Embed Size (px)
Citation preview
Mobile network protection system against
fraudulent and unwanted messaging traffic
T. Gojević, K. Matas, M. Skomeršić and M. Žuvanić
Infobip Ltd / Products and Solutions dpt., Zagreb, Croatia
{tomislav.gojevic, kristijan.matas, marko.skomersic, marko.zuvanic}@infobip.com
In this paper, mobile network protection system against
fraudulent and unwanted messaging traffic is discussed.
Application to Person (A2P) messaging traffic is raising
every year and with that raise fraudulent and unwanted
traffic is gaining momentum as well. Home Location
Register (HLR) lookup, Short Message Service (SMS) and
Unstructured Supplementary Service Data (USSD) is
exchanged between mobile network operators and along
with regular traffic, there are also cases of traffic affecting
network performance, link utilization and subscriber
satisfaction. This paper will, discuss technical, commercial
and security challenges of the aforementioned messaging
traffic and how mobile network protection system can help
to solve them.
Keywords: mobile networks, SMS, HLR, USSD, A2P
I. INTRODUCTION
Total SMS traffic in the world is expected to reach
9.089,3 billion in 2012 from 8.015,5 billion in 2011[1].
Along with the increase in regular Person to Person (P2P)
and Application to Person (A2P) SMS traffic, there is
also a huge increase in unwanted and fraudulent SMS
traffic, and vast numbers of HLR lookups and USSD
traffic that is either not regulated or it is used for some
other purposes than the one it was created for.
All of the aforementioned trends significantly
influence mobile network performance; link utilization
and subscriber (dis)satisfaction, which leads to subscriber
churn and potential loss of revenue for a mobile network
operator (MNO).
To minimize these issues, mobile network operators
were looking for a platform, similar to a firewall, to
protect their network against various cases of spam,
signalling overload, faking inside SS7 signalling parts of
the message, theft of identity and unbalanced messaging
traffic.
The only way to analyse and essentially stop
fraudulent messaging traffic in real time is to integrate an
SS7 analysing system directly on the signalling links.
This way an MNO is able to detect all unwanted
messaging traffic without any delay, which leaves no
time for the fraudsters to adapt and change the patterns of
behaviour.
II. TECHNICAL BACKGROUND
Standard SMS signalling flow, composed of HLR
lookup and followed by SMS delivery, is displayed on Figure 1.
SMSC
SRI_SM_REQ
SRI_SM_RESP
MOBILE network B
HLR MSC/VLR
MT_FWD_SM
MT FSM ACK
MOBILE network A
Figure 1.
Standard SMS signalling flow
Standard network initiated USSD signalling flow is
depicted below on Figure 2.
USSD GW
SRI_SM_REQ
SRI_SM_RESP
MOBILE network B
HLR MSC/VLR
PROCESS_UNSTRUCTURED_SS_REQUEST
PROCESS_UNSTRUCTURED_SS_REQUEST
MOBILE network A
...
Figure 2.
Standard USSD signalling flow
784 MIPRO 2012/CTI
When sending signalling messages to other networks,
mobile network nodes use, among other distinctive
marks, addresses – Global Titles (GT) to represent
themselves to other network nodes. GT is written in two
different layers of an SS7 signalling message, Signalling
Connection Control Part (SCCP) [2] and Mobile
Application Protocol (MAP) [3]. From its beginning, SS7
was a relatively closed network community; with none or
very little access to external parties e.g. service providers.
But in the recent years mobile network operators have
started to open their networks and provide access to the
SS7 signalling network, to external parties. That resulted
in usage of HLR, SMS and USSD signalling messages
for other purposes that originally intended. Mobile
network operators have some very basic and crude ways
of stopping unwanted messaging traffic, but there is no
bulletproof way of stopping various manipulations on the
SCCP and MAP level i.e. changing of Global Titles to
bypass basic blocking rules inside network nodes.
