Barbarians at the Gate

Two years have passed since carriers began implementing authentication to combat cloning fraud, and all indicators suggest the results are worth the $2 million or more each paid in start-up costs. Fraud losses are down to $500 million, or less than 1.5% of the industry's total revenue, according to CTIA. By comparison, shoplifting siphons off about 1.77% of total annual retail sales, according to the National Retail Federation.

Just how many carriers or markets have authentication is difficult to pin down. The best estimate is a March 1998 CTIA survey that found it is deployed in 65% of the top 50 MSAs.

"We've really shrunk the pool of phones that are susceptible to cloning," said Tom McClure, CTIA director for fraud management. "I'm proud of the vendor community for how it has responded to the wireless industry's fraud concerns and provided the products that will keep us in front of the criminal."

BellSouth began implementing authentication nearly two years ago and today has it throughout its 9-state service area. Like many carriers, BellSouth supplements authentication with RF fingerprinting to protect phones manufactured before 1996. That approach has cut BellSouth's fraud losses by 97%, a typical industry figure.

Authentication is not cheap, however. One vendor estimated typical start-up costs at around $1.5 million, although that figure can vary widely depending on the network. But it is an investment that carriers apparently are willing to chalk up to the cost of doing business.

"If someone gets hit by fraud, you can see authentication getting implemented faster than (in) areas where it has not affected their bottom line," McClure said.

Perhaps just as remarkable as authentication's success is its resilience. The technology has not become obsolete, nor does it show signs of becoming so anytime soon. Most developers agree authentication should remain secure until about 2017, a date based on estimates of advances in technology, such as faster computers, and fraudsters' ingenuity. The two ways authentication likely will be made stronger is by enhancing the algorithm or making the key larger.

Such refinements would be costly for carriers, however, because they would affect many elements of their networks, and carriers might be reluctant to invest more money when they already have additional safeguards, such as RF-fingerprinting and behavior-profiling systems. Those costs and authentication's track record suggest the technology will remain little changed over the next few years.

GOOD ENOUGH? Although authentication has made cloning phones almost as difficult as cloning people, the technology isn't invulnerable.

"I think it's just a matter of time before somebody does break it, even as an academic exercise, which will make for bad press," said Randy Snyder, director of systems engineering at antifraud developer Synacom Technology and author of Mobile Telecommunications Networking With IS-41.

But what vulnerability it does have apparently is acceptable to the wireless industry.

"From a pure academic standpoint, authentication may be good enough forever because all you have to do is make the walls high enough to make it cost-ineffective for criminals to clone phones," Snyder said. "You don't have to make it bulletproof. And that's an important point because once it gets difficult enough, criminals will steal credit cards, which are more valuable. Cloning phones is just not a profitable business anymore because 90 out of 100 phones you steal will not be able to be cloned. So you're wasting your time."

Jeff Battcher, BellSouth manager of media relations, agreed.

"We've raised the bar extremely high," he said. "But if you've got enough money and knowledge, nothing is impossible. We've made a huge, significant stride, and it's going to take a long time for the criminals to catch up. But I think we've always got to be careful and look over our shoulders and continue to put in new processes."

CHINKS IN THE ARMOR The best anti-fraud technology is only as good as its implementation, an area where authentication has changed.

"When the carriers started to implement it, there were all kinds of issues that were not addressed by authentication that had to do with authentication, " Snyder said. More important, those issues -- such as how to generate A-keys, get them into the handsets and protect A-key databases -- are potential chinks in authentication's armor.

Outsourcing parts of authentication management is one way for carriers to reduce costs, but the downside of this approach is that security is handled out-of-house. Buying handsets with A-keys preprogrammed at the factory also is common, but again, who has access to that database is a concern. Security breaches also can occur at the point of sale, where there is often high turnover or salespeople who are employees of a third-party retailer.

"A lot of times, that's where employee fraud attacks," said Kate Canestrari, EDS product manager for wireless fraud.

The more people who have access to the A-key database, the greater the chance of literally giving away the keys. A-keys are "the number-one thing that's supposed to be kept secret about authentication," Snyder said. "You're relying on dealers and handset manufacturers to program them, and who knows what they're doing with them."

But A-keys have to be programmed at some point, and that means determining where internal fraud is least likely. For Cellular One in the Southwest, the choice was to have the handset manufacturer preprogram the A-keys.

"They sell so many handsets, and it's such a big issue on the carrier side that we feel in most cases they have the proper controls in place," said CFO Russ Craig. But Cellular One did decide against integrating its A-key- management system with its billing system, which is managed by a vendor. "I'd be very nervous about having someone external to my company managing that process for me."

DOWN, BUT NOT OUT The rise in subscription fraud is one indication of authentication's success. At the same time, authentication has forced fraudsters to refocus their efforts in other areas where less effort and expense are required. That shift puts smaller carriers in a tough position: find enough capital to implement authentication or risk being pillaged by fraudsters driven out of larger markets.

"If there's any cloning left after the large markets have eradicated it, people are going to clone phones from smaller markets, and those guys are going to get hit," Synacom's Snyder said. "So they should be anticipating what they're going to do." EDS' Canestrari agreed: "The fraudsters are going to take the path of least resistance, and that's where they're going to go: the carriers that are unprotected."

But even carriers that have implemented authentication are vulnerable when their subscribers are roaming in markets where carriers haven't deployed it. "In a roaming environment, authentication will be only as good as the number of carriers that deploy it," Canestrari said.

That puts pressure on carriers that don't yet have authentication. ALLTEL plans to implement authentication, and loss-prevention manager Adrieanna Glover said fellow carriers understand the capital and time necessary.

"I wouldn't say we're getting pressure" from roaming partners, she said. "I would say questions are coming up. They're not expecting us to have authentication deployed tomorrow, but they are asking us: Do we have a plan? Are we prepared to begin deploying authentication over a 3- to 5- to 7-year time line? And we can comfortably say 'yes' -- and completely understand why they would want to do that."

If there is an up side, it is that smaller carriers can learn from their larger counterparts' experiences.

"What that's allowed the industry to do is learn from the issues they faced and what was successful to allow the small- and medium-size carriers to make the best decision," Canestrari said.

Meanwhile, the industry is looking ahead to new fraud challenges, one of which is a return to subscription fraud.

"The industry has a unique opportunity to actually know exactly where the fraud is migrating," said Tony Zarrella, GTE TSI director of fraud-management services. "The GSM networks deployed in Europe have not experienced cloning or technical fraud. They are, however, experiencing a significant amount of subscription fraud."

CTIA's fraud task force has identified subscription fraud, along with inside jobs and hacker attacks on network systems, as an area where fraudsters will strike next.

"Any carrier that is not looking at subscription-fraud solutions today is going to be losing big time," Synacom's Snyder said. "They really need to get a jump on things."

ALLTEL and Cellular One in the Southwest are two carriers doing just that. Both train their employees to spot fraud, with special emphasis on their customer service and sales staffs.

"These employees are the eyes and ears of our company," Glover said.

Craig agreed. "It starts in the front lines with the sales department."

But in the future, the front lines will include every department. As McClure put it, "Fraud is not just the fraud department's job; it's all the employees' jobs."