Cellular Fraud:  How's it happening and what are they doing to prevent it?

                        written by : mstrmind
                                   special thanks to Blackax

The Cellular industry is a booming business.  Its revenues top 20 billion
dollars a year in America alone.  With the expansion of cheaper phones, and
cheaper contracts, grows every year.  With any industry that large there is
fraud.  People are out there everyday trying to find out either how to make a
free call, or just how to beat the system.  Some people get caught,though
most go unharmed.  As of 1999 there have been a little over 1000 people
arrested and  tried for cellular fraud, most with multiple counts.  Jail
time usually looks like 5-15 years and a very very large fine, upwards of
1/4 million dollars.

Experts say that over 800 thousand dollars each day and each year 600 million
dollars are lost due to cellular fraud, which is approx 2.5% of the total
revenues of the cellular industry.  Which seems to be a good number for any
kind of stolen goods in any industry.  The average lost stock in a Target
store is 1.5% of total sales, which is about $400,000 roughly, per store.  

First, lets look at how a cell phone actually works.  You fire your cellular
phone up (note: I'm just talking about AMPS right now(AMPS=Advanced Mobile
Phone System aka analog)), and your nearest cell tower in your cell picks you
up.  In your cell there is a base station that houses several transceivers
and different types of control equipment for all the channels assigned to that
cell. Then from there the base station contacts the area's MTSO (mobile
telephone switching office) and then in turn contacts the CO (central office)
The Cellular Radio freqs have been nicely broken down by the FCC into 2 bands.
There are also bands around 1.9 Ghz used by Sprint and for GSM but I'm not
gonna be getting into that.

Band A - Non Wireline                     Band B - Wireline

Control Channels=21 (313-333)             21 (334-354)
Voice Channels=001-312                        355-666

The control channels are used to send only digital data between the phone and
 the cell base station.  When a call is signaled at the central controller,
 the paging system opens 2 channels, a control and a voice.  Over the control,
 information like the ESN/MIN/PIN will be sent and then over the voice, your
 call will initiate.

NAM-Number Assignment Module.  This is usually a eeprom chip located inside
your phone, which is programmed to contain your ESN/MIN.  You can usually
change your MIN up to 20 times, some phones can even hold multiple MINs.  The
downside to your NAM, or upside, is you cannot change you ESN via handset
programming...unless you installed a new eeprom ;)

Older base stations were just asking for fraud, there was absolutely no
monitoring equipment located at these, and they wonder why fraud picked up so
quick!  Your MTSO connects to your cell site by a fiber optic line or a 18 gHz
microwave link.  And in turn your cell site is using a 38 gHz microwave link
to link to a Microcell Transmitter.

When you fire your phone up, and your base station finds your MIN/ESN it looks
into the SS7 (signaling system 7) database.  This is where the billing takes
place, and where most fraud can be stopped.  If simple monitoring software
was in place, simple usage studies could find usage spikes, and maybe make a
simple call to the user and ask what's up. (Much like how those nice 50mb
online storage sites find out that people are d/ling mp3s and warez from their
servers, they just look at usage logs.  If the logs say 10mb/day for 2 months
and then all of the sudden 1000mb/day gets pumped from that site, something's
usually up.)

Each cellular has 2 channels associated with it,
the transmit (REVERSE) and the receive (FOWARD).
REVERSE freqs= 824-848 mhz (phone to tower)
Forward freqs= 869-894 mhz (tower to phone)
Conventional dispatch=806-809.7 mhz and 851-854.75 mhz
Trunked dispatch= 809.75-824 mhz and 854.75-869 mhz
General reserve=848-851 mhz and 894-902 mhz and 928-947 mhz
Channel spacing = 30 mhz AMPS

Cellular lobbyists are attempting to block conventional/truncked dispatch
frequencies on scanners.  The logic being that they want to protect the
cellular calls that take place there (Nextel).  This would make it stupidly
difficult to moniter 800,hz trunked communications, such a NJ state pohlice :(

Note:  Pager signals start at 929mhz and extend up to 932mhz.  Almost all of
the pagers you come across will be regular modulated data, much like your
modem.  I've only heard of a few encrypted pager messages.  There are a few
ways to go about monitering pagers, but I'm not going to go into that either.

