I thought Telcos could benefit from my interview with a SIMboxer, or, more precisely, a former SIMboxer. I’ve been aware of SIMboxing since 2002, and was involved in legal proceedings with one major SIMbox enterprise from 2003 to 2013, when their final appeal was thrown out by the European Court of Justice. I’ve been learning about SIMboxing all that time, so why would I want to talk to a former SIMboxer? Well, first, nobody knows everything. Second, much of the Telco ‘knowledge’ is second-hand or inferred – are you sure what you ‘know’ is accurate? One option is to verify your data at source, so I talked with ‘Dan’, the SIMbox man.
I’ve considered the possibility that this article may be criticised by operators who think it will educate SIMboxers – well guys, they already understand SIMboxing; it’s the telcos that need to learn more.
Dan grew up in a remote part of Eastern Europe. He was lucky that his father worked in a University, so from age 5 or 6, Dan had access to computers. Like many others in the early days, he became a geek (maybe now he would have become a gamer) and developed an addiction to computers, often missing school because he was coding or hacking.
He studied Mathematics for 2 years then changed subject and eventually dropped out of Higher Education. Like everyone else, Dan needed to earn money and his came from running a telemarketing service, delivering a billion pre-recorded marketing calls. This was his first exposure to VoIP. After 2 years he started working with international calls and developed a capability to terminate international calls using local analogue fixed lines.
Entering the Telecoms market
When Dan moved to another country he looked at telecoms as a means of earning money, especially when he found a demand for cheap international termination. In 2009/10, he delivered bypass traffic via Huawei USB sticks which supported one channel for about USD20; he had 100 SIMs working non-stop for 1-2 years before the carrier started to introduce fraud controls. Rather than being the end of the road, this was a challenge that just made Dan’s business more interesting. He recognised at about this time that playing the game effectively needed real SIMboxes for volume so he started running SIMboxes with 1,000 SIMs.
Down to Business
I asked Dan how he chose his routes and he said it was simply driven by rates. Because of all the traffic we’ve seen going to Cuba, it was interesting that Dan mentioned Cuba as an exception. Cuba is a no-go because it’s controlled by the army – the only way you can work there is to have your equipment in embassies.
Africa was initially successful but the business model was affected by compulsory pre-paid registration – it’s still possible to get around it, but you really need a local contact and/or a company insider. Basically, for Dan it was not worth the effort – too much time was wasted when there were better opportunities. His business model led him to work on termination where the rate was 12 cents or more and this provided him a net profit of USD 1-4,000 per day.
Dan says he spent 6-12 months preparing a new route. To avoid detection, there is a need to make SIMbox SIMs look like a human user, so you need to research normal usage in that market. For example, in some markets, it is normal for 60% of usage to be WhatsApp or Viber, and successful SIMboxers understand that excessive minutes on regular voice routes can be a detection trigger. If you can’t simulate ‘normal’ it can be a big financial hit when your 1,000 x USD20 SIMs are blocked after 5 minutes. It may need an investment of USD 15-20k to optimise a SIMbox operation. In some countries, it is difficult to import SIMbox equipment and this, together with other local factors, could be a barrier to entering that market.
Operationally, systems need 24-hour monitoring, so you need teams of people. One of the problems for SIMbox operators is that their ‘employees’ steal the process, buy their own equipment and set up their own operations. Dan’s solution to this aspect of the business was to automate and he wrote thousands of scripts to support the process and minimise manual interventions – it meant more work for him, but he retained control of the critical processes.
This is the main objective, after all. But, today, you can’t put tens of thousands of dollars into a personal bank account without people asking questions, so you need a company account. And since the telco transit companies are set up offshore, your company and bank account might as well be offshore too; you also get the added benefits of zero reporting and zero taxation.
In the wholesale telecoms market, operators know what sort of route they are buying when they get a 20-70% discount. The Telco carrier teams play the game and blend grey routes with legitimate terminations. In some cases, there is a conflict within the Telco because the carrier team is buying the type of routes that the fraud prevention guys are trying to detect and block. Dan also mentioned situations where one operator within a Telco Group was using SIMbox routes to terminate traffic into another company within the same group!
This is often a national or regional issue. In some markets, there are unlimited supplies available from distributors, but buying in bulk carries the inherent risk that the fraud team will block them in bulk. In markets where there is a legal requirement to register SIMs there are adequate supplies available from re-seller kiosks who either do not care about registration or accept false documents and IDs. The other options are to buy from illegal sources which supply pre-registered SIMs or go direct to the Telco and pay a bribe for pre-registered SIMs; Dan has seen 1,000 SIMs purchased in a single transaction.
Why Give Up SIMboxing?
Dan reduced his employee risk by handling the core functions, but this meant living what he described as:
11 years, working 24 hours per day on a computer
Nobody in Dan’s organisation got caught, but he began to worry about personal risk to people working for him; those hosting SIMbox equipment in their homes and those buying SIMs and equipment. So, he wound the business down and stopped. Now he’s changed sides and he’s trying to sell his insider knowledge and expertise back to the Telcos. Dan knows that SIMboxing has been a major fraud topic for at least 10 years but when he tries to talk to the Telcos they tell him they’re using commercial solutions so they’re already protected. How is SIMbox fraud still possible if Telcos are protected and, if they are protected, why has SIMboxing remained a top 3 fraud issue for the last 10 years? Something doesn’t add up.