Below are various techniques on how to avoid basic
blocking rules and cases that are troubling the mobile
network operators:
SMS Fake – occurs when an incoming
message (MT_FWD_SM) comes from a
foreign SMSC, and terminates at one of the
receiving operator’s VLR/MSCs. The
message bears a manipulated originating
address, destination address, or other
items.[4]
SMS spoofing – SMS-MO (coming into
operators network from a foreign
VLR/MSC, and terminating at operators
network SMSC) which bears a wrong
originating address, a wrong destination
address, or other manipulated items.[4] SMS Spam – occurs when the receiving
network clients receive unsolicited SMS
Unbalanced HLR, SMS and/or USSD traffic
– occurs when an operator receives more
messaging traffic from a certain partner
operator than it sends back. This results in a
signalling misbalance and higher costs for
the receiving operator
Unsolicited USSD – occurs when an
operator clients start to receive unsolicited
USSD sessions to their mobile phone
screens. USSD is not regulated and there are
virtually no benefits for the receiving
network
To be able to handle these cases, mobile network
operators should use a robust system that is placed
directly on the signalling links.
Figure 3.
MNO protection system
As shown on Figure 3, MNO protection system can be
deployed in two different ways; passive, where the
system doesn’t interfere with the signalling flow but
rather receives a carbon copy of the signal attenuated by -
20 or -30 dB (so it doesn’t interfere with the original
signal) through a Protected Monitoring Point (PMP) [5]
and analyses it; active, where the system is directly on the
signalling link and it can interfere with the signalling
flow e.g. stop a signalling unit, or generate a “dummy”
response as if was coming from a real network node.
MNO protection system receives the Message Signal
Unit (MSU) on the monitored E1 link(s) and analyses
SCCP and MAP parts of an MSU is displayed in Figure
4.
------------------------------------------------------
SCCP ITU
------------------------------------------------------
IE: Called Party Address
00001000 Subsystem number (SSN) = 8 (MSC)
00000000 Translation type (TT) = 0 (unknown)
0001---- Numbering Plan (NP) = 1 (ISDN/telephony numbering plan
(Recommendations E.163 and E.164))
-0000100 Nature of Address Indicator (NAI) = 4 (international number)
0------- Spare = 0 (Spare field (1 bit))
Address signals = 18763800XXX
IE: Calling Party Address
00001000 Subsystem number (SSN) = 8 (MSC)
00000000 Translation type (TT) = 0 (unknown)
0001---- Numbering Plan (NP) = 1 (ISDN/telephony numbering plan
(Recommendations E.163 and E.164))
-0000100 Nature of Address Indicator (NAI) = 4 (international number)
0------- Spare = 0 (Spare field (1 bit))
Address signals = 3859XX000000
------------------------------------------------------
MAP
------------------------------------------------------
application-context-name = { 0 4 0 0 1 0 21 3 } (shortMsgMO-RelayContext-v3)
OP Code = 46 (MO-ForwardSM)
MAP-SM-DataTypes.MO-ForwardSM-Arg
sm-RP-DA = serviceCentreAddressDA
Address signals = 385XX3800XXXf
sm-RP-OA = msisdn
msisdn = 91 81 67 74 70 59 f2
Address signals = 18764707XXXf
imsi = XXXXX0000139753f
Figure 4.
MNO protection system
Parts that are in bold and italic should be the same,
but by manipulation on the MAP layer, third party that
has access to the MNO signalling network is able to
bypass basic blocking rules by implementing a so called
trusted GT inside MAP layer.
MIPRO 2012/CTI 785
MNO protection system is able to detect any kind of
manipulation on either SCCP or MAP layer, along with
tracking of:
Incoming and outgoing traffic balances –
shows that there are some mobile networks
that are sending a lot of A2P and spam
traffic. Counting of incoming and outgoing
SMS
Signalling link (over)load – shows Denial
of Service (DoS) attempts. Counting of
signalling MSU messages in a pre-defined
time window
Excessive HLR lookup requests – shows an
misuse of HLR lookups which should be
used only for routing purposes. Counting of
incoming HLR lookups compared to
incoming SMS coming from the same
network, measured ratio greater than 2.5
should be considered as fraudulent activity.
SMS spam – unwanted SMS traffic, not
requested by the user. Counting of all
incoming SMS that have in their SMS text
words or phrases that are on the spam
definition list
Unsolicited USSD traffic – unwanted
USSD traffic, not requested by the user.
Counting of incoming USSD related
signalling MSU messages
III. IMPACT ON MOBILE OPERATORS
Mobile network operators, like mentioned before, are
facing issues with misuse of their signalling network and
subscriber churn, but there is also one impact most
measurable just by a glance at the traffic volume figures.