This is where our first kind of cellular fraud comes in.  Cloning.  Unless you
were in a cave the past 10 years this prolly isn't the first time you've heard
this term.  This is what got Kevin Mitnick caught.  He owned an infamous Oki
900, which is one of the easiest and nicest phones to clone because it can
hold 5 NAMs once modded.  There are many ways cloners go about their business.
The first way is to buy a scanner that has DDI (Digital Device Interpreter).
The most prevalent method today is to use a discriminator mod with Banpaia
software. There are a few scanners out there that have this out of the box.
You sit on your freq while your scanner takes in the data, then it decodes it
for you(merely demodulates it much like your modem does) and watch as the
ESN/MIN (also known together as pairs) pile up on your computer.  Each of
these pairs basically guarantee a good week or so of free calls, and screws
the person who is actually paying for their phone.  This will only work
while the phone is Roaming.  Ways to protect yourself from this?  Nothing.
Having a digital phone will help. (a NEW digital phone, TDMA used the old
methods AMPS used, but the new CDMA(code division multiple access) and TDMA
(time division multiple access, doesn't have the same problems)  Americas PCS
(personal communication service) is a GSM-like system (Global System for
Mobile Communications).  PCS has an "A-Key" (authentication key) which helps
cut down on fraud.  And RFF (radio-frequency fingerprinting, created by ATT
in '96), basically RFF compares your call to a database of RFF, and can find
everything out about the found...from how worn out the keypad is, to what
software it's running and who makes the chips.  RFF is very expensive and is
used more in military situation to find out whether a radio beacon is hostile,
and under other extreme situations.  Another "security" feature out there is
VVR (voice verification reinstatement).  If your phone roams into an area with
RFF or and A-key system, the operator will call your phone and ask you for
your social security number, and upon verification let your call continue
roaming (does anyone see a problem in that system?)You look at these neato
security features and you wonder...well why does fraud STILL happen?  Because
most people don't wanna go out and get a new phone.  And as long as people
are roaming, people will get ripped off.

The Second main way of committing cellular fraud is Subscription Fraud.  Which
is, in a nutshell, using someone else's info to connect a cell phone.  The
penalties for committing subscription fraud is hefty, usually due because the
person caught commits the crime over and over and over again.  In 1998 a man
was convicted of 139 counts of cellular fraud.  In total he had 100 Third
degree felonies, and 39 second degree felonies of Theft of Intellectual
Property.  I never found out the end of this trial..but I bet you a nice fine
was put on him.  Bail we set for him at $225,000.  You yourself can do nothing
about Subscription Fraud, it doesn't directly effect you.  Though the industry
give you the bullshit like blah blah we need to hire more blah blah so the
rate are higher..u know the drill.  The only way to stop subscription fraud is
for the programs the cellular companies implement in the system to catch it,
and as some of us may know...these don't work very well.  There are always
ways around computer programs.  Maybe if all of america switched to GSM at
once and never touched another phone system one would be well...but of course
this wont happen.  Experts say that AMPS is 10% secure, CDMA is 80% secure and
GSM is 99% secure.  Though I think they said this before GSM was cracked, but
stronger encryption wouldn't be too hard to implement.

Your local poooohlice office has a few nice ways of catching cloners too.
The older school method that has been around for awhile is called
Triangulation.  For Triangulation you need 3 cell phone towers cooperated and
finding out the time it takes for their signal to locate you and bounce back,
and then they can find where u are within a 200 yard radius. Other
triangulation methods are: Mobile units (cars) can triangulate using doppler
systems, and nice guys running around with directional antenneas, these
methods, or a combination of them, if practiced can catch nearly everyone.
There are newer methods yet to be used but they seem more promising.  The
newest method thought up has to do with the GPS system.  There is a new GPS
like system that seems promising though.  It's called a GPS cursor.  Which is
made by CRIL (Cambridge Research and Innovation Ltd).  You don't need any
changes to your phone, and isn't very expensive.  It has been demonstrated on
GSM and is said to be able to be used on other PCS systems in America.  The
idea is based on the same idea as Radio Triangulation.  The freq for this are
carried over the same 900mhz airwaves the calls are currently on. (call in the
USA are occur on 800 and 1900mhz, 900mhz is europes GSM)  It's the same
technology astronomers use to see far off galaxy in their radio telescopes.

In the case of GSM handset positioning, Cursor uses a secondary network of
base stations in fixed locations, which are effectively dummy handsets.
Without adding anything to existing base stations or altering the GSM
signaling, it is possible to capture a portion of the total transmitted signal
received at the mobile handset. This is retransmitted to the Cursor base
station, where it is correlated with the signal as originally received at the
Cursor base station. The correlation determines the time difference between
when the signals were received at the Cursor base station and the mobile
handset, which in turn gives the distance of the mobile handset from the
originating GSM base station. Performing this operation three times for
different GSM base stations fixes the position of the mobile. In fact, Cursor
uses 12 fixes to improve accuracy and reduce the number of Cursor base
stations required. If can locate a person within a 160-foot radius, with the
base stations being in a 10-15 mile radius.

All in all, cellular fraud is a booming theft market, and the more people that
jump on the cellular bandwagon, the more fraud we will see.  Unless there is
a decent encryption scheme in place, there isn't too much change we will see
in the future.  Even with the new positioning techniques, in a highly
urbanized area a 160 foot radius isn't that great. Large metal buildings and
direction finding equals a headache. Furthurmore go into Manhattan and you
find a 160-foot radius with less than 100 cell phones.  Know your penalties,
and know what you're getting into.