The disclosure of this invention will focus on its application in the AMPS cellular telephone system. This is done for the sake of clarity and brevity, since describing this invention as it applies to each of the other voice and data network system protocols would be needlessly tedious. It will become clear to a person reasonably skilled in this art that the methods described in this disclosure can be applied similarly to any wireline or wireless voice or data network system. While the cellular network uses digits dialed by telephones for determining which points in the network will be connected, it is easy to replace dialed digits with other data or voice network connection addressing schemes, thereby allowing application of this invention to those types of networks. In any network where unauthorized access to the network requires the unauthorized user to present a connection point address, description or dialed digits, this invention will take advantage of that aspect of the network connection protocol.
An important aspect of the activities of network users is that most will only attempt to connect (or be connected to from) a limited quantity of destinations in a relatively repetitive pattern. This means that, for an average network user, a specific list of unique destination connection points can be established which account for the majority of the network time used during connections established by that user. Fortunately, this also applies to unauthorized users of network systems.
Currently there is extensive fraudulent access to the cellular network using a stolen mobile phone number (MIN) combined with its mated electronic serial number (ESN). These stolen MIN/ESN pairs (IDs) are programmed into the phones of unauthorized system users. Once a stolen ID has been programmed into an unauthorized cellular telephone, the cellular switch cannot distinguish this phone from the original, since a look-up of its ID for validation purposes will of course be successful.
IDs are obtained by unauthorized users through various methods such as decoding the data from signals received when a valid mobile unit attempts to connect a call, or by stealing them through illegal access to the cellular carrier's data base or by having a cellular employee steal the IDs. These stolen IDs are used by unauthorized users locally, as well as being traded for others throughout the country.
In current art, to prevent unauthorized system access, cellular telephone carriers use various well known pre-call and post-call validation mechanisms for call attempts made on their systems. Current validation schemes include technologies such as remote pre-call lookup of the phone's ID in the home switch (for roaming units), post-call "profiling" of customer usage, pre-call radio frequency (RF) "fingerprint" comparison of call attempts to stored RF fingerprints of valid mobile phones, pre-call authentication key exchange, pre-call voice verification, and pre-call entry of personal identification numbers. While each of these technologies provides a level of protection for the wireless network, significant quantities of unauthorized users continue to successfully complete calls through the network. This is due in large part to the limited deployment and specific effectiveness of the various technologies currently available. Since most of these technologies are time consuming, expensive and complex to implement, many cellular markets currently operate without the fraud protection these technologies provide.
Pre-call validation mechanisms have historically been the most effective approach for preventing fraudulent calls before they are connected. This has the distinct advantage of both preventing the losses which the call would have incurred and preventing the appearance of the call on the valid customer's bill. Pre-call blocking decisions are currently made based on the validity of the MIN/ESN pair, the RF fingerprint of the phone, the knowledge or suspicion that the ID has been stolen, the location of the mobile, the validity of a personal identification number, the voice of the phone user, the validity of an authentication key exchange, or the dialed digits of the call. On a call-by-call basis, one or more of these parameters are checked to verify whether the cellular phone or user is a valid one. If the phone or user is considered unauthorized based on any of these parameters, the call is prevented from completing.
As can be seen with the current ID "cloning" in the cellular markets, the MIN/ESN check has very little value in the pre-call prevention of fraudulent access to the network. Cloned phones will always validate in a MIN/ESN check since the valid unit's ID has been programmed into the unauthorized phone.
RF fingerprinting has been able to stop call attempts made by phones identified as invalid, but the identification can be in error and the protection is limited to geographic areas covered by RF fingerprinting receivers. With the very high cost of the RF fingerprinting equipment, carriers have chosen to leave large segments of their markets without RF fingerprinting protection.
Preventing calls based on the suspicion or knowledge that an ID has been stolen is simply a matter of removing the valid MIN/ESN pair from the validation data base. This, of course, means that the valid subscriber's phone will not work either. A new phone number must be assigned to the valid unit, or the old phone number may be used if the valid subscriber is provided with another mobile phone (with a different ESN).
Once it is recognized (or suspected) that a valid ID has been compromised, the cellular carrier typically reprograms the legitimate subscriber's phone with a new phone number (MIN), also updating the subscriber's switch records to reflect this change, thereby invalidating the old (compromised) MIN/ESN pair. Further attempts to use the old ID combination are automatically blocked in the cellular switch, protecting the legitimate subscriber. This method of protection (known as "teleconversion") is both inconvenient for the subscriber and expensive for the cellular carrier.
