Archive for April, 2007

Whenever people ask me about fraud in telecoms, I try to get one thing straight at the beginning. Do they want to know about the kinds of fraud committed by employees, committed by the “customer” (often in collusion with employees) or committed by other telcos? In reality, “Fraud” divisions within telcos often deal with just one or two of the three, and leave the rest for somebody else to cover. In some ways it makes sense to split up responsibility for fraud. The skills needed to analyse call patterns for indicators of fraud are not very similar to the skills needed to monitor employees, which in turn are dissimilar to the skills needed to understand the weaknesses that might be exploited by another telco. But splitting up responsibility, or focusing attention on one kind of fraud at the expense of others, can leave gaps in a telco’s defences. One of the biggest current gaps is protection against the use of GSM gateways, also known as “simboxes”.

GSM gateways are devices that allow a call on a fixed-line network plugged in one side to be connected to a mobile network on the other side. By bridging the world of fixed and mobile, they offer a clever way to exploit price differentials of a mobile network provider. The fraud requires the use of a GSM gateway stuffed full of SIMs charged at standard retail rates. These get sited within range of a radio antenna and are used to connect calls to the victim network instead of using a normal fixed interconnection between networks. Instead of paying the full price to terminate an interconnect call legitimately, the offender pays the retail cost of a local call. This means the mobile network is cheated out of some of its revenues. In addition, concentrating traffic in one cell may lead to disruption of service for legitimate mobile customers. To counter poor service, the unwary mobile network operator may even find itself making an otherwise unnecessary investment in extra base station capacity. But this kind of fraud gets little attention. Why is that?

  • The fraud can fall into a grey area legally. Contracts may not be tightly enough worded in stipulating that retail SIMs are not to be used by non-retail customers. In addition, legislators and regulators may not be keen to intervene. GSM gateways may lead to discounted services for the public, and are a back-handed way of eroding mobile termination charges without needing direct intervention.
  • Telcos using GSM gateways may be completely legitimate in most other respects. Few vendors or consultancies specialising in fraud and revenue assurance want to alienate potential customers, so often prefer to keep quiet rather than highlight this topic.
  • GSM gateway fraud challenges most preconceptions about fraud and how to detect it. For example, there is no link between this kind of fraud and bad debt. On the contrary, exploiters of GSM gateways may be mistaken for excellent customers, because they have very large bills but pay them promptly.

Like any kind of fraud, it is impossible to accurately estimate the impact of GSM gateway fraud. What we can say for certain is that vigilant mobile operators will suffer a lot less than those who do nothing to counter GSM gateway fraud. A two-step approach is needed: tight wording of contracts to clarify that retail contracts are not available for businesses using GSM gateways as an alternate means of interconnection, coupled with constant monitoring and prompt termination of contracts. To find out more, you can check out the site of Revector, a new company focusing on this area, or read this article which promotes Revector but also lists some of its competitors specialising in GSM gateway detection.
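The monitoring half of that two-step approach can start from the indicators the post itself names: retail SIMs, heavy traffic, and many SIMs sitting at one cell. The sketch below is an added example, not code from the original post or from any vendor mentioned; the record layout, tariff labels and thresholds are assumptions, and the call records are constructed.

```python
from collections import defaultdict

# Thresholds are assumptions for this sketch; tune them against real traffic.
MIN_OUTGOING_CALLS = 4   # per SIM within the observation window
MIN_SIMS_PER_CELL = 3    # a gateway holds many SIMs at one site

def build_sample_cdrs():
    """Constructed call records: (sim, tariff, cell, direction)."""
    cdrs = []
    # Three retail SIMs that only ever originate calls from cell C17.
    for sim in ("SIM-A", "SIM-B", "SIM-C"):
        cdrs += [(sim, "retail", "C17", "out")] * 6
    # An ordinary heavy user: same cell sometimes, but the handset moves.
    cdrs += [("SIM-D", "retail", "C17", "out")] * 3
    cdrs += [("SIM-D", "retail", "C02", "out")] * 3
    # A light user in the same cell: too few calls to matter.
    cdrs += [("SIM-E", "retail", "C17", "out")] * 2
    # A fixed-site SIM on a non-retail tariff: outside the contract issue.
    cdrs += [("SIM-F", "business", "C17", "out")] * 6
    return cdrs

def suspect_sims(cdrs):
    """Retail SIMs with heavy outgoing traffic, all seen in a single cell."""
    calls = defaultdict(int)
    cells = defaultdict(set)
    tariff = {}
    for sim, plan, cell, direction in cdrs:
        tariff[sim] = plan
        cells[sim].add(cell)  # any activity shows where the SIM is
        if direction == "out":
            calls[sim] += 1
    return {
        sim: next(iter(cells[sim]))
        for sim in tariff
        if tariff[sim] == "retail"
        and calls[sim] >= MIN_OUTGOING_CALLS
        and len(cells[sim]) == 1
    }

def gateway_clusters(cdrs):
    """Group suspect SIMs by cell; keep cells hosting several of them."""
    by_cell = defaultdict(list)
    for sim, cell in suspect_sims(cdrs).items():
        by_cell[cell].append(sim)
    return {c: sorted(s) for c, s in by_cell.items()
            if len(s) >= MIN_SIMS_PER_CELL}

if __name__ == "__main__":
    for cell, sims in gateway_clusters(build_sample_cdrs()).items():
        print(f"cell {cell}: review contracts for {', '.join(sims)}")
```

Payment history is deliberately not an input, since the post notes these accounts pay large bills promptly and would pass any bad-debt screen.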


All companies are under pressure to save money. British Gas have recently given everyone a salutary lesson on how not to do it. It may sound simplistic, but chances are that British Gas employed insufficient resources on performing a billing migration. In particular, they skimped on testing and validation. And what was the result? Lots of complaints, lots spent on extra staff to handle those complaints, lots of negative publicity. The cost to British Gas will be far greater than the amounts saved during migration.

Here are a few links to stories that describe the mess made by British Gas. They also give a sense of how much reputation damage has been done.

Apologies from the British Gas Managing Director on BBC TV

The BBC’s story on the British Gas billing fiasco

How The Sun newspaper reported the rise in complaints from British Gas customers

A Guardian newspaper story on how British Gas intended to take a deceased customer to court

And, in what must have been the worst error of all, here is the story of one customer receiving a bill for £2,320,333,681,613. Yes, UK£2.3 trillion (US$4.6 trillion). At least you cannot argue that British Gas do not have scalable billing. But unless there is a burst of hyper-inflation it will be a long time before they really need to send out such a big bill. In 2006 the group that owns British Gas had total annual revenues of a mere UK£16.5bn (US$33bn). It is a shame they did not reinvest more of it in billing…


I promised myself I would be presenting at fewer conferences this year. It takes a long time to write good new material and I do not believe in accepting an invitation to speak unless I have something new to say. However, I will be in London on 9th May to talk at IIR’s Global Forum on Telecoms Internal Audit, Risk Management and IT Controls. For those of you who cannot wait, you can now see a sneak preview of my slides on the downloads page.

The reason why I accepted this particular invite was the same as it usually is: I wanted to say something that I felt should be said but rarely is. If you ever go to a conference with a title involving audit, risk and controls, and listen to a speaker from the revenue assurance community, you may enjoy what they say, but you may not notice what they do not say. The average revenue assurance speaker usually fails to talk about audit, or risk, and often fails to talk about controls. So I got it in my head after reading a risk management study from Deloitte to discuss the link between revenue assurance and risk. My particular motivation came from observing that most people who do revenue assurance see it as a special and stand-alone discipline, whilst good risk management is about avoiding a silo mentality. So what gets described as revenue assurance best practice often conflicts with risk management best practice. This can easily happen where you find people working in each silo with no overall boss that forces them to integrate what they do. Fortunately, going to the conference I am lucky enough to be able to talk first-hand about one example of revenue assurance best practice that highlights the limits of putting revenue assurance into a silo. The revenue assurance maturity assessment, due to be published soon, identifies silo-based revenue assurance as an intermediary stage in its development. To reach the highest levels of maturity the activity of revenue assurance has to grow beyond the confines of a silo and be fully integrated into the business. In turn, the nature of revenue assurance changes to become an element of enterprise-wide risk management. I know that will not be a popular or welcome message for some, especially those interested in building empires or fighting turf wars. But it needs to be said. If integrated risk management is not the destiny of revenue assurance, it can only be because businesses fail to take a holistic approach to risk. The operational risks within the scope of revenue assurance are not a special case. They need to be assessed and measured alongside all the risks the business faces.


It stands to reason that anything that has a value like cash, and which can be bought and sold, needs to be guarded as securely as cash. Examples are postage stamps, gift tokens and prepaid telecoms vouchers. At least in telecommunications the vouchers can be canceled when the theft is discovered, but if security is too weak to stop the theft, it may not be tough enough to discover it promptly either. Better to stop the initial theft than rely on blocking the cards later. Fortunately, Ghana Telecommunications were able to respond quickly enough to a recent robbery; read here about the theft of US$250,000 of prepaid vouchers from Ghana Telecommunications stores in Accra.


Revenue share should be pretty simple, really. You sell something, you take a percentage of the money made, and you give that percentage to somebody else. Problems occur if you cannot keep track of what you sold. A few weeks ago I blogged about how Vodafone UK had failed to process SMS text message votes for an interactive TV show on a timely basis, and how that would also have an impact on revenue sharing partners. This weekend there was a news story that Vodafone UK has admitted to problems with reporting of revenue share. Stories like that should cause concern for any business in a revenue share relationship with Vodafone. The resources Vodafone employs to assure revenue share will be stretched even further by the challenges involved in assuring the new advertising and search deals that Vodafone has with both Yahoo and Google. They say good relationships are based on trust, and bad ones on vigilance. If Vodafone are unable to keep track of what they owe, their business partners would be well advised to stop trusting and start auditing.
