WO2003094562A1 - Local usage monitoring and fraud detection for mobile communication networks - Google Patents

Local usage monitoring and fraud detection for mobile communication networks Download PDF

Info

Publication number
WO2003094562A1
WO2003094562A1 PCT/GB2003/001814 GB0301814W WO03094562A1 WO 2003094562 A1 WO2003094562 A1 WO 2003094562A1 GB 0301814 W GB0301814 W GB 0301814W WO 03094562 A1 WO03094562 A1 WO 03094562A1
Authority
WO
WIPO (PCT)
Prior art keywords
handset
usage
fraud
detector
network
Prior art date
Application number
PCT/GB2003/001814
Other languages
French (fr)
Inventor
Philip Hobson
Lee Cowdrey
Derek Dempsey
Original Assignee
Cerebrus Solutions Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cerebrus Solutions Limited filed Critical Cerebrus Solutions Limited
Priority to AU2003222991A priority Critical patent/AU2003222991A1/en
Priority to CNA038135779A priority patent/CN1930901A/en
Priority to GB0424241A priority patent/GB2404823B/en
Publication of WO2003094562A1 publication Critical patent/WO2003094562A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183Processing at user equipment or user record carrier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the invention relates to handsets for radio communication networks such as cellular telephony networks, to removable cards such as SIM cards for such handsets, to methods of using such handsets, to methods of detecting fraudulent use of a handset, to methods of maintaining fraud detection, to management systems for fraud detection, to methods of charging for handset usage, to methods of maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, and to a management system for maintaining a usage monitoring system.
  • US patent 5 734 977 A useful summary of some different types of fraudulent use, and a detection system is shown in US patent 5 734 977. It is known to provide fraud detection systems for detecting anomalous usage patterns from call detail records. These are processed at a central location and suspicious activity is alerted to operators who can decide what action to take. There is a heavy processing load for this central location, dealing with thousands or millions of subscribers, and a delay involved in passing CDRs to this location. Hence response times are typically hours. Also, detection event scenarios use algorithms or rules that cannot be tailored to individual subscriber behaviour without a huge and impractical processing load or processing delay.
  • a request for service message includes an identification code specific to the mobile communication device and a transmitted authentication code which represents a cumulative total of the prior usage of the mobile communication device is received from the mobile communication device at a central processing facility.
  • the transmitted authentication code is compared to a stored authentication code for the mobile communication device and communication is initiated between the mobile communication device and the recipient if the transmitted authentication code and the stored authentication code match.
  • the mobile Station has a nonvolatile memory to store an electronic identification number and a first calling event table.
  • the apparatus also includes a MSC (mobile service centre) or HLR (home location register) having a second calling event table that contains a mirror image of the first calling event table, as long as no fraud has occurred.
  • the first and second calling event tables contain identifying information for MS calling activity, such as outgoing call information, which may comprise a called number, a call time, a call duration, and/or a call date.
  • the first and second calling event tables are updated with each outgoing call, and authorization to make future calls is based on conditioned correspondence between the information contained in each calling event table.
  • US patent: 6,338,140 intended as a defence against cloning.
  • US patent: 6,321,339 shows a system for authentication of network users and issuing a digital certificate. This requires users to ESN (Electronic Serial Number) or provide identification information. The user is presented with a hierarchy of queries to ensure identity.
  • US patent 6,223,290 shows a method for preventing the fraudulent use of a cellular telephone. This involves programming a unique code into an auxiliary memory which is compared to at least one component code. The idea is to link the telephone memory, the telephone hardware and the micro-controller to prevent cloning by locking the hardware to a particular provider. This can prevent (successful) modification of ESN (Electronic Serial Number) or MEI
  • US patents 6,198,915 and 5,625,669 show a mobile phone with internal accounting. This allows call value to be calculated by use of an accounting program. The user is alerted to account status. The phone can decrement a debit account or calculate an account charge on demand. It also shows activating, updating and programming a new phone remotely.
  • a mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
  • Fraud detection can be quicker if carried out at source, where the usage information originates, that is, the handset.
  • the detector can look at usage such as calls still in progress or undertake immediate analysis after call completion. There is less delay and less communications overhead if there is no need to transmit usage information to a centralised fraud detection arrangement.
  • Any remedial action following the detection can be implemented with less delay. Such remedial action can include locking the handset, or sending an indication (e.g. by SMS) to inform the operator (via an application management component of interesting behaviour which may pertain to fraud.
  • the detection can be tailored more easily to individual users or groups of users if the detection is carried out locally at the handset, resulting in more accurate detection.
  • Costs of implementing and running the fraud detection can be reduced since the detection processing no longer needs a large central processing facility with expensive communications links and interfaces to complex billing systems. This also means the solution is inherently more scalable as numbers of subscribers increase and as types of activity increase with the increase in use of revenue based services such as WAP, permanently-on services using GPRS and future 3G network services like EMS and MMS. Fraudulent usage is intended to encompass any usage for which the corresponding revenue is not collected for any reason. This can include calls not properly billed, as well as calls billed but not paid.
  • the handset is arranged as part of a distributed processing network fraud management system. This can enable improved detection compared to a completely centralised or a completely autonomous arrangement. The advantages of both can be combined. Average patterns of many users usage over the network can be built up, yet still be personalised to each user, on a time of day and day of week basis, for example.
  • Another dependent claim feature is a lock for preventing further usage in the event of the detector determining fraudulent (including inappropriate ) usage.
  • This can also act as a trigger mechanism which may lock the phone when interesting events have been recognised. This can enable quicker reaction to fraud detection, than a network based lock. Also, it enables the logistical difficulty and delay of preventing use on other operators' networks to be avoided.
  • Another dependent claim feature is sending an indication to a network operator in the event of the detector detecting unusual usage such as fraudulent or inappropriate usage.
  • This can enable an operator to take appropriate action, such as closer monitoring, or prompting the user for authentication, or warning the user that a lock will be activated.
  • the indication can be carried by a message service, including SMS, EMS, MMS, email or others.
  • An advantage of a message service over network signalling type solutions is that it can be easier to implement, requiring no interface into complex network management or billing systems. Also it can be faster and more efficient, especially across many networks. This addresses the common problem of roaming fraud where mobile phone usage on other operators' networks may not be identified for some time due to common time lag of days or weeks in call records reaching the home operators (Home Public Land Mobile Network) (HPLMN) mediation system.
  • HPLMN Home Public Land Mobile Network
  • monitor or the detector being adaptable by means of a message sent from a network operator -.
  • this can enable the handset to be upgraded remotely. Also thresholds or other parameters can be adjusted if fraud is not being detected accurately, to reduce inconvenience to users, or to reduce inconvenience to operators.
  • Another dependent claim feature is the monitor having an aggregator for aggregating current usage information into a current signature. This can enable easier processing of the usage information, if it is summarised or standardised. The limited processing and storage resources of the handset can thus be used more efficiently.
  • Another dependent claim feature is the detector being arranged to detect anomalous usage by comparing the current signature with a typical signature representing usage over a long period. This can enable various types of fraud to be detected quickly and accurately.
  • monitor being arranged to adapt the typical behavioural signature with the current usage information. This can enable the detection accuracy to increase with time and each SIM card having an accurate view of the individual behavioural characteristics of usage of Network services.
  • Another dependent claim feature is the detector being arranged to compare the current usage to thresholds of levels of activity. This is a particularly useful indicator of fraud. It can be one of several detection methods. A particularly useful method involves a combination of behavioural detection over a period of time and detection of current activity, also termed event based detection. The usage usefully includes both incoming calls and messages, and outgoing activity. Even if such incoming activity is not itself fraudulent, it can be an indication or predictor of fraudulent outgoing activity.
  • Another dependent claim feature is the detector being arranged to compare the current usage to predetermined activities categorised as fraudulent. These activities can include calling predetermined numbers or countries or premium rate numbers for example. This can be used in addition to other detection methods.
  • Another dependent claim feature is the detector being arranged to be adjustable remotely by a network operator. This can enable detection sensitivity to be adjusted, or thresholds or hot list numbers or categories to be updated for example.
  • the monitor and detector can be in the form of software.
  • the monitor and the detector can be implemented on a removable card. This could be for example a SM card, or a Java card for the 2.5G or 3G environment where usage includes data service usage and transactions.
  • Another aspect of the invention provides a removable card for a handset for use as part of a radio communication network, the removable card having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
  • monitor is intended to encompass monitors arranged as part of a hybrid solution with some of the processing being based in the handset and some in the network.
  • Another aspect of the invention provides a method of using a mobile handset suitable for use with a radio communications network, the handset having a fraud detector, the method having the step of: using the handset to communicate over the radio communications network, following activation of the fraud detector, such usage being monitored by the fraud detector.
  • Another aspect of the invention provides a method of detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: monitoring usage of the handset, in the handset, and determining in the handset if such usage is fraudulent.
  • Another aspect of the invention provides a method of offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving from a subscriber, a request for service activation, and sending a message to the handset to cause the detector to detect fraudulent use.
  • An advantage of handset based fraud detection is the ease with which it can be activated or de-activated for each subscriber, either by activating software installed at manufacturing time on the handset card, or conceivably by downloading the appropriate software to the handset card when the handset card is already in the field or in service.
  • Another aspect of the invention provides a method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: maintaining a record of which handsets have fraud detectors, and remotely updating the fraud detectors in one or more of these handsets.
  • Another aspect of the invention provides a method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving an indication that a handset has been locked by the fraud detector, and remotely unlocking the handset if the use is not fraudulent.
  • Remote unlocking is intended to encompass sending an unlock code for the subscriber to enter into the handset to unlock it.
  • Another aspect of the invention provides a management system for offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface arranged to receive from a subscriber, a request for service activation, and a processor arranged to send an indication to the handset to cause the detector to detect fraudulent use.
  • This aspect is a system corresponding to one of the above methods.
  • Another aspect of the invention provides a management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: a record of which handsets have fraud detectors, and a processor arranged to remotely update the fraud detectors in one or more of these handsets.
  • This aspect is a system corresponding to one of the above methods.
  • Another aspect of the invention provides a management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface for receiving an indication that a handset has been locked by the fraud detector, and a processor arranged to send a command to remotely unlock the handset if the use is not fraudulent.
  • This aspect is also a system corresponding to one of the above methods.
  • Another aspect of the invention provides a mobile handset having a lock for preventing use, and a lock controller for activating the lock based on monitored usage.
  • An advantage of the lock being in the handset rather than in the network is that it can prevent the handset card being used with other networks. Also, it can enable the use to be prevented more quickly than conventional centralised network based usage prevention.