Even if future calls using the same stolen identities are thereby prevented, the unauthorized users simply switch to other stolen identities in a matter of seconds and continue completing unauthorized calls. This is made easy for the unauthorized users due to the availability of massive quantities of stolen valid IDs. In fact, some unauthorized users have equipment built into their phones which allows them to gather groups of valid IDs off the air, automatically programming their phones with lists of those IDs to choose from by simple telephone keypad selections. This type of phone eliminates the need for separate ID gathering equipment. It is therefore both inefficient and ineffective in the long term to apply the inconvenient and manually intensive approach of teleconversion in an attempt to prevent fraud.
Using the location of a mobile unit to establish whether a call may be completed from that unit is only effective when combined with other types of information. For instance, it would not be reasonable to assume that a first mobile unit is an unauthorized unit simply because it is operating in a cell site which has a particularly high incidence of fraud. However, if it is additionally known that a second mobile unit with the same ID is currently registered in a distant cell site and the distant cell site is known to be frequented by the valid mobile, then the location of the first mobile unit can be used as a determining factor in deciding whether or not to allow completion of call attempts from the first mobile unit.
Forcing the valid mobile user to enter a personal identification number (PIN) prior to connecting a call is another form of pre-call blocking. This mechanism, which is quite inconvenient to the valid subscriber, is subject to easy compromise of the PINs. Unauthorized users who monitor the control channel of the cellular system can follow the mobile unit to the assigned voice channel and use an inexpensive dual-tone-multi-frequency (DTMF) decoder to discover the PIN transmitted by the valid subscriber. In fact, some cellular systems allow the transmission of a PIN on the control channel (in the form of dialed digits) for temporarily activating or deactivating the phone. In this format, the PIN will be collected at the same time as the MIN and ESN as the unauthorized user receives them on the control channel.
Forcing the valid mobile user to speak a key phrase prior to connecting a call is a form of pre-call blocking which is both inconvenient to the valid subscriber and subject to analysis error and compromise over time. Unauthorized users who monitor the control channel of the cellular system can easily follow the mobile unit to the assigned voice channel and use an inexpensive voice recording device to record the key voice authentication phrases as they are spoken by the valid subscriber. Once recorded, these phrases can be played back in response to queries from the voice authentication system. Further, this technology is expensive and requires very large data storage capacity for keeping digitized samples of voice key phrases of each valid subscriber. Finally, this technology makes it very inconvenient for valid users to allow use of their phone by friends, business associates or family.
Using an authentication key (A-key) exchange has proven to be a highly effective method for preventing unauthorized calls through wireless systems. This pre-call method allows the subscriber to remain uninvolved with the authentication process. This is due to the fact that the A-key information is pre-programmed into the wireless phone and the authentication exchange is automatically accomplished when the subscriber attempts to connect a call. Unfortunately, the A-key function is only available in units manufactured after a particular date. There are (at the time of this application) approximately 25 to 30 million cellular subscribers operating phones which do not have this authentication capability. This leaves the wireless carrier with the burden of providing an alternate method of fraud prevention for these unprotected units. Additionally, as of the date of this writing, the encryption algorithm used to protect the data used in A-key exchanges has been compromised. It has also been shown that, using certain techniques, the A-key itself can be compromised. A Shared Secret Data (SSD) protection which is being used to enhance the A-key protection is currently the only portion of this protection scheme which has not yet been compromised.
Some pre-call profiling systems exist for providing identification of fraudulent usage of the network. There are several drawbacks to this use of subscriber profiling. First, each valid user's call activities must be individually profiled. Every event generated by a user must be compared against that user's entire profile, requiring massive storage of data and very high powered, and therefore expensive, computers. Second, since violation of thresholds is essentially the final factor in determining whether fraudulent usage is occurring, it is easy for the unauthorized users to carefully fit their activities within the typical thresholds, switching from ID to ID to accomplish this for any given ID. This "flying under the radar" technique has been used quite successfully by cloners in the cellular telephone systems. Another disadvantage of the profiling approach is that it can misidentify calls as fraudulent when such calls are made by valid users experiencing unusual circumstances (unusual circumstances can create the need for out-of-profile calls).
The final category on which pre-call blocking is determined is that of the dialed digits used in a call origination. Call barring based on dialed digits has long been used by the wireless and wireline carriers for preventing calls to certain destinations. The dialed digits are currently used in several ways to block call completion in a wireless telephone system.
