Fraud Prevention: Learning to Stop Worrying and Love the Cable Modem

By Incognito on June 2, 2015

Let’s be practical — people who steal service do not care how much data they consume, as they do not need to pay for it. Nor do they care if they are caught, as they will just clone another paying customer. Theft of service is even more problematic if you use policy enforcement to ensure fair access for all your subscribers on the network, or if you are monetizing overage, because fraud skews usage counters, which then need to be adjusted once the fraud has been identified and isolated.

So, how can you eliminate theft to assure revenue and restore high service quality to your paying customers?

Service theft is usually performed by cloning a paying customer’s cable modem. DOCSIS has many built-in mechanisms to prevent fraud, such as using Baseline Privacy Interface Specification (BPI+) or advanced encryption to reduce cloning, and some providers have also tried using techniques like single-use configuration files and anti-roaming to reduce service theft. While these measures make the job much more difficult for hackers, service theft remains far from impossible. Data theft is just as strong today as it was 10 years ago. In recent tests at major MSOs in North America and Latin America, we learned that up to 5 percent of network activity was fraudulent. In one case, we detected nearly 2000 fraudulent devices in a single city in 20 minutes.

One of the biggest challenges in solving this problem is obtaining a holistic view of provisioned devices across the entire network. There is also a direct compounding correlation between the subscriber count and the frequency, severity, and impact of service fraud. That’s why you need a fraud protection solution that integrates with your provisioning servers to ensure that you have a complete picture of all your active leases. Your solution should continuously mine, evaluate, and ingest data into a huge, high-availability central database.

Your solution will then be able to quickly glean lease data to locate fraudulent activity and cloned devices on your network using historical information, firmware revisions, provisioned parameters, usage patterns, and other distinctive attributes. Once a potentially fraudulent case is identified, your system should automatically add it to a list of possible fraudulent devices by leveraging lease information and provisioned parameters. In some cases, node splits will result in a brief period of overlap between old and new leases on different gateways, which can appear as a cloned device. For this reason, your system should include logic that can isolate node splits during fraud detection to discover only the legitimate cases of cloned or hacked firmware.
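One way to express the node-split exclusion described above, as an added example rather than Incognito's own detection logic: it flags a MAC address holding overlapping leases on different gateways, unless the overlap is brief and a cohort of modems made the same gateway move. The lease tuple layout, gateway names, grace window and cohort size are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

GRACE = timedelta(minutes=30)  # assumption: longest overlap a node split causes
MIN_COHORT = 3                 # assumption: modems that must move together

def classify_overlaps(leases, grace=GRACE, min_cohort=MIN_COHORT):
    """leases: (mac, gateway, start, end) tuples. Returns {mac: verdict}."""
    by_mac = defaultdict(list)
    for mac, gw, start, end in leases:
        by_mac[mac].append((start, end, gw))
    overlaps = []  # (mac, old_gw, new_gw, overlap duration)
    for mac, rows in by_mac.items():
        # Sorted by start, so the second lease of each pair starts later.
        for (s1, e1, g1), (s2, e2, g2) in combinations(sorted(rows), 2):
            dur = min(e1, e2) - s2
            if g1 != g2 and dur > timedelta(0):
                overlaps.append((mac, g1, g2, dur))
    # Modems that made the same brief old -> new gateway move form a cohort.
    cohort = defaultdict(set)
    for mac, old, new, dur in overlaps:
        if dur <= grace:
            cohort[(old, new)].add(mac)
    verdicts = {}
    for mac, old, new, dur in overlaps:
        split = dur <= grace and len(cohort[(old, new)]) >= min_cohort
        # A single unexplained overlap keeps the MAC under suspicion.
        if split and verdicts.get(mac) != "suspected_clone":
            verdicts[mac] = "node_split"
        else:
            verdicts[mac] = "suspected_clone"
    return verdicts

def _t(hhmm):  # helper for the constructed sample below
    return datetime(2015, 6, 2, int(hhmm[:2]), int(hhmm[3:]))

# Constructed lease records (documentation MAC range), not real data.
SAMPLE = [
    ("00:00:5e:00:53:01", "cmts-a", _t("08:00"), _t("12:10")),
    ("00:00:5e:00:53:01", "cmts-b", _t("12:00"), _t("20:00")),
    ("00:00:5e:00:53:02", "cmts-a", _t("08:05"), _t("12:15")),
    ("00:00:5e:00:53:02", "cmts-b", _t("12:02"), _t("20:00")),
    ("00:00:5e:00:53:03", "cmts-a", _t("08:10"), _t("12:05")),
    ("00:00:5e:00:53:03", "cmts-b", _t("12:01"), _t("20:00")),
    ("00:00:5e:00:53:04", "cmts-a", _t("08:00"), _t("20:00")),  # long overlap
    ("00:00:5e:00:53:04", "cmts-c", _t("09:00"), _t("21:00")),
    ("00:00:5e:00:53:05", "cmts-a", _t("08:00"), _t("12:00")),  # single lease
]
```

A MAC with a single lease gets no verdict, and raising `min_cohort` makes the check stricter, sending more devices to review instead of excusing them as a node split.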

Ok, so you’ve found some suspicious devices. Time to call the doctor.

At this stage, there are several options available. The first is to identify the device as cloned and put it in a walled garden, or simply deny it service. Alternatively, you could let the device continue operating in a “suspected fraudulent” service class while you continue the investigation. It’s important to acknowledge that even with smart network logic, certain network events may cause some legitimate devices to behave like cloned devices. However, it’s relatively simple to place these devices in a stage where they are left in operation and reinvestigated in the near future to see if the fraud classification was due to a network event or if it really is fraudulent activity. By building in customized business rules, you can automate many of these decisions to quickly generate reports on confirmed and unconfirmed fraudulent devices and activities.

By protecting your network with these security measures, you’ll learn to stop worrying about the fraudulent doomsday machine ruining your ARPU, and instead, learn to love the cable modem.