  • the monitoring and detection in this case can be local or centralised or a hybrid of the two.
  • a dependent claim feature is the activation being dependent on the location of the handset.
  • An advantage of location dependence is that it can help deter theft, or limit the revenue loss. This is particularly the case for mobile handsets or SMs that are fraudulently recycled for use on other networks perhaps in different countries.
  • a handset based solution is much more cost effective than maintaining network based lock out since there are so many networks around the world.
  • Another dependent claim feature is the handset being for use with a cellular network, being arranged to determine location by identifying which cell the mobile is in. This can enable more efficient fraud prevention by locking out or limiting calls made from particular cells, or only allowing calls in specified cells where the user is likely to be.
  • Another dependent claim feature is the handset being adjustable remotely by a network operator. This enables updating to alter the locations, or the sensitivity of any monitoring or fraud detection for example. This can make the arrangement much more user friendly.
  • Another aspect of the invention provides a mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor and record usage of the handset.
  • the usage information can be used for a variety of purposes, including fraud detection, other revenue assurance activity such as for marketing purposes and other customer relationship management (CRM) activities.
  • CRM customer relationship management
  • Another dependent claim feature is sending information relating to the monitored usage to a network operator using a message service.
  • This can enable the network operator to have near real time information about usage more directly, without having to rely on conventional signalling networks or billing systems.
  • Particularly for roaming meaning usage on other networks than the user's home network, there could be a considerable delay of hours, or days before the home network is made aware of such usage.
  • For applications such as fraud prevention, or location based services, it can be valuable to have more up to date usage information.
  • a high risk or identified group or individuals that are roaming across networks, can be monitored more closely. Using a hybrid of centralised and distributed technologies, their handsets can monitor and inform a centralised network fraud detection manager in real time when the roamers are behaving suspiciously.
  • Another dependent claim feature is an aggregator for aggregating and storing in the handset an aggregated profile of the usage.
  • the information can be condensed to reduce communication costs. There is less need for a large central processing facility with expensive communications links and interfaces to complex billing systems. This also means the solution is inherently more scalable as numbers of subscribers increase.
  • Another aspect of the invention provides a method of charging for handset usage, the charging being dependent on whether the handset has active fraud detection.
  • An advantage of this is that if the fraud detection is local, in the handset, it can be made more visible to subscribers, and can be selectively activated more easily than a centralised system. Thus it is easier for the operator to convince subscribers that it brings added value and so is worth an extra fee. Thus revenue can be increased. Alternatively, if revenue increases sufficiently by the reduction in fraud, or other revenue loss, the operator can opt to offer a discount to subscribers to activate the fraud detector, to encourage more to do so. The better scalability of the local handset based detection makes this more feasible.
  • Another aspect of the invention provides a method of charging for handset usage, the charging being dependent on whether the handset has active usage monitoring.
  • Another aspect of the invention provides a method of maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the method having the steps of: maintaining a record of which handsets have usage monitors, and receiving usage information from these handsets.
  • Another aspect of the invention provides a management system for maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the system having: a record of which handsets have usage monitors, and a processor arranged to receive usage information from these handsets. This corresponds to the above method.
  • Another aspect of the invention provides a removable card as set out above and having an aggregator for aggregating current usage information into a signature.
  • Another aspect of the invention provides a removable card for a handset for use as part of a radio communication network, the removable card having software arranged to monitor usage of the handset and for storing in the handset a signature summarising the usage.
  • Another dependent claim feature is software arranged to detect anomalous usage by comparing a short term usage with the signature representing usage over a longer period. Another dependent claim feature is software arranged to update the signature with current usage information. Another dependent claim feature is software arranged to use the signature for revenue assurance purposes. Another dependent claim feature is software arranged to use the stored signature to send usage information from the handset to an operator of the network to enable services to the user to be tailored according to the usage information. Another dependent claim feature is the removable card being arranged to receive software updates when installed in the handset, sent by an operator of the network over the network. Another aspect is software for storing on a removable card for implementing the above features. Another aspect is a mobile handset having the removable card having any of the above features.
  • Scalability Unlike Moore's Law referring to CPU power (doubling every 2 years), online storage is not increasing in the same proportions, therefore centralised fraud management approach will eventually become too cost restrictive for all but the top few operators due to the increasing online storage requirements per subscriber as more and more revenue delivering services are provided.
  • Monitor at Source Fraudulent calls are made by the mobile handset therefore the best place to detect and prevent these calls is on the handset in real-time not later after the call records (CDR's) have been collected, converted and distributed to up-stream back office systems run by the operator.
  • CDR's call records
  • Tailored Service rather than centrally trying to monitor and predict every single subscribers usage patterns and future calling habits, the empowered handset is devoting its entire resources to one single subscriber. With the aid of the operator tagging the subscriber with a single class of subscription (pre-paid, post-paid consumer, post-paid business etc) the solution is tailored and targeted to one market arena with its own unique thresholds and particular rules (e.g. pre-paid customers do not frequently roam, but may have higher rate of SMS usage than post-paid business). This can reduce any potential false positives that could be generated by a centralised approach and can increase the success rate of fraud prevention.
  • Global Solution - By utilising the GSM based SM Card and the industry standard SM Toolkit for developing the software, embodiments of the invention can work in all of today's handsets without the need for unique distributions being required for each mobile handset manufacturer.
  • Embodiments of the invention can be included into every SM Card during the operators' point-of-sale (manufacturing) process. Later using Over-The- Air Activation, the service can be remotely enabled either at the subscriber's wish or the operators' demands.
  • Portability For embodiments using software located on the SM Card, when a subscriber updates the handset they automatically take the software with them. As no handset can be used without a SM Card, any fraud protected handset will require an alternative SM card (and alternative operator/billmg contract) if the original SM Card is removed.
  • CRM customer relationship management
  • optionally calling patterns can be sent from the handset to the operator, allowing current usage trends to be monitored, and future service trends to be forecast, which can lead to better tailoring of services to suit users and increase revenues.
  • Fig 1 shows a schematic view of a first embodiment of the invention, with a handset having a monitor and a fraud detector
  • Fig 2 shows a schematic view of another embodiment, having a network fraud management system
  • Fig 3 shows a schematic view of another embodiment, having a handset arranged to monitor usage
  • Fig 4 shows a schematic view of another embodiment, haing a handset with a lock
  • Fig 5 shows a schematic view of another embodiment, having a handset arranged to send usage information using a message service
  • Fig 6 shows a schematic view of another embodiment, showing a removable card for a handset
  • Fig 7 shows a schematic view of another embodiment, showing steps in activating monitoring
  • Fig 8 shows a schematic view of another embodiment, showing steps in detecting fraudulent usage
  • Fig 9 shows a schematic view of another embodiment, showing steps in reactivating a locked handset.
  • FIG. 1 shows a schematic view of a first embodiment of the invention, with a handset having a monitor and a fraud detector, in the context of a typical radio communications network.
  • the network shown as item 10, can be a GSM or other cellular network, or an IP network ranning over radio links or cellular telephone links or radio data links such as GPRS (General Packet Radio Service) or 3G networks.
  • a first handset 20 is shown for users to communicate over the network.
  • Other handsets 50 can be conventional handsets or handsets similar to the first handset.
  • the handsets can be PDAs (Personal Digital Assistants) or portable or handheld computers with radio communication capability.
  • the network is shown coupled to other networks 70, which may be radio or terrestrial or any kind.
  • Network management and billing systems 60 are also shown. Conventionally, there are signalling channels to enable the network management system to communicate with base stations around the network, for conventional network management purposes. Such network management systems could have some level of traffic monitoring, at least of levels of traffic at different parts of the network, to identify any
  • the first handset has a usage monitor 30, and a fraud detection function 40, which uses the output of the usage monitor.
  • the output of the fraud detection function can be used for any purpose, so for clarity, none is illustrated in this figure.
  • the usage monitor can be completely stand alone, or coupled to the network. This can be achieved using the conventional signalling channels, or other methods such as SMS (short message service) messages. Usage information from many such handsets can be collated in the network, Its output can be in any form, but can usefully include a summary of usage over a period of time. An example of this is the behaviour signatures described in more detail below.
  • the output can be used for other purposes as well as for fraud detection.
  • the fraud detection element can be implemented to use any of various conventional methods. Depending on the processing and memory capabilities of the handset and the desired level of detection, it may be appropriate to use a simpler algorithm or one requiring less processing or memory resource than those typically used for network based fraud detection. An example will be described in more detail below.
  • FIG. 2 shows a schematic view of another embodiment, having a network fraud management system as well as a handset 210 with local detection of fraud (also called “Terminator” TM).
  • the handset can be similar to the first handset of figure 1, or have some other arrangement. It can be used by users to communicate over the network 220, (which can be a similar network to that of figure 1).
  • a control centre 230 is coupled to the network and provides and interface to the network fraud management centre. This has a network fraud detection system 250, fraud analyst workstations 260, and a handset detection management centre 240, to which help desk terminals 270 for the terminator application, are coupled.
  • FIG. 3 shows a schematic view of another embodiment, having a handset arranged to monitor usage. Corresponding reference numerals are used to those in figure 1.
  • a usage store 300 is provided. This enables a summary of the usage to be stored in the handset.
  • This usage can include calls, messages, email usage, data communications, and non communications usage, e.g. games, calendars, and other applications. This would often be impractical to store in the handset, or transmit from the handset without some type of compression or summarising.
  • An example is the behaviour signature described below, which can be updated continuously.
  • the usage information can be used for marketing purposes either external, by selling on to others, or internal for use by the operator. It might also be used for network management purposes, or revenue assurance purposes. For example, the usage stored in the handset could be compared to the bill prepared for that user, to identify any anomalies.
  • Figure 4 shows a schematic view of another embodiment, having a handset arranged to lock the handset to prevent usage.
  • Corresponding reference numerals are used to those in figure 1.
  • Having a local lock 410 rather than merely barring use in the network enables quicker action to prevent fraudulent calls, and prevents use on other networks more easily and effectively.
  • the lock can be implemented by software on a SM card for the handset.
  • the software would interact with a processor on the handset to bar the use.
  • the details of implementation would vary with different types of handset, but could follow established practice.
  • a lock controller 400 is shown, again implementable in software on a SM card for example, for ensuring the lock is activated for the correct criteria, and can be unlocked remotely by the network operator.
  • the controller is also optionally arranged to alert the network operator when the lock is activated.
  • the lock can be activated based on usage, which in this case can be monitored locally or in the network, for example at a base station, an MLC (mobile location controller) or MSC (mobile services switch centre) or equivalents, or a network management or billing centre.
  • the lock controller is arranged to communicate with such network elements or external elements by means of a message service, such as SMS.
