As mischief and hackers run amok in the online realms, raiding Ether and possibly stealing the identities of millions of Swedes, we are all left with the scorching reminder of the importance of security and privacy.

Jason Bryan, the CEO of ROCCO, once again takes the role of the seeker of truth (also known as an interviewer in this context), and sits down with Fraud and Security expert – Philippe Orsini, the Vice President and Product Manager of Araxxe, a French company that specialises in fraud-related services. Araxxe was elected as a Tier One vendor in our report – The leaders in SIM BOX detection 2017 – so we asked them to dedicate a few minutes of their time to our burning questions and tell us more about their success, as well as give us a few insights into the fraud detection world.

J.B: The key reason we wanted to hear from you is, of course, because you are the Tier One vendor of the SIM box detection report which we just completed. This is real feedback from MNOs; we don’t take part in the reports, we just analyse the results and facilitate the MNOs, giving their feedback on the vendors. Clearly, you have a lot of support out there, so big congratulations from us.

P.O: Thank you, we’re very proud.

J.B: We started this report in 2015 and it’s great to witness the progress which companies make. People say positive and negative things, but we do very neutral research and we’re very encouraged to see leaders like yourself; it’s clear that you are at the top of your game.

P.O: It’s all about the people; the service itself is very automated, very industrialised but at the end of the day, what really matters aren’t the robots, but what you do with them. They represent the technical infrastructure and you need the skilled people to operate it – skilled fraud specialists. We rely on their expertise and ability to keep up-to-date as fraud trends can shift rapidly. Another key point for us is to have frequent meetings with our clients, have discussions and bring them value. There’s a high risk of feeling disconnected due to the automated process, but to us, it’s all about the people and being close to the client.

The other factors that we believe set us apart from our competition are our extended VoIP/Calling Cards platform in the market, our quick detection time measured in real-time notifications of SIM box fraud and our call campaign management. Our call campaign management is based on dynamic rules to optimize the probability of detecting bypass in real time. Our call campaigns are also designed to be as “quiet” as possible to minimize the risk of counter-detection by fraudsters. We were probably the first supplier to extend our detection service to SMS Fraud in 2011 and we can help operators to tackle OTT Bypass, CLI Re-filing and MTR Arbitrage, Ghost Trunks, A2P SMS Termination Abuse.

How MNOs detect SIM Boxes

J.B: Could you briefly explain how exactly MNOs detect SIM boxes? According to most sources, no caller ID appears on the screen when receiving a call through a SIM box, yet in India apparently the number of the SIM card appears. Wouldn’t that make it easier for MNOs to pick up on the fraudulent call?

P.O: When transforming a call with a SIM box, the CLI (Caller Line Identifier) is replaced by the CLI of the SIM card used in the SIM box. The fraudsters usually try to hide this new CLI by masking the Caller ID: simply because a mobile user may find it strange to receive a call from abroad with a domestic Caller ID! This is why in most countries, no Caller ID appears on the screen of genuine mobile users when receiving a call through a SIM box.

In some countries, it is not allowed to mask the CLI: this is a decision taken at country level by the telecom regulator or the government; but it is also a matter of technical configuration in the mobile network. This is precisely what we do in our service: in our call campaign, we use test SIM cards with a specific profile that enables us to force the presentation of the CLI and detect SIM boxes quickly.

Virtual SIMS versus Physical SIMS

J.B: This is great information for people who are a bit confused about the SIM box concept. Operators know about it, but they might not necessarily understand the kind of skills it entails to perform these services and to detect them. So, onto the third question – it seems that these criminals use virtual SIMs to instantly replace the inactive SIMs, so is there a way for MNOs to discern virtual SIMs from physical SIMs? Is there a way to legally obtain a virtual SIM through an MNO? Wouldn’t that make it something like an eSIM?

P.O: Virtual SIM – we use this technology extensively on our technical platform. The word “Virtual SIM” is usually used when physical SIM Cards are installed in a SIM server (a piece of equipment storing boards with a lot of SIM cards) physically separated from the modems (pieces of equipment that interact with the radio network and generate calls). One usually says that the physical SIM card has been virtualized in the modem through a logical link between the modem and the SIM Server.

