This article first appeared in the December 1997 issue of Monitoring Times.

CELLULAR COMPANIES FIGHT FRAUD

Fraud is on the run, according to the Cellular Telecommunications Industry Association (CTIA). At the annual Wireless Fraud '97 conference held recently in Orlando, industry investigators, law enforcement personnel, and security vendors gathered to discuss the latest efforts to combat fraud in cellular systems.

From its peak in 1995, losses due to "cloned" cellular telephones (see PCS Front Line, January 1997), the most significant source of fraud, have dropped in most major markets due in large measure to two technological solutions: authentication and radio frequency fingerprinting.

Authentication prevents cloning by requiring a cellular telephone to correctly answer a cryptographic challenge using a key that is known only the network and the legitimate phone. Since the key itself is never transmitted over the air, anyone monitoring the channel will be unable to answer the challenge correctly. With at least 30% of cellular telephones now in service and almost all newly manufactured phones support authentication, the industry expects cloning to be virtually eliminated in the next few years. Even now, carriers that have already implemented authentication have seen drops in cloning fraud of 90% or more, with a corresponding relief in network congestion. As a representative of Los Angeles Cellular put it, "We were building additional capacity to support the cloners."

Radio frequency (RF) fingerprinting systems prevent fraudulent calls by comparing the "signature" of the cellular telephone transmitter to a stored copy. Each cellular telephone transmitter has a series of parameters that make it unique, including phase noise, rise time, harmonics, peak deviation, and other characteristics that vary from phone to phone. When a cell phone attempts to access the network with a signature that doesn’t match the one on file, the call is "knocked down" and the presumed cloner is shut out. To date more than two millions calls have been knocked down by RF fingerprinting systems, although the two vendors of such systems at present cannot share fingerprint databases with other. Cellular telephone "signatures" gathered on one vendor's system cannot be used on the other, leaving a gap that some fear may be exploited.

FUTURE FRAUD

Overall more than $300 million has been invested in antifraud technology. As attacks on the air interface become less and less successful, more attacks are expected on the cellular network, including hacking attempts on the computers that store customer data. More than 22,000 telecommunications switches are vulnerable to outsider penetration, and many of these are in unmanned facilities and administered remotely, protected only by a simple username and password. With the advent of competitive local service, more entry points into the telephone network will open up, increasing the risk for intrusion.

"Social engineering" of company employees by outside persons seeking information under false pretenses is also on the rise as new carriers scramble to staff their operations. Checking the background of these employees is important, as unscrupulous employees releasing unauthorized information also top the list of a telecommunications carrier's security weaknesses.

Because wireless carriers are in the credit-granting business, they are subject to the same kinds of fraud that other companies suffer, such as credit card and other credit-granting businesses. Increasing numbers of criminals are using false identification to apply for service with no intention of paying the bill. This subscription fraud is currently the fastest-growing area of wireless crime, and industry efforts are underway to apply procedures and policies from the financial services arena to limit such losses.

The CTIA sees itself as doing all this for the greater good of society, since the cellular telephone has become the "tool of choice for crooks" because of the anonymity and mobility it provides, by preventing fraud they help stop other crimes in which these thieves are usually involved.

PAGER EAVESDROPPING

More than 40 million Americans now carry pagers, but messages sent over these broadcast systems are subject to interception as two recent, high profile events indicate.

In August, three men were arrested in New York and face a number of charges, including violating the Electronic Communications Privacy Act (ECPA) for allegedly intercepting pager messages destined for senior members of the New York police and fire departments as well as the mayor's office, the bomb squad, and a district attorney's office. The men are employees of Fort Lee, New Jersey-based Breaking News Network (BNN), which provides immediate notification of significant fire and news events in the Mid-Atlantic region via pager to thousands of subscribers, primarily media organizations including the Associated Press, the New York Post, and several New York television stations.

The U.S. Attorney's office claims these pager messages, deemed "too sensitive" to be broadcast over police radio, were received by BNN and contained such details as the location of state and federal officials, witnesses, and injuries to police officers. They also warned that "if you are using a paging system, your communications may not be secure... No governmental agency or business is immune from this illegal monitoring."

It appears that messages were intercepted via a radio receiver and pager decoding software as well as a number of "cloned" pagers. A person familiar with the case has suggested that BNN was caught retransmitting a false message deliberately sent out to trap them. If BNN passed along incorrect details that could only have come from the false message, police could prove they were involved in pager interception.

This is believed to be the first-ever prosecution for the interception of pager messages. If convicted, each of the three men could face five years in prison and a $250,000 fine on each charge.

NEWARK,NJ(ESSEX CO) W/F: 991 FRELINGHUYSEN AVE ENG.19 RPTS A FIRE

IN AN 11TH FLR APT. TROUBLE FORCING ENTRY. RESCUE 1 RPTS AN VICTIM IN CARDIAC

ARREST ON THE 11TH FLR PERFORMING CPR. SIGNAL 11 (A/H'S) BNN/145

9/6/97 4:16 PM

U/D SMITHFIELD RI- PLANE HAS EXPLODED AND IS ON FIRE. ALL VICTIMS

ARE BELIEVED TO BE REMOVED PRIOR TO THE FIRE. BNN134

9/6/97 5:45 PM

QUEENS,NY *PERP SEARCH* 41ST AVE AND 21ST ST. PERP WANTED FOR A SHOOTING. ESU

REQ POWER SHUT DOWN IN SUBWAY STATION. BNN53

9/6/97 10:36 PM

U/D MANHATTAN,NY *BARRICADED PERP* 435 EAST 105TH ST. PERP IS WANTED IN

CONNECTION WITH A STABBING. ESU ON SCENE. BNN53

9/6/97 10:44 PM

HACKENSACK,NJ (BERGEN) *STOVE EXPLOSION* 40 PASSAIC ST. STOVE

EXPLODED BURNING 1 VICTIM. UNK CONDITION. EMS ENR

9/6/97 10:55 PM

Figure 1: Sample messages from Breaking News Network

WHITE HOUSE PAGERS

In September a transcript was posted on the Internet of what appeared to be messages from the White House staff and Secret Service paging system operated by the White House Communications Agency. The messages, sent during an April visit to Philadelphia by President Clinton and gathered by commonly available pager interception software, reveal on a minute-by-minute basis the departure of Clinton from Andrews Air Force Base, his arrival in Philadelphia, and his travel to Foster Stadium and later to the Wyndham hotel. Other messages show telephone callers waiting for the President that included Bob Dole and Chelsea Clinton, as well as a number of mundane messages regarding food, keys, sports scores, and personal comments.