  • Fig 5 shows a schematic view of another embodiment, having a handset arranged to send usage information using a message service.
  • the handset does not necessarily have a terminator fraud detector.
  • the usage is monitored by the usage monitor 30.
  • the usage info is sent onwards by element 500 over the network by a message service, such as SMS.
  • a message service such as SMS.
  • These elements can be implemented in the form of software on a removable card such as a SM card.
  • the software can be downloaded or updated remotely, again using the message service.
  • the usage monitoring can include monitoring individual calls, or messages, or monitoring trends or patterns of usage over a period of time, or a combination.
  • unusual activity can be deduced from a hybrid of behaviour over a period of time, and current events. It can involve monitoring both incoming and outgoing activity.
  • Fig 6 shows a schematic view of another embodiment, showing a removable card 600, such as a SM or Java card for a mobile handset.
  • a memory map 690 shows memory areas in 5 segments at different memory addresses. At addresses 0 to 16k is free memory available for software applications, hi this case, usage monitoring and fraud detection applications 680 are located here. These include modules titled “Call Learn” TM 630, “Call- Predict” TM 640, “Call-Guard", TM 650, and “Call Control” TM 660.
  • Call learn is an example of a monitor for monitoring usage. It creates and maintains by updates, one or more behaviour signatures (also called profiles) representing an aggregate of various parameters of usage over a period of time. These can be implemented in various ways. An example is shown in US patent 5,966,650 entitled
  • a long term signature is formed of an aggregation of 20 to 30 fields, each having a value representing a different parameter of the usage, selected according to the application of the signature and/or the class of subscriber.
  • the fields may have values representing a number or proportion of international calls, or emails, or premium rate calls, or local calls, over the period in question, e.g. several months.
  • a short term signature can also be built up to represent current usage over a number of hours or days.
  • the long term signature can be updated by using the current signature, and producing a type of weighted average of the field values, weighted according to the periods represented, or in the case of fields being time sequences of values, the oldest values can be dropped and new current values added at the other end of the sequence.
  • the number of fields and/or the precision of the values can be reduced.
  • Call Predict is used to detect anomalies by comparing the current signature with the typical or long term signature.
  • the amount of change from the typical can be represented by a behaviour change index.
  • the level of this index which triggers action can be adjusted according to the class of subscriber, and on an individual basis, to prevent unwanted false detections.
  • implementation can follow established principles as shown in US patent 6,038,555 entitled “Generic processing capability” and hereby incorporated by reference.
  • This shows anomaly detection for event streams, and provides a method for measuring change for event streams. The method depends upon the construction of a behaviour profile and provides a proprietary method for the efficient comparison of current activity against some benchmark activity. Once again the main adaptation envisaged would be a simplification of the method to accommodate limited processing capacity.
  • Call Guard is used in parallel with Call predict as another way of detecting anomalies in usage and thus detecting fraud.
  • actual call or message attributes are compared to rules, thresholds and hot lists.
  • rules can be set for exceeding combinations of lower thresholds, or for calls at unusual times of day for example. Again more details are set out in the above referenced US patent.
  • Comparison with hot lists involves comparing destination addresses for the usage, e.g. phone numbers, email addresses, web site addresses and so on, with addresses known to be related to fraudulent activity.
  • the hot list can also include cell or network identities which are compared to the current cell or network of the handset, to detect if it is outside a prearranged limited area of bona fide usage.
  • Call control is arranged as a receiver for over-the-air activities (OTA) including processing of Terminator SM-Updates of hot lists. Call control also maintains and undertakes Network Operator requested adjustments to: Hot-List entries Rules & Thresholds values including call types CRM analysis of Signatures Loading new Live and Decayed Signatures
  • Alarm detection
  • Options can include override of the consumer's handset control with a
  • Another option is to dial automatically, or send an SMS message to a Network Operator
  • Help Desk to enable the user to verify their identity, or face locking of the handset after a predetermined time. Another option is to alert the operator without alerting the user.
  • Another option is immediate locking of the handset. Once locked, the call control is arranged to enable unlocking through an entry code provided remotely or - through remote unlocking. -. Call control validates the unlock code received from the operator before unlocking the handset. Partial locking can be arranged, e.g. to limit use to a subset of types of communication, or a subset of addresses, or locations (e.g. cells) of usage.
  • Addresses 16k to 32k can be used as workspace for persistent storage of data 670 for the applications.
  • the rules and thresholds can be stored here, also hotlists, the current or live signature, the long term or decayed signature, and temporary storage of messages or programmes received OTA.
  • the software can be implemented in any appropriate language according to the application, such as the well known C, or Java languages. Particularly for handsets other than mobile phones, it may be stored in on board memory rather than on a removable card.
  • the software can be executed by conventional hardware in the handset, such as standard general purpose microprocessors or digital signal processors, or processor modules on ASICs (application specific integrated circuits).
  • Fig 7 shows a schematic view of another embodiment, showing steps in activating monitoring.
  • the user subscriber
  • the operator can activate without user initiative.
  • the Network Operator starts the activation process and sets or adjusts the subscriber class for that subscriber, either depending on user input, or by reference to other sources.
  • the Terminator Mobile Application is activated via a SM- Update SMS message.
  • the Call-Predict & Call-Guard modules are initialised with default values.
  • Call- Predict & Call-Guard are remotely adjusted via Call-Control to reflect a revised subscriber class (e.g. Pay as you go, Business, international etc) via SM-Update.
  • Fig 8 shows a schematic view of another embodiment, showing steps in detecting fraudulent usage.
  • the subscriber initiates outgoing call or message, or receives an incoming call or message.
  • Call-Learn and Call-Predict are monitoring call details (duration, dialed number, destination). Similarly, for incoming calls, the same details can be recorded.
  • Call-Control will lock-down the handset and/or send a message to the operator if Call Predict generates an Alert.
  • Call-Control will lock-down the handset and/or send a message to the operator if Call Guard generates an Alert.
  • Call control will lock down the handset and/or send a message to the operator, if it detects usage in a non permitted location, e.g. another network, or particular cells of the home network.
  • Hybrid combinations of these types of monitoring are particularly useful for deducing unusual activity. For example if behaviour patterns are unusual, then lower event thresholds can be used, to trigger action. Similarly, the location information can be used in combination with behaviour and or events, to provide more accurate detection.
  • the display 855 of the handset shows an indication that the handset has been locked, and offers the opportunity to call the operator with a code for the type of fraud detected, to request remote unlocking, as will now be explained in more detail.
  • Fig 9 shows a schematic view of another embodiment, showing steps in reactivating a locked handset.
  • Call-Guard has locked the phone, the consumer must contact the Network Operator to obtain unlock code. Only the Network Operator HelpDesk number can be dialed.
  • the Network Operator undertakes verification procedures and ascertains the fraud code nature from the subscriber's handset.
  • the handset remains locked and withdrawn from the network, or, at step 930, the Network Operator provides an unlock code to the subscriber and makes any necessary adjustments to consumer subscription class or to thresholds, to prevent more unwanted false detections.
  • Call-Predict & Call-Learn are remotely adjusted via Call-Control to reflect consumer subscription class via SM-Update.
  • a means of capturing user behaviour within the SM card of the mobile handset, by building a subscriber signature is provided.
  • One option is to apply fraud detection techniques to this user data.
  • Another is to determine the location of the usage, e.g. by determining cell identity in a cellular system, or network identity for roaming usage. If the usage is identified as potentially fraudulent, action can be taken.
  • One option is to lock the handset and allow it to be unlocked only by the network operator. Use can thus be restricted to particular predetermined locations. Fraud can be deterred since much fraud involves use at locations far from the user's home cell. In 2.5G/3G networks, data network usage monitoring can take place by maintaining a list of 'hot' URLs or other indicator.
  • User behaviour can be captured by recording and maintaining call data for that user.
  • This information can include dialled number and behavioural data such as call duration and call destination.
  • the behavioural data will be maintained and aggregated into a subscriber usage profile.
  • These two elements are then analysed by the fraud detection software for potential fraud.
  • the dialled numbers can be checked against a list of 'hot' numbers, numbers known to the operators as suspicious. If there is a match the phone is immediately locked.
  • the hot number list can be downloaded from a central Fraud Management System by means of a mobile control unit and can be updated whenever the hot number list changes.
  • the behavioural data aggregated into a user profile, is compared to the user's typical profile. If there is a major discrepancy, showing a dramatic change in behaviour the phone can be locked.
  • the method of comparison used may include standard statistical analysis techniques, proprietary techniques such as Dynamic Deviation, neural networks or other advanced techniques. The result of the comparison will provide an indication of the likelihood of fraud.
  • the behavioural data is also compared against thresholds of activity for the category of user and any threshold exceeded will provide evidence of fraud.
  • Each user is initially provided with a default profile that constitutes the typical use for this type of user.
  • the default profiles are based on information provided by the central fraud management system that processes all user activity.
  • the aggregated behavioural profiles are decayed into the user profile to maintain an adaptive record of user behaviour as described in above mentioned US patent 5,966,650.
  • Embodiments include a software application capable of running on the SM card of a mobile phone and a fraud management system that can communicate with mobile handsets and download information such as hot list updates to handsets running the fraud detection application.
  • Benefits include fraud detected and prevented at source, potentially thousands of Fraud Management System's (FMS) deployed in the field for a specific network operator, each FMS uniquely tuned to one consumer. Also, the solution is portable between various mobile handsets due to industry support for SIM cards and a SIM Toolkit allowing the network operator to add the application to every new SM card as a standard component at the time of manufacture.
  • the subscriber could enable the Terminator Agent, just as easily as enabling Conference Calling, Data Services and 2nd Line Services.
  • the Network Operator could charge for Terminator Agent activation, either via monthly subscription to Retail consumers or as standard service offering to Business consumers. Branding incorporated in alerts to subscribers could increase market awareness for the selected Network Operator and for a fraud detection service operator or supplier.
  • Callguard can be used to monitor other scenarios e.g children not being allowed to call certain numbers, by adding to the hot lists.
  • User adjustable hot-lists could be used. Different levels of monitoring or revenue assurance could be provided.
  • the fraud alert or the "out of authorised location" alert could be sent to other people or agencies, e.g. alerts of children's inappropriate usage could be sent to parents.
  • Alerts on company handsets could be alerted to the company as well as the user.
  • Credit card companies could be alerted to increase monitoring of the users credit card. Insurance excess discounts could be offered if activation of monitoring is accepted by the user.
  • the remote locking function could be used by emergency services to prevent usage in the vicinity of an emergency, to prevent congestion and ensure availability to higher priority users such as emergency services.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Fraud detection provided on a mobile handset for a radio network, allows detection to take place immediately. User behaviour is recorded within the SIM card of the mobile handset, by building a subscriber signature. Fraud detection techniques can be applied to this usage data. The location of the usage can be determined, e.g. by determining cell identity in a cellular system, or network identity for roaming usage. If the usage is identified as potentially fraudulent, action can be taken such as locking the handset. Use can thus be restricted to particular predetermined locations. Fraud can be deterred since much fraud involves use at locations far from the user's home cell. User behaviour can be captured by recording and maintaining call data such as call duration and destination. The dialled numbers can also be checked against a list of ‘hot’ numbers, numbers known to the operators as suspicious.

