Embedded Mobile (M2M): Fraud and security management
The GSMA tells us to expect 500 million new connected devices in three years as the machine-to-machine (M2M) market booms. The growth in fraud could be equally rapid unless all the loopholes are closed.
There are boundless fraud risks associated with Embedded Mobile devices and their relevant applications, processes and different business models.
Communication service providers are finding that traditional security and fraud countermeasures are not practical, because there are too many new devices and configurations used in M2M.
What will be offered and who owns the risk?
In recent years, the telecoms industry has aligned with the financial services sector through to m-banking and m-commerce. Now with M2M extending the range of new markets and business partners to vehicle manufacturers, insurance providers, utility and medical businesses and vending machine suppliers, the opportunity for fraud is widening.
Types of fraud and security attacks
The CSP will need to evaluate the level of risk by initially defining some basic areas to be subjected to a risk assessment. These include the radio interface (communication path), provisioning, authentication (device & customer), actual product security, attended/unattended devices, operational control, device management, privacy and confidentiality of information.
For the core network protection, the security threat could take the form of impersonation of devices, traffic tunneling between impersonated devices, and firewall misconfiguration specific to the modem, router or gateway or attacks against the radio network being committed by rogue devices.
On a more basic level, unattended embedded mobile devices will often have their Universal Integrated Circuit Card (UICC) stolen. In South Africa recently, fraudsters stole more than 400 SIMs and made calls costing thousands of dollars in a systematic and co-ordinated attack.
Application designers must even consider the threat from Denial of Services attacks. A distributed DoS attack on the emergency services, during a major incident, is a high impact attack that would damage any CSP.
EM devices and applications collect masses of information that could be “confidential and private”. Any wrongful disclosure will both blight the CSP’s brand image and result in legal action.
Meanwhile, the boom in M2M will attract new device makers and app developers to the telecoms industry who may not appreciate procedures or understand the risks – as happened with the new round of mobile providers.
Considerations for a successful risk management strategy
Having considered potential risks, the CSP should consider how to defend itself. Adapting existing Fraud Management Systems (FMS) is an option when there are expected usage profiles.
However, defences need to extend beyond the traditional methods, by factoring in the way the devices and services are provisioned and offered. For example, a CSP needs to detect tampering or physical removal of a device. Location updates will ensure integrity of the device. Which means that if the device is programmed to call in every X hours or the cell ID changes, movement of a fixed device can be indicated.
of processes. Staff must be educated in new M2M fraud trends, and new products and services assessed for fraud and security weaknesses. In support of this, state of the art technology should be used to quickly raise alerts for suspect activity.