Bernardo Galvão Lucas, WeDo Technologies’ Chief Marketing and Strategy Officer, outlines the top telecom fraud threats that communications service providers need to be prepared for in 2018.


According to IHS Markit, the rise of embedded SIMs (eSIMs) will grow from 108 million in 2016 to nearly 1 billion shipments by 2021. The launch of Apple Watch 3, the most recent high profile device featuring eSIM technology, is seen as the catalyst to accelerate adoption in a wide array of wearables, consumer electronics and IoT devices. While the usability and convenience benefits of eSIMs are widely touted, communications service providers need to also be prepared for their fraud vulnerabilities.

The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators to assess the security of their Universal Integrated Circuit Card (UICC) and eSIM suppliers. This means there is no way to download applications to the (UICC) without the consent of the Mobile Network Operators (MNO). However, with so many stakeholders involved (MNO, subscription manager and eUICC manufacturer), if fraud or a security compromise occurs in a eUICC environment, it may be difficult to quickly identify and fix the root cause because it can occur at so many different levels.

Bernardo Galvão Lucas, Chief Marketing and Strategy Officer, WeDo Technologies

In addition, CSPs should be aware of how the implications of ‘traditional’ telecom fraud such as subscription fraud, International Revenue Share Fraud (RSF), roaming or traffic pumping fraud can be committed via SIM cloning – whereby SIM access is obtained using hacking software that’s widely available on the internet. For eSIMs this may be a constant threat.

And finally, fraud precautions need to be put in place when the IoT devices are finally retired. Many of these new e-SIM devices are powered by batteries that once the device is activated, used for a few years, it will be just thrown away. However, if devices, such as an Apple Watch, end up in a dumpster or a recycling center, there’s a high risk of non-legal re-use, or recalibrating a device previously associated to a person’s identity. If not properly dis-associated from the original owner, the device and its ‘identity’ can remain active in the wrong hands.


In today’s world, our digital identities have a lot of value. With a single digital user identity, mobile customers can access supporting services including banking, e-commerce, and travel, without having to remember multiple usernames and passwords. Unfortunately, this has also created a tempting environment for fraudsters.

Allowing customers to use their social media accounts for identity validation, such as Facebook or Google, provides a convenient way for them to sign up for new services. But how do you know that the account is real, and that it is a real person, and not a ‘bot’ claiming that identity? The recent news of fake social media accounts and troll farms has pulled back the curtain on this growing and disturbing trend. Fake or synthetic IDs are a big part of the problem. These phony IDs can be made with just a few bits of stolen information, such as social security number and birth date. Most synthetic or stolen identities use elements of a real person’s identity to construct a whole other persona. Even with multi-factor identification, if the initial profile is spoofed using a synthetic ID, and false accounts are created to support these fake identities, these prevention methods can still fall short.

Synthetic IDs and subscription fraud are types of identity theft that provide fraudsters a gateway to a host of larger security threats that can include financial theft or even terrorism. The incidence of this type of fraud has grown significantly, especially over the past ten years as more security measures have been put in place to prevent other types of fraud – mainly credit card theft. In fact, the U.S. Federal Financial Institutions Examination Council (FFIEC) has mandated that financial services institutions establish social media risk-management programs to include compliance, as well as reputational risk.


According to a recent survey by HPE, 85% of businesses will implement an IoT strategy by 2019, driven by the need for innovation and business efficiency. But while businesses are forging ahead with their IoT visions, the security and fraud management strategies have taken a backseat. So much so, that in the same survey, 84% of respondents say they have already experienced an IoT-related security breach.

While startling, it is also unsurprising. 2017 was auspiciously pronounced the Year of the Hack by Forrester, and we saw this play out where everyday appliances such as lightbulbs, smart TVs and security cameras have been hijacked and used to mount distributed denial of service (DDoS) attacks. In fact, DDoS attacks are typically a prelude of bigger fraud problems to come, as fraudsters use these attacks as a smokescreen to slow down the response to the real issue, which is the fraud and theft that is actually taking place. These ‘man in the middle attacks’, whereby a communication between two systems is intercepted, become real threats. An example of this is fraudsters commandeering the communication between your connected fridge and the local grocery store. But instead of your ‘smart’ refrigerator ordering milk, the communication is commandeered into making calls to a premium number at $0.60 per minute, allowing fraudsters to collect money on the other side. In the telco world, fraudulent apps are used to trick smartphone users to register and pay for a service after they have visited the fraudster’s website or have downloaded a fraudulent app. These one-click billing fraud schemes can be similarly applied to IoT, but the speed and scale of the impact of these schemes will be far more devastating.


5G will be characterized by more devices, more data, new services and more complex networks to manage. With all-IP networks, the onset of network virtualization functions (NFV) and the Internet of Things bringing a new type of complexity to the table, suffice it to say that a 5G future is looking good for fraudsters.

Billions of potentially untested and unsecured newly connected chipsets, modules and devices are entering the market, along with an entire ecosystem of digital service provider partners, new digital services, complex revenue share plans and B2B2X business models. In addition, how services are architected can also pose a threat. The arrival of Voice over LTE (VoLTE), for example, means mobile calls are even more exposed to fraud because signaling is implemented in the mobile operating system instead of the mobile-based broadband network, as it is for 2G/3G telephony. Many of these vulnerabilities can then be exploited remotely through mobile malware to profit fraudsters.

While most Communication Service Providers (CSPs) focused on launching new services and partnerships with Digital Service Providers (DSPs), my fear is that security and fraud are being sidelined as an afterthought – or that CSPs will believe that their old ways of managing fraud will suffice. Nothing could be further from the truth. Ultimately, new technologies are allowing for new fraud opportunities. Communications service providers must see 2018 as a tipping point for prioritizing their fraud management strategies so that they can enjoy the benefits of the exciting digital era.



Please enter your name here
Please enter your comment!