We use this tech in Araxxe as we have SIM servers in France and modems worldwide, which is how we test the billing of the roaming situation. They put tons of fraudulent accounts on one SIM server and they can use this virtual SIM card anywhere in the country in which they are operating. “SIM Servers” are also called “SIM farms” in some news. The word “SIM Farm” is often used in the context of “advertisement fraud” (performing artificial clicks to a website to give a feeling that a website or an app is extensively used, in order to attract advertisement) and SIM server is often used in the context of “bypass fraud” (routing real calls through SIM cards to avoid paying the official call termination fee of an MNO). Technically this is not the same thing because there are some SIM farms which use only handsets and no SIM Server.

The main benefit for the fraudsters is that they can make the SIM card move. Just imagine – they have one SIM server in one place and three other robots/modems in other places. One SIM card in the SIM server will be able to place one call in robot 1 and later, with the same card, in robot 2 in a completely different place. From the MNOs’ point of view, it will seem like the SIM card is moving and it will be a lot more difficult to understand that this SIM card is actually in a SIM farm and is currently used by a fraudster. It’s a way to simulate human behaviour, which is one of the parameters used by MNOs in the fraud detection process.

The word eSIM is used to describe a new technology where mobile operators will configure SIM card information directly on the user equipment instead of storing it on physical SIM cards introduced in the user equipment. To operate a SIM box, fraudsters have to handle tons of physical SIM cards: procure the SIM cards, test them, install the SIM cards and finally replace the inactive SIM cards once detected and disconnected by the MNO.

eSIMs pose another advantage for the fraudsters – it will be easier to change the cards. It will be only a matter of a data update on the handset which will save a lot of significant time.

Our clients will stress even more than before the need for faster detections. Virtual or not virtual, physical SIM or eSIM, the key point is to detect the fraudulent subscription as quickly as possible. With detection based on test calls generation, to increase detection speed, we can increase the number of detection calls.

SIM Servers

J.B: The SIM server – why is it so feasible that you can buy it online if it is creating these kinds of issues? What are some other uses for the SIM server?

P.O: SIM farms are extensively used by fraudsters operating SIM boxes to transform international incoming traffic. In this case of traffic reselling, the nuisance for the subscribers is basically a lower quality of service (no CLI and poor voice quality). There is no unwanted call annoying the subscribers.

Moreover, SIM farms and SIM boxes may also be used to operate marketing campaigns, genuine or not. SPAM SMS campaigns are often operated via SIM BOX SMS. We can help our client to detect SIM BOX SMS in a similar way to how we detect SIM BOX VOICE. We can also help operators tune their SMS Firewall by using our reports and the information about grey routes to be blocked by the firewall.

The next generation of SIM boxes are much better though, so the call quality isn’t always bad.

J.B: We actually came across this in our studies about A2P SMS; we did a study last year on SMS Firewall and this year we finished a study on Signalling Firewall, so we are familiar with the background. I have one very basic question – how does a SIM farm operator get a hold of so many SIM cards without alerting the MNOs?

P.O: A very sensitive question for the operators, but the truth is that there are two types of people in the industry: sales people and fraud management people. Fraudsters buy a lot and use a lot, so logically one of the best ways to prevent this is to not sell too many SIM cards or make sure that the person buying 10 000 cards a week is actually a good client, but for sales people that’s a lot of business. Indirect sales distributors do not directly depend on the MNOs, even though they also have contracts, so they tend to be the problem. Strict rules need to be applied within the company or among the distributors in direct and indirect sales. MNOs have to make it harder to buy so many cards a week, but not all of them are very strict and they mainly concentrate on the detection and disconnection instead of trying to prevent it from happening altogether.

J.B: And especially in this time of the Internet of Things, M2M – it seems like a very good disguise for fraudsters.

P.O: Absolutely, we have already detected cases of SIM cards that were supposed to be dedicated to IoT activities – something completely legal – and it turned out that they were being used for illegal SIM boxes.


J.B: Companies should be more transparent about what certain SIM cards are being used for and it seems like there isn’t enough internal communication. And another question to finish off this eSIM segment – what is the evolution of the systems you have to cope with eSIM? Many operators are thinking about consumer eSIM, as a method of defending themselves from the situation that could occur in the future, where a subscriber can easily swap their profile to another operator – both in the domestic and international setting – so this could be a bad thing but it could also be a good thing. What is the provision made for covering eSIM?

