This article first appeared in the January 1999 issue of Monitoring Times.


The nature of fraud in cellular telephone systems is changing as service providers incorporate new defenses. Three years ago the industry reported fraud losses of $800 million due primarily to the use of "cloned" cell phones (see PCS Front Line, January 1997). In 1998 those losses dropped to less than $300 million as two anti-fraud technologies, authentication and radio frequency fingerprinting, came into widespread use.


Authentication uses a cryptographic process to determine whether a cellular telephone is legitimate or not. Before the phone is activated it is programmed with a secret number called an A-key, a copy of which is also stored in the cellular service providerís computer. The A-key is used by the phone and the service provider to generate Shared Secret Data (SSD).

When a phone attempts to place a call, the service provider issues a mathematical challenge to the phone. The phone uses the SSD to compute a response, which it sends back. The service provider checks this response using a local copy of the SSD, and if the two answers match the phone is allowed to place the call. Cloned phones will presumably not have the correct SSD and will fail the challenge-response process.

in 1996, 21 of the 100 top cellular markets had authentication, and only a handful of cellular telephones were capable of performing the process. Today, two-thirds of the top 100 markets have authentication in place and the majority of new phones are authentication-capable.

Interestingly enough, almost no PCS providers are using authentication. There are also other hurdles. Certain safety features of the authentication process are not used, and many carriers use the same A-key for all phones in their network. So far none of these weaknesses have been exploited by criminals, and by and large authentication has been very successful. Roseanna DeMaria, Vice President of Business Security at AT&T Wireless, calls it "the nuclear weapon of fraud prevention."

Radio Frequency Fingerprinting

Just as no two human fingerprints are exactly identical, transmission characteristics vary slightly between individual cellular telephones. Such technical details as phase noise and harmonic spectra can uniquely identify a particular cell phone transmitter. By checking this transmitter signature against a known good signature, an RF fingerprinting system can determine whether a cell phone trying to place a call is the real thing or an impostor.

In 1996, 19 of the top 100 cellular markets had installed radio frequency fingerprinting systems. Today 73 are performing fingerprinting, with increasing interest from PCS carriers and operators in other countries.

Wireless Telephone Protection Act

Congress listened to the wireless industry lobbyists and passed the Wireless Telephone Protection Act, signed by the President and now Public Law 105-172, making it illegal to possess, produce or sell hardware or software used for cloning a wireless telephone. This act removes the "intent to defraud" clause in the previous law, relieving prosecutors of the task of proving a defendant intended to defraud service providers. It is now simply illegal in the United States to own certain types of hardware or software. A first offense is now punishable by 15 years in prison, and a second or subsequent offense carries a possible 20 year sentence. Besides additional fines and penalties, the Act also authorizes the government to seize any and all personal property used or intended to be used in the crime.

Although described as only related to cloning cellular telephones, the wording of the Act covers a great deal more:

18 U.S.C. 1029(a)(9) "knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization."

This is broad enough to include Internet access, voicemail accounts, and many other information services carried via a telecommunications network.

Fraud is still occurring despite these technical and legislative tools, and new forms are emerging.

Subscription Fraud

Wireless carriers now view fraudulent subscriptions as the biggest threat to their bottom line. Individuals with no intention of paying for service are signing up with fake identification or using the stolen credentials of others, causing a reported loss in 1998 of more than $300 million. In response, the wireless industry is beginning to implement the safeguards that other credit-granting companies do, including checking for bad addresses, mismatched telephone numbers, and other obvious inconsistencies. Carriers are also learning the patterns of subscription fraud, including the common indicator of a billing address change within the first 15 to 30 days of opening an account.

Late in the 105th Congress the Identity Theft and Assumption Deterrence Act was passed and is now Public Law 105-318. It specifically addresses wireless subscription fraud, but overall prohibits the unlawful possession, transfer, or use of a "means of identification" of another person. It is promoted as a tool to fight criminals that gain access to someoneís credit card, Social Security number, or other identification and use it to acquire goods or services. Occurrences of identity theft have been increasing in recent years as lax privacy standards and large computer databases make it easy to gather sensitive information about almost anyone.

Insider Fraud

Wireless carriers are also beginning to realize that their own employees contribute to fraudulent activity, with sales people doing everything from establishing fraudulent or fictitious accounts to activating accounts with going through the billing system. Numerous employees from a variety of cellular companies have been caught selling identification numbers or other access codes to criminal enterprises, or using their position of trust to reveal competitive information.

Network Intrusions

Like most modern businesses, wireless service providers rely on computers to do everything from controlling the wireless network to generating billing statements, and are beginning to realize that their computers are not well protected. Last summer at the Black Hat Briefings, one of the premier computer security conferences held each year, information security specialists described numerous specific, real-world attacks launched against data networks. Many of these attacks exploit weaknesses in certain operating systems and improperly configured support software commonly used by wireless service providers.