The earliest use of call barring based on dialed digits is that of preventing completion of calls in which the dialed digits point to a non-existent destination. This is typically accomplished in the switching translation tables.
Barring calls to long distance destinations for given phones is now commonly offered as a feature to the individual subscribers of wireline and wireless carriers. Additional restrictions based on the dialed digits are also offered, such as preventing calls to certain NPA-NXX groups. In fact, it is currently the practice of the wireless carriers to restrict all calls to international destinations unless specifically requested not to do so by the valid subscriber.
Prevention of call completion based on the dialed digits of a call attempt (either the digits dialed by the call originator or the phone number of the call originator) has significant unrealized potential for protection against unauthorized access to the wireless network. If the wireless carrier has knowledge of the digits commonly dialed by unauthorized users (or the phone number of the location used to dial unauthorized users), the carrier can use this information to prevent completion of call connections to or from these unauthorized users based on the dialed digits of their call attempts or the phone numbers of the originators of calls made to the unauthorized users. The carrier currently has available a number of mechanisms for acquiring a list of the dialed digits of calls made by unauthorized system users, as well as the phone numbers of originators of calls made to the unauthorized users. Note that calls received by unauthorized users are also of interest in that the phone number of the call origination point is often available to the carrier in the form of the well known "caller ID" feature and the standard automatic number identifier (ANI) used when connecting calls between switches.
Some of these acquisition mechanisms are inefficient and allow erroneous data to pollute the list. For example, some carriers, once fraud has been discovered on an account, simply attempt to interview the valid subscriber, asking which calls on the bill are valid and which are fraudulent. This method is disruptive to the valid subscriber, as well as slow, expensive, prone to error, and unfortunately vulnerable to subscriber dishonesty or inaccuracy. It is also highly unlikely that the valid user will know which received calls were made by unauthorized users. For all of the inconvenience and manual effort involved with this approach, it finally results in the acquisition of a relatively small number of dialed digits of unauthorized users (typically averaging 10 or 20 unique dialed digits per subscriber interview).
While some profiling systems have the ability to profile a certain amount of unauthorized user activity, the same limitations and drawbacks exist as with profiling valid user activities (misidentification errors, out-of-profile events, etc.). In addition, none of the profiling systems currently automatically create a list of dialed digits which are guaranteed to have been dialed exclusively by unauthorized users. Neither do the profiling systems currently automatically create a list of phone numbers which have dialed unauthorized users and are guaranteed not to have been dialed by valid users.
On the other hand, very efficient and fully automated mechanisms exist for collecting a massive list of digits dialed by unauthorized system users as well as the phone numbers of those dialing the unauthorized users. For instance, a process which uses a device to feed specifically prepared "tagged" IDs to the unauthorized users by transmitting them over the air is accomplished by the invention described in U.S. Pat. No. 5,655,019 ("Identity protection method for use with wireless telephone systems"--Christian Christmas; Randolph W. McKeman), included herein by reference. Once unauthorized users "steal" these IDs, the carrier can monitor the use of the tagged IDs by automatically compiling the connection detail records (CDRs) generated by the switching systems. These CDRs contain not only the ID of the unauthorized phone, but also the dialed digits of the call attempt or the phone number of the call originator if the call is being received by the unauthorized user. By manipulating these CDRs generated by tagged IDs, the carrier can create a very large comprehensive list of the digits dialed by the unauthorized users who use the tagged IDs, as well as a similar list of phone numbers which have dialed the tagged IDs. Since no valid subscribers use the tagged IDs, all dialed digits in the list are guaranteed to have been dialed by unauthorized users. Similarly, all phone numbers which have dialed the tagged IDs are guaranteed to have dialed an unauthorized user. This process has been shown to rapidly provide the carrier with a dialed digits list containing tens of thousands of unique entries (as well as a phone number list of similar proportion), all without involving the time of valid subscribers or carrier personnel.
Given that there are processes available for acquiring a large list of digits dialed by unauthorized users and phone numbers of those who have dialed unauthorized users, the carrier has the opportunity to make decisions about whether to block call completion based on the dialed digits used in a specific call attempt or the phone number of the originator of a call attempt. Unfortunately, some percentage of the digits dialed by unauthorized users are also dialed by valid users. In addition, a person dialing an unauthorized user may be using a phone owned by a business which receives valid calls from valid subscribers of the carