Even if the SIM card does ultimately prove itself invulnerable to cloning, GSM will still not put a stop to fraud. Eileen McGrath-Hadwen explains why.
The GSM networks in operation throughout the world all share a common goal -- to deliver high quality, reliable and secure wireless communication services to their subscribers. The design of the GSM network, and later the DCS1800 network, was a tremendous effort of will, engineering talent, financial capital and marketing foresight. The resulting standard created a more secure way to deliver wireless telecommunications services compared with the analogue networks in operation at the time. The selection and endorsement of the GSM standard by many countries around the world today is testimony to the success of that effort.
Increasing numbers of wireless subscribers demand seamless operation of their services while roaming to and from their homes, offices, and wherever their personal and business interests may draw them. Their itineraries may take them to a meeting in the same city where they live, elsewhere in the same country, or even to a compatible network on the other side of the world. Herein lies the crux of the problem. Accelerating use of mobile communication services by a growing subscriber base, across an expanding network of participating roaming partners, has created an opportunity to technically defraud the GSM network to a degree most participants in the early design of the network would not have thought possible.
The experience of fraud in analogue and D-AMPS wireless networks in the US and elsewhere provides a good glimpse into how fraud mutates over time, always seeking the path of least resistance. What was once solved with subscriber and handset identity validation by the Home Location Register (HLR) and Visitor Location Register (VLR) transformed into a new form of fraud via the capture and transmission of valid identity pairs by impostors. In other words, fraud has mutated from tumbling into cloning.
What was solved with the use of Personal Identity Numbers (PINs) transformed into a new form of fraud via the capture and transmission of those stolen PINs, or via the hijacking of a voice channel by a fraudster once the network security checks had been performed. The battle, and the list of new forms of fraud, goes on. It is the analogue carriers' painful experience that for any one technological solution to fraud, there exist a multitude of ways to circumvent that technology. The security goal becomes less a search for the silver bullet, and more a process of gathering as much hard data as possible about what is actually happening on the network, in order to detect and mitigate the changing forms of wireless fraud as they emerge. Normally, when faced with the threat of billions of dollars of wireless fraud, the impulse is to build more and more complex technological solutions to prevent a security breach. Fraud always targets the weakest link. In the GSM network today, the weakest links are in international roaming markets. The "challenge and response" technique incorporated into the GSM authentication process allows the Subscriber Identity Module (SIM) to verify its International Mobile Subscriber Identity (IMSI) by demonstrating knowledge of the authentication algorithm and the unique key, Ki. According to the protocol, the home system sends a random challenge to the handset. Only the handset can encrypt the challenge, using both the algorithm and the Ki resident within the SIM assigned to that subscriber. Using the stored algorithm, the SIM is able to generate the correct response back to the home system. In such a protocol, the single point of failure is the Authentication Center in the home system. However, with diligence and adherence to strict security protocols, the Authentication Center could conceivably be made reasonably secure from theft of IMSI and Ki sets, by both outside and inside thieves. In theory, authentication should prevent fraudulent access to wireless service.
However, the high technology route may miss the mark. The methods used to defraud a system often revolve around quite simple and direct applications of the principle that a chain is only as strong as its weakest link. Let's take a look at increasing international roaming in GSM networks as one example of this principle in action. As mentioned above, GSM and DCS1800 networks are expanding at unprecedented rates. The volume of billable calling traffic is increasing to levels that were only dreamed of just a few years ago. Of course, in order to deliver billable calling traffic, locally or across the globe, there is a tremendous amount of non-signaling traffic which is required to support all that billable activity. The validation and authentication protocols themselves, which must be transmitted in order to deliver secure wireless service for each call, consume a good deal of communications overhead. In order to provide for the volume of calling and non-signaling traffic required today, network administrators may choose to configure their VLRs to stand in as alternates for the "unique challenge and response" protocol of authentication. Instead of requiring the home system to test the results of the authentication "challenge and response" while the subscriber is roaming, the HLR may abdicate its authentication responsibilities to the VLR. In this scenario, it is the serving system's VLR which sends the unique challenge and tests the response from the SIM. To remove some of the intersystem communications traffic, the VLR will have requested and received the triplets from the home system before issuing the unique challenge. The response is then tested against a fresh set of stored triplets -- the unique challenge, the response, and Ki. The serving system has two additional configuration options. The VLR may choose to re-use the triplets in order to further reduce the traffic back to the home system for fresh triplet sets.
The VLR may also be configured not to authenticate on every call. Today, the network designers' goal is to deliver wireless service to roaming subscribers within the constraints of the intersystems network capacity. Unfortunately, this is counter to the previous goal we have been discussing, namely the application of sophisticated authentication technologies to deliver wireless service in a secure network. If increasing network traffic efficiencies are the goal, then it becomes expedient to relax the very deployment of the oft-admired GSM authentication protocol. Contrary to the better judgment of the original designers of the system, it becomes reasonable to allow the VLR to subsume the role of the home system, opening up the VLR to theft of valid authentication triplets. It even becomes acceptable to reuse authentication triplets at the VLR instead of reaching back to the home system for fresh sets. Amazingly, it becomes all right to configure the home or visited system not to authenticate on each and every call. Success appears to be the culprit in the rising tide of GSM international roaming fraud. There is too much traffic to do it right. The hard choices in deploying GSM authentication today are but one example of the weak spots that fraudsters target in their attack on GSM networks. With the expansion of GSM networks, let's assume that the capacity figures and projections of the network administrators are valid and that they must restrict the non-signaling traffic. There are techniques which can be employed to limit the network exposure to fraud. In the roaming example described above, the problem is most acute when subscribers' itineraries take them to international markets. The problem is worse for two reasons. First, the intersystems traffic is heavier. With heavier traffic, the network administrators' urge to circumvent the authentication protocol is stronger. Secondly, the fraudulent usage is more expensive in roamed markets. 
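To make the trade-off concrete, here is a small model of the triplet-caching scheme described above, added as an example and not part of the original article. It assumes an HMAC stand-in for the operator's A3/A8 algorithms and constructed IMSIs and keys; the VLR's counters show how many calls actually receive a fresh challenge, and how often the home system is consulted, under each configuration.

```python
import hashlib
import hmac
import os
from collections import deque

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for the SIM's A3/A8 (constructed: HMAC-SHA256, not a real GSM algorithm)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]                        # (SRES, Kc); Ki never leaves the SIM or the AuC

class AuC:
    """Home Authentication Centre: the only network element that holds Ki."""
    def __init__(self, ki_by_imsi: dict): self.ki_by_imsi = ki_by_imsi

    def triplets(self, imsi: str, n: int) -> list:
        """Pre-compute n (RAND, SRES, Kc) triplets to hand to a visited network."""
        ki = self.ki_by_imsi[imsi]
        return [(r, *a3_a8(ki, r)) for r in (os.urandom(16) for _ in range(n))]

class SIM:
    def __init__(self, imsi: str, ki: bytes): self.imsi, self.ki = imsi, ki
    def respond(self, rand: bytes) -> bytes: return a3_a8(self.ki, rand)[0]   # SRES

class VLR:
    """Visited VLR with the article's three knobs: triplet batch size, reuse limit, auth frequency."""
    def __init__(self, auc: AuC, batch: int = 5, max_reuse: int = 1, auth_every: int = 1):
        self.auc, self.batch, self.max_reuse, self.auth_every = auc, batch, max_reuse, auth_every
        self.cache = {}                          # imsi -> deque of [rand, sres, uses]
        self.stats = dict(accepted=0, rejected=0, skipped=0, fresh_challenges=0, home_fetches=0)

    def serve_call(self, sim: SIM, call_no: int) -> bool:
        if (call_no - 1) % self.auth_every:      # configured not to authenticate this call
            self.stats["skipped"] += 1
            return True
        q = self.cache.setdefault(sim.imsi, deque())
        if not q:                                # cache empty: reach back to the home system
            self.stats["home_fetches"] += 1
            q.extend([r, s, 0] for r, s, _kc in self.auc.triplets(sim.imsi, self.batch))
        t = q[0]
        self.stats["fresh_challenges"] += (t[2] == 0)   # RAND never sent before
        ok = hmac.compare_digest(sim.respond(t[0]), t[1])
        t[2] += 1
        if t[2] >= self.max_reuse: q.popleft()   # exhausted under this reuse policy
        self.stats["accepted" if ok else "rejected"] += 1
        return ok

def run_calls(vlr: VLR, sim: SIM, n: int) -> dict:
    """Serve n calls and return the VLR's counters for this configuration."""
    for i in range(1, n + 1): vlr.serve_call(sim, i)
    return dict(vlr.stats)
```

Running ten calls with `max_reuse=1, auth_every=1` yields ten fresh challenges and two fetches from the home system; with `max_reuse=3, auth_every=2` only two challenges are fresh and one fetch suffices, which is exactly the saving the article says administrators are tempted by.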
Fraud in the home market is frequently costed in the soft currency of unbillable network capacity or of subscriber disaffection with fraudulent calls displayed on bills. Fraud which occurs in a roaming market, by contrast, requires billing and settlement in hard currency between roaming partners for a portion of the price of the service which was used -- or in this case, misused. The GSM MoU Association has taken steps to mitigate the gaps in network security. It has begun by requiring certain reporting protocols between roaming partners. The requirements reflect an acknowledgment that if wireless service is to be delivered in this way, and if the deployed authentication network is to be configured within the capacity constraints of the roaming partners, then certain logical business rules need to be applied to protect the interests of the home carriers with whom the burden of payment resides. As with many roaming agreements within AMPS and D-AMPS systems, GSM roaming partners now must report back to the home system the details of service delivered to its roaming subscribers shortly after that service was delivered. Typically, the interval between delivery of the service to the roaming subscriber and reporting the service delivery to the home carrier is 24 hours. The home carrier is then free to assess the risk of service delivery to that subscriber and is in a position to notify the visited system of any change in that subscriber's authorized use of roaming privileges. The new reporting requirements also target the troublesome rise in subscription fraud. The illegal use of roaming privileges by a subscriber who has no intention of ultimately paying the bill is a costly crime for the home carrier. As with the technical roaming fraud described above, the home carrier is responsible for settling the roaming charges in hard, not soft, currency.
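As an added example (not from the original article), the following turns the reporting interval into a number a home carrier can act on: given constructed roaming usage records and a charge threshold, it computes how much hard-currency exposure accrues before an alert can fire under a two-day, 24-hour and one-hour reporting interval. The threshold, charges and IMSIs are assumed sample values.

```python
from datetime import datetime, timedelta

# Constructed roaming usage records, as a visited network would report them to the home
# carrier: (imsi, call start, wholesale charge owed to the roaming partner). Sample data only.
RECORDS = [("IMSI-A", datetime(1997, 1, 10) + timedelta(hours=2 * k), 45.0) for k in range(24)]
RECORDS += [("IMSI-B", datetime(1997, 1, 10, 9), 7.5), ("IMSI-B", datetime(1997, 1, 11, 9), 7.5)]

# Reporting intervals compared in the article: two days, the typical 24 hours, and one hour.
LATENCIES = {"two days": timedelta(hours=48), "24 hours": timedelta(hours=24),
             "one hour": timedelta(hours=1)}

def alert_time(calls: list, threshold: float):
    """Start of the call at which cumulative roaming charges first exceed `threshold`, else None."""
    total = 0.0
    for start, charge in calls:
        total += charge
        if total > threshold:
            return start
    return None

def exposure(calls: list, threshold: float, latency: timedelta) -> float:
    """Charges the home carrier must settle in hard currency before it could have acted.
    Each call only becomes visible `latency` after it started, so the alert fires at
    alert_time + latency, and every call started before that moment is already owed."""
    calls = sorted(calls)
    t = alert_time(calls, threshold)
    if t is None:
        return 0.0                   # threshold never crossed: ordinary roaming usage
    acted = t + latency
    return sum((charge for start, charge in calls if start < acted), 0.0)

def exposure_report(records: list, threshold: float, latencies: dict = LATENCIES) -> dict:
    """Per-subscriber exposure under each reporting interval."""
    by_imsi = {}
    for imsi, start, charge in records:
        by_imsi.setdefault(imsi, []).append((start, charge))
    return {imsi: {label: exposure(calls, threshold, lat) for label, lat in latencies.items()}
            for imsi, calls in by_imsi.items()}
```

For the constructed burst of 24 calls at 45.0 each, a 100.0 threshold is crossed on the third call; the carrier is on the hook for 1080.0 with two-day reporting, 630.0 with 24-hour reporting and 135.0 with one-hour reporting, while the ordinary subscriber is never flagged.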
Fraud management systems which incorporate mechanisms to integrate service usage data are an additional weapon in the arsenal of the GSM carrier as it battles the early forms of technical and subscription fraud emerging in its networks. These fraud management systems perform the role of early-warning systems for carriers, complementing the GSM roaming reporting requirement with hard data about the patterns of service usage on their networks. The designers continue to improve a robust network. The wireless vendor community must apply itself to the full range of fraud issues, and build solutions to remove exposure and anticipate the fraudsters' next move. For example, the integration of features to deliver and receive roaming service usage data in near real-time would be a welcome start. 24 hours is better than two days; one hour is even better. Is there fraud after GSM? Unfortunately, yes. The question isn't so much whether a SIM can be cloned, as is claimed in the labs, or not. Fraud always targets the weakest link. In the GSM world today, the weakest links are subscription fraud and technical fraud in international roaming markets. The challenge is to monitor and profile the activity using hard data, and to be alert to the changing face of fraud. As GSM markets grow, so too grow the risks, with compromises taken to deliver the service in the real world. The industry needs to learn about fraud and fight it using high technology, common sense business rules and integrated information and fraud management systems.
Originally published in MOBILE europe, January 1997, Vol. 7, #1