Illegal traffic termination has become one of the main ills of any telecommunications operator. The operators most affected are those in countries where international communication is much more expensive than local traffic. The government's attitude towards this kind of "business", if I may call it that, also plays no small role. The countries that suffer most from this type of fraud include those of Africa, the Balkan Peninsula and, of course, the CIS.
As you know, the essence of this type of fraud is to route international voice or SMS traffic so that it bypasses the proper switching equipment. As a result, a number of problems arise. First, the operator loses money on interconnect settlements. Second, the quality of communication suffers: there are extraneous noises, delays and frequent call drops. Third, the caller's number is changed.
A few years ago, only people with the relevant technical education could engage in this type of fraud, but today a "business" of this kind can be bought on a turnkey basis. On the Internet there are many offers from organizations that, for a reasonable price, are ready to sell and set up the necessary equipment, install specialized software that simulates human activity, put the buyer in touch with traffic originators, and provide 24-hour technical support. And of course, they will teach where to place the equipment and which settings to use, so that it is more difficult for operators to identify and block the fraudster's SIM cards.
As of 2016, two main types of systems are used worldwide to identify this type of fraud:
Active systems detect fraudulent numbers by making test call sessions (pings) from different parts of the world to the operator's numbers.
Passive systems analyze subscriber activity for signs of "humanity".
With active systems everything is more or less clear. Configuring passive systems, however, requires deep analysis to identify the main criteria that distinguish fraud cards from living subscribers. This is not as easy a task as it may seem at first glance.
Modern control systems allow the SIM cards in gateways to:
- send and receive messages with pre-prepared text;
- make calls and answer them, playing a recording of a real conversation into the voice channel;
- create groups, imitating communication with regular contacts (friends);
- simulate movement between locations that varies with the time and the day of the week;
- send USSD requests to check the balance and activate bonuses, and read the required information from the responses;
- keep track of balances and bonuses;
- follow a schedule for distributing traffic volumes during the day and across the days of the week.
We suggest paying attention to some features of how these systems imitate human activity. They can be used as additional ways to identify fraudsters' SIM cards, or to complicate life for the rogues.
The terminator needs to monitor balances and bonuses on its SIM cards, so that a number does not suddenly go silent. (After all, terminators also need to maintain a reputation in the eyes of their customers.) The traffic control systems can send USSD commands to check balances and activate bonuses, and can read the necessary information from the responses. If the response cannot be read after several attempts, the system often unloads the SIM from the gateway. If the operator periodically makes small changes to the USSD response, so that parsing the text against a mask becomes more difficult, it is theoretically possible to make the parser fail and, as a result, complicate the fraudster's life.
When imitating human activity, the system places calls between the numbers in the gateway. Thus, when a terminator's number is detected, its connections with other SIM cards should be analyzed.
The system that controls the termination allows multiple locations to be created and the movement between them to be customized. Because instantaneous movement over a long distance would look suspicious, a delay is set between leaving one location and appearing in another, and the SIM card is switched off for the duration of the delay. Based on this feature, it is worth analyzing the geography of subscribers' movement: do they move gradually, or do they jump between locations, bypassing intermediate base stations? It also makes sense to look at other numbers whose list of locations coincides with the locations of the numbers already identified.
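One way to run the movement analysis described above, as an added example that is not part of the original article. The neighbour map, the event tuples, the thresholds and the function names are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed neighbour map: cells reachable directly from each cell.
NEIGHBOURS = {"A1": {"A2"}, "A2": {"A1", "A3"}, "A3": {"A2", "A4"},
              "A4": {"A3", "A5"}, "A5": {"A4"}}

# Constructed location events: (number, minute of day, serving cell).
EVENTS = [
    ("700", 480, "A1"), ("700", 495, "A2"), ("700", 510, "A3"), ("700", 530, "A4"),
    ("701", 480, "A1"), ("701", 540, "A5"), ("701", 900, "A1"), ("701", 960, "A5"),
    ("702", 500, "A5"), ("702", 560, "A1"),
]

def movement_profiles(events, neighbours):
    """Per number: (set of cells seen, non-adjacent cell changes, all cell changes)."""
    tracks = defaultdict(list)
    for number, _minute, cell in sorted(events):
        tracks[number].append(cell)
    profiles = {}
    for number, cells in tracks.items():
        moves = [(a, b) for a, b in zip(cells, cells[1:]) if a != b]
        jumps = sum(1 for a, b in moves if b not in neighbours.get(a, set()))
        profiles[number] = (frozenset(cells), jumps, len(moves))
    return profiles

def jumpers(profiles, min_ratio=0.8, min_moves=2):
    """Numbers whose cell changes mostly skip the intermediate base stations.
    A real handset also skips cells when switched off, hence the thresholds."""
    return sorted(n for n, (_c, jumps, moves) in profiles.items()
                  if moves >= min_moves and jumps / moves >= min_ratio)

def location_peers(profiles, known_fraud):
    """Other numbers whose location list coincides with an identified number's."""
    fraud_sets = {profiles[n][0] for n in known_fraud}
    return sorted(n for n, (cells, _j, _m) in profiles.items()
                  if n not in known_fraud and cells in fraud_sets)

if __name__ == "__main__":
    p = movement_profiles(EVENTS, NEIGHBOURS)
    print("jumpers:", jumpers(p))
    print("same locations as 701:", location_peers(p, {"701"}))
```

Number 702 has too little history to be flagged as a jumper, but it is picked up because its location list matches that of 701.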
Of course, it is unlikely that the methods described above apply to all operators and all terminators. But, in my opinion, it makes sense to analyze terminators' traffic through the prism of these features.
If a universal method is needed to supplement a system for detecting illegal termination, the best result is obtained by reconciling outgoing roaming calls, taken from TAP files and NRTRDE, against the incoming calls received by the operator's own called subscribers.
In general, the control logic is as follows: subscriber A is roaming and calls subscriber B; both A and B are the operator's subscribers. If subscriber B received an incoming call of the same duration from number C at that time, then number C is terminating traffic. Of course, such a check does not compare with test calling, but, as practice has shown, it can be a pleasant addition with a high percentage of accuracy.
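The reconciliation described above, as an added example that is not part of the original article. The record layout, field names, tolerances and phone numbers are constructed for the illustration; real TAP/NRTRDE and switch records would first have to be normalized to a common number format and time zone.

```python
from collections import Counter
from datetime import datetime, timedelta

START_SKEW = timedelta(seconds=60)   # assumed clock skew between networks
DURATION_SKEW = 3                    # assumed rounding difference, seconds

# Constructed records; field names are hypothetical, times already in UTC.
ROAMING_OUT = [  # outgoing calls of own roamers, from TAP/NRTRDE
    {"a": "99955000001", "b": "99955000100", "start": "2016-05-10 12:00:05", "dur": 125},
    {"a": "99955000002", "b": "99955000101", "start": "2016-05-10 12:30:00", "dur": 60},
    {"a": "99955000003", "b": "99955000102", "start": "2016-05-10 13:00:00", "dur": 300},
]
HOME_IN = [  # incoming calls received by own subscribers
    {"calling": "99955000777", "called": "99955000100", "start": "2016-05-10 12:00:20", "dur": 124},
    {"calling": "99955000002", "called": "99955000101", "start": "2016-05-10 12:30:08", "dur": 60},
    {"calling": "99955000777", "called": "99955000102", "start": "2016-05-10 13:00:10", "dur": 301},
    {"calling": "99955000888", "called": "99955000102", "start": "2016-05-10 15:00:00", "dur": 300},
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def find_terminators(roaming_out, home_in):
    """Count, per C number, incoming calls that mirror a roamer's outgoing call."""
    by_called = {}
    for cdr in home_in:
        by_called.setdefault(cdr["called"], []).append(cdr)
    hits = Counter()
    for call in roaming_out:
        for cdr in by_called.get(call["b"], []):
            same_time = abs(ts(cdr["start"]) - ts(call["start"])) <= START_SKEW
            same_dur = abs(cdr["dur"] - call["dur"]) <= DURATION_SKEW
            # A correctly routed call still shows A as the caller; another
            # number in its place at the same moment is the C number.
            if same_time and same_dur and cdr["calling"] != call["a"]:
                hits[cdr["calling"]] += 1
    return hits

if __name__ == "__main__":
    for number, count in find_terminators(ROAMING_OUT, HOME_IN).most_common():
        print(number, count)
```

A C number that matches repeatedly across different roamers is a much stronger signal than a single coincidence, which is why the function returns counts rather than a flat list.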
Combating illegal traffic termination is a difficult and expensive task. But if the situation is left to take its course, the day will come when interconnect revenue is history for the operator.