P.O: It’s a new concept, so we have only a few examples. From our perspective, there is no impact in terms of detection; on the other hand, eSIM will make the lives of fraudsters much easier, as I mentioned before. They will be quicker and speed is a key element – if they’re quicker, we also need to be quicker. We do not expect eSIM to dramatically change our service, but for sure it will be a lot more challenging when it comes to the speed of detection and operation.

Bypass Fraud

J.B: I suppose the operators will need to have more stringent processes in terms of who they gave eSIM to. We saw from our report that a lot of MNOs are concerned about Bypass Fraud. In a recent Twitter post you said that Bypass Fraud is evolving, could you tell us more about that?

P.O: There are some interesting new trends, actually. Most of the operators now offer very low prices for international calls, usually in packaged offers. This means that, from a fraudster’s standpoint, a SIM card of Operator X is obviously interesting to terminate calls on the network of Operator X (traditional scenario ‘Incoming SIM box’) but it may also be interesting to terminate calls on the network of selected international operators (depending on the retail offers marketed by the Operator X). This scenario ‘Outgoing SIM boxes’ is now very common and it is sometimes overlooked by the operators.

Another example would be the Mobile Termination Rate Arbitrage. In Europe, telecom operators can now apply a surcharge on non-European incoming traffic. This origin-based billing (based on the received CLI) is a tremendous opportunity for fraudsters: by simply refiling the CLI (replacing the initial non-European CLI by a European CLI), they can avoid paying the MTR surcharge.

And to conclude, A2P SMS is currently a buzzword and also a big business opportunity for mobile operators. It is also an opportunity for fraudsters that use grey routes (non-contracted GSM routes) and SIM BOX SMS to terminate A2P SMS at a lower cost (sometimes for free).


Bypass Fraud and IoT Devices

J.B: Are IoT Devices also impacted by SIM BOX Fraud and how do you think that this may be an issue in the future?

P.O: IoT devices, maybe even more than other devices, may be hijacked by fraudsters to perform traffic reselling or more likely international revenue share fraud.

J.B: What about OTT bypass?

P.O: It’s about Viber mostly, most of the time we monitor Viber but also others, like WhatsApp, Skype. The fraud we detected currently was 90% through Viber. But what can the MNOs do when we detect it? It’s a big problem we have today, we have a solution when it comes to the detection but MNOs do not have a clear solution. Net neutrality in Europe won’t allow interference with Viber. The solution is deep package inspection – from a technical point of view it’s not easy and we have many operators who already have the DPI in place and still have not implemented the traffic solution against OTT bypass due to many reasons – legal, technical, commercial reasons.

J.B: Do you reckon SMS SIM box is growing?

P.O: Yes, it’s growing, but I can’t tell if it’s related to IoT contracts as we don’t always have feedback from our clients and don’t always know the full story.

Ghost Trunks

J.B: What is a Ghost Trunk?

P.O: It refers to interconnect trunk, very technical this one. It’s related to the switch where one operator and a carrier are interconnected, as well as through many other interconnectors. Ghost Trunk is a general name for a type of fraud used to – just to sum up very quickly – to find an open door to the network that can terminate voice calls on the network of the operator; but this traffic for some reason goes beyond the radar, so it’s not visible for the operator.// It seems very close to being internal fraud as someone needs to have access to the network configuration.//(?)

J.B: What new products or services are Araxxe working on right now that MNOs should be aware of?

P.O: Araxxe can help operators to tackle the main Interconnect Fraud schemes impacting their termination revenues:

  • Outgoing SIM Boxes

  • OTT Bypass

  • Mobile Termination Rate Arbitrage

  • Ghost Trunks

  • SMS Termination Abuse (both A2P and P2P)

Araxxe also offer managed services for End-to-end Billing Verification. We cover both Retail billing (the billing of MNO subscribers) and Wholesale billing (the billing of MNO wholesale partners such as roaming partners and transit carriers).

Many thanks to Philippe for his time, it was insightful and congratulations to Araxxe again for doing so well in ROCCO’s SIM BOX Detection MNO survey.