Gabriele Lieser



Cyber security and fraud prevention are hard. But how are fraud and security analysts supposed to vigilantly gain and maintain control of their threat landscape if daily duties still include a lot of manual work? Would it help if there were maybe an all-inclusive platform providing technical security practitioners with easy-to-use information to simplify and validate the correct configuration of every roaming relevant network element? Concerning cyber security and fraud prevention, the GSMA already provides a variety of useful tools and information with its Fraud and Security Group (FASG), documents on best practice countermeasures (cf. Insights #8), the MISP (Malware Information Sharing Platform) and the T-ISAC (Telecommunication Information Sharing and Analysis Centre) initiative.

In our latest RoamsysNext Insights #8, we shared information on how the GSMA provides useful tools and information with the Fraud and Security Group (FASG) and documents on best practice countermeasures.
In this week’s blog, our CTO and colleague, Hendrik Hoehndorf, speaks about further GSMA initiatives advancing the industry with regard to cyber security and fraud prevention. 

RoamsysNext Insights

In RoamsysNext Insights our experts share their views on extensive industry topics and possible solutions we can offer.

Hendrik, as a telecom professional with extensive experience in creating innovative and award-winning software and services for mobile operators, you know the industry from scratch. As a key contributor to various GSMA groups, can you tell us how the GSMA’s initiatives help the industry advance?

Especially with roaming fraud, the GSMA has found ways to improve the situation remarkably. They introduced the NRTRDE (Near Real Time Roaming Data Exchange) format to replace the HUR (High Usage Report). Until 2008, HUR was the standard method used for the frequent exchange of roaming usage data and the detection of fraud. When the NRTRDE (Near Real Time Roaming Data Exchange) format was developed and standardized, the time for the home network to analyze call data was shortened considerably. With the compulsory implementation of NRTRDE for all members, partner operators have a four-hour window to exchange files (contrary to the 36-hour window by the HUR standard) and to stop unauthorized network usage. With the help of this requirement, revenue loss due to roaming fraud could be reduced to a large extent.
In my role as a chairman, I lead the GSMA FSS (File Specification Subgroup) that was tasked to define the new standard. While NRTRDE certainly proved to be very beneficial, it still bugs me that it gives fraudsters a several-hour’s window to act undetected, an unsatisfactory situation for fraud managers. HUR and NRTRDE both were devised at a time where the HPMN did not always have visibility of what his roamers were up to, because this visibility needed to be provided by the VPMN and that in turn took a bit of time (time in which fraud could take place undetected). Luckily, in 2020, many networks have access to roaming CDRs generated in their own home network and hence can act much quicker also in fraud situations. There is still a lot of work to do, but fortunately, a lot of innovation is going on. You should closely follow the GSMA activities around T-ISAC (Telecommunication Information Sharing and Analysis Centre) where you will soon find lots of remedies to your fraud and security issues.

The recommendation documents from the Fraud and Security Group (FASG) and the documents on best practice countermeasures are living documents that evolve with the latest attacks and threat landscape. How else is the GSMA helping with fraud detection and prevention?

Yes, these measures are very important pieces of the puzzle, and they are incredibly helpful. However, they are updated perhaps once or twice a year. In defending networks and subscribers from the latest attacks, operators must use current intelligence to feed into their processes and systems. This is where MISPs (Malware Information Sharing Platform) come in. It was conceived in 2011 as a remedy to the inefficient manual sharing of intelligence (Indicators of Compromise, IoCs) by email or PDF documents. The early versions of MISP improved information sharing via practical open source tools, open format and practices. These days there are many MISPs available, kind of specializing in terms of users: banks have different threats to deal with than mobile operators. Luckily, there is a dedicated GSMA MISP that’s geared towards the mobile industry. It was jointly implemented by the GSMA and the prestigious Luxembourgish CIRCL (Computer Incident Response Center Luxembourg,

Use the GSMA MISP actively

Today, the official GSMA MISP gathers, shares, stores and correlates IoCs of targeted attacks, threat intelligence, premium number fraud information, vulnerability information, high risk ranges, IP addresses used in connection with bot net attacks, etc. An automatic correlation finds relationships between attributes and indicators from malware, attacks campaigns or analysis. In MISP, sharing is key to the detection of attacks. Fraudsters often apply their “business model” in the same or different campaign on similar organizations. Finding the needle in a haystack is easier if information is shared by trusted partners and trust-groups: collaborative analysis saves time and double work. I can only encourage every mobile network operator to actively use the GSMA MISP! It is a service provided free to the GSMA membership!

the game of logic

There have been various international bodies helping to investigate the problem (the GSMA’s Fraud and Security Group amongst others). Operators are installing systems and processes to fight fraud, and yet, it seems as if MNOs are doomed to chasing the trend and focusing the attention on limiting losses once they’re hit by fraud. How can we change that?

If anyone was able to predict fraud incidents, he or she would be a multi-billionaire. However, there are platforms that come close to detecting a high percentage of malicious traffic before it can cause any harm. The GSMA T-ISAC will eventually become the central hub of information sharing for the telecom industry, including the GSMA MISP, and it allows members the opportunity to share intelligence, a requirement of the NIS Directive for European members. Through this system, GSMA members are safeguarded by one of the Articles of Association, which is a Non-Disclosure Agreement (NDA), protecting them from data leakage occurring between members. The MISP infrastructure automates the feed. Talking and sharing in networking workshops and virtual member meetings, focusing on cyber-attacks by generating threat intelligence and delivering threat alerting, training and learning with industry experts and peers are being expanded as well.

Hendrik, thank you very much for the insightful interview which has once again clarified the importance of the GSMA’s FASG, MISP and T-ISAC initiatives. Take care!

Gabriele Lieser joined RoamsysNext in 2020 as Customer Success Manager to strengthen the bonds with our increasing number of customers and to support the marketing team. Gabriele has a strong background in corporate sales. She studied at the Universities of Trier (Germany) and Manitoba (Canada) and is incorporated in the RoamsysNext Client Service team.

“The team is a crucial asset”

It has been an exciting year for RoamsysNext. And as 2023 is coming to an end, we took the opportunity to talk with CEO Michael Grasmück about the past year, the growing team that becomes more and more international, and the comeback of an industry institution.

Reporting at a glance: The RoamsysNext Dashboards

The RoamsysNext tools offer many reporting functionalities of which the dasboards play an important role. Learn more about using them in practice to identify bottlenecks, visualize your team's performance and bring a smile to your management's faces.

Load More Posts