Passive methods for detecting illegal traffic termination

Now the illegal termination of traffic has become one of the major disasters of any telecommunications operator

The Operators in those countries where international communication costs several times more expensive than local traffic, suffer the most. Also, the government’s attitude towards this, let’s say, the type of business, plays no small role. The top countries, the most affected by this type of fraud, are the countries of Africa, the Balkan Peninsula and, of course, the CIS.

As you know, the essence of this type of fraud lies in the sending the international voice or SMS traffic, bypassing the proper switching equipment. As a result, a number of problems arise. First, the operator loses money on interconnection accounts. Secondly, the quality of communication suffers, there are extraneous noises, delays, frequent cliffs. Thirdly, the caller’s number is changed.

If a few years ago this type of fraud could be dealt by the only people with the appropriate technical education, today a “business” of this kind can be bought on a turn-key basis. On the Internet, a lot of proposals from organizations ready to sell and set up the necessary equipment at an affordable price, install specialized software to simulate human activity, reduce with the originators of traffic, provide round-the-clock technical support. And of course, they will teach where to place the equipment and what settings to make, so that it would be more difficult for operators to identify and block the scammer’s SIM cards.

In 2016, two main types of systems for detecting this type of fraud are used in the world practice:

Active systems are systems that detect fraud numbers, making test call sessions (calls) from different parts of the world to operator numbers.

Passive systems are the systems that analyze subscriber activity for “humanity”.

If the active systems are more or less clear, then to configure the passive systems requires an in-depth analysis to identify the main criteria that differentiate the card from live subscribers. This is not such a simple task as it might seem at first glance.

Thanks to modern systems, SIM cards in gateways allow:

  • Send and receive messages with pre-prepared text;
  • Make calls and respond to them with the transfer of a real conversation record to the voice channel;
  • Create groups, imitating communication with regular contacts (friends);
  • Simulate a different movement between locations, depending on the time and day of the week;
  • Send USSD requests, to check the balance and connect bonuses. Read the required information from the answers;
  • Monitor balances and bonuses;
  • Set a schedule, to distribute traffic volumes during the day and on different days of the week.

We propose to pay attention to some features of the work of the simulation systems of human activity, which you can try to use to identify SIM-cards scammers or to make the crooks of life more difficult.

Terminator needs to monitor balances and bonuses on their SIM cards. This is to ensure that the room suddenly does not stop. (After all, they also need to maintain a reputation in the eyes of their customers.) Traffic termination control systems can send USSD commands for checking balances and connecting bonuses. Also, they can read the necessary information from the received answers. In the event that the answer could not be read, after several attempts, the system often unloads the SIM from the gateway. If you periodically make small changes to the USSD response in order to make it difficult to parse the text using a mask, you can theoretically cause a malfunction in the parser and, as a consequence, complicate the life of the scammer.

When simulating human activity, the system makes a chime between the numbers in the gateway. Thus, if a terminator number is found, it is necessary to analyze the connections with other SIM cards.

The system that manages the termination allows you to create multiple locations and adjust the movement between them. In this case, since the instantaneous movement over a long distance will look suspicious, set the delay between leaving one location and appearing in another. During the delay, the SIM card is turned off. Based on this feature, it is proposed to analyze the geography of the movement of subscribers. Are they moving gradually or jumping between locations, bypassing the intermediate base stations. Also, it makes sense to look at other numbers, the list of locations of which coincides with the locations of the identified numbers.

Of course, it is unlikely that the methods described above are applicable to all operators and all terminators. But, in my opinion, it makes sense to analyze the traffic of terminators through the prism of these features.

If you need a universal method that can complement the system for detecting illegal termination, the best result will be a reconciliation of outgoing calls in roaming received from TAP files and NRTRDE, with incoming calls from your own called subscribers.

If you need a universal method that can complement the system for detecting illegal termination, the best result will be a reconciliation of outgoing calls in roaming received from TAP files and NRTRDE, with incoming calls from your own called subscribers.

In general, the control logic is as follows: subscriber A is roaming and calls to subscriber B. Subscribers A and B are subscribers of the operator. If subscriber B at this time came to an incoming call of the same duration from the number C, then through the number C terminate the traffic. Of course, such control can not be compared with a ringing, but, as practice showed, it can be a pleasant addition to a high percentage of accuracy.

The fight against illegal traffic termination is a difficult and costly task. However, if the situation is neglected, one day, the revenue for interconnect will become history for the operator.