What’s Going Wrong?
Dan has seen vendor reports which have been provided to operators and says it is obvious that SIMbox solutions are not being used properly and he blames the Telcos. He may be right, but someone most familiar with a business with only one employee may not appreciate the challenges of change management in a Telco.
He also thinks that Telcos under-invest in detection and resent paying USD 3,000 per month, for example, for test call generation (TCG). Telcos say TCG is not efficient enough but Dan disagrees. I’m sure the vendors will love hearing a voice from the other side saying that detection is related to call volume and that too few test calls reduce detection rates. Dan says part of being a successful SIMbox operator is to evolve every day – the Telcos need an equivalent response and they’re just not good enough. The reluctance to invest extends to VoIP bypass, where a Telco with a 25¢ interconnect route cannot decide whether to spend $200k on a proven Viber solution.
For me there was a striking contrast between USD3,000 per month for TCG and USD1-4,000 profit per day for the SIMboxer.
Moving the goalposts
Dan cited the arrival of new equipment from a Chinese supplier, GOIP, as a game-changer. It’s cheap, easy to use, non-technical and they also offer outsourced management services including protection against the GSM operator’s anti-fraud systems! Previously, commercial SIMboxes cost USD 30-100k, now they’re available for USD 1,000 – perfect for aspiring entrepreneurs and hobbyist criminals.
However, for me, the most interesting reason Dan gave for failures on SIMboxing was Telco corruption. We had already covered the issues of the carrier team knowingly buying bypass routes, distributors supplying SIMs in bulk and logistics corruptly selling pre-registered SIMs, so what else was there? Dan quoted the example of a Head of Fraud, in a country well-known for SIMbox termination, who denied they have SIMboxing. He declined the offer of a free 10-minute demo to prove it and said he was not interested; Dan said he was corrupt. I agreed he may be incompetent and have a closed mind, but that doesn’t make him corrupt. (Note to vendors: what you think is an irresistible free offer may be seen as an admin headache and waste of time by a fraud manager who has already tried something similar without significant benefits).
Dan backed up his opinion with examples. In one, a carrier VP was running his own SIMbox operation with the help of a corrupt Head of Fraud Prevention. I asked if these were examples where he had personal knowledge of Telco corruption? Dan then quoted three cases where he paid fraud prevention guys to leave his SIMs running. Maybe you should ask yourself, how much your fraud prevention team is being offered? And would they tell you if you asked them?
Dan’s examples confirm what some of us already know, that Telco corruption supports SIMbox operations. It becomes more worrying if you list all the stages in the process where it is occurring:
- False pre-registered SIMs
- Bulk supply of SIMs
- Carrier teams buying discounted bypass termination
- Carrier staff running their own bypass termination
- Fraud prevention staff on the SIMboxer’s payroll
However, there’s one scenario Dan didn’t mention. That’s where the corruption occurs in the SIMbox detection vendor. Maybe the vendor boosted SIMbox traffic before a proof of concept to inflate the apparent size of the problem and ensure instant results once the service is commissioned. The corruption may extend to collaborating with senior staff in the Telecoms Ministry who are running bypass businesses. Or people in the vendor organisation may be running their own bypass business and paying a commission to senior staff in the Telecoms Ministry.
I ran a simple anonymous survey to ask Telcos how much they thought SIMboxers would pay in bribes to Telco staff. Thanks to everyone who responded – it’s not a controlled study but I thought it provided a useful test of opinion.
How much, per month, do you think a SIMboxer would be willing to offer as a bribe to each member of your fraud prevention team:
The 20 responses are summarised below:
The mean value of the responses received was USD 1,575 and, as you can see, only one respondent thought that USD 250 per month would buy their fraud staff.
So, what’s the correct answer?
Well, as usual, it’s not that simple, but if you want a simple answer then Dan, the retired fraudster, was paying fraud team members USD 1,000 per month. However, if that was your guess, don’t congratulate yourself just yet. Dan also said he was prepared to pay up to 40% of his profit to ensure he kept his SIMs operating unmolested.
Dan’s business model led him to work on termination where the rate was 12 cents or more and this provided him a net profit of USD 1-4,000 per day. That would mean he was prepared to pay the fraud team between USD 12,000 and USD 48,000 per month. I’m guessing that’s more than you’re paying them, so that’s probably a worry?
I don’t know if Dan’s business methods and profit model are representative, but let’s assume that he generated USD 1,000 per day and that higher termination rates generate proportionately higher profits. It should be possible to use your own termination rate to make an approximate calculation of the money SIMboxers have available for bribing your staff. Then you need to decide whether your current processes and controls are appropriate to meet that risk.
Or you could ignore it.
So, What Now?
I hope every Telco CEO asks his/her fraud managers to show them a copy of their SIMbox risk assessment and asks them two simple questions:
- Have you considered these risks?
- What controls address them?
This article first appeared on commsrisk.com in July 2017