However, not all network intrusions are performed by persons with extraordinary computer skill. Such simple things as poor password selection have led to more system compromise than esoteric software bugs. For example, one study by a Black Hat participant reported that at least five percent of all administrative passwords are the word "password," with many others easily guessed. This is borne out by an admission by AT&T Wireless that all of their security breaches in the past year were due to identification/password management problems of one kind or another.

The Bottom Line

While it is true that fraud is costing wireless service providers money, each company has to answer the question, what's an acceptable level of fraud? Clearly it is not financially reasonable to spend more money on fighting fraud than would be lost to it otherwise, so companies must strike a balance between detecting, preventing, and prosecuting fraud and the losses they incur. With the drop in reported losses from four percent of industry revenue three years ago to less than half a percent currently, expect fraud departments to shrink and corporate resources to be spent elsewhere, at least until the next form of fraud becomes commonplace.

220 MHz

For those of you still counting, the Federal Communications Commission (FCC) completed their 17th auction in October of 1998. More than 900 licenses were up for bid in the 220 MHz band, which was taken away from the Amateur Radio service a few years ago.

Three nationwide licenses, six licenses in each of five Regional Economic Area Groups, and five licenses in each of 175 Economic Areas represent "Phase II" of the licensing process for this band. Phase I occurred in 1992 and 1993 by lottery.

The 220 MHz service is divided into 200 channels of 5 kilohertz (kHz) each. Each channel is a pair of frequencies, with base stations transmitting between 220 MHz and 221 MHz, and mobile or control stations transmitting exactly one MHz higher.

Although one of the original goals of the 220 MHz service was to encourage the development of spectrally efficient technology to work in the narrow 5 kHz channels, the FCC has relented and will allow license holders of adjacent channels to combine them into wider frequency blocks.

Channel Assignments in the 220 - 222 MHz Band
ChannelBase FrequencyMobile Frequency
1 220.0025 221.0025
2 220.0075 221.0075
3 220.0125 221.0125
... ... ...
199 220.9925 221.9925
200 220.9975 221.9975

Channels 21 through 30 and 151 to 160 were licensed in nationwide 5-channel blocks for non-Government users during Phase I. Channels 111 through 120 are nationwide 5-channel blocks for Government use.

Channels 161 through 170 and 181 through 185 were set aside during Phase II as non-nationwide channels for Government users. Ten channels (161 - 170) go to Public Safety Radio Services (PSRS) and five channels (181 - 185) are for Emergency Medical Radio Service (EMRS).

Of the PSRS channels, 161 through 165 are licensed on a shared basis to all eligible public safety agencies. These will be the common mutual aid channels that agencies will use to communicate with each other during combined operations. The other five channels (166 though 170) are for exclusive use to a single license holder.

Three licenses for 30 nationwide channels were auctioned, with SMR equipment manufacturer Intek Global winning two.

Nationwide Licenses
1 51 - 60
2 81 - 90
3 141 - 150

In an attempt to be fair to auction participants and Phase I license holders, the FCC worked out the idea of "channel groups." These groups are made up of five non-contiguous channels within the band. These groups are used in the non-nationwide licenses.

Channel GroupChannels
1 1, 31, 61, 91, and 121
2 2, 32, 62, 92, and 122
... ...
19 19, 49, 79, 109, and 139
20 20, 50, 80, 110, and 140

Economic Area Licenses

Five blocks of 10 channels each were auctioned for 175 geographic areas called Economic Areas (EAs). Based on work by the Department of Commerce, these EAs represent collections of counties that are tied together by business activity.

BlockChannel Groups
A 2, 13
B 3, 16
C 5, 18
D 8, 19
E 171 - 180

Regional licenses

Six geographic areas called Regional Economic Area Groupings (REAG) each have fifteen channels, for a total of 75 REAGs. These REAGs are simply collections of EAs, each the size of several states.

BlockChannel Groups
F 1, 6, 11
G 4, 9, 14
H 7, 12, 17
I 10, 15, 20
J 186 - 200

The auction sold 693 of the 908 available licenses, with bids totaling more than $21 million. Each license is good for 10 years, and each winner must meet timetables for buildout of their services. These frequencies will be used by Specialized Mobile Radio (SMR) companies primarily for business use, including paging, data networking, and some digital voice services. The remaining licenses are expected to be reauctioned in June of 1999, presuming a sufficient number of participants can be found.

That's all for this month. I welcome your electronic mail at, and a variety of technical information is available on my website at Until next time, happy monitoring!

Comments to Dan Veeneman

Click here for the index page.
Click here for the main page.