Description

Local Usage Monitoring and Fraud Detection for Radio Communication Networks
Related Patents
This application relates to US patent 5,966,650 entitled "Detecting mobile telephone misuse", and US patent 6,038,555 entitled "Generic processing capability" hereby incorporated by reference in their entirety.
Field of the invention
The invention relates to handsets for radio communication networks such as cellular telephony networks, to removable cards such as SIM cards for such handsets, to methods of using such handsets, to methods of detecting fraudulent use of a handset, to methods of maintaining fraud detection, to management systems for fraud detection, to methods of charging for handset usage, to methods of maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, and to a management system for maintaining a usage monitoring system.
Background
Mobile telephony fraud has been widespread since the initial expansion of mobile phone usage. The telephone operators and handset manufacturers have put into place many security measures, fraud prevention measures and fraud detection measures. These include the use of identification codes such as IMSI (- International Mobile Subscriber Identity)and IMEI (International Mobile Equipment Identity) (MSI and MEI were not designed primarily for fraud detection but more for subscriber and handset identification needs) and the deployment of fraud detection systems based on rules and thresholds and neural network technologies to monitor subscriber usage. Currently fraud detection systems typically use mediation data from the operator's billing system to analyse user behaviour, construct subscriber signatures and apply fraud detection software techniques to identify potentially fraudulent use. They also take other streams of data from the network operator such as SS7, customer care and billing for example - the essence is that network operators are having to feed single or multiple data sources into a centralised system - even if this system is distributed.
One of the difficulties with usage monitoring is the time taken to positively identify fraudulent usage and de-activate the phone. During this time a significant amount of usage could have taken place resulting in a significant revenue loss to the operator. It is in the operator's interest to identify fraud at the earliest stage possible to minimise the substantial revenue losses occurred.
A useful summary of some different types of fraudulent use, and a detection system is shown in US patent 5 734 977. It is known to provide fraud detection systems for detecting anomalous usage patterns from call detail records. These are processed at a central location and suspicious activity is alerted to operators who can decide what action to take. There is a heavy processing load for this central location, dealing with thousands or millions of subscribers, and a delay involved in passing CDRs to this location. Hence response times are typically hours. Also, detection event scenarios use algorithms or rules that cannot be tailored to individual subscriber behaviour without a huge and impractical processing load or processing delay.
It is also known from US patent 5 655 004 to attempt immediate detection and refusal of fraudulent calls, while permitting continuing service to the legitimate user by authenticating a request for communication service between a mobile communication device, e.g., a cellular telephone, and a recipient, h particular a request for service message includes an identification code specific to the mobile communication device and a transmitted authentication code which represents a cumulative total of the prior usage of the mobile communication device is received from the mobile communication device at a central processing facility. The transmitted authentication code is compared to a stored authentication code for the mobile communication device and communication is initiated between the mobile communication device and the recipient if the transmitted authentication code and the stored authentication code match. Another US patent, 6 295 446 aims at defeating cloned cellular telephone operations including those using stolen PINs (Personal Identification Numbers). The mobile Station (MS) has a nonvolatile memory to store an electronic identification number and a first calling event table. The apparatus also includes a MSC (mobile service centre) or HLR (home location register) having a second calling event table that contains a mirror image of the first calling event table, as long as no fraud has occurred. The first and second calling event tables contain identifying information for MS calling activity, such as outgoing call information, which may comprise a called number, a call time, a call duration, and/or a call date. The first and second calling event tables are updated with each outgoing call, and authorization to make future calls is based on conditioned correspondence between the information contained in each calling event table.
However, such arrangements still involve the cost of a central facility, and the delay and cost of sending information to and from the central facility, to reach a decision on fraudulent activity, then de- activate the phone. During this time, a significant amount of usage could have taken place, resulting in significant revenue loss to the operator.
It is also known to provide mobile handsets capable of requiring a PIN to be entered before calls are allowed. An example is shown in US patent: 6,338,140, intended as a defence against cloning. However, this remedy is inconvenient and unpopular with users. US patent: 6,321,339 shows a system for authentication of network users and issuing a digital certificate. This requires users to ESN (Electronic Serial Number) or provide identification information. The user is presented with a hierarchy of queries to ensure identity. US patent 6,223,290 shows a method for preventing the fraudulent use of a cellular telephone. This involves programming a unique code into an auxiliary memory which is compared to at least one component code. The idea is to link the telephone memory, the telephone hardware and the micro-controller to prevent cloning by locking the hardware to a particular provider. This can prevent (successful) modification of ESN (Electronic Serial Number) or MEI
US patents 6,198,915 and 5,625,669 show a mobile phone with internal accounting. This allows call value to be calculated by use of an accounting program. The user is alerted to account status. The phone can decrement a debit account or calculate an account charge on demand. It also shows activating, updating and programming a new phone remotely.
Summary of the Invention
It is an object of the invention to provide improved apparatus or methods addressing these issues.
According to a first aspect of the invention, there is provided a mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
This has a number of advantages over conventional centralised systems. Fraud detection can be quicker if carried out at source, where the usage information originates, that is, the handset. The detector can look at usage such as calls still in progress or undertake immediate analysis after call completion. There is less delay and less communications overhead if there is no need to transmit usage information to a centralised fraud detection arrangement. Any remedial action following the detection, can be implemented with less delay. Such remedial action can include locking the handset, or sending an indication (e.g. by SMS) to inform the operator (via an application management component of interesting behaviour which may pertain to fraud. Notably, the detection can be tailored more easily to individual users or groups of users if the detection is carried out locally at the handset, resulting in more accurate detection. Costs of implementing and running the fraud detection can be reduced since the detection processing no longer needs a large central processing facility with expensive communications links and interfaces to complex billing systems. This also means the solution is inherently more scalable as numbers of subscribers increase and as types of activity increase with the increase in use of revenue based services such as WAP, permanently-on services using GPRS and future 3G network services like EMS and MMS. Fraudulent usage is intended to encompass any usage for which the corresponding revenue is not collected for any reason. This can include calls not properly billed, as well as calls billed but not paid.
As a dependent claim feature, the handset is arranged as part of a distributed processing network fraud management system. This can enable improved detection compared to a completely centralised or a completely autonomous arrangement. The advantages of both can be combined. Average patterns of many users usage over the network can be built up, yet still be personalised to each user, on a time of day and day of week basis, for example.
Another dependent claim feature is a lock for preventing further usage in the event of the detector determining fraudulent ( including inappropriate ) usage. This can also act as a trigger mechanism which may lock the phone when interesting events have been recognised. This can enable quicker reaction to fraud detection, than a network based lock. Also, it enables the logistical difficulty and delay of preventing use on other operators' networks to be avoided.
Another dependent claim feature is sending an indication to a network operator in the event of the detector detecting unusual usage such as fraudulent or inappropriate usage. This can enable an operator to take appropriate action, such as closer monitoring, or prompting the user for authentication, or warning the user that a lock will be activated. The indication can be carried by a message service, including SMS, EMS, MMS, email or others. An advantage of a message service over network signalling type solutions is that it can be easier to implement, requiring no interface into complex network management or billing systems. Also it can be faster and more efficient, especially across many networks. This addresses the common problem of roaming fraud where mobile phone usage on other operators' networks may not be identified for some time due to common time lag of days or weeks in call records reaching the home operators ( Home Public Land Mobile Network) (HPLMN) mediation system.
Another dependent claim feature is the monitor or the detector being adaptable by means of a message sent from a network operator -. Amongst other advantages, this can enable the handset to be upgraded remotely. Also thresholds or other parameters can be adjusted if fraud is not being detected accurately, to reduce inconvenience to users, or to reduce inconvenience to operators.
Another dependent claim feature is the monitor having an aggregator for aggregating current usage information into a current signature. This can enable easier processing of the usage information, if it is summarised or standardised. The limited processing and storage resources of the handset can thus be used more efficiently.
Another dependent claim feature is the detector being arranged to detect anomalous usage by comparing the current signature with a typical signature representing usage over a long period. This can enable various types of fraud to be detected quickly and accurately.
Another dependent claim feature is the monitor being arranged to adapt the typical behavioural signature with the current usage information. This can enable the detection accuracy to increase with time and each SIM card having an accurate view of the individual behavioural characteristics of usage of Network services.
Another dependent claim feature is the detector being arranged to compare the current usage to thresholds of levels of activity. This is a particularly useful indicator of fraud. It can be one of several detection methods. A particularly useful method involves a combination of behavioural detection over a period of time and detection of current activity, also termed event based detection. The usage usefully includes both incoming calls and messages, and outgoing activity. Even if such incoming activity is not itself fraudulent, it can be an indication or predictor of fraudulent outgoing activity.
Another dependent claim feature is the detector being arranged to compare the current usage to predetermined activities categorised as fraudulent. These activities can include calling predetermined numbers or countries or premium rate numbers for example. This can be used in addition to other detection methods. Another dependent claim feature is the detector being arranged to be adjustable remotely by a network operator. This can enable detection sensitivity to be adjusted, or thresholds or hot list numbers or categories to be updated for example.
The monitor and detector can be in the form of software. The monitor and the detector can be implemented on a removable card. This could be for example a SM card, or a Java card for the 2.5G or 3G environment where usage includes data service usage and transactions.
Another aspect of the invention provides a removable card for a handset for use as part of a radio communication network, the removable card having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
This reflects that cards such as SM cards can be the most valuable part of a handset, and may be a separately tradeable commodity, suitable for use with handsets from many manufacturers. The term monitor is intended to encompass monitors arranged as part of a hybrid solution with some of the processing being based in the handset and some in the network.
Another aspect of the invention provides a method of using a mobile handset suitable for use with a radio communications network, the handset having a fraud detector, the method having the step of: using the handset to communicate over the radio communications network, following activation of the fraud detector, such usage being monitored by the fraud detector.
This aspect, concentrating on the actions of the subscriber, could be particularly useful if the subscriber is the only party within the jurisdiction of the patent, for example.
Another aspect of the invention provides a method of detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: monitoring usage of the handset, in the handset, and determining in the handset if such usage is fraudulent.
This corresponds to the apparatus aspects, and may be particularly useful if there is more value in the use of the apparatus, in service, than in the selling value of the apparatus.
Another aspect of the invention provides a method of offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving from a subscriber, a request for service activation, and sending a message to the handset to cause the detector to detect fraudulent use.
This aspect, concentrating on the actions of the operator, could be particularly valuable if the benefits to the operator are large compared to the value of the individual handsets. An advantage of handset based fraud detection is the ease with which it can be activated or de-activated for each subscriber, either by activating software installed at manufacturing time on the handset card, or conceivably by downloading the appropriate software to the handset card when the handset card is already in the field or in service.
Another aspect of the invention provides a method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: maintaining a record of which handsets have fraud detectors, and remotely updating the fraud detectors in one or more of these handsets.
This aspect, also concentrating on the actions of the operator, could be particularly valuable if the benefits to the operator are large compared to the value of the individual handsets. Notably, the updating can be more easily tailored to individual usage patterns without an impractical amount of processing or storage capacity being required, since the detectors are handset based, rather than being centralised. Another aspect of the invention provides a method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving an indication that a handset has been locked by the fraud detector, and remotely unlocking the handset if the use is not fraudulent.
This aspect, also concentrating on the actions of the operator, could be particularly valuable if the benefits to the operator are large compared to the value of the individual handsets. Notably this helps to overcome the possible risk of inconvenience to subscribers from false fraud detections. Remote unlocking is intended to encompass sending an unlock code for the subscriber to enter into the handset to unlock it.
Another aspect of the invention provides a management system for offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface arranged to receive from a subscriber, a request for service activation, and a processor arranged to send an indication to the handset to cause the detector to detect fraudulent use.
This aspect is a system corresponding to one of the above methods.
Another aspect of the invention provides a management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: a record of which handsets have fraud detectors, and a processor arranged to remotely update the fraud detectors in one or more of these handsets.
This aspect is a system corresponding to one of the above methods. Another aspect of the invention provides a management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface for receiving an indication that a handset has been locked by the fraud detector, and a processor arranged to send a command to remotely unlock the handset if the use is not fraudulent.
