
False Sense of Security?

The security of TDMA and CDMA digital technology has a myth-like grandeur. Digital technology is touted as being untouchable by the cloning fraud that has plagued analog carriers. TDMA and CDMA phones and the interworking networks, which are based on the ANSI-41 standard, were created with authentication capability. This put them ahead of analog systems, which had no built-in security. But authentication capability alone does not protect a network from cloning fraud. There are additional, imperative steps that must be taken to secure a network.


Unfortunately, the reality is that cloning is possible. As more analog operators arm their networks against cloning fraud, cloners will migrate to new avenues such as digital networks. Although a few digital operators are developing strong security, others are relying on the nebulous but popular myth that TDMA and CDMA technology is clone-proof. To avoid the damage that cloning fraud has wreaked on analog networks, digital operators need to protect themselves now.

Dispelling the Myth

There are many reasons that digital seems clone-proof. Some people assume that cloning can't penetrate TDMA and CDMA because of the inherent protection in digital networks. GSM technology has the utmost security because cloning prevention technology is mandatory on GSM networks. But all digital networks aren't as secure as GSM. TDMA and CDMA networks also were built with cloning prevention technology, but unlike GSM operators, carriers don't have to activate the security features for TDMA and CDMA networks.

Because cloners have yet to attack these networks, many operators are not activating and managing these built-in security features. Authentication, as described in the ANSI-41 standard, is the strongest fraud protection the industry has at its disposal. When deployed, administered and maintained correctly, authentication can stop cloning fraud before it even occurs.

But some digital operators are not activating authentication because of the added complexity it imposes on the customer-provisioning process. Some operators are using authentication but are placing default A-keys made up entirely of zeros in the network and all of the handsets. This avoids the time and staffing it takes to manage individual A-keys. But a default A-key is as good as no A-key. Cloners easily can break through the authentication when all of the keys are the same. Even after carriers have activated authentication and assigned unique A-keys for each subscriber, they still have to protect the A-keys to ensure that they are not obtained illegally.

There are many critical steps to develop a secure network. Having authentication capability is only the first step that operators must take if they want to deter cloning fraud. Cloning can take place on digital networks if authentication is not activated, if you use default A-keys, or if the criminal somehow can steal the subscribers' A-keys.
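
The three conditions above (authentication off, default A-keys, keys that are not unique per subscriber) can be checked against a provisioning export. The following is an added example, not part of the original article; the record layout, the hex encoding of the A-key and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Constructed provisioning export: (MIN, authentication enabled, A-key as hex).
# The layout and the hex encoding are assumptions made for this example.
SAMPLE_RECORDS = [
    ("5550100001", True,  "0000000000000000"),  # default all-zero key
    ("5550100002", True,  "3fa9c1d27b60e4a8"),
    ("5550100003", True,  "9b17e05c44d2a6f1"),  # unique key, no finding
    ("5550100004", True,  "3FA9C1D27B60E4A8"),  # same key as ...0002
    ("5550100005", False, "c40d8e5512ab907e"),  # authentication not activated
    ("5550100006", True,  ""),                  # never provisioned
]

def audit_akeys(records):
    """Return {MIN: [findings]}. Key material is never echoed in the report."""
    findings = defaultdict(list)
    holders = defaultdict(list)          # numeric key value -> MINs using it
    for min_, auth_enabled, akey in records:
        if not auth_enabled:
            findings[min_].append("authentication-disabled")
        key = akey.strip()
        if not key:
            findings[min_].append("no-akey")
            continue
        try:
            value = int(key, 16)         # normalises case and leading zeros
        except ValueError:
            findings[min_].append("malformed-akey")
            continue
        if value == 0:
            findings[min_].append("default-all-zero-akey")
        holders[value].append(min_)
    for mins in holders.values():
        if len(mins) > 1:                # one key programmed into several phones
            for m in mins:
                findings[m].append("shared-akey")
    return dict(findings)

if __name__ == "__main__":
    for min_, issues in sorted(audit_akeys(SAMPLE_RECORDS).items()):
        print(min_, ", ".join(issues))
```

The report identifies subscribers by MIN only, so the audit output can be circulated without exposing the A-keys it is meant to protect.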

Instead of activating the authentication features, some carriers are relying on "digital's inherent security" and are advertising their systems as clone-proof even though their network security features are inactive. In the world of advertising hyperbole, carriers have a motive to mesh the term digital with clone-proof. The misunderstanding has spread throughout the industry and what is actually a myth is now assumed to be fact.

No Easy Task

One reason criminals have not yet attacked digital networks is that the technology to clone analog phones is readily accessible, and the equipment is cheap. To clone any wireless phone, digital or analog, fraudsters must steal the MIN and the ESN and program them into a second phone. Cloners use a radio scanner to record a subscriber's MIN and ESN and use special equipment to program these codes into a handset. There are dozens of Internet web sites, magazines, books and stores where complete "how to" information is available. Analog cloners can buy these scanners at local radio electronic stores for $200.

However, the technology to clone a digital phone is more complex and expensive. A cheap radio scanner will not work on digital networks because the radio transmission technique and protocol are complex. All the elements of the CDMA and TDMA systems must interwork with each other. The rules for this interworking all are described in the industry standards: TIA/EIA IS-95 for CDMA and TIA/EIA IS-136 for TDMA. The purpose of a standard is to encourage competition among equipment suppliers, which means these standards are available to anyone willing to pay a few hundred dollars for them. These standards are the cloner's Bible. They contain a complete description of the protocol.

Along with standards information, digital cloning equipment can be obtained, but it is expensive. The same test equipment that technicians use to check CDMA and TDMA networks can be used to clone phones. Technicians need the ability to monitor each of the radio channels to assure proper operation. This same monitoring procedure can be used to clone a phone, but the equipment can cost $50,000.

One cloning method that is cheaper than test equipment is to use the electronic chips from the phones themselves. Soon, a clever hacker will emerge who will disassemble an off-the-shelf CDMA or TDMA phone, interconnect it to a PC, and convert a standard cellular phone into a TDMA or CDMA scanner. What hackers do today, cloners will do soon after.

A Matter of Time

If it is possible to clone digital phones, why don't digital carriers have a cloning problem? Cloners have not tampered with digital networks because it does not make economic sense for them to do so. Today, analog is the only technology that covers every cellular market in the United States. Cloners haven't had to exploit digital networks because digital networks are only a small portion of the market. But that is changing. Peter Nighswander, The Strategis Group director for cellular and PCS, estimated that at the end of 1997 there were 50.1 million analog subscribers compared with 6.5 million digital subscribers in the United States.

If the market remained static, digital operators never would have to be concerned with cloning fraud. However, industry trends prove that it is more important for digital network operators to take pro-active measures to secure their networks.

"Within two or three years, digital networks are going to start seeing cloning activity," said Rick Kemper, CTIA director for secure systems.

The rapid growth rate of digital markets supports this theory. The Strategis Group estimates that within five years, there will be 90.5 million digital subscribers.

In addition to digital growth, analog networks are becoming more secure as operators deploy fraud-prevention technology and develop security. As security becomes tighter on analog systems, cloners will look for new avenues. In 1996, CTIA reported that U.S. wireless carriers lost approximately $650 million to fraud, with cloning fraud causing the largest impact to carriers' bottom lines. Tom McClure, CTIA fraud management director, said that the revenue lost to fraud in 1997 was significantly lower than in 1996, estimating a 30% decrease. Given the tenacity of the criminals, it is inevitable that when their efforts to clone analog networks are thwarted, they will target digital networks.

Preparing for the Inevitable

Digital operators need to prepare themselves now for the problems that lurk on the horizon. Having an authentication option in the protocol is important, but that alone does not make the network secure. McClure said that digital operators can be in front of cloning fraud. Some carriers already are taking measures to prepare for the inevitable. For example, several digital carriers are represented on the CTIA Fraud Technology Advisory Group.

The fact is that digital phones can be cloned. Although cloners are not attacking digital systems today because AMPS is easier and more available, this will not hold true in the future. History demonstrates that criminals look for the easiest target. Don't leave your digital system vulnerable.

Jeffery is Synacom Technology vice president of marketing and business development. His e-mail address is stu@synacom.com.

"Wireless fraud" has become synonymous with "cloning" since the early 1990s. But there are many other varieties of fraud activity targeting wireless carriers. According to Todd Young, The Guidry Group director of consulting services, carriers can assess their fraud vulnerability by addressing these critical questions.

Have you evaluated your bad debt? Is it really bad debt, or is it fraud? Do you have company-wide procedures in place to identify and separately classify the two?

Have you investigated your returned mail lately? How many of those accounts activated over the 1-800 telemarketing line have fictitious mailing addresses? How many customers are not paying because order-entry errors cause the bills to be sent to invalid addresses?

Are patterns of write-off activity developing around particular distribution channels, agents, dealers or employees?

Are you offering prepaid services that are controlled by usage limits programmed into the handset (rather than usage limits that are monitored at the switch)? If so, have you considered what would happen if such accounts were cloned? The account could receive unlimited usage through the clone phone.

Have you considered the potential impact of negotiating roaming agreements from your digital PCS markets onto non-authenticated cellular analog systems? Are you relying on the assumption that cloners can't scan digital MINs/ESNs from the air?

Have you considered that a dual-mode PCS phone that roams into an analog cellular market may have to transmit its MIN/ESN in a non-encrypted analog form? Or, have you considered that a dishonest employee could sell the MIN/ESN information of your digital customers to cloning bandits who operate in your roamer partner's markets?

Have you instituted revenue assurance programs designed to detect unusual unbilled call activity and reconcile accounts that are active in the switch, but not the billing system?

Are you truly prepared to implement authentication? Have you instituted procedures to initialize and securely record the A-key information of your digital (and analog) subscribers who have authentication-compatible equipment? If not, how do you plan to assign A-keys to subscribers when you do implement authentication?

Have you instituted criminal and financial background checks for all new employees? If you have, do you know what kind of background check really is being performed? (Many agencies charge a low price for a background check of questionable value.) The statistics on employee collusion in cellular fraud activities prove that background checks are a necessity, not an option.

© 2012 Penton Media Inc.