Mobile network operators exchange, on a daily basis,
hundreds of thousands or even millions of HLR, SMS
and USSD messages. If these figures, when comparing
incoming and outgoing traffic, are roughly the same it
means that the network is pretty well protected, but if
these figures are greatly misbalanced, it means that the
MNO is poorly protected.
There is an example of incoming and outgoing
messaging traffic for one day in figure 4 and figure 5,
where it is very clear that there is a huge misbalance of
incoming and outgoing traffic (approx. 350 000 messages
during peak time).
Figure 4.
Incoming messaging traffic
Figure 5.
Outgoing messaging traffic
Mobile operator doesn’t have the means to capture
and detect these kinds of anomalies in the messaging
traffic in real time, but rather this was detected after
analysing the Call Data Records (CDR), with at least 24
hour delay.
With a network protection system the following
information were at hand immediately:
Country from where the traffic originated
Network from which the traffic originated
Global Title (GT) from which the traffic
originated
Type Of Number (TON) of the senders
Sender identification
Extracts from the reports that are provided in real time
to the mobile network operators, which contain the
aforementioned data is shown in Figure 6 and Figure 7.
786 MIPRO 2012/CTI
Figure 6.
SMS traffic misbalance report
Figure 7.
Sender identification and TON report
Figure 6 shows the SMS traffic misbalance i.e. it shows
the ratio of incoming to outgoing SMS traffic, the graph
shows that the incoming traffic is much bigger in volume
compared to the outgoing traffic. This means that the MNO
is receiving a lot of A2P SMS traffic, which is entering the
network without his knowledge, and ultimately without
financial benefit for the MNO.
Figure 7 shows top networks from where the SMS traffic
is coming from. Looking at this graph, the MNO can
immediately know what kind of SMS traffic is entering the
network e.g. alphanumeric senders (e.g. BARCLAYS
BANK), international senders (e.g. 447781234567). By
gaining knowledge on what kind of traffic is entering the
network, MNO can better adjust the protection system to
block certain type of traffic.
By implementing the mobile network protection system,
the MNO can eliminate the entire traffic with alphanumeric
senders, international senders that repeat themselves, Global
Titles which are used for A2P traffic exclusively, SMS
fraudulent traffic and SMS spam. SMS spam and unwanted
A2P traffic are toughest to detect and the mobile network
protection system needs to be updated regularly to maintain
a high rate of detection of 80 up to 87% of the
aforementioned cases
IV. CONCLUSION
This paper addresses potential threats and risks that are
rising along with the raise of global messaging traffic,
especially A2P, and gives an example of how those threats
and risks could be mitigated with a network protection
system. Not only that the network protection system would
help mobile network operators to gain real time insight on
what is happening on their signalling links, but it could also
help them protect their end customers, influence the
regulators to improve the deficiency of relative laws and
regulations [6] and ultimately operators could protect their
revenue too.
REFERENCES
[1] Mobile Messaging Futures 2011-2015, Analysis and Growth
Forecasts for Mobile Messaging Markets Worldwide: 5th edition, Portio Research Limited, 2011.
[2] ITU-T Q.711, “SERIES Q: SWITCHING AND SIGNALLING, Specifications of Signalling System No. 7 – Signalling connection control part (SCCP), Functional description of the signalling connection control part”, Mar. 2001.
[3] 3GPP TS 29.002, “Mobile Application Part (MAP) specification”, Dec. 2011.
[4] GSMA doc. AA.50, “SMS Fraud Criteria”, Aug. 2004.
[5] ITU-T Q.772, “GENERAL ASPECTS OF DIGITAL TRANSMISSION SYSTEMS”, Mar. 1993.
[6] Chen Yong-feng, “Causes and Countermeasures of Fraud Cases by SMS”, Journal of Beijing People’s Police College, Feb. 2006.
[7] Huang Liang-you, “On the Fraud by Mobile Phone Short Message and Its Countermeasures”, College of Law, Chongqing University of Posts and Telecommunications, Chongqing, Jun. 2008.
[8] Asival M., Sirat D:, Susatyo B., Electr. Eng. Dept. Univ. of Inodneisa, Depok, “Design and analysis of anti spamming SMS to prevent criminal deception and billing fraud: Case Telecom Flexi”, Management of Innovation and Technology, 2008.
MIPRO 2012/CTI 787
