to see enterprises using the same approaches they were using 3 to 5 years ago, but the world of fraud and the level of sophistication has moved on dramatically since then.

This is literally costing communications service providers (CSPs) billions of dollars per year. The Association of Certified Fraud Examiners (ACFE) reported that the typical organization loses 5% of revenue each year to fraud, a global loss of $3.7 trillion. The Communications Fraud Control Association (CFCA) reported that mobile and fixed line carriers lose $38 billion per year to fraud. The CFCA also details fraud's impact at a more granular level. Following are their reported fraud costs by fraud type, method, and region.

Costs by fraud type:

Fraud type                                 Globally         North America    Western Europe
International Revenue Share Fraud (IRSF)   $10.75 billion   $3.21 billion    $2.07 billion
Interconnect Bypass Fraud                  $5.97 billion    $1.78 billion    $1.15 billion
Premium Rate Service Fraud                 $3.74 billion    $1.12 billion    $0.72 billion

Costs by fraud method:

Fraud method                               Globally         North America    Western Europe
Subscription Fraud                         $8.05 billion    $2.40 billion    $1.55 billion
PBX Hacking / IP PBX Hacking               $7.47 billion    $2.22 billion    $1.44 billion
Wangiri Fraud                              $1.77 billion    $0.53 billion    $0.34 billion
Phishing                                   $1.57 billion    $0.47 billion    $0.30 billion
Abuse of Service Terms and Conditions      $1.17 billion    $0.53 billion    $0.34 billion
SMS Faking or Spoofing                     $0.79 billion    $0.23 billion    $0.15 billion
IMEI Reprogramming                         $0.58 billion    $0.18 billion    $0.11 billion
Signal Manipulation                        $0.40 billion    $0.12 billion    $0.08 billion
SIM Cloning                                $0.40 billion    $0.12 billion    $0.08 billion

HOW FRAUD OCCURS

The distinction between fraud types and fraud methods is an important one, as it distinguishes how fraud is perpetrated. A fraud type is a way to monetize fraud. For example, premium rate service fraud involves the use of premium rate numbers, where callers have to pay a fee for calling the number. But if no one calls that number, no profit is made. That is where the fraud method comes in. A fraud method is a way to drive a large amount of traffic to a fraud type.

A common fraud method to drive traffic to a premium rate number is known as Wangiri fraud, where a robo-dialer calls thousands of numbers and hangs up after just one ring. People see a missed call, and a surprising number of them (on average 20%) call back without realizing they are calling a premium rate number. Wangiri creates the demand and premium rate service fraud monetizes it.

Note that there can be many different combinations of fraud types and methods. For example, SMS phishing is another common method to drive traffic to a premium rate number. A very successful real-world fraud campaign used SMS phishing to send a message that said "please call this number, we are trying to deliver flowers to your wife" and listed a premium rate number for call back.

Other key distinctions are that fraud may occur:

- When a subscriber is roaming abroad
- When a subscriber is in their home country

Fraud may also occur with:

- Voice
- Data
- Text
- And combinations of the above

FRAUD DETECTION AND ANALYTICS SYSTEMS

Criminals typically use new variations or different combinations of fraud, which are very difficult to detect using traditional methods that attempt to detect known, previous patterns of fraud. Criminals are innovating rapidly while many carriers continue to try to defend themselves with old techniques and technology based on:

- Silos of data across multiple systems
- Batch approaches using ETL/EDW
- Rules based on old, known types of fraud
- Business intelligence

Existing systems that utilize outdated technologies simply can't catch modern fraudsters because they:

- Fail (don't discover fraud)
- Overwhelm (bombard users with false positives)
- Operate in batch (discover fraud after the criminal has gone)
- Use dated rules (discover last year's fraud, not today's fraud)

To compete and out-innovate modern cyber criminal gangs, leading CSPs are utilizing big data, Hadoop, and machine learning to provide real-time access to huge amounts of data stored in a data lake. There is a shift from:

- Batch to real-time
- Thresholds to anomaly detection
- Rules to machine learning
- SQL to SQL and graph analysis
- Silos of data to data lakes
- Scale-up hardware to commodity Hadoop architectures

These modern systems defend against and proactively attack fraud by:

- Detecting fraud in real time
- Detecting both new (unknown) and old (known) types of fraud
- Minimizing false positives
- Identifying crime rings and not just individuals
- Detecting test attacks
- Identifying local accomplices

More information about a modern approach to fraud detection that utilizes new technology can be found in part 3 of this book.

Part 2: VISUALIZING THE ART OF MOBILE FRAUD

When you discuss a particular fraud type or fraud method in isolation, they are very difficult to understand. To bring fraud to life requires real-life stories and combinations of fraud types and methods that are being used together. That is what we will do here, using great visualizations that make fraud beautifully obvious. We must emphasize here that all of the examples and real-life stories we will review and talk through are using realistic, synthetic data. Each scenario will discuss a particular pattern for a fraud attack and will be based upon an example Brazilian operator under attack.

[Figure: A Dashboard Showing Attacks on Brazil]

In the following sections, we will walk you through common fraud attacks by examining visualizations of both call-based and time-based attack patterns. These will then be visualized as anomalies that can be simply detected by humans and by machines.

VISUALIZING A CALL-BASED VOLUME AND VELOCITY ATTACK

In this visualization, we will look at a call-based volume and velocity attack that shows Wangiri fraud (the fraud method) used with international revenue share fraud (the fraud type). In the dashboard scenario map shown previously, a real-time machine learning algorithm has alerted you to a Wangiri attack from Cuba. The attack type and method become far clearer when you visualize it. In the diagram below you can see at the center a number in Cuba calling thousands of people in Brazil. Each blue line is a call out from Cuba to Brazil.

[Figure: A Wangiri Attack: Blue Lines Are Calls from a Single Number in Cuba to Brazil]

When you drill down you can instantly see over 20,000 calls.

[Figure: Bar Chart Showing Anomalous Number of Calls from Cuba to Brazil]

Further analysis would show an average call duration of zero seconds. In this case, both volume and velocity are the key features related to the number of calls, not the minutes consumed. This pattern of a high volume of calls from a single number, paired with a very short call duration, signals a Wangiri attack. This type of attack is based on volume and probability. A robo-dialer calls thousands of numbers, hanging up after just one ring to show as a missed call, with the goal of getting unsuspecting victims to call the number back. In the case of international revenue share fraud, the calls come from a foreign country that has high connection fees. These fees are highest in the Caribbean (including Cuba) and many small countries in the Pacific.

On average, about 20% of people do call the missed number back, racking up connection fees for the local telecom operator. These callbacks can be visualized in the following diagram, where each blue line is a callout and each red line is a callback.

[Figure: Victims (Shown in Red) Responding to One-Ring Call (Shown in Blue)]

When you drill down you can instantly see that over 3,800 people call back to Cuba:

[Figure: Bar Chart Showing Anomalous Number of Calls from Brazil to Cuba]

Another way to look at the attack is over time. On the left side, in blue, we see the attacker calling out, and on the right side, in red, subscribers or victims calling back.

[Figure: Timeline View: Attacks on Left and Responses on Right]

This can also be viewed in a different way, with a gravitational pull based on call volume. The outer circle of calls did not call back. However, the inner circle of calls did call back.

[Figure: A Gravity Diagram: Outside Ring Shows Callouts, Inside Ring Shows Callouts and Callbacks]

What is interesting is that these visualization patterns are equally applicable to many combinations of fraud types and methods that use this common volume- and velocity-based attack pattern. Similar fraud attacks can combine any of the following fraud methods and fraud types:

Fraud methods:

- Wangiri
- Call and SMS Spamming
- SMS Phishing
- (V)PBX Hacking

Fraud types:

- International Revenue Share Fraud
- Domestic Revenue Share Fraud
- Premium Rate Service Fraud

VISUALIZING A CALL-BASED VOLUME AND VELOCITY MULTICHANNEL ATTACK

In this visualization, we will look at a variation of a call-based volume and velocity attack that utilizes multiple channels. Criminals have an arsenal of fraud types and fraud methods at their disposal, and they are able to use these on voice, SMS, and data, and also on combinations of these in multichannel attacks. We previously discussed a call-based attack where a robotic dialer called thousands of numbers and a percentage of people called back. We will now look at a similar attack method combining SMS and voice that shows SMS phishing (the fraud method) with premium rate service fraud (the fraud type). The diagram below looks similar to the Wangiri attack diagram we saw earlier, except in this case it involves a number texting thousands of people in Brazil. Each blue line is a text out, and in this case there are no callbacks.

[Figure: Multi-Channel Attack: SMS Phishing With Text Going Out and No Callbacks]

This does not mean the attack was unsuccessful, though. In this example the SMS attack used the text "We are trying to deliver flowers to your wife, please call this number", and it was a very successful fraud campaign. The diagram below shows a graph with only callbacks and no callouts, which is an example of a response on a separate channel.

[Figure: Multi-Channel Attack Response: Callbacks Only]

In summary, the attack pattern on one channel drove the response pattern on a separate channel.

VISUALIZING A CALL-BASED VOLUME AND VELOCITY MULTI-PRONGED GROUP ATTACK

Another variation of a call-based volume and velocity attack is one that uses a range of numbers or is committed by a group of people. You then see a sequence of clusters as opposed to a single cluster. This can be pictured as follows, where one attack is coordinated from 3 separate numbers (often in a close range) simultaneously:

[Figure: Coordinated 3-Way Multi-Pronged Attack]

VISUALIZING TIME-BASED VOLUME ATTACKS

In this visualization, we will look at two time-based volume attacks that show subscription fraud (a fraud method) and Wangiri fraud (a fraud method) used with international revenue share fraud (the fraud type). In this example, volume refers to the number of minutes used as opposed to the number of calls made. In the dashboard scenario map, shown earlier, a real-time machine learning algorithm has alerted you to the attacks. You drill down and see that two numbers have consumed a large number of minutes: one with 1,438 minutes and a high call volume, and one with 1,015 minutes and a low call volume.

[Figure: International Revenue Share Fraud: Minutes and Number of Calls]

International revenue share fraud (IRSF) is driven by both connection charges (as discussed earlier) and by the number of minutes consumed. The top 2 bars have both consumed large numbers of international minutes, but with a radically different number of calls. The green bar shows a number in Cuba that has received many short calls from subscriber victims in Brazil. This is likely a Wangiri attack, with victims calling back and getting charged high connection fees. As time is a key dimension here, keeping the victim on the phone for as long as possible when they call back is a key strategy. Criminals use techniques such as using an answer phone that sounds like the phone is still ringing, or asking someone to hold.

The brown bar shows a number in Peru that has also consumed a very large amount of minutes from callers in Brazil, but with a much smaller number of calls. This scenario typically indicates subscription fraud. In the case of subscription fraud, a phone is fraudulently bought or stolen and is then used by criminals to call international numbers for long periods of time.

VISUALIZING HIGH USAGE ROAMING DATA

While strictly not fraud, high usage is very important to most businesses, especially if it involves roaming data usage, since it is particularly expensive. High usage can indicate fraud, and being alerted to high usage as it happens (rather than when receiving the monthly bill) is critical for most businesses to avoid bill shock. The following diagram shows outliers for both outgoing data on the left and incoming data on the right.

[Figure: High Usage of Roaming Data: Outgoing and Incoming]

Interestingly, the outgoing data on the left appears to be a gradual curve and might not have been obvious, at first glance, as showing anomalous behavior.

Here is another view of that same data, but visualized in a way that makes the outliers (anomalies) much more obvious.

[Figure: High Usage of Roaming Data: Alternate View With Obvious Anomalies]

As can now easily be seen, certain users have an abnormal amount of either outgoing or incoming data traffic.
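The call-based Wangiri/callback scenario and the time-based high-minutes scenario above both reduce to per-number features on the two chart axes (number of calls and seconds consumed) that can be scored for anomalies. The following Python is an added illustration, not the authors' or Argyle Data's code: it builds constructed call detail records (every number is made up), uses median/MAD modified z-scores as the anomaly test instead of fixed thresholds, and labels the three patterns discussed; the score cut-off and duration limits are assumptions marked in the code.

```python
"""Per-number CDR features and median/MAD anomaly scores for the patterns above:
the Wangiri callout (many calls, ~0 s each), its callback target, and the
few-but-very-long-call pattern of subscription fraud. Added illustration with
constructed CDRs; not the authors' or Argyle Data's code."""
import random
from collections import defaultdict
from statistics import median

# Constructed numbers (not real): a Cuban robo-dialer, a Peruvian destination, a
# fraudulently obtained Brazilian handset and 2,000 ordinary Brazilian subscribers.
CUBA_DIALER = "+5370000001"
PERU_DEST = "+5112345678"
FRAUD_HANDSET = "+5511988880000"
SUBSCRIBERS = [f"+55119{i:07d}" for i in range(2000)]


def make_sample_cdrs(seed=7):
    """Return constructed (caller, callee, duration_seconds) rows."""
    rng = random.Random(seed)
    cdrs = []
    for sub in SUBSCRIBERS:                  # normal domestic traffic, 1-40 calls each
        for _ in range(rng.randint(1, 40)):
            cdrs.append((sub, rng.choice(SUBSCRIBERS), rng.randint(30, 600)))
    for sub in SUBSCRIBERS:                  # one-ring robo-dialer: every sub, 0 seconds
        cdrs.append((CUBA_DIALER, sub, 0))
    for sub in SUBSCRIBERS:                  # roughly 20% of victims call back briefly
        if rng.random() < 0.2:
            cdrs.append((sub, CUBA_DIALER, rng.randint(20, 90)))
    for _ in range(6):                       # few, very long international calls
        cdrs.append((FRAUD_HANDSET, PERU_DEST, rng.randint(18000, 22000)))
    return cdrs


def aggregate(cdrs):
    """Per-number outbound/inbound call counts and seconds (the two chart axes)."""
    feats = defaultdict(lambda: {"out_calls": 0, "out_secs": 0, "in_calls": 0, "in_secs": 0})
    for caller, callee, secs in cdrs:
        feats[caller]["out_calls"] += 1
        feats[caller]["out_secs"] += secs
        feats[callee]["in_calls"] += 1
        feats[callee]["in_secs"] += secs
    return feats


def robust_z(values):
    """Modified z-scores around the median and MAD: a few extreme numbers cannot
    inflate the centre or spread the way they would with mean and std deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # guard a degenerate spread
    return [0.6745 * (v - med) / mad for v in values]


def detect(cdrs, threshold=8.0):
    """Map number -> pattern labels. Threshold is an assumed cut-off. Outbound
    features are scored among numbers that placed calls, inbound among receivers."""
    feats = aggregate(cdrs)
    z = {}
    for side in ("out", "in"):
        nums = [n for n, f in feats.items() if f[f"{side}_calls"] > 0]
        for key in (f"{side}_calls", f"{side}_secs"):
            z[key] = dict(zip(nums, robust_z([feats[n][key] for n in nums])))
    alerts = defaultdict(list)
    for n, f in feats.items():
        zo_c, zo_s = z["out_calls"].get(n, 0.0), z["out_secs"].get(n, 0.0)
        zi_c, zi_s = z["in_calls"].get(n, 0.0), z["in_secs"].get(n, 0.0)
        avg_out = f["out_secs"] / f["out_calls"] if f["out_calls"] else 0.0
        avg_in = f["in_secs"] / f["in_calls"] if f["in_calls"] else 0.0
        if zo_c > threshold and avg_out < 1.0:
            alerts[n].append("wangiri_callout")        # many calls, ~0 s each
        if zi_c > threshold and avg_in < 120:
            alerts[n].append("callback_target")        # many short inbound calls
        if zi_s > threshold and zi_c <= threshold:
            alerts[n].append("long_call_destination")  # high minutes, few calls
        if zo_s > threshold and zo_c <= threshold:
            alerts[n].append("long_call_source")       # the subscription-fraud handset
    return dict(alerts)


def callback_rate(cdrs, dialer):
    """Share of numbers the dialer rang that later called it back (the red lines)."""
    rang = {callee for caller, callee, _ in cdrs if caller == dialer}
    returned = {caller for caller, callee, _ in cdrs if callee == dialer and caller in rang}
    return len(returned) / len(rang) if rang else 0.0


if __name__ == "__main__":
    rows = make_sample_cdrs()
    for number, labels in sorted(detect(rows).items()):
        print(number, labels)
    print(f"callback rate: {callback_rate(rows, CUBA_DIALER):.1%}")
```

Only the three constructed fraud numbers are flagged; the 2,000 ordinary subscribers, whose counts vary widely, stay well inside the median/MAD band.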

THE ROLE OF MACHINE LEARNING IN ANOMALY DETECTION

The visualizations we have examined so far easily allow humans to see fraud patterns, and they are equally applicable to fraud across:

- Call
- SMS
- Data

But how does a service provider get to the point where they can quickly identify anomalous behavior? It is not feasible to have fraud analysts manually inspect such an incredibly high number of individual calls and then create graphs to detect fraud. It simply doesn't scale.

Detecting known fraud types on small subsets of data is relatively easy. Detecting known fraud types when you have 24 hours to do it is relatively easy. Detecting known and new (unknown) types of fraud by looking at all the data all the time is very, very hard. There are simply too many callers with too many calls, too many texts, and too much data to do this the graphical, manual way.

The only way to detect anomalies is to apply machine learning at massive scale in real time. This was not possible until recently, but now there are systems available that utilize big data and Hadoop to do just that. When you have enough data, and you have access to that data in real time, you can detect fraud in real time. The math performed with machine learning makes fraud as obvious to the machine as these diagrams are to a human being.

[Figure: Wangiri Anomaly Detection View]

When you look at the chart above there is a cluster of calls in the bottom left corner, but one number, which sticks out like a sore thumb in the top left corner, has made over 21,000 calls and consumed almost zero seconds. This is obviously anomalous behavior, both to a human and a machine. Visualizations bring fraud to life and make it beautifully obvious to a human.

Part 3: A BIG DATA PLAYBOOK TO BEAT MOBILE FRAUD

Fraud is big business, driven by attack and defense/detection phases. Facebook, Google, and LinkedIn have pioneered big data and machine learning approaches to protecting their subscribers and gaining insight on vast amounts of data. We believe that CSPs can learn from the big data approaches taken and apply them to the mobile industry to detect and analyze fraud and create data lakes for new applications.

Facebook uses an immune system process, which was pictured like this in a paper they wrote on the subject:

[Figure: the immune system cycle of Attack, Initial Detection, Defense and Mutate phases]

During the Attack phase the attack has not been detected and is generating revenue for the cyber criminal gang. After Initial Detection the system is forming a defense strategy. During Defense, the barriers have been put in place and the attack is rendered ineffective. Modern cyber criminals are able to detect this and Mutate, to work around the defense mechanism.

The defender seeks to shorten the Attack and Detect phases while lengthening the Defense and Mutate phases. The attacker seeks the opposite: to shorten the bottom phases while lengthening the Attack and Detect phases.

There is a reason Facebook calls its machine learning fraud detection approach an immune system: it must constantly evolve to defend against both new attacks and mutations of existing attack vectors. But this type of machine learning is different and is called adversarial machine learning.

There is a famous phrase, "Lies, damned lies, and statistics", popularized in the United States by Mark Twain.

In a traditional machine learning environment, the end user cooperates with the machine learning algorithm because there is mutual benefit. For example, an end user will get better recommendations and more personalized advertisements, while Amazon sells more books and Google gets better click-through rates. But what if the user is a fraudster and the input he provides is lies and damned lies? That is where machine learning becomes adversarial machine learning.

Everything you track about a subscriber is called a feature. Features may be relatively static CRM or billing data such as:

- IMSI
- Corporate/SME/personal user
- Pre-pay/post-paid
- Payment history

Features may be real-time data such as:

- Total duration of minutes
- Total number of calls
- Count of numbers called
- Count of calls received
- Data consumption

Features may be dynamically generated such as:

- Days since activation
- Time between calls

In traditional machine learning, the goal is to improve the accuracy of the classifier based on the features. But adversarial machine learning is different. Fraud is a business. Assume it is impossible to completely stop. When you are being attacked by a cyber criminal gang the goals are:

- Speed (discover the fraud as quickly as possible)
- Cost to the attacker (measure features that are costly or hard to change)

Speed is important: a 2% false positive rate that impacts 1000 users/accounts is better than a 1% false positive rate that impacts 100,000 users/accounts. Cost to the attacker is also important, because fraud is a business driven by profit and time. If a feature is too costly to change, or if it makes the time frame for the fraud too big, you fundamentally make the attack unprofitable.

Google, Facebook, and LinkedIn are masters of adversarial machine learning. Facebook has developed what it calls an immune system that detects fraud at massive scale. For example, if a fraudster joins Facebook and has no friends on the network, but on his first day he writes 1000 "You have won the lottery!" posts, it's easy to create a feature such as "Number of posts per day," track those that exceed 1000, and catch the fraudster. However, it's also quick and easy for the fraudster to change his program and send out 999 posts. So if Facebook creates a derived feature, "Number of posts per day / Number of friends of more than 1 month," it's more difficult for the criminal to change, and even if he can get friends there will be no impact for one month. To do this effectively, feature selection is critical. Appropriate feature selection improves classifier accuracy more than a better algorithm.

What is effectively happening is that machine learning is being used to detect anomalous (or high usage) behavior in seconds or minutes as opposed to hours or days. This is possible on known fraud as well as mutations or new types of fraud. The beauty of continually analyzing data, and lots of it, across a data lake is that cyber criminal gangs cannot hide their anomalous behavior amongst the crowd. Through machine learning, the needles in the haystack stick out like sore thumbs. Through graph theory, accomplices also become very obvious.

Criminals make their money in mobile fraud by behaving in an anomalous way, exploiting loopholes or arbitrage opportunities in the system. If they continue to behave in this way, automated anomaly detection systems can now identify them. If they don't, they dramatically reduce their opportunity to make money. Both options are good for a mobile operator. The immune system approach is a perfect analogy for what is required in a modern fraud detection system.

The basis for this playbook is an immune system approach using adversarial machine learning and graph theory.
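As an added illustration of the three feature types listed earlier and of the derived, hard-to-fake feature idea (example code written for this edition, not Argyle Data's or Facebook's), the following Python builds static, real-time and generated features from constructed call detail records and scores every feature in parallel with a median/MAD robust z-score. The IMSIs, numbers and activation dates are constructed placeholders, and the robust-scoring choice and threshold are assumptions rather than the method the book describes.

```python
"""Feature engineering and robust anomaly scoring over constructed call detail records (CDRs)."""
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2016, 5, 1, 12, 0, 0)

# Constructed static CRM data: activation date per IMSI (placeholder identifiers, not real subscribers).
ACTIVATION = {f"IMSI{n:02d}": NOW - timedelta(days=1095 + 30 * n) for n in range(1, 10)}
ACTIVATION["IMSI99"] = NOW - timedelta(days=2)   # two-day-old account, the one-ring-and-cut source


def constructed_cdrs():
    """(imsi, start, callee, duration_s) tuples: nine ordinary subscribers and one Wangiri-style source."""
    cdrs = []
    for n in range(1, 10):
        for j in range(3 + n % 4):                   # 3..6 calls, two hours apart, a few minutes each
            cdrs.append((f"IMSI{n:02d}", NOW - timedelta(hours=2 * j + 1),
                         f"55119{n:02d}{j % 3:03d}", 120 + 30 * j))
    for j in range(400):                             # 400 two-second calls, 5 s apart, all to distinct numbers
        cdrs.append(("IMSI99", NOW - timedelta(seconds=5 * j), f"5521{j:07d}", 2))
    return cdrs


def build_features(cdrs, activation, now=NOW):
    """Per-subscriber feature vector mixing real-time usage, static CRM data and generated features."""
    per = {}
    for imsi, start, callee, dur in cdrs:
        p = per.setdefault(imsi, {"starts": [], "callees": set(), "dur_s": 0})
        p["starts"].append(start)
        p["callees"].add(callee)
        p["dur_s"] += dur
    feats = {}
    for imsi, p in per.items():
        starts = sorted(p["starts"])
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        days = max((now - activation[imsi]).total_seconds() / 86400, 1.0)
        feats[imsi] = {
            "n_calls": len(starts),                              # real-time
            "total_minutes": p["dur_s"] / 60,                    # real-time
            "distinct_callees": len(p["callees"]),               # real-time
            "days_since_activation": days,                       # generated from static CRM data
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,  # generated: time between calls
            "mean_call_s": p["dur_s"] / len(starts),             # derived: many calls, almost no talk time
            "calls_per_account_day": len(starts) / days,         # derived: account age is slow to fake
        }
    return feats


def robust_z(values):
    """Median/MAD z-scores: an outlier cannot inflate the scale it is judged against, unlike mean/stdev."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    scale = median(dev) or sum(dev) / len(dev)       # fall back to mean deviation when the MAD is zero
    if scale == 0:                                   # every value identical: nothing is anomalous
        return [0.0] * len(values)
    return [0.6745 * (v - med) / scale for v in values]


def score_subscribers(feats, threshold=3.5):
    """Look at every feature in parallel; return {imsi: [features on which it is an outlier]}."""
    imsis = sorted(feats)
    flagged = {}
    for key in feats[imsis[0]]:
        for imsi, z in zip(imsis, robust_z([feats[i][key] for i in imsis])):
            if abs(z) > threshold:
                flagged.setdefault(imsi, []).append(key)
    return flagged


if __name__ == "__main__":
    for imsi, keys in score_subscribers(build_features(constructed_cdrs(), ACTIVATION)).items():
        print(imsi, "is an outlier on:", ", ".join(keys))
```

Note that total minutes alone does not separate the Wangiri source from ordinary subscribers; the derived seconds-per-call and calls-per-account-day features do, which is the point about feature selection.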

PLAY 1 - INTEGRATE TEXTUAL ALERTS AND GRAPHIC ALERTS WITH CONTEXTUAL INFORMATION

Alert Showing Roaming Fraud in Colombia

This playbook starts off with an email alert notifying the analyst about Brazilian subscribers roaming in Colombia making an anomalous number of calls to Uruguay, Ecuador, and Cuba. The graphic alert conveys additional information, showing, for example, roaming patterns globally. It can also be set up to animate call volumes specifically from Colombia over a month, showing an anomaly today. This immediately adds context to the fraud.

PLAY 2 - INTEGRATE MACHINE LEARNING AND VISUALIZATION

The previous chapter used visualizations to make fraud beautifully obvious. Machine learning and visualizations are very complementary. Humans often want to see visualizations that convey data for extra understanding and insight into the fraud technique or method. Anomaly detection visualizations show outliers but lose useful context. When you combine the two you have a very powerful detection and analysis approach as a starting point in the playbook.

Roamer Activity Filtered to Show Roaming Fraud

In the visualization above the analyst has received an alert to roaming fraud. He can look at a tab of all roamer activity. This could be vast. The needles in the haystack can be visualized by combining the chart with machine learning: selecting the roaming fraud filter (top right) reduces thousands of calls to a handful of outliers.

PLAY 3 - USE DATA LAKE APPLICATIONS TO INCREASE THE ACCURACY OF FRAUD DETECTION

Many of the dashboards have applied machine learning against a single data source from the data lake. This by itself can be very effective. The approach can be improved by data lake applications that use data from multiple sources.

Dashboard View Showing Data from Multiple Sources

The dashboard above combines TD.35 data, billing records, and CRM data. This allows both a human and a machine learning algorithm to distinguish between an anomalous amount of roaming voice (or SMS or data) used by a business user who has paid their bill on time for the last five years, and the same usage by a new post-paid user who has been a subscriber for 5 days.

PLAY 4 - THE POWER OF MACHINE LEARNING AND ANOMALY DETECTION

We have previously looked at anomaly detection visualizations such as the Wangiri view that follows. This anomaly is obvious to a human being and is based on the features number of calls and total duration in minutes.

Wangiri Anomaly Detection View

Machine learning algorithms are able to look at many, many features in parallel. This is visually analogous to continually looking at many, many visualizations similar to the one above, but using different features. This, combined with a data lake of many sources, is why machine learning is so powerful:

Many features (static, real-time, and generated) + Many data sources + Real-time machine learning

is what identifies the needles in the haystack. To do this requires the ability to access lots of data with lots of compute power: big data.

PLAY 5 - DETECT CRIME RINGS, NOT JUST INDIVIDUALS

Criminals often work in gangs as opposed to by themselves. Graph theory allows us to see not only who the criminals have called, but also the numbers connected at the second and third levels. The diagram below is particularly interesting. We see three centers of activity with criminals calling out to multiple victims. This quickly identifies not only an individual criminal, but also an organized crime ring.

Crime Ring with Two Major Criminals and One Minor Criminal

PLAY 6 - DETECT AT THE TEST PHASE, BEFORE THE ATTACK MOUNTS UP

As well as the three criminals operating together, what is particularly interesting in the previous image are the three dots in between the two major clusters. These are test numbers used by criminals before they launch a major assault. Knowing these numbers, we can predict that if anybody calls them in the future, an attack is likely imminent from the number calling into the test number.

PLAY 7 - DETECT LOCAL ACCOMPLICES

Criminals working from abroad typically need a local accomplice. Again, by applying graph theory, we can discover the accomplice. The criminal may have made tens of thousands of calls. However, most of the numbers are called only once or twice, and very few of the calls are a conversation. What we can see here is that the criminal speaks primarily to four people, and one of them he not only calls, but gets calls back from regularly. This is his local accomplice in Brazil.

Graph Drilldown to Detect Criminal Accomplices
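The graph analysis of Plays 5, 6 and 7, as an added example that is not Argyle Data's code: a directed call graph over constructed CDRs is used to find the centres of activity, the numbers dialled by both major hubs (the test numbers), later callers into those test numbers, and the callees with regular two-way calls (the local accomplice). Every number is a constructed placeholder and the thresholds are assumptions.

```python
"""Call-graph analysis over constructed CDRs: crime rings, shared test numbers and local accomplices."""
from collections import defaultdict, deque


def constructed_cdrs():
    """(caller, callee) pairs; every number here is a constructed placeholder."""
    cdrs = []
    hubs = {"CRIM_A": 30, "CRIM_B": 25, "CRIM_C": 8}   # two major and one minor centre of activity
    for hub, n_victims in hubs.items():
        cdrs += [(hub, f"VICTIM_{hub[-1]}{i:02d}") for i in range(n_victims)]
    for hub in ("CRIM_A", "CRIM_B"):                    # three numbers dialled by both major hubs
        cdrs += [(hub, t) for t in ("TEST_1", "TEST_2", "TEST_3")]
    cdrs += [("CRIM_A", "ACCOMPLICE")] * 12 + [("ACCOMPLICE", "CRIM_A")] * 10   # two-way, regular
    cdrs += [("ACCOMPLICE", "LOCAL_MULE")] * 2            # a second-level connection via the accomplice
    for other in ("CONTACT_Q", "CONTACT_R", "CONTACT_S"):
        cdrs += [("CRIM_A", other)] * 4                   # called repeatedly, but never calls back
    return cdrs


def build_graph(cdrs):
    """Directed weighted call graph: out[caller][callee] = number of calls."""
    out = defaultdict(lambda: defaultdict(int))
    for caller, callee in cdrs:
        out[caller][callee] += 1
    return out


def centres_of_activity(out, min_distinct_callees=5):
    """Numbers fanning out to many distinct callees: the hubs of a crime ring (Play 5)."""
    return sorted(c for c, callees in out.items() if len(callees) >= min_distinct_callees)


def shared_callees(out, hubs):
    """Numbers called by two or more hubs: candidate test numbers dialled before an attack mounts up (Play 6)."""
    count = defaultdict(int)
    for hub in hubs:
        for callee in out.get(hub, {}):
            count[callee] += 1
    return sorted(c for c, k in count.items() if k >= 2)


def callers_into(out, watchlist, known):
    """Callers into watch-listed test numbers that are not already known hubs: early warning of a new attacker."""
    return sorted(c for c, callees in out.items() if c not in known and watchlist & set(callees))


def accomplices(out, hub, min_each_way=3):
    """Callees the hub converses with: calls flow both ways, regularly, unlike one-shot victim calls (Play 7)."""
    return sorted(c for c, n in out.get(hub, {}).items()
                  if n >= min_each_way and out.get(c, {}).get(hub, 0) >= min_each_way)


def reach(out, start, depth):
    """Numbers connected within `depth` hops of `start` (second- and third-level connections)."""
    seen, frontier = {start}, deque([(start, 0)])
    while frontier:
        node, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in out.get(node, {}):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, d + 1))
    return seen - {start}


if __name__ == "__main__":
    g = build_graph(constructed_cdrs())
    hubs = centres_of_activity(g)
    tests = shared_callees(g, hubs)
    print("crime ring:", hubs, "test numbers:", tests)
    print("accomplice of CRIM_A:", accomplices(g, "CRIM_A"))
    print("connections of CRIM_A within three hops:", len(reach(g, "CRIM_A", 3)))
```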

THE APPLICABILITY OF THIS VOLUME AND VELOCITY PLAYBOOK TO MULTIPLE VARIETIES OF FRAUD TYPES AND METHODS

Volume, velocity, and variety are key underpinnings of both big data and mobile fraud. This playbook is applicable to many combinations of fraud types and fraud methods. For example, the fraud type where monetization occurs could be a premium rate number or an international revenue share number. The fraud method to drive traffic could be a Wangiri attack or an SMS phishing attack. Both have similar patterns and can be detected using similar machine learning techniques.

SUMMARY

This book has outlined what machine learning, when combined with big data, does at scale; this is the approach pioneered by Facebook and Google. To defend their subscribers they have developed an immune system. Imagine if your body's immune system could only protect you from viruses you had already experienced. This is how most fraud management systems operate today, detecting known, old types of fraud and failing to detect new variants or combinations of fraud. If your immune system behaved like this, you would be dead. Carriers are losing millions of dollars because of this, and many don't even know what they are losing and where they are losing it. What is needed is a fraud management system that behaves like an immune system, rapidly evolving and adapting to both new attacks and new types of attacks. Big data and machine learning are littered with a new vocabulary and set of acronyms, but what is important is what they provide: a way to deliver anomaly detection, at massive scale and in real time, to make fraud as obvious to a machine as the diagrams are to a human being. Mobile carriers truly do have Big Data and have the opportunity to use it for good: beating fraud, protecting subscribers, and saving millions of dollars.

Appendix A: COMMON KNOWN FRAUD TYPES

INTERCONNECT BYPASS FRAUD

At a Glance: This fraud involves unauthorized insertion of traffic into another carrier's network without going through the traditional interconnect route.

Cost to the Industry: Interconnect bypass fraud costs the industry:
- $5.97 billion globally
- $1.78 billion in North America
- $1.15 billion in Western Europe

Interconnect Bypass Fraud in Action: International calls cannot be processed and completed through one phone carrier, so the originating carrier routes traffic via an intermediary phone carrier for an additional fee called a settlement rate. For example, a subscriber calling from country A to country D may interconnect through countries B and C, where each country receives an interconnection fee. With interconnect bypass fraud, the call is connected from country A directly to country D without going through countries B and C, thereby depriving the carriers in countries B and C of their fees. One fraudulent approach for this type of fraud is to connect calls through the Internet directly to a box of SIM cards in the destination country, which then connects the caller to the callee.

INTERNATIONAL REVENUE SHARE FRAUD (IRSF)

At a Glance: This fraud involves artificially inflating traffic to a foreign number.

Cost to the Industry: IRSF costs the industry:
- $10.75 billion globally
- $3.21 billion in North America
- $2.07 billion in Western Europe

International Revenue Share Fraud in Action: IRSF can be committed domestically or, more commonly, while roaming. Certain countries have particularly high interconnection fees and are a focus for IRSF. Wangiri fraud, SMS fraud, subscription fraud, and PBX fraud are the typical methods used to artificially inflate traffic to international numbers. A further way to inflate the call traffic is by using conference call numbers to have multiple simultaneous calls. IRSF, combined with premium rate service fraud, recently made headlines when two individuals were arrested for gaining access to business telephone systems and using the systems to place international telephone calls to premium rate numbers. This cost the victims more than US$50 million. The success of their operation got the perpetrators put on the FBI's cyber most wanted list.

PREMIUM RATE SERVICE FRAUD

At a Glance: This fraud involves artificially inflating traffic to a premium rate number.

Cost to the Industry: Premium rate service fraud costs the industry:
- $3.74 billion globally
- $1.12 billion in North America
- $0.72 billion in Western Europe

Premium Rate Service Fraud in Action: Wangiri fraud, SMS fraud, subscription fraud, and PBX fraud are the typical methods used to artificially inflate traffic to premium rate service numbers.

Appendix B: FRAUD METHODS

ABUSE OF SERVICE TERMS AND CONDITIONS / NEGATIVE MARGIN

At a Glance: This fraud involves a violation of the carrier's service terms and conditions or acceptable use policy, causing the carrier to lose money on a subscription.

Cost to the Industry: Negative margin or abuse of service terms and conditions costs the industry:
- $1.17 billion globally
- $0.53 billion in North America
- $0.34 billion in Western Europe

Abuse of Service Terms and Conditions Fraud in Action: An example of violating the carrier's service terms and conditions would be a subscriber with an unlimited data plan who downloads videos 24x7x365. Negative margins can occur at the individual, family, or enterprise level.

IMEI REPROGRAMMING

At a Glance: This fraud happens when a fraudster changes the IMEI (International Mobile Station Equipment Identity) number of a handset to hide the true origination of the device.

Cost to the Industry: IMEI reprogramming fraud costs the industry:
- $0.58 billion globally
- $0.18 billion in North America
- $0.11 billion in Western Europe

IMEI Reprogramming in Action: Each phone that contains a SIM card is identified by a unique IMEI. When a criminal steals a handset, they change the IMEI to hide the true origination of the handset or the identity of the caller.

PBX HACKING / IP PBX HACKING

At a Glance: This fraud involves compromising/hacking a PBX system with the intent to use it to make an excessive number of calls, typically to an international or premium rate number.

Cost to the Industry: PBX hacking costs the industry:
- $7.47 billion globally
- $2.22 billion in North America
- $1.44 billion in Western Europe

PBX Hacking in Action: PBX hacking is a natural partner to international revenue share fraud or premium rate service fraud, and it recently came to prominence when it made the front page of the New York Times in an article titled "Phone Hackers Dial and Redial to Steal Billions." In one example in the article, a small architecture firm had $166,000 worth of calls routed from the firm to premium rate numbers in Gambia, Somalia, and the Maldives over a single weekend. It would have taken 34 years for the firm to run up those charges legitimately based on its typical phone bill.

PHISHING

At a Glance: This fraud is the illegal attempt to either acquire sensitive information or induce a subscriber to commit an act that generates revenue for the criminal.

Cost to the Industry: Phishing costs the industry:
- $1.57 billion globally
- $0.47 billion in North America
- $0.30 billion in Western Europe

Phishing in Action: Phishing is typically done by masquerading as a trustworthy entity via electronic communication using voice, SMS, or email. One famous and very successful phishing campaign involved a text message being sent out that said "We are trying to deliver flowers to your wife. Please call this number XXXXX." The number listed was a premium rate number that generated revenue for the fraudsters, and this scam had a very high conversion rate.

SIGNAL MANIPULATION / SIP AND SS7 HACKING

At a Glance: This fraud involves manipulation of either the SIP or SS7 signaling message.

Cost to the Industry: Signal manipulation costs the industry:
- $0.40 billion globally
- $0.12 billion in North America
- $0.08 billion in Western Europe

Signal Manipulation in Action: Just as the Internet runs on TCP/IP and HTTP, the mobile world uses SIP and SS7. Traditionally, this form of hacking has been used to hide the true origination or identity of the caller. The losses shown above are relatively small when compared to other fraud methods, but recent announcements by German researchers showed that security flaws could let hackers and criminals listen to private phone calls and intercept text messages on a potentially massive scale. This is particularly dangerous when two-factor authentication uses a text message. This has made signal manipulation and SS7 hacking a high priority for the mobile industry.

SIM CLONING

At a Glance: This fraud involves duplicating a SIM card to charge the cost of phone calls back to the owner of the original SIM card, similar to cloning a credit card.

Cost to the Industry: SIM cloning costs the industry:
- $0.40 billion globally
- $0.12 billion in North America
- $0.08 billion in Western Europe

SIM Cloning in Action: SIM cloning involves duplicating a SIM card so that someone else pays the cost of your usage. The subscriber may not even notice the usage until the billing period ends, and even then they may not look at the bill. This form of fraud is often used in conjunction with premium rate service fraud and international revenue share fraud.

SMS FAKING OR SPOOFING

At a Glance: This fraud involves manipulating the ANI (automatic number identification) to hide the true origination or identity of the caller by showing an incorrect caller number.

Cost to the Industry: SMS faking or spoofing costs the industry:
- $0.79 billion globally
- $0.23 billion in North America
- $0.15 billion in Western Europe

SMS Faking or Spoofing in Action: SMS faking or spoofing is often used in phishing scams to obtain identity information from unsuspecting users. It can also be used to make foreign numbers appear as local numbers.

SUBSCRIPTION FRAUD AND NEVER PAY

At a Glance: This fraud is the use of a service with no intent to pay.

Cost to the Industry: Subscription fraud costs the industry:
- $8.05 billion globally
- $2.40 billion in North America
- $1.55 billion in Western Europe

Subscription Fraud and Never Pay in Action: Subscription fraud is a very large problem that is growing in two dimensions. Part of the reason for the dramatic growth in Never Pay is people's desire for an iPhone or the latest Samsung phone. They will go into a shop, use a stolen identity to acquire a $600 phone that is subsidized to $200, walk out of the shop, and never pay the remainder of the contract. They will then root or jailbreak the phone and sell it illegally. A second form of subscription fraud is acquiring a post-paid phone service, again with stolen identity details, and then proceeding to use the service in an excessive way during the initial billing period with no intent to ever pay the bill. A variation on this with similar patterns of behavior is when a phone is stolen and there is a pattern of excessive usage.

WANGIRI FRAUD

At a Glance: In Japanese, "wan" means "one" and "giri" means "hang up." This type of fraud, also known as "one ring and cut," involves calling thousands of mobile phone users from a premium rate number, letting the call ring once, then hanging up. The goal is to get the unsuspecting victims to call the number back.

Cost to the Industry: Wangiri fraud costs the industry:
- $1.77 billion globally
- $0.53 billion in North America
- $0.34 billion in Western Europe

Wangiri Fraud in Action: The Wangiri approach of one ring and cut is particularly successful when combined with international revenue share fraud and premium rate service fraud. The call the user sees as a missed call appears to be coming from a domestic number when, in fact, the number is connected to an international premium rate service line. On average about 20% of people will return the missed call. The profitability of this fraud is further enhanced by tricks to keep the caller on the line as long as possible, such as playing a recording that sounds as if the phone is still ringing or asking the caller to hold.

ABOUT THE AUTHORS

Dr. Ian Howells
Chief Marketing Officer, Argyle Data
ian.howells@argyledata.com

Dr. Ian Howells is a passionate technologist and serial entrepreneur with over 25 years' experience building successful technology companies through IPO and acquisition. Prior to joining Argyle Data, Ian held senior marketing roles at Documentum from its early days through to IPO, SeeBeyond through its IPO and acquisition by Sun, Alfresco from a startup to the largest private open source company in the world, and StorSimple, acquired by Microsoft. Ian has a Ph.D. in distributed databases and has published a number of papers and contributed to books on related topics. Ian speaks and writes widely on applying big data analytics and machine learning techniques to fraud or marketing and on open source. He previously penned the blog Open Source Hearts and Minds for Computerworld and currently writes for Fraud and Technology Wire.

Dr. Volkmar Scharf-Katz
VP of Mobile Strategy and Solutions, Argyle Data
volkmar.scharf-katz@argyledata.com

Dr. Volkmar Scharf-Katz has over 15 years of experience in the mobile industry specializing in analytics, big data platforms, and communication technologies. Previously, he was Chief IP Networks Partner, R&D and Head of Service Platform at Vodafone, where he was responsible for building advanced computing environments to demonstrate real-time analytics, showcase artificial intelligence and develop mobile applications. Dr. Scharf-Katz has a Ph.D. in computer science and information technology from Stanford University. He has vast and successful international experience in creating new and disruptive solutions for communication networks and mobile banking, and he also holds several patents.

Padraig Stapleton
VP of Engineering, Argyle Data
padraig.stapleton@argyledata.com

Padraig Stapleton brings years of industry-leading management and technical expertise across a number of areas including mobile telecommunications and big data. Most recently he was VP of Engineering and Operations for the Big Data group in AT&T, responsible for development of their big data platform. Previously to that he was involved in a number of successful startups as VP of Engineering, building development teams and delivering innovative products to the market place. Padraig has held senior leadership roles in various companies including Telephia, which was acquired by Nielsen, and InterWave Communications.

ABOUT ARGYLE DATA

Argyle Data is used by the world's leading mobile operators to detect fraud, profit, and SLA threats that cost the industry $38 billion per year. Argyle Data's industry-leading native Hadoop application suite uses the latest machine learning technologies against a unique, comprehensive data lake to give communications service providers a 360-degree view of user activities, allowing them to detect in real time the previously undiscoverable revenue threats and attack patterns being waged against their networks.

ARGYLE DATA, INC.
2755 Campus Drive, Suite 165
San Mateo, CA 94403 USA
Tel: 800.695.6021
Email: info@argyledata.com
Web: www.argyledata.com
Version 052016