This encompasses sending an unlock code to the user. This aspect is also a system corresponding to one of the above methods.
Another aspect of the invention provides a mobile handset having a lock for preventing use, and a lock controller for activating the lock based on monitored usage.
An advantage of the lock being in the handset rather than in the network, is that it can prevent the handset card being used with other networks. Also, it can enable the use to be prevented more quickly than conventional centralised network based usage prevention. The monitoring and detection in this case can be local or centralised or a hybrid of the two.
A dependent claim feature is the activation being dependent on the location of the handset. An advantage of location dependence is that it can help deter theft, or limit the revenue loss. This is particularly the case for mobile handsets or SMs that are fraudulently recycled for use on other networks perhaps in different countries. A handset based solution is much more cost effective than maintaining network based lock out since there are so many networks around the world.
Another dependent claim feature is the handset being for use with a cellular network, being arranged to determine location by identifying which cell the mobile is in. This can enable more efficient fraud prevention by locking out or limiting calls made from particular cells, or only allowing calls in specified cells where the user is likely to be. Another dependent claim feature is the handset being adjustable remotely by a network operator. This enables updating to alter the locations, or the sensitivity of any monitoring or fraud detection for example. This can make the arrangement much more user friendly.
Another aspect of the invention provides a mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor and record usage of the handset.
There are many advantages of monitoring in the handset rather than the conventional arrangement of monitoring in the network. Cost can be greatly reduced if the monitoring in the handset enables the monitoring to be carried out without major modification to the complex, expensive network signalling, management, or billing systems. The usage information can be used for a variety of purposes, including fraud detection, other revenue assurance activity such as for marketing purposes and other customer relationship management (CRM) activities.
Another dependent claim feature is sending information relating to the monitored usage to a network operator using a message service. This can enable the network operator to have near real time information about usage more directly, without having to rely on conventional signalling networks or billing systems. Particularly for roaming, meaning usage on other networks than the user's home network, there could be a considerable delay of hours, or days before the home network is made aware of such usage. For applications such as fraud prevention, or location based services, it can be valuable to have more up to date usage information. A high risk or identified group or individuals that are roaming across networks, can be monitored more closely. Using a hybrid of centralised and distributed technologies, their handsets can monitor and inform a centralised network fraud detection manager in real time when the roamers are behaving suspiciously.
Another dependent claim feature is an aggregator for aggregating and storing in the handset an aggregated profile of the usage. There are a number of advantages of doing this in the handset rather than elsewhere in the network. The information can be condensed to reduce communication costs. There is less need for a large central processing facility with expensive communications links and interfaces to complex billing systems. This also means the solution is inherently more scalable as numbers of subscribers increase.
Another aspect of the invention provides a method of charging for handset usage, the charging being dependent on whether the handset has active fraud detection.
An advantage of this is that if the fraud detection is local, in the handset, it can be made more visible to subscribers, and can be selectively activated more easily than a centralised system. Thus it is easier for the operator to convince subscribers that it brings added value and so is worth an extra fee. Thus revenue can be increased. Alternatively, if revenue increases sufficiently by the reduction in fraud, or other revenue loss, the operator can opt to offer a discount to subscribers to activate the fraud detector, to encourage more to do so. The better scalability of the local handset based detection makes this more feasible.
Another aspect of the invention provides a method of charging for handset usage, the charging being dependent on whether the handset has active usage monitoring.
Similar advantages apply to such usage monitoring as to fraud detection. Potentially, if such usage information can be valuable for marketing purposes, it could be sold on, with the user's permission, and the users could be offered a discounted charging scheme. This has benefits for the user and the operator.
Another aspect of the invention provides a method of maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the method having the steps of: maintaining a record of which handsets have usage monitors, and receiving usage information from these handsets. An advantage of this is that the local aggregation of such information can reduce the amount of processing and communication overhead compared to a centralised solution. Also, it can reduce the need for expensive interfaces to complex installed systems, such as billing systems, yet can produce extremely valuable information about subscriber behaviour. As above, it is more scalable than a conventional centralised system.
Another aspect of the invention provides a management system for maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the system having: a record of which handsets have usage monitors, and a processor arranged to receive usage information from these handsets. This corresponds to the above method.
Another aspect of the invention provides a removable card as set out above and having an aggregator for aggregating current usage information into a signature.
Another aspect of the invention provides a removable card for a handset for use as part of a radio communication network, the removable card having software arranged to monitor usage of the handset and for storing in the handset a signature summarising the usage.
Another dependent claim feature is software arranged to detect anomalous usage by comparing a short term usage with the signature representing usage over a longer period. Another dependent claim feature is software arranged to update the signature with current usage information. Another dependent claim feature is software arranged to use the signature for revenue assurance purposes. Another dependent claim feature is software arranged to use the stored signature to send usage information from the handset to an operator of the network to enable services to the user to be tailored according to the usage information. Another dependent claim feature is the removable card being arranged to receive software updates when installed in the handset, sent by an operator of the network over the network. Another aspect is software for storing on a removable card for implementing the above features. Another aspect is a mobile handset having the removable card having any of the above features. Advantages of the various aspects of the invention and optional features set out above include the following considerations: a). Scalability: Unlike Moore's Law referring to CPU power (doubling every 2 years), online storage is not increasing in the same proportions, therefore centralised fraud management approach will eventually become too cost restrictive for all but the top few operators due to the increasing online storage requirements per subscriber as more and more revenue delivering services are provided.
b). Monitor at Source: Fraudulent calls are made by the mobile handset therefore the best place to detect and prevent these calls is on the handset in real-time not later after the call records (CDR's) have been collected, converted and distributed to up-stream back office systems run by the operator.
c). Exploit existing unused processing resource: Today's generation of mobile phones posses enough computing power to provide a whole host of services and features (calender, address books, email, SMS, EMSMMS). Tapping into a small percentage of this computing power can enable monitoring of the usage patterns of the legitimate owner and prediction of future calling habits, with little or no effect on other applications.
d) Tailored Service: rather than centrally trying to monitor and predict every single subscribers usage patterns and future calling habits, the empowered handset is devoting its entire resources to one single subscriber. With the aid of the operator tagging the subscriber with a single class of subscription (pre-paid, post-paid consumer, post-paid business etc) the solution is tailored and targeted to one market arena with its own unique thresholds and particular rules (e.g. pre-paid customers do not frequently roam, but may have higher rate of SMS usage than post-paid business). This can reduce any potential false positives that could be generated by a centralised approach and can increase the success rate of fraud prevention. e) Global Solution: - By utilising the GSM based SM Card and the industry standard SM Toolkit for developing the software, embodiments of the invention can work in all of today's handsets without the need for unique distributions being required for each mobile handset manufacturer.
f) Ease of deployment - Embodiments of the invention can be included into every SM Card during the operators' point-of-sale (manufacturing) process. Later using Over-The- Air Activation, the service can be remotely enabled either at the subscriber's wish or the operators' demands.
g) New Service Support - When operators launch new services, the signatures and class of subscription can be updated and remotely sent over the air to enabled handsets, thus allowing new services protected or new hot spots guarded.
h) Customer Loyalty Protection - Rather than annoy high revenue subscribers, new services can be tagged with warning status rather than lock status to allow the operator to centrally decide whether this subscriber is actually performing fraud or just making unforeseen calling patterns and exceeding thresholds as the new service increases its associated market penetration.
i) Brand Recognition: Subscribers will be more inclined to select handsets from operators which boast this mobile fraud detection/prevention solution, knowing full well that if their handset is lost or stolen at the first attempt of fraud the handset will be locked and they will not be liable to any call charges that the operator may wish to apply to fraudulent usage.
j) Portability: For embodiments using software located on the SM Card, when a subscriber updates the handset they automatically take the software with them. As no handset can be used without a SM Card, any fraud protected handset will require an alternative SM card (and alternative operator/billmg contract) if the original SM Card is removed. k) CRM (customer relationship management)- optionally calling patterns can be sent from the handset to the operator, allowing current usage trends to be monitored, and future service trends to be forecast, which can lead to better tailoring of services to suit users and increase revenues.
1) Location Based Services - Usage of the handset in particular geographic locations can be blocked or recorded while at the same time reversing this concept and prevent the subscriber from calling particular locations.
m) Future Proof - The basis for 3G and the forthcoming 4G generation of mobile services is all based upon the highly successful GSM 2G standard. By supporting the core features of the GSM 2G standard and later 2.5G/3G standards, compatibility can be maintained with future standards.
Any of the dependent claim features can be combined with each other and with any of the aspects of the invention, as would be apparent to those skilled in the art. Aspects may be combined together. Advantages other than those set out above will be apparent to those skilled in the art.
Brief Description of the Drawings
Embodiments of the invention will now be described to show byway of example how the invention can be implemented, with reference to the figures, in which:
Fig 1 shows a schematic view of a first embodiment of the invention, with a handset having a monitor and a fraud detector, Fig 2 shows a schematic view of another embodiment, having a network fraud management system,
Fig 3 shows a schematic view of another embodiment, having a handset arranged to monitor usage,
Fig 4 shows a schematic view of another embodiment, haing a handset with a lock, Fig 5 shows a schematic view of another embodiment, having a handset arranged to send usage information using a message service Fig 6 shows a schematic view of another embodiment, showing a removable card for a handset,
Fig 7 shows a schematic view of another embodiment, showing steps in activating monitoring, Fig 8 shows a schematic view of another embodiment, showing steps in detecting fraudulent usage, and
Fig 9 shows a schematic view of another embodiment, showing steps in reactivating a locked handset.
Detailed Description
Figure 1 shows a schematic view of a first embodiment of the invention, with a handset having a monitor and a fraud detector, in the context of a typical radio communications network. The network, shown as item 10, can be a GSM or other cellular network, or an IP network ranning over radio links or cellular telephone links or radio data links such as GPRS (General Packet Radio Service) or 3G networks. A first handset 20 is shown for users to communicate over the network. Other handsets 50 can be conventional handsets or handsets similar to the first handset. The handsets can be PDAs (Personal Digital Assistants) or portable or handheld computers with radio communication capability. The network is shown coupled to other networks 70, which may be radio or terrestrial or any kind. Network management and billing systems 60 are also shown. Conventionally, there are signalling channels to enable the network management system to communicate with base stations around the network, for conventional network management purposes. Such network management systems could have some level of traffic monitoring, at least of levels of traffic at different parts of the network, to identify any congestion problems.
The first handset has a usage monitor 30, and a fraud detection function 40, which uses the output of the usage monitor. The output of the fraud detection function can be used for any purpose, so for clarity, none is illustrated in this figure. The usage monitor can be completely stand alone, or coupled to the network. This can be achieved using the conventional signalling channels, or other methods such as SMS (short message service) messages. Usage information from many such handsets can be collated in the network, Its output can be in any form, but can usefully include a summary of usage over a period of time. An example of this is the behaviour signatures described in more detail below. The output can be used for other purposes as well as for fraud detection.
The fraud detection element can be implemented to use any of various conventional methods. Depending on the processing and memory capabilities of the handset and the desired level of detection, it may be appropriate to use a simpler algorithm or one requiring less processing or memory resource than those typically used for network based fraud detection. An example will be described in more detail below.
Figure 2 shows a schematic view of another embodiment, having a network fraud management system as well as a handset 210 with local detection of fraud (also called "Terminator" ™). -. The handset can be similar to the first handset of figure 1, or have some other arrangement. It can be used by users to communicate over the network 220, (which can be a similar network to that of figure 1). A control centre 230 is coupled to the network and provides and interface to the network fraud management centre. This has a network fraud detection system 250, fraud analyst workstations 260, and a handset detection management centre 240, to which help desk terminals 270 for the terminator application, are coupled.
This is a hybrid system with the network fraud management system implemented following conventional principles, but adapted to cooperate with the terminator applications, to provide the advantages of fraud detection at local and network levels. The network fraud management system can identify fraudulent behaviour across groups of users, and produce statistics representing "normal" behaviour over large numbers of subscribers, categorised into different types (also called classes) of subscribers. This information can be downloaded in summarised form to the terminator applications on users handsets, to improve accuracy of the local detection. In the other direction, usage information, or potential fraud detections can be fed in real time from the terminator applications to the network fraud system, to improve its accuracy. Figure 3 shows a schematic view of another embodiment, having a handset arranged to monitor usage. Corresponding reference numerals are used to those in figure 1. In this case, instead of a local fraud detection application in the first handset, a usage store 300 is provided. This enables a summary of the usage to be stored in the handset. This usage can include calls, messages, email usage, data communications, and non communications usage, e.g. games, calendars, and other applications. This would often be impractical to store in the handset, or transmit from the handset without some type of compression or summarising. An example is the behaviour signature described below, which can be updated continuously.
