Wireless fraud, now and in the future: a view of the problems, some solutions

Mobile Phone News, Oct 24, 1994 by Dennis Walters, William Wilkinson, Jr.

Nevertheless, IS-41 does not necessarily prevent the fraudulent tumbling of ESNs and MINs through all possible pairs until acceptable matches are found. Pre-call verification in the IS-41 environment checks the roamer's ESN/MIN pair on the home switch. If it is accepted at home, the serving switch receives a confirmation to serve. This testing for possible matches is similar to the common form of fraud on interexchange carrier networks, where a fraudulent user finds a legitimate credit card personal identification number by repeatedly dialing possible number combinations using a personal computer until a match is found, or by hacking into a PBX for an outgoing dial tone.

To defeat the current approach to tumbling in an IS-41 environment, the perpetrator only has to use a network of tumbling phone units with the same MIN. If the tumbler is detected on a certain MIN, the user can cycle through a set of MINs until another workable ESN/MIN pair is found. Weaknesses in IS-41 Scheme

According to the Telecommunications Industry Association (TIA), network roaming fraud using cloned phones will still be difficult to detect, even in the IS-41 environment. TIA notes the following weaknesses in the IS-41 scheme:

* it cannot discriminate between the legitimate subscriber who initiates a call (while a clone is in use) from a clone that tries to initiate a call (while the legitimate phone is in use);

* disconnecting a clone is at the discretion of the serving system;

* the home system may not be aware of the cloning; and

* the legitimate subscriber may be disconnected when a clone operates.

It is possible to include a lockout mechanism in a mobile switching center (MSC) or mobile telephone switching office (MTSO) within the serving territory that will detect clones. Unfortunately, such support systems are not in general use and may have a potentially negative impact on legitimate subscribers. Despite the implementation of IS-41, cloning will not be deterred.

In addition to its known shortcomings, there is the issue of timeliness; IS-41 will not be implemented fully until late 1995. Current implementation efforts are still limited to the larger carrier systems. Meanwhile, criminals continue to victimize the legitimate cellular industry.

One example is the "Lifetime Phone," which has the ability to store multiple valid MIN/ESN pairs, and is completely programmable through the keypad. This phone is capable of being used as both a tumbler and a clone. By continually programming another legitimate subscriber's MIN/ESN pair into this phone, criminals make it appear as a legitimate phone. This phone is being sold on the streets for $1,500, and is appearing throughout the U.S. and Canada. Industry Answers: IS-54

The IS-54 standard for the cellular telephone authentication protocol theoretically would block a clone's ability to operate. Using secret data shared between the switch and the phone unit to authenticate the phone as legitimate, the ability to clone will be greatly reduced. However, the concept only is being considered for digital, new analog and dual-mode phones. The 10- 12 million existing analog phones have no authentication capability.