 |
|||||||
 |
 |
|
|||||
Cellular Business
June 1997 Managing Cellular FraudBy Roseanna DeMaria
A multifaceted fraud management plan will keep you one step ahead of the cellular fraudster.
Security management in the 1990’s is a business skill that is routinely misunderstood and undervalued. It requires a pro-active approach to meeting security goals supported by business-case-driven decisions. The effective execution of this strategy will become a competitive differentiator in the marketplace as we move toward the millennium. Unfortunately, the execution component of this plan is not without its challenges. While fraud affects every part of our business, it frequently is relegated to a security team — if there is one. Yet the security team is not the starting point for fraud management in our business. To successfully manage fraud, all managers must have security-related objectives in their performance plans. Similarly, securing the company’s assets must be part of every employee’s job. In sum, good security practices must become habit in the workplace. This cannot be achieved without the uniform, visible and enthusiastic upper-management support that ‘walks its talk’ with an openly demonstrative commitment to good security practices. Security values must be inextricably interwoven into the corporation’s culture. The likelihood of success is astronomical for a cellular fraud management plan in a corporate culture that prioritizes good security practices in the workplace and in the operation of the carrier’s network. The creation of such a fertile, security-infused culture requires a comprehensive approach to security that addresses physical security needs, network and system security needs, information security needs, and internal compromise issues. When facilities, systems and the workplace have been secured, the cellular fraudster’s harvesting efforts fail, and he cannot find a secondary avenue of attack. Cellular fraud’s management has earned its place as a core priority in any wireless carrier’s security plan. The fraud losses of the early 1990s provide adequate support for making this criminal challenge a priority. The cellular fraudster is unique because he consists of two kinds of criminals: the clone-phone manufacturer/distributor and the clone-phone end user. The former is a merchant selling to a community of criminal customers. Like any other entrepreneur, his motive is money. The vast majority of clone-phone end users are criminals seeking anonymous, ubiquitous communication service to further their own criminal enterprise. When the anonymity of the cloned phone is eroded and the quality of “anytime, anywhere” service dissolves, this criminal racketeer will pursue other forms of communication. Demands for this illicit device will decrease, and the manufacturer/distributor will find himself without a revenue stream. Cellular fraud cannot be addressed merely by incorporating it into a generic security approach that does not address this criminal’s demonstrated needs. A specific targeted fraud management plan is necessary to eradicate this threat. Effective cellular fraud management is driven by a clear understanding of the criminal customer’s perspective and resilience. Consequently, the fraud plan must be flexible as the criminal in achieving its goal. A singular solution does not exist. Combating the cellular fraudster requires a multifaceted attack. Because cellular fraud affects every part of the carrier’s business, an interdisciplinary team with representatives of each core-business department is necessary to launch the attack. Within this framework the fraud plan can be constructed. OPERATIONAL EFFICIENCYThe plan’s first goal is to ensure its own operational efficiency, namely to unite all fraud management efforts within regions and across regions. This is done by creating interdepartmental fraud teams to launch region-specific, multifaceted attacks. The unification goal is critical to maximizing the plan’s impact. Each fraud team should have a “coach” or single point of contact for plan coordination, as well as an executive sponsor or upper management member who is the fraud-process owner.The coordination of the attack is dependent on clearly communicating that the plan to the team and across the organization. The executive sponsor must ensure the plan’s deployment becomes a priority. Ongoing communication will ensure that that the plan be modified to address changes in the criminal’s attack. DETERRENCEThe second goal is deterrence. The fraudster must be deterred by eliminating the fraud threat both inside and outside the carrier’s company. Education and awareness enables the employee base to identify the threat and react appropriately while also underscoring the importance of the fraud plan’s deployment. By understanding the crime, customers can assist the carrier’s fraud efforts and better appreciate their added value. For example, an educated customer will appreciate the value of an authentication-capable phone. By educating and supporting the law enforcement customer, the carrier can send a “live” deterrence message to the criminal through arrest and conviction.The “criminal customer” obviously does not need to be educated on the crime. The carrier, however, must tell this illicit customer, “We know where you are. We know what you are doing. We will stop you.” This message is sent through prevention and detection technologies that erode the quality and longevity of the clone phone’s service. It also is sent through the media when carriers publicize their fraud management efforts and successes. AT&T Wireless Service used the direct approach and launched a public ad campaign on billboards, buses, trains and ferries that stated, “Cellular service has gotten very sophisticated, now it can even track the criminals who steal it.” This message, however, will not succeed in the absence of fraud prevention and detection technologies that directly affect the quality of the clone-phone product. The deterrence goal must include a strong message of zero tolerance to the criminal. PREVENT & DETECTThe third goal is to deploy a pluralistic set of prevention and detection technologies throughout the carrier’s service area. Technology is the “quarterback” of the carrier’s fraud team. It plays a critical role in driving the success of the other fraud-plan goals. The success of prevention/detection tools will determine the quality of the criminal customer’s product and directly influence the criminal-customer demand in the marketplace.Prevention is the preferred technology because it precludes the cloned phone from functioning in the first place. Hence, it is important that the carrier use a panoply of prevention tools to address the challenge. The spectrum of available prevention tools includes personal identification number (PIN) protection, RF fingerprinting, voice verification and the “nuclear weapon” of prevention – authentication. Authentication will change the cloning frontier dramatically. Its deployment across the cellular industry will cause the criminal to seek electronic serial numbers (ESNs) and mobile identification numbers (MINs) that are not prevention- and technology-protected. The “low hanging fruit” of unprotected roaming numbers and non-authenticating numbers will become targets for cloning. Accordingly, prevention tools such as PIN protection or RF fingerprinting will play an important role. Detection is visibility into the phones operating on your system. A profiling tools is vital to any fraud management plan, and it must be as flexible and expansive as the system with which your phones operate. Visibility into roaming numbers is mandated by the natural increase in roaming fraud that results from the deployment of effective prevention technologies. Detection also is the means by which you can identify, measure and address any breaches in your prevention technologies. MIGRATIONThe forth and final goal is preparing for the fraud migration that will result from the successful deployment of the above goals. When the criminal can no longer easily scan ESN/MINs, he will break into physical facilities, break into systems and try to bribe carrier employees. The carrier must be ready to meet the criminal on these new frontiers. Consequently, carriers should be conducting risk assessments in these areas to identify specific vulnerabilities. When the criminal arrives, the carrier’s security measures should be there to meet him at the door and promptly escort him out.The anatomy of a meaningful cellular fraud management plan, first and foremost, is driven by the people deploying it. Effective fraud management is an achievable goal in a business that prioritizes securing its assets, something any successful competitor must do.
DeMaria is vice president of business security for AT&T Wireless Services, Kirkland, WA.
|
|||||||