The usage information can be used for marketing purposes either external, by selling on to others, or internal for use by the operator. It might also be used for network management purposes, or revenue assurance purposes. For example, the usage stored in the handset could be compared to the bill prepared for that user, to identify any anomalies.
Figure 4 shows a schematic view of another embodiment, having a handset arranged to lock the handset to prevent usage. Corresponding reference numerals are used to those in figure 1. Having a local lock 410 rather than merely barring use in the network enables quicker action to prevent fraudulent calls, and prevents use on other networks more easily and effectively. The lock can be implemented by software on a SM card for the handset. The software would interact with a processor on the handset to bar the use. The details of implementation would vary with different types of handset, but could follow established practice.
A lock controller 400 is shown, again implementable in software on a SM card for example, for ensuring the lock is activated for the correct criteria, and can be unlocked remotely by the network operator. The controller is also optionally arranged to alert the network operator when the lock is activated. The lock can be activated based on usage, which in this case can be monitored locally or in the network, for example at a base station, an MLC (mobile location controller) or MSC (mobile services switch centre) or equivalents, or a network management or billing centre. The lock controller is arranged to communicate with such network elements or external elements by means of a message service, such as SMS.
Fig 5 shows a schematic view of another embodiment, having a handset arranged to send usage information using a message service. Corresponding reference numerals are used to those in figure 1. The handset does not necessarily have a terminator fraud detector. The usage is monitored by the usage monitor 30. The usage info is sent onwards by element 500 over the network by a message service, such as SMS. These elements can be implemented in the form of software on a removable card such as a SM card. As with other embodiments, the software can be downloaded or updated remotely, again using the message service. The usage monitoring can include monitoring individual calls, or messages, or monitoring trends or patterns of usage over a period of time, or a combination. It can involve monitoring for unusual usage, and sending a message in the event of unusual usage, and/or sending a summary of all the usage. In particular, unusual activity can be deduced from a hybrid of behaviour over a period of time, and current events. It can involve monitoring both incoming and outgoing activity.
Fig 6 shows a schematic view of another embodiment, showing a removable card 600, such as a SM or Java card for a mobile handset. A memory map 690 shows memory areas in 5 segments at different memory addresses. At addresses 0 to 16k is free memory available for software applications, hi this case, usage monitoring and fraud detection applications 680 are located here. These include modules titled "Call Learn" ™ 630, "Call- Predict" ™ 640, "Call-Guard", ™ 650, and "Call Control" ™ 660.
Call learn is an example of a monitor for monitoring usage. It creates and maintains by updates, one or more behaviour signatures (also called profiles) representing an aggregate of various parameters of usage over a period of time. These can be implemented in various ways. An example is shown in US patent 5,966,650 entitled
"Detecting mobile telephone misuse" and hereby incorporated by reference. This shows the core of user profiling technology and describes the creation of a user signature from event stream data. The main adaptation required would be a reduction in the number of fields specified to accommodate the limited memory available. A long term signature is formed of an aggregation of 20 to 30 fields, each having a value representing a different parameter of the usage, selected according to the application of the signature and/or the class of subscriber. For example, the fields may have values representing a number or proportion of international calls, or emails, or premium rate calls, or local calls, over the period in question, e.g. several months. A short term signature can also be built up to represent current usage over a number of hours or days. The long term signature can be updated by using the current signature, and producing a type of weighted average of the field values, weighted according to the periods represented, or in the case of fields being time sequences of values, the oldest values can be dropped and new current values added at the other end of the sequence. To meet constrained memory resources of a SM card for example, the number of fields and/or the precision of the values, can be reduced.
Call Predict is used to detect anomalies by comparing the current signature with the typical or long term signature. The amount of change from the typical can be represented by a behaviour change index. The level of this index which triggers action, can be adjusted according to the class of subscriber, and on an individual basis, to prevent unwanted false detections. Again implementation can follow established principles as shown in US patent 6,038,555 entitled "Generic processing capability" and hereby incorporated by reference. This shows anomaly detection for event streams, and provides a method for measuring change for event streams. The method depends upon the construction of a behaviour profile and provides a proprietary method for the efficient comparison of current activity against some benchmark activity. Once again the main adaptation envisaged would be a simplification of the method to accommodate limited processing capacity.
Call Guard is used in parallel with Call predict as another way of detecting anomalies in usage and thus detecting fraud. In this case, actual call or message attributes are compared to rules, thresholds and hot lists. For example, there could be a threshold of the number of international calls made in a period of minutes or hours. There could be a threshold of the number of short calls made in a similar period, or the number and duration of calls made to premium rate numbers could be thresholded. Rules can be set for exceeding combinations of lower thresholds, or for calls at unusual times of day for example. Again more details are set out in the above referenced US patent. Comparison with hot lists involves comparing destination addresses for the usage, e.g. phone numbers, email addresses, web site addresses and so on, with addresses known to be related to fraudulent activity. The hot list can also include cell or network identities which are compared to the current cell or network of the handset, to detect if it is outside a prearranged limited area of bona fide usage.
Call control is arranged as a receiver for over-the-air activities (OTA) including processing of Terminator SM-Updates of hot lists. Call control also maintains and undertakes Network Operator requested adjustments to: Hot-List entries Rules & Thresholds values including call types CRM analysis of Signatures Loading new Live and Decayed Signatures
Another task is Alarm (detection) queue management, which includes determining what action to take. Options can include override of the consumer's handset control with a
(potentially branded) user interface indicating:
Terminator Logo/3rd Party Branding
Message to Consumer indicating fraud detected
Fraud Code
Another option is to dial automatically, or send an SMS message to a Network Operator
Help Desk, to enable the user to verify their identity, or face locking of the handset after a predetermined time. Another option is to alert the operator without alerting the user.
Another option is immediate locking of the handset. Once locked, the call control is arranged to enable unlocking through an entry code provided remotely or - through remote unlocking. -. Call control validates the unlock code received from the operator before unlocking the handset. Partial locking can be arranged, e.g. to limit use to a subset of types of communication, or a subset of addresses, or locations (e.g. cells) of usage.
Also shown in figure 6 are other areas of the memory map of the SM. Addresses 16k to 32k can be used as workspace for persistent storage of data 670 for the applications. For example, as shown, the rules and thresholds can be stored here, also hotlists, the current or live signature, the long term or decayed signature, and temporary storage of messages or programmes received OTA.
The software can be implemented in any appropriate language according to the application, such as the well known C, or Java languages. Particularly for handsets other than mobile phones, it may be stored in on board memory rather than on a removable card. The software can be executed by conventional hardware in the handset, such as standard general purpose microprocessors or digital signal processors, or processor modules on ASICs (application specific integrated circuits).
Fig 7 shows a schematic view of another embodiment, showing steps in activating monitoring. At step 710, the user (subscriber) requests Terminator subscription via the Network Operator. Optionally, the operator can activate without user initiative. At step 720, the Network Operator starts the activation process and sets or adjusts the subscriber class for that subscriber, either depending on user input, or by reference to other sources. At step 730, the Terminator Mobile Application is activated via a SM- Update SMS message. At step 740, the Call-Predict & Call-Guard modules are initialised with default values. At a later date, optionally as shown at step 750, Call- Predict & Call-Guard are remotely adjusted via Call-Control to reflect a revised subscriber class (e.g. Pay as you go, Business, international etc) via SM-Update.
Fig 8 shows a schematic view of another embodiment, showing steps in detecting fraudulent usage. At step 800, the subscriber initiates outgoing call or message, or receives an incoming call or message. At step 810, during the outgoing call, Call-Learn and Call-Predict are monitoring call details (duration, dialed number, destination). Similarly, for incoming calls, the same details can be recorded. At step 820, Call- Control will lock-down the handset and/or send a message to the operator if Call Predict generates an Alert. At step 830, Call-Control will lock-down the handset and/or send a message to the operator if Call Guard generates an Alert. At step 840, Call control will lock down the handset and/or send a message to the operator, if it detects usage in a non permitted location, e.g. another network, or particular cells of the home network.
Hybrid combinations of these types of monitoring are particularly useful for deducing unusual activity. For example if behaviour patterns are unusual, then lower event thresholds can be used, to trigger action. Similarly, the location information can be used in combination with behaviour and or events, to provide more accurate detection. At 850, the display 855 of the handset shows an indication that the handset has been locked, and offers the opportunity to call the operator with a code for the type of fraud detected, to request remote unlocking, as will now be explained in more detail.
Fig 9 shows a schematic view of another embodiment, showing steps in reactivating a locked handset. At step 900 Call-Guard has locked the phone, the consumer must contact the Network Operator to obtain unlock code. Only the Network Operator HelpDesk number can be dialed. At step 910, the Network Operator undertakes verification procedures and ascertains the fraud code nature from the subscriber's handset. At step 920, the handset remains locked and withdrawn from the network, or, at step 930, the Network Operator provides an unlock code to the subscriber and makes any necessary adjustments to consumer subscription class or to thresholds, to prevent more unwanted false detections. At step 940, Call-Predict & Call-Learn are remotely adjusted via Call-Control to reflect consumer subscription class via SM-Update.
Concluding remarks
As has been discussed above, installing fraud detection on the handset allows detection to take place at the earliest opportunity. A means of capturing user behaviour within the SM card of the mobile handset, by building a subscriber signature is provided. One option is to apply fraud detection techniques to this user data. Another is to determine the location of the usage, e.g. by determining cell identity in a cellular system, or network identity for roaming usage. If the usage is identified as potentially fraudulent, action can be taken. One option is to lock the handset and allow it to be unlocked only by the network operator. Use can thus be restricted to particular predetermined locations. Fraud can be deterred since much fraud involves use at locations far from the user's home cell. In 2.5G/3G networks, data network usage monitoring can take place by maintaining a list of 'hot' URLs or other indicator.
User behaviour can be captured by recording and maintaining call data for that user. This information can include dialled number and behavioural data such as call duration and call destination. The behavioural data will be maintained and aggregated into a subscriber usage profile. These two elements are then analysed by the fraud detection software for potential fraud. The dialled numbers can be checked against a list of 'hot' numbers, numbers known to the operators as suspicious. If there is a match the phone is immediately locked. The hot number list can be downloaded from a central Fraud Management System by means of a mobile control unit and can be updated whenever the hot number list changes.
The behavioural data, aggregated into a user profile, is compared to the user's typical profile. If there is a major discrepancy, showing a dramatic change in behaviour the phone can be locked. The method of comparison used may include standard statistical analysis techniques, proprietary techniques such as Dynamic Deviation, neural networks or other advanced techniques. The result of the comparison will provide an indication of the likelihood of fraud. The behavioural data is also compared against thresholds of activity for the category of user and any threshold exceeded will provide evidence of fraud.
Each user is initially provided with a default profile that constitutes the typical use for this type of user. The default profiles are based on information provided by the central fraud management system that processes all user activity. The aggregated behavioural profiles are decayed into the user profile to maintain an adaptive record of user behaviour as described in above mentioned US patent 5,966,650.
Embodiments include a software application capable of running on the SM card of a mobile phone and a fraud management system that can communicate with mobile handsets and download information such as hot list updates to handsets running the fraud detection application.
Benefits include fraud detected and prevented at source, potentially thousands of Fraud Management System's (FMS) deployed in the field for a specific network operator, each FMS uniquely tuned to one consumer. Also, the solution is portable between various mobile handsets due to industry support for SIM cards and a SIM Toolkit allowing the network operator to add the application to every new SM card as a standard component at the time of manufacture. The subscriber could enable the Terminator Agent, just as easily as enabling Conference Calling, Data Services and 2nd Line Services. The Network Operator could charge for Terminator Agent activation, either via monthly subscription to Retail consumers or as standard service offering to Business consumers. Branding incorporated in alerts to subscribers could increase market awareness for the selected Network Operator and for a fraud detection service operator or supplier.
Other variations
Callguard can be used to monitor other scenarios e.g children not being allowed to call certain numbers, by adding to the hot lists. User adjustable hot-lists could be used. Different levels of monitoring or revenue assurance could be provided. The fraud alert or the "out of authorised location" alert could be sent to other people or agencies, e.g. alerts of children's inappropriate usage could be sent to parents. Alerts on company handsets could be alerted to the company as well as the user. Credit card companies could be alerted to increase monitoring of the users credit card. Insurance excess discounts could be offered if activation of monitoring is accepted by the user. The remote locking function could be used by emergency services to prevent usage in the vicinity of an emergency, to prevent congestion and ensure availability to higher priority users such as emergency services.
Other variations and additions can be conceived by those skilled in the art and are intended to be encompassed within the scope of the claims.

