Detection Connection
Fraud detection is by nature reactive. Fraud can't be detected on the network until it's on the network. However, some fraud software vendors are attempting to make detection less reactive by developing systems that will identify criminals before they ravage a network.
Circle of Fiends
One way to reduce fraud is to identify and stop repeat offenders. Some vendors use a profiling process called link analysis for this task. Link-analysis profilers gather and correlate subscriber information that can link customers to fraudulent activities.
Various types of subscriber data can be used for link analysis. One popular method, known as a dialed-digit analysis, scrutinizes the records of who's calling who.
Ericsson's (www.ericsson.com) dialed-digit analysis application is, appropriately, called the Circle of Fiends. This is a function of the Analyst's Notebook, a data visualization and analysis tool developed by i2 and integrated into Ericsson's FraudOffice system. The tool analyzes a large volume of call detail records (CDRs) and reveals resulting correlations between records.
Circle of Fiends tracks each subscriber's 10 most frequently called numbers, said Michelle Slevin, Ericsson channel manager, FraudOffice. Alarms activate when the dialed numbers match those associated with ongoing or previous fraud cases. This enables carriers to identify a previously banished criminal by his or her most frequently dialed numbers.
Expanding the fraud circle to include graphic analyses of the criminals' incoming calls is another way to perform dialed-digit analysis. TSI's (www.tsiconnections.com) FraudX software includes this feature. The system tracks not only the people the fraudulent phones dial but also those who call the fraudulent phones. These may, in turn, be calling the same numbers called by known perpetrators.
"Because you can visually represent the calling patterns, you can find numbers to investigate that may not have popped up through other methods," said Billy Osborne, TSI product manager, fraud solutions.
In some cases, returning criminals may not call numbers that can be linked to past crimes, but they might call a number called by another fraudulent subscriber, which can alert a fraud analyst to possible criminal activity.
"What we're doing is sort of a web of who calls who and being able to represent that in a digital picture, which from an analyst's perspective makes it a lot easier to recognize patterns of behavior that may not be evident through traditional dialed-digit analysis," Osborne said.
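The dialed-digit matching and the wider "web of who calls who" described above can be sketched over a handful of call detail records. This is an added illustration, not code from Ericsson, i2 or TSI; the CDR layout, the phone numbers, the case file and the `min_overlap` threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

TOP_N = 10  # the article: each subscriber's 10 most frequently called numbers

# Constructed CDRs as (calling number, called number); not real data.
CDRS = (
    [("555-0101", "555-0900")] * 6 + [("555-0101", "555-0901")] * 4
    + [("555-0101", "555-0300")] * 2
    + [("555-0102", "555-0300")] * 5 + [("555-0102", "555-0301")] * 3
    + [("555-0777", "555-0900")] * 3   # outgoing calls of a known fraud phone
    + [("555-0103", "555-0777")] * 2   # a subscriber calling that phone
    + [("555-0103", "555-0302")] * 4
)
# Constructed case file: numbers most dialed by a previously banned subscriber.
FRAUD_CASES = {"case-A": {"555-0900", "555-0901", "555-0950"}}
FRAUD_PHONES = {"555-0777"}

def top_dialed(cdrs, n=TOP_N):
    """Per-subscriber set of the n most frequently dialed numbers."""
    counts = defaultdict(Counter)
    for caller, called in cdrs:
        counts[caller][called] += 1
    return {s: {num for num, _ in c.most_common(n)} for s, c in counts.items()}

def dialed_digit_alarms(cdrs, cases, min_overlap=2):
    """Alarm when a top-N list shares >= min_overlap numbers with a fraud case.
    min_overlap is an assumed threshold; the article does not state one."""
    alarms = []
    for sub, nums in sorted(top_dialed(cdrs).items()):
        for case, case_nums in sorted(cases.items()):
            shared = sorted(nums & case_nums)
            if len(shared) >= min_overlap:
                alarms.append((sub, case, shared))
    return alarms

def inbound_links(cdrs, fraud_phones):
    """Subscribers who called a known fraudulent phone (incoming-call view)."""
    return sorted({a for a, b in cdrs if b in fraud_phones and a not in fraud_phones})

def shared_contacts(cdrs, fraud_phones):
    """Subscribers dialing a number that a known fraudulent phone also dialed."""
    fraud_dialed = {b for a, b in cdrs if a in fraud_phones}
    hits = defaultdict(set)
    for a, b in cdrs:
        if a not in fraud_phones and b in fraud_dialed:
            hits[a].add(b)
    return {sub: sorted(nums) for sub, nums in hits.items()}
```

The three functions return leads for an analyst to investigate, in line with Osborne's description; a shared number alone does not establish fraud.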
Chain of Debtors
Lightbridge (www.lightbridge.com) has added its own twist to link-analysis profiling. The company's fraud suite, Fraud Centurion, combines two profilers, Fraudbuster and Alias. Fraudbuster analyzes call patterns, combining usage information with billing information. The idea is to understand usage information better in the context of a subscriber's billing profile. For example, if a customer subscribes to the least expensive plan a carrier offers but is making 300 calls a day, there's a problem.
Alias uses link analysis to profile new subscribers, primarily looking at credit-card information. The profiler marks accounts that have used fraudulent credit cards and looks for new accounts that use the same credit-card information.
Alias catches subscription fraud by detecting suspicious changes early in the life of an account, said Jay Newberg, Lightbridge sales consultant. For instance, a subscriber who changes the account address within the first week raises suspicion. Sometimes fraudulent subscribers change the account address early to prevent the legitimate credit-card owner from receiving welcome information from the wireless carrier.
Link analyses also can be performed on other identity data such as Social Security numbers and home telephone numbers, Newberg said.
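A sketch of the kind of identity link analysis described for Alias, combined with the early address-change check. It is an added example, not Lightbridge's code; the account records, field names and tokenizing key are constructed assumptions, and identifiers are compared as keyed hashes so the link index never holds raw card numbers.

```python
import hashlib
import hmac
from datetime import date, timedelta

KEY = b"constructed-demo-key"     # assumption: per-deployment secret for tokenizing
EARLY_WINDOW = timedelta(days=7)  # "within the first week", per the article
LINK_FIELDS = ("card", "home_phone")

def token(value):
    """Keyed hash so raw card or phone values are never stored in the index."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

# Constructed accounts; card values are published test numbers, not real cards.
ACCOUNTS = [
    {"id": "A1", "opened": date(2001, 3, 1), "card": "4111111111111111",
     "home_phone": "555-0140", "fraud": True, "address_changed": None},
    {"id": "A2", "opened": date(2001, 5, 2), "card": "4111111111111111",
     "home_phone": "555-0141", "fraud": False, "address_changed": date(2001, 5, 5)},
    {"id": "A3", "opened": date(2001, 5, 3), "card": "5555555555554444",
     "home_phone": "555-0140", "fraud": False, "address_changed": date(2001, 7, 1)},
    {"id": "A4", "opened": date(2001, 5, 4), "card": "4012888888881881",
     "home_phone": "555-0142", "fraud": False, "address_changed": None},
]

def review(accounts):
    """Return {account id: [reasons]} for accounts an analyst should look at."""
    bad = {}  # (field, token) -> id of the account already marked fraudulent
    for a in accounts:
        if a["fraud"]:
            for f in LINK_FIELDS:
                bad[(f, token(a[f]))] = a["id"]
    flagged = {}
    for a in accounts:
        if a["fraud"]:
            continue
        reasons = [f"{f} matches fraud account {bad[(f, token(a[f]))]}"
                   for f in LINK_FIELDS if (f, token(a[f])) in bad]
        changed = a["address_changed"]
        if changed and changed - a["opened"] <= EARLY_WINDOW:
            reasons.append("address changed in first week")
        if reasons:
            flagged[a["id"]] = reasons
    return flagged
```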
The Multi Method
However, link analysis is only one technology in Lightbridge's arsenal. Fraudbuster also performs group-level profiling, examining network activity by customer segments - for example, by rate plan.
The software also performs fingerprint analysis, which makes determinations such as:
- the types of numbers being called
- whether the subscriber is calling suspect countries
- whether suspect numbers are being called
- whether the subscriber is making calls at suspect times of day.
"On top of all of that, we can add in some manual statistical analysis," Newberg said, adding that a neural network can be included to enable the system to "learn" to identify fraud better.
The combination of profiling methods differentiates Lightbridge's fraud software, according to Newberg.
"Some of the systems on the market are based on just one of those techniques," he said. "We found it a more solid approach to combine as many as we can in an intelligent fashion, not just glomming things on there."
Fraudbuster's evolution has been driven by feedback from customers and prospects, Newberg said. He thinks there's a trend toward a more comprehensive view of subscribers, which will be aided by more thorough profiling.
Nortel Networks (www.nortelnetworks.com) appears to agree. Cerebrus, the company's fraud software suite, has been designed to profile individual subscribers based on approximately 256 attributes such as the duration of subscribers' calls, said Faz Hussain, Nortel Networks fraud solutions president and general manager.
Cerebrus contains both a neural-network module and a rules-and-threshold module. Using the statistical model, the software tracks subscribers' historic behavior patterns on the network and identifies changes. It then compares subscribers' behavior to a built-in library of about 400 known fraudulent behaviors, said Mark Johnson, Nortel Networks fraud solutions business development director.
The Cerebrus software uses three criteria to determine whether fraud alarms should be generated: the breaking of conventional rules and thresholds, change in subscriber behavior and behavior that fits known fraudulent behavior.
"We take those three inputs, and we (can) make a much more intelligent decision about when to generate alarms than you would be able to do with a statistical model, even if that statistical model had been generated on the basis of neural-network activity," Johnson said.
Data Connection
Future fraud applications likely will focus on controlling fraud in 2.5G and 3G data applications, such as m-commerce. Some vendors are considering possible fraud scenarios and planning solutions now. Others, such as Nortel Networks, already have launched 3G fraud packages.
Unfortunately, vendors can only guess about what next-generation fraud will look like.
"Our existing customers, who were moving to GPRS and had bought 3G licenses, were asking us what the risks were going to be," recalled Eoin Leahy, Ericsson Telecom Management Services Group general manager, global services division. "Nine months ago, a lot of people in the industry didn't know how they were going to make money from the 2.5G services they knew they were going to roll out. Correspondingly, if you don't know how you're going to make money, then you don't know how the money is going to flow through the business and what the risks are going to be."
Ericsson investigated wired Internet fraud and then produced a white paper last year on potential fraud risks in 2.5G and 3G networks. One of the company's major observations was that credit-card fraud was rampant on the Internet, which exposed retailers and credit-card companies to large financial risks. In an m-commerce environment, however, the bulk of the risks could fall to carriers that take on financial liability by agreeing to bill subscribers for retail purchases or receive payments for value-added content.
"The positive responses we got to the scenarios that we identified in that document led us to the design of what we believe is a next-generation fraud-management system," Leahy said.
Ericsson identified two major needs: an SS7 surveillance system with the ability to perform real-time fraud detection in a packet-switched environment and an artificial intelligence system to adjust rule thresholds within the profiling system automatically.
To attain these functions, Ericsson partnered with Inet (www.inet.com) and Searchspace (www.searchspace.com). The partnerships will give Ericsson use of Inet's SS7 GeoProbe, a product that extracts CDRs from the network in real time, and Searchspace's adaptive rule mechanism (ARM) for the artificial-intelligence component. Ericsson plans the first North American installation of the new version of FraudOffice, known as 2.0, in September.
Lightbridge and TSI are planning similar product updates during the next 18 months to accommodate the burgeoning risks of wireless data.
"We're moving toward a 3G profiler," said Lightbridge's Newberg. According to Newberg, the profiler will be highly scalable because next-generation networks will produce more data. The profiler also is being developed to gather information from various types of network elements and to react to changes quickly.
Nortel Networks recently released the 3G version of Cerebrus. The software enables real-time CDR analysis, a feature designed to reduce losses that could occur with the delayed processing of financial transactions such as purchases via mobile phones. The new version of Cerebrus also includes revenue-assurance applications. The company also plans to add financial-application modules to the software suite.
Next-Gen Catch 22
Although various vendors are building next-generation fraud detection solutions, some vendors wonder whether carriers will purchase them right now. TSI's Osborne said that wireless fraud departments' budgets are tightening because cloning fraud is down and wireless fraud in general isn't as epidemic as it was five years ago. Also, wireless fraud managers are more concerned about fighting today's fraud schemes than preparing to battle tomorrow's problems.
According to Osborne, North American ANSI-41 carriers, TSI's historic customer base, are focused on cloning and traditional subscription fraud.
"They've gotten better at fighting it. Their losses have been reduced, but if they stopped looking at it, it would probably blow up again," he said. "The next-generation fraud risks, like m-commerce, are still out on the horizon for them."
© 2012 Penton Media Inc.