+------------------------------ APR 27 09:24 AM ------------------------------+

G0000052103 ==> EAGLE DEPART|ANDREWS. OP|142|

+------------------------------ APR 27 09:49 AM ------------------------------+

G0000052103 ==> EAGLE|ARRIVE.OP|142|

+------------------------------ APR 27 10:14 AM ------------------------------+

G0000053593 ==> EAGLE DEPART|PHILLY|AIRPORT 1012|AM...OP85|

+------------------------------ APR 27 10:17 AM ------------------------------+

G0000052034 ==> EAGLE|ENROUTE|FOSTER|STADIUM...OP85|

+------------------------------ APR 27 10:27 AM ------------------------------+

G0000054146 ==> EAGLE CALL|MR BOB DOLE|HOLDING CALL|SWBD OP#103|

+------------------------------ APR 27 10:33 AM ------------------------------+

G0000053593 ==> EAGLE ARRIVE|FOSTER|STADIUM...OP85|

+------------------------------ APR 27 11:49 AM ------------------------------+

G0000055532 ==> YOUR CAR IS BEING TOWED FROM MC SITE. RETURN ASAP

G0000053989 ==> THIS IS A TEST OF AF-1 GROUP PAGE. REQUESTED BY CDR

RICHARDSON

+------------------------------ APR 27 12:47 PM ------------------------------+

G0000055538 ==> CALL THE AIRCRAFT

+------------------------------ APR 27 01:09 PM ------------------------------+

G0000052845 ==> EVERYTHING GOING CO DIAL TO AND FROM TRIP SITE, OUR ESCAPE

PLAN IN EFFECT.COLE

+------------------------------ APR 27 01:18 PM ------------------------------+

G0000054197 ==> MEXICO CITY HAVING SAME PROBLEMS, COLE SENDS. THANKS FOR

YOUR SUPPORT

+------------------------------ APR 27 02:18 PM ------------------------------+

G0000052170 ==> IF YOU DON'T COME BACK WITH FOOD....DON'T COME

BACK---AIRBORNE!!!

+------------------------------ APR 27 02:34 PM ------------------------------+

G0000054489 ==> MINOR HOSTAGE SITUATION IN TEXAS..NOT MUCH KNOWN NOW..WILL

ADVISE...PEOC

+------------------------------ APR 27 02:42 PM ------------------------------+

G0000052034 ==> EAGLE DEPART|FOSTER|STADIUM|ENROUTE|WYNDHAM|HOTEL...OP85|

+------------------------------ APR 27 07:25 PM ------------------------------+

G0000054013 ==> PLS CALL PHILLY SIG FOR MARY STEAMVIRGIN FOR 1ST LADY

+------------------------------ APR 27 07:53 PM ------------------------------+

G0000052034 ==> EAGLE DEPART|WYNDAM HOTEL|ENROUTE|CONVENTION|CENTER.|

+------------------------------ APR 27 07:56 PM------------------------------+

G0000052107 ==> EAGLE ARRIVE|CONVENTION|CENTER|

+------------------------------ APR 27 09:01 PM ------------------------------+

G0000052684 ==> EAGLE CALL|2ND REQUEST|CHELSEA|CLINTON|HOLDING CALL|SIGNAL|OPERATOR 142|

Figure 2: Portion of White House pager transcript

ENCRYPTION

These events come as the Administration and Congress wrestle with encryption legislation. Law enforcement agencies have long proclaimed that effective encryption would hamstring their ability to investigate suspected criminals while privacy advocates and software companies argue that such encryption is protected under Federal and common law and is required for secure electronic commerce. Such arguments have not swayed law enforcement, as FBI Director Louis Freeh recently suggested to a Senate committee that use of strong cryptography by American citizens should be banned, since a potential criminal could hide their telephone calls and electronic mail behind a privacy shield that the FBI could not pierce.

The FBI has also been aggressive in strong-arming telecom equipment providers, according to the Telecommunications Industry Association (TIA). Under the 1994 Communications Assistance to Law Enforcement Act (CALEA), equipment manufacturers are required to provide wiretap access to law enforcement agencies under a set of industry agreed-upon guidelines. TIA is upset that the FBI has shut out equipment providers and attempted to convince carriers to purchase wiretap features that are more intrusive to privacy than the 1994 law allows. The carriers themselves have also complained of the FBI's heavy-handed tactics in forcing implementation that goes beyond legal boundaries. In addition, this summer the CTIA requested that the FCC intervene and arbitrate the ongoing dispute between the FBI and the telecommunications industry as to the technical standards of the wiretap law. The final outcome of this remains uncertain as the October 1998 deadline for implementation of CALEA nears.

That's all for this month. More details and web page links are available at http://www.grove.net/~dan, and I welcome electronic mail at dan@decode.com. Until next month, happy monitoring!


Comments to Dan Veeneman

Click here for the index page.
Click here for the main page.

Updated May 1, 2003