Claims

Claims:
1. A mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
2. The handset of claim 1, arranged as part of a distributed processing network fraud management system.
3. The handset of claim 1, having a lock for preventing further fraudulent usage in the event of the detector determining fraudulent usage.
4. The handset of claim 1, arranged to send an indication to a network operator in the event of the detector detecting fraudulent usage.
5. The handset of claim 4, the indication being carried by a message service.
6. The handset of claim 1 , the monitor or the detector being adaptable by means of a message sent from a network operator using a message service.
7. The handset of claim 1, the monitor having an aggregator for aggregating current usage information into a current signature.
8. The handset of claim 7, the detector being arranged to detect anomalous usage by comparing the current signature with a typical signature representing usage over a long period.
9. The handset of claim 8, the monitor being arranged to adapt the typical behavioural signature with the current usage information.
10. The handset of claim 7, the detector being arranged to compare the current usage to thresholds of levels of activity.
11. The handset of claim 1, the detector being arranged to compare the current usage to predetermined activities categorised as fraudulent.
12. The handset of claim 1, the detector being arranged to be adjustable remotely by a network operator.
13. The handset of claim 1, the monitor and detector being in the form of software.
14. The handset of claim 1 , the monitor and the detector being implemented on a removable card.
15. A removable card for a handset for use as part of a radio communication network, the removable card having a monitor arranged to monitor usage of the handset and a detector arranged to determine if such usage is fraudulent.
16. A method of using a mobile handset suitable for use with a radio communications network, the handset having a fraud detector, the method having the step of: using the handset to communicate over the radio communications network, following activation of the fraud detector, such usage being monitored by the fraud detector.
17. A method of detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: monitoring usage of the handset, in the handset, and determining in the handset if such usage is fraudulent.
18. A method of offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving from a subscriber, a request for service activation, and sending a message to the handset to cause the detector to detect fraudulent use.
19. A method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: maintaining a record of which handsets have fraud detectors, and remotely updating the fraud detectors in one or more of these handsets.
20. A method of maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the method having the steps of: receiving an indication that a handset has been locked by the fraud detector, and remotely unlocking the handset if the use is not fraudulent.
21. A management system for offering a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface arranged to receive from a subscriber, a request for service activation, and a processor arranged to send an indication to the handset to cause the detector to detect fraudulent use.
22. A management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: a record of which handsets have fraud detectors, and a processor arranged to remotely update the fraud detectors in one or more of these handsets.
23. A management system for maintaining a fraud detection service for detecting fraudulent use of a handset used as part of a radio communication network, the handset having a fraud detector, the system having: an interface for receiving an indication that a handset has been locked by the fraud detector, and a processor arranged to send a command to remotely unlock the handset if the use is not fraudulent.
24. A mobile handset having a lock for preventing use, and a lock controller for activating the lock based on monitored usage.
25. The mobile of claim 24, the activation being dependent on the location of the handset.
26. The mobile of claim 25, being for use with a cellular network, being arranged to determine location by identifying which cell the mobile is in.
27. The mobile of claim 24, the lock controller being adjustable remotely by a network operator.
28. A mobile handset for use as part of a radio communication network, the handset having a monitor arranged to monitor and record usage of the handset.
29. The mobile handset of claim 28, being arranged to send information relating to the monitored usage to a network operator using a message service.
30. The mobile handset of claim 28 having an aggregator for aggregating and storing in the handset an aggregated profile of the usage.
31. A method of charging for handset usage, the charging being dependent on whether the handset has active fraud detection.
32. A method of charging for handset usage, the charging being dependent on whether the handset has active usage monitoring.
33. A method of maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the method having the steps of: maintaining a record of which handsets have usage monitors, and receiving usage information from these handsets.
34. A management system for maintaining a usage monitoring system for monitoring use of a handset used as part of a radio communication network, the handset having a usage monitor, the system having: a record of which handsets have usage monitors, and a processor arranged to receive usage information from these handsets.
35. The removable card of claim 15, having an aggregator for aggregating current usage information into a signature.
36. A removable card for a handset for use as part of a radio communication network, the removable card having software arranged to monitor usage of the handset and for storing in the handset a signature summarising the usage.
37. The removable card of claim 35 or 36, having software arranged to detect anomalous usage by comparing a short term usage with the signature representing usage over a longer period.
38. The removable card of any of claims 35 to 37, having software arranged to update the signature with current usage information.
39. The removable card of any of claims 35 to 38 having software arranged to use the signature for revenue assurance purposes.
40. The removable card of any of claims 35 to 39 having software arranged to use the stored signature to send usage information from the handset to an operator of the network to enable services to the user to be tailored according to the usage information.
41. The removable card of any of claims 35 to 40 arranged to receive software updates when installed in the handset, sent by an operator of the network over the network.
42. Software for storing on a removable card for implementing any of claims 15 or 35 to 41.
43. The mobile handset of any of claims 28 to 30, having the removable card of any of claims 15 or 35 to 41.
PCT/GB2003/001814 2002-05-03 2003-04-28 Local usage monitoring and fraud detection for mobile communication networks WO2003094562A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2003222991A AU2003222991A1 (en) 2002-05-03 2003-04-28 Local usage monitoring and fraud detection for mobile communication networks
CNA038135779A CN1930901A (en) 2002-05-03 2003-04-28 Local utilization monitoring and fraud detecting for mobile communication network
GB0424241A GB2404823B (en) 2002-05-03 2003-04-28 Local usage monitoring and fraud detection for mobile communication networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0210241.6 2002-05-03
GBGB0210241.6A GB0210241D0 (en) 2002-05-03 2002-05-03 Local usage monitoring and fraud detection for radio communication networks

Publications (1)

Publication Number Publication Date
WO2003094562A1 true WO2003094562A1 (en) 2003-11-13

Family

ID=9936077

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2003/001814 WO2003094562A1 (en) 2002-05-03 2003-04-28 Local usage monitoring and fraud detection for mobile communication networks

Country Status (4)

