Cellular Fraud: How's it happening and what are they doing to prevent it?

written by: mstrmind
special thanks to Blackax

The cellular industry is a booming business. Its revenues top 20 billion dollars a year in America alone, and with cheaper phones and cheaper contracts it grows every year. With any industry that large there is fraud. People are out there every day trying to find out either how to make a free call, or just how to beat the system. Some people get caught, though most go unharmed. As of 1999 there have been a little over 1000 people arrested and tried for cellular fraud, most with multiple counts. Jail time usually looks like 5-15 years and a very, very large fine, upwards of 1/4 million dollars. Experts say that over 800 thousand dollars each day, and 600 million dollars each year, are lost to cellular fraud, which is approximately 2.5% of the total revenues of the cellular industry. That seems to be about par for stolen goods in any industry: the average lost stock in a Target store is 1.5% of total sales, which is roughly $400,000 per store.

First, let's look at how a cell phone actually works. (Note: I'm just talking about AMPS right now. AMPS = Advanced Mobile Phone System, aka analog.) You fire your cellular phone up, and the nearest cell tower in your cell picks you up. In your cell there is a base station that houses several transceivers and different types of control equipment for all the channels assigned to that cell. From there the base station contacts the area's MTSO (mobile telephone switching office), which in turn contacts the CO (central office).

The cellular radio freqs have been nicely broken down by the FCC into 2 bands. There are also bands around 1.9 GHz used by Sprint and for GSM, but I'm not gonna be getting into that.
                   Band A - Non Wireline    Band B - Wireline
Control Channels   21 (313-333)             21 (334-354)
Voice Channels     001-312                  355-666

The control channels are used to send only digital data between the phone and the cell base station. When a call is signaled at the central controller, the paging system opens 2 channels, a control channel and a voice channel. Over the control channel, information like the ESN/MIN/PIN is sent, and then over the voice channel your call is initiated.

NAM - Number Assignment Module. This is usually an EEPROM chip located inside your phone, which is programmed to contain your ESN/MIN. You can usually change your MIN up to 20 times, and some phones can even hold multiple MINs. The downside to your NAM, or upside, is that you cannot change your ESN via handset programming...unless you installed a new EEPROM ;)

Older base stations were just asking for fraud: there was absolutely no monitoring equipment located at them, and they wonder why fraud picked up so quick! Your MTSO connects to your cell site by a fiber optic line or an 18 GHz microwave link, and in turn your cell site uses a 38 GHz microwave link to reach a microcell transmitter.

When you fire your phone up and your base station finds your MIN/ESN, it looks into the SS7 (Signaling System 7) database. This is where the billing takes place, and where most fraud could be stopped. If simple monitoring software were in place, simple usage studies could find usage spikes, and maybe prompt a simple call to the user to ask what's up. (Much like how those nice 50 MB online storage sites find out that people are d/ling mp3s and warez from their servers: they just look at usage logs. If the logs say 10 MB/day for 2 months and then all of a sudden 1000 MB/day gets pumped from that site, something's usually up.)

Each cellular call has 2 channels associated with it, the transmit (REVERSE) and the receive (FORWARD).
REVERSE freqs = 824-848 MHz (phone to tower)
Forward freqs = 869-894 MHz (tower to phone)
Conventional dispatch = 806-809.7 MHz and 851-854.75 MHz
Trunked dispatch = 809.75-824 MHz and 854.75-869 MHz
General reserve = 848-851 MHz, 894-902 MHz and 928-947 MHz
Channel spacing = 30 MHz

AMPS cellular lobbyists are attempting to block the conventional/trunked dispatch frequencies on scanners. The logic is that they want to protect the cellular calls that take place there (Nextel). This would make it stupidly difficult to monitor 800 MHz trunked communications, such as the NJ State Police :(

Note: Pager signals start at 929 MHz and extend up to 932 MHz. Almost all of the pagers you come across will be regular modulated data, much like your modem. I've only heard of a few encrypted pager messages. There are a few ways to go about monitoring pagers, but I'm not going to go into that either.

This is where our first kind of cellular fraud comes in: cloning. Unless you were in a cave the past 10 years this prolly isn't the first time you've heard this term. This is what got Kevin Mitnick caught. He owned an infamous Oki 900, which is one of the easiest and nicest phones to clone because it can hold 5 NAMs once modded. There are many ways cloners go about their business. The first way is to buy a scanner that has DDI (Digital Device Interpreter). The most prevalent method today is to use a discriminator mod with Banpaia software; there are a few scanners out there that have this out of the box. You sit on your freq while your scanner takes in the data, it decodes it for you (merely demodulates it, much like your modem does), and you watch as the ESN/MIN pairs (the two are also known together as "pairs") pile up on your computer. Each of these pairs basically guarantees a good week or so of free calls, and screws the person who is actually paying for their phone. This will only work while the phone is roaming. Ways to protect yourself from this? Nothing. Having a digital phone will help.
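The carrier-side check suggested earlier (watch the SS7 billing records for usage spikes and call the subscriber) is what actually catches a burned ESN/MIN pair. This is an added example, not code from the article: the per-pair daily airtime records, the 60-day baseline window and the 10x / 3-sigma thresholds are constructed assumptions.

```python
"""Usage-spike review of the kind the article says the MTSO/SS7 billing side could run.
Added example, not from the original article: the per-pair daily airtime records, the
60-day baseline window and the 10x/3-sigma thresholds are constructed assumptions."""
from statistics import mean, pstdev

# Constructed sample: airtime minutes per day, keyed by ESN/MIN pair. The first pair
# behaves like a normal subscriber for two months, then usage jumps the way a cloned
# pair burned by several handsets at once shows up on the bill.
SAMPLE_USAGE = {
    ("ESN-0001", "MIN-5551001"): [10] * 60 + [1000, 950],
    ("ESN-0002", "MIN-5551002"): [10] * 60 + [12, 9],
    ("ESN-0003", "MIN-5551003"): [5, 30] * 30 + [180, 20],  # jittery, flagged once
}

def spike_days(daily, baseline_days=60, factor=10.0, sigma=3.0):
    """Indexes of days whose usage is at least `factor` times the baseline mean AND more
    than `sigma` standard deviations above it. Both tests must trip so a subscriber whose
    normal usage is jittery is not flagged on ordinary noise."""
    base = daily[:baseline_days]
    if len(base) < 2:
        return []          # not enough history to say what "normal" looks like
    mu, sd = mean(base), pstdev(base)
    flagged = []
    for day, minutes in enumerate(daily[baseline_days:], start=baseline_days):
        if minutes >= factor * mu and minutes > mu + sigma * sd:
            flagged.append(day)
    return flagged

def review_queue(usage):
    """ESN/MIN pairs that deserve the 'what's up?' call, with the days that tripped."""
    queue = {}
    for pair, daily in usage.items():
        days = spike_days(daily)
        if days:
            queue[pair] = days
    return queue
```

The baseline is only the first two months of history, so a pair that was cloned before it had any history would not be caught by this check alone.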
(A NEW digital phone, that is. TDMA used the old methods AMPS used, but the new CDMA (code division multiple access) and TDMA (time division multiple access) don't have the same problems.) America's PCS (personal communication service) is a GSM-like system (Global System for Mobile Communications). PCS has an "A-Key" (authentication key) which helps cut down on fraud. Then there is RFF (radio-frequency fingerprinting, created by ATT in '96). Basically RFF compares your call to a database of RF fingerprints, and can find out everything about the phone it found...from how worn out the keypad is, to what software it's running and who makes the chips. RFF is very expensive and is used more in military situations, to find out whether a radio beacon is hostile, and under other extreme situations. Another "security" feature out there is VVR (voice verification reinstatement). If your phone roams into an area with RFF or an A-key system, the operator will call your phone and ask you for your social security number, and upon verification let your call continue roaming (does anyone see a problem in that system?). You look at these neato security features and you wonder...well, why does fraud STILL happen? Because most people don't wanna go out and get a new phone. And as long as people are roaming, people will get ripped off.

The second main way of committing cellular fraud is subscription fraud, which is, in a nutshell, using someone else's info to connect a cell phone. The penalties for committing subscription fraud are hefty, usually because the person caught commits the crime over and over and over again. In 1998 a man was convicted of 139 counts of cellular fraud. In total he had 100 third degree felonies, and 39 second degree felonies of theft of intellectual property. I never found out the end of this trial...but I bet you a nice fine was put on him. Bail was set for him at $225,000. You yourself can do nothing about subscription fraud; it doesn't directly affect you.
Though the industry gives you the bullshit like "blah blah we need to hire more blah blah so the rates are higher"...you know the drill. The only way to stop subscription fraud is for the programs the cellular companies implement in the system to catch it, and as some of us may know...these don't work very well. There are always ways around computer programs. Maybe if all of America switched to GSM at once and never touched another phone system, all would be well...but of course this won't happen. Experts say that AMPS is 10% secure, CDMA is 80% secure and GSM is 99% secure. Though I think they said this before GSM was cracked, but stronger encryption wouldn't be too hard to implement.

Your local poooohlice office has a few nice ways of catching cloners too. The older-school method that has been around for a while is called triangulation. For triangulation you need 3 cell phone towers cooperating and finding out the time it takes for their signal to reach you and bounce back, and then they can find where you are within a 200 yard radius. Other triangulation methods are: mobile units (cars) can triangulate using Doppler systems, and nice guys running around with directional antennas. These methods, or a combination of them, if practiced can catch nearly everyone. There are newer methods not yet in use that seem more promising. The newest one thought up has to do with GPS: it's a GPS-like system called the GPS Cursor, made by CRIL (Cambridge Research and Innovation Ltd). You don't need any changes to your phone, and it isn't very expensive. It has been demonstrated on GSM and is said to be usable on other PCS systems in America. The idea is based on the same idea as radio triangulation. The freqs for this are carried over the same 900 MHz airwaves the calls are currently on.
(Calls in the USA occur on 800 and 1900 MHz; 900 MHz is Europe's GSM.) It's the same technology astronomers use to see far-off galaxies in their radio telescopes. In the case of GSM handset positioning, Cursor uses a secondary network of base stations in fixed locations, which are effectively dummy handsets. Without adding anything to existing base stations or altering the GSM signaling, it is possible to capture a portion of the total transmitted signal received at the mobile handset. This is retransmitted to the Cursor base station, where it is correlated with the signal as originally received at the Cursor base station. The correlation determines the time difference between when the signals were received at the Cursor base station and at the mobile handset, which in turn gives the distance of the mobile handset from the originating GSM base station. Performing this operation three times for different GSM base stations fixes the position of the mobile. In fact, Cursor uses 12 fixes to improve accuracy and reduce the number of Cursor base stations required. It can locate a person within a 160-foot radius, with the base stations being in a 10-15 mile radius.

All in all, cellular fraud is a booming theft market, and the more people that jump on the cellular bandwagon, the more fraud we will see. Unless there is a decent encryption scheme in place, there isn't too much change we will see in the future. Even with the new positioning techniques, in a highly urbanized area a 160-foot radius isn't that great. Large metal buildings and direction finding equals a headache. Furthermore, go into Manhattan and try finding a 160-foot radius with fewer than 100 cell phones in it. Know your penalties, and know what you're getting into.
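A worked version of the Cursor positioning idea described above: each GSM base station's signal reaches the fixed Cursor receiver and the handset at different times, the measured difference plus the known base-to-Cursor path gives a range to the handset, and three ranges are intersected for a fix. This is an added example, not CRIL's code; the tower coordinates, the Cursor location, the handset position and the straight-line propagation model are all constructed.

```python
"""Cursor-style positioning: range from time difference, then a three-circle fix.
Added example, not CRIL's code. Coordinates, timings and the straight-line
(no multipath) propagation model are constructed assumptions."""
import math

C = 299_792_458.0  # speed of light, m/s

def handset_range(base, cursor, delta_t):
    """Distance handset->base, given the known base->Cursor path length and the measured
    extra flight time delta_t (arrival at the handset minus arrival at the Cursor)."""
    return math.dist(base, cursor) + C * delta_t

def fix_position(bases, ranges):
    """Intersect three range circles in 2-D. Subtracting the first circle equation from
    the other two cancels the x^2 + y^2 terms and leaves a 2x2 linear system in (x, y)."""
    (x1, y1), r1 = bases[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(bases[1:3], ranges[1:3]):
        a, b = 2 * (x1 - xi), 2 * (y1 - yi)
        c = ri**2 - r1**2 - xi**2 - yi**2 + x1**2 + y1**2
        rows.append((a, b, c))
    (a1, b1, c1), (a2, b2, c2) = rows
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("base stations are collinear; no unique 2-D fix")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)  # Cramer's rule

def simulate_delta_t(base, cursor, handset):
    """Constructed measurement: the time difference the correlator would report
    for a handset at the given spot (straight-line propagation only)."""
    return (math.dist(base, handset) - math.dist(base, cursor)) / C

# Constructed scenario in metres: three towers a few km apart (the article's 10-15 mile
# spread scaled down), one Cursor receiver, and the handset the police want to fix.
BASES = [(0.0, 0.0), (8000.0, 0.0), (3000.0, 9000.0)]
CURSOR = (4000.0, 4000.0)
TRUE_HANDSET = (2500.0, 3500.0)

def demo():
    """Measure three time differences, turn them into ranges, and solve for the handset."""
    dts = [simulate_delta_t(b, CURSOR, TRUE_HANDSET) for b in BASES]
    ranges = [handset_range(b, CURSOR, dt) for b, dt in zip(BASES, dts)]
    return fix_position(BASES, ranges)
```

With real signals the ranges carry multipath and timing error, which is why the article's 160-foot figure gets worse among large metal buildings; this model shows only the geometry.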