Country Link
CN (1) CN1930901A (en)
AU (1) AU2003222991A1 (en)
GB (2) GB0210241D0 (en)
WO (1) WO2003094562A1 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2868177A1 (en) * 2004-08-26 2005-09-30 France Telecom Mobile terminal's e.g. smart phone, use supervising, measuring and analyzing device, has program with automaton directing messages towards filtering procedure for filtering events in messages and sending activity trial to server
EP1679925A1 (en) * 2005-01-07 2006-07-12 LG Electronics Inc. Authentication of a mobile station
CN100428820C (en) * 2006-03-28 2008-10-22 江苏移动通信有限责任公司 User recognition module and method capable of realizing mobile terminal area locking
WO2008154687A1 (en) * 2007-06-19 2008-12-24 Freshtel R & D Pty Ltd Method and system for foreign network usage data collection
WO2010088428A1 (en) * 2009-01-29 2010-08-05 Qualcomm Incorporated Certified device-based accounting
US7774842B2 (en) 2003-05-15 2010-08-10 Verizon Business Global Llc Method and system for prioritizing cases for fraud detection
US7783019B2 (en) 2003-05-15 2010-08-24 Verizon Business Global Llc Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US7817791B2 (en) 2003-05-15 2010-10-19 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7971237B2 (en) * 2003-05-15 2011-06-28 Verizon Business Global Llc Method and system for providing fraud detection for remote access services
EP2472927A1 (en) * 2009-08-28 2012-07-04 ZTE Corporation Method and system for controlling an intelligent card remotely
US8255393B1 (en) * 2009-08-07 2012-08-28 Google Inc. User location reputation system
EP2645760A1 (en) * 2012-03-28 2013-10-02 Alcatel Lucent Collecting of Data Usage using a trusted application
US8718603B2 (en) 2009-08-28 2014-05-06 Zte Corporation Method and system for remote control of a smart card
US8744403B2 (en) 2009-08-28 2014-06-03 Zte Corporation Method and system for remote control of a smart card
CN105451234A (en) * 2015-11-09 2016-03-30 北京市天元网络技术股份有限公司 Signaling interactive data-based suspicious number analyzing method and device
WO2016114793A1 (en) * 2015-01-16 2016-07-21 Citrix Systems, Inc. Automatic intelligent local device fraud detection
US9779403B2 (en) 2007-12-07 2017-10-03 Jpmorgan Chase Bank, N.A. Mobile fraud prevention system and method
US9936339B1 (en) 2009-08-07 2018-04-03 Google Llc System and method of using spatial and temporal signals to identify and prevent attacks
US9996682B2 (en) 2015-04-24 2018-06-12 Microsoft Technology Licensing, Llc Detecting and preventing illicit use of device
US11210417B2 (en) 2016-09-26 2021-12-28 Advanced New Technologies Co., Ltd. Identity recognition method and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5673150B2 (en) * 2011-01-31 2015-02-18 ソニー株式会社 Information processing method, information processing apparatus, and communication system
CN102833811A (en) * 2011-06-15 2012-12-19 中兴通讯股份有限公司 Subscriber identity module and method for implementing call barring by same
CN104869264A (en) * 2014-02-20 2015-08-26 联想(北京)有限公司 Method of monitoring swindle telephone and joining telephone conference and device of monitoring swindle telephone and joining telephone conference

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5345595A (en) * 1992-11-12 1994-09-06 Coral Systems, Inc. Apparatus and method for detecting fraudulent telecommunication activity
WO1998019489A2 (en) * 1996-10-25 1998-05-07 Telefonaktiebolaget Lm Ericsson (Publ) System and method of detecting and preventing fraudulent telephone calls in a radio telecommunications network
US6014557A (en) * 1996-03-14 2000-01-11 Bellsouth Intellectual Property Corporation Apparatus and methods for providing wireless system fraud and visibility data
WO2000030398A1 (en) * 1998-11-18 2000-05-25 Lightbridge, Inc. Event manager for use in fraud detection
US6226530B1 (en) * 1997-08-20 2001-05-01 Schlumberger Systemes Method of detecting fraud concerning electronic memory cards used in telephony
WO2001045444A1 (en) * 1999-12-13 2001-06-21 Nokia Corporation Detecting a fraudulent mobile station in a mobile communication system using location information of mobile station
US6295446B1 (en) * 1998-10-19 2001-09-25 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus to detect fraudulent calls in a radio network
EP1209935A1 (en) * 2000-11-24 2002-05-29 Telefonaktiebolaget L M Ericsson (Publ) Fraud detection method for mobile telecommunication networks

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5345595A (en) * 1992-11-12 1994-09-06 Coral Systems, Inc. Apparatus and method for detecting fraudulent telecommunication activity
US6014557A (en) * 1996-03-14 2000-01-11 Bellsouth Intellectual Property Corporation Apparatus and methods for providing wireless system fraud and visibility data
WO1998019489A2 (en) * 1996-10-25 1998-05-07 Telefonaktiebolaget Lm Ericsson (Publ) System and method of detecting and preventing fraudulent telephone calls in a radio telecommunications network
US6226530B1 (en) * 1997-08-20 2001-05-01 Schlumberger Systemes Method of detecting fraud concerning electronic memory cards used in telephony
US6295446B1 (en) * 1998-10-19 2001-09-25 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus to detect fraudulent calls in a radio network
WO2000030398A1 (en) * 1998-11-18 2000-05-25 Lightbridge, Inc. Event manager for use in fraud detection
US6535728B1 (en) * 1998-11-18 2003-03-18 Lightbridge, Inc. Event manager for use in fraud detection
WO2001045444A1 (en) * 1999-12-13 2001-06-21 Nokia Corporation Detecting a fraudulent mobile station in a mobile communication system using location information of mobile station
EP1209935A1 (en) * 2000-11-24 2002-05-29 Telefonaktiebolaget L M Ericsson (Publ) Fraud detection method for mobile telecommunication networks

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8340259B2 (en) 2003-05-15 2012-12-25 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7774842B2 (en) 2003-05-15 2010-08-10 Verizon Business Global Llc Method and system for prioritizing cases for fraud detection
US7783019B2 (en) 2003-05-15 2010-08-24 Verizon Business Global Llc Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US7817791B2 (en) 2003-05-15 2010-10-19 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7971237B2 (en) * 2003-05-15 2011-06-28 Verizon Business Global Llc Method and system for providing fraud detection for remote access services
US8015414B2 (en) 2003-05-15 2011-09-06 Verizon Business Global Llc Method and apparatus for providing fraud detection using connection frequency thresholds
US8638916B2 (en) 2003-05-15 2014-01-28 Verizon Business Global Llc Method and apparatus for providing fraud detection using connection frequency and cumulative duration thresholds
FR2868177A1 (en) * 2004-08-26 2005-09-30 France Telecom Mobile terminal's e.g. smart phone, use supervising, measuring and analyzing device, has program with automaton directing messages towards filtering procedure for filtering events in messages and sending activity trial to server
EP1679925A1 (en) * 2005-01-07 2006-07-12 LG Electronics Inc. Authentication of a mobile station
US7711352B2 (en) 2005-01-07 2010-05-04 Lg Electronics Inc. Authentication of mobile station
CN100428820C (en) * 2006-03-28 2008-10-22 江苏移动通信有限责任公司 User recognition module and method capable of realizing mobile terminal area locking
WO2008154687A1 (en) * 2007-06-19 2008-12-24 Freshtel R & D Pty Ltd Method and system for foreign network usage data collection
US9779403B2 (en) 2007-12-07 2017-10-03 Jpmorgan Chase Bank, N.A. Mobile fraud prevention system and method
US10510080B2 (en) 2007-12-07 2019-12-17 Jpmorgan Chase Bank, N.A. Mobile fraud prevention system and method
WO2010088428A1 (en) * 2009-01-29 2010-08-05 Qualcomm Incorporated Certified device-based accounting
US8977232B2 (en) 2009-01-29 2015-03-10 Qualcomm Incorporated Certified device-based accounting
US11818622B1 (en) 2009-08-07 2023-11-14 Google Llc System and method of using spatial and temporal signals to identify and prevent attacks
US10834521B1 (en) 2009-08-07 2020-11-10 Google Llc System and method of using spatial and temporal signals to identify and prevent attacks
US10349202B1 (en) 2009-08-07 2019-07-09 Google Llc System and method of using spatial and temporal signals to identify and prevent attacks
US9936339B1 (en) 2009-08-07 2018-04-03 Google Llc System and method of using spatial and temporal signals to identify and prevent attacks
US8255393B1 (en) * 2009-08-07 2012-08-28 Google Inc. User location reputation system
US9239929B1 (en) 2009-08-07 2016-01-19 Google Inc. Location data quarantine system
US8718602B2 (en) 2009-08-28 2014-05-06 Zte Corporation Method and system for remote control of smart card
EP2472927A4 (en) * 2009-08-28 2014-07-09 Zte Corp Method and system for controlling an intelligent card remotely
US8744403B2 (en) 2009-08-28 2014-06-03 Zte Corporation Method and system for remote control of a smart card
US8718603B2 (en) 2009-08-28 2014-05-06 Zte Corporation Method and system for remote control of a smart card
EP2472927A1 (en) * 2009-08-28 2012-07-04 ZTE Corporation Method and system for controlling an intelligent card remotely
EP2645760A1 (en) * 2012-03-28 2013-10-02 Alcatel Lucent Collecting of Data Usage using a trusted application
WO2016114793A1 (en) * 2015-01-16 2016-07-21 Citrix Systems, Inc. Automatic intelligent local device fraud detection
US9959399B2 (en) 2015-01-16 2018-05-01 Citrix Systems, Inc. Automatic intelligent local device fraud detection
US9996682B2 (en) 2015-04-24 2018-06-12 Microsoft Technology Licensing, Llc Detecting and preventing illicit use of device
CN105451234B (en) * 2015-11-09 2019-03-19 北京市天元网络技术股份有限公司 A kind of suspicious number analysis method and device based on Signalling exchange data
CN105451234A (en) * 2015-11-09 2016-03-30 北京市天元网络技术股份有限公司 Signaling interactive data-based suspicious number analyzing method and device
US11210417B2 (en) 2016-09-26 2021-12-28 Advanced New Technologies Co., Ltd. Identity recognition method and device

Also Published As

Publication number Publication date
AU2003222991A1 (en) 2003-11-17
GB2404823A (en) 2005-02-09
CN1930901A (en) 2007-03-14
GB0210241D0 (en) 2002-06-12
GB2404823B (en) 2006-08-16
GB0424241D0 (en) 2004-12-01

Similar Documents

Publication Publication Date Title
WO2003094562A1 (en) Local usage monitoring and fraud detection for mobile communication networks
US6098878A (en) Tariff management apparatus and method for communications terminals using smart cards
US9326173B2 (en) Methods and apparatus for machine-to-machine based communication service classes
US20060206941A1 (en) Communications system with distributed risk management
US9100310B2 (en) Methods, systems, and computer program products for monitoring service usage
CA2416775C (en) Multiple virtual wallets in wireless devices
AU2001282955A1 (en) Multiple virtual wallets in wireless devices
WO2004012387A1 (en) A system and method for the detection and termination of fraudulent services
WO2007117632A2 (en) Sim-centric mobile commerce system for deployment in a legacy network infrastructure
US7974602B2 (en) Fraud detection techniques for wireless network operators
US8452258B2 (en) Method and system to implement telephone billing to incentivize shared mobile phone usage
CN101605323A (en) Detection unusual by in the business of the portable terminal in cordless communication network emission
US20040063424A1 (en) System and method for preventing real-time and near real-time fraud in voice and data communications
EP1701500B1 (en) Communications system with distributed risk management
AU2841399A (en) Mobile telephone system with prepaid card
Cortesão et al. Fraud management systems in telecommunications: a practical approach
Macia-Fernandez et al. Fraud in roaming scenarios: An overview
US7130615B2 (en) Software authentication for mobile communication devices
US20180131814A1 (en) Method and system for revenue maximization in a communication network
Smith cTin Centre for Telecommunications Information Networking
Sector EDITOR’S NOTES: 1-This draft is the result of editing decisions made during the JQG6 interim meeting held in Dallas, US during June26
Smith GSM Digital Cellular Telephone System A Case Study of Encryption Algorithms
Abu-Hakima et al. A distributed intelligent agent approach for fraud detection in PCS
WO2014053161A1 (en) Method of authorizing a financial transaction

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

ENP Entry into the national phase

Ref document number: 0424241

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20030428

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 20038135779

Country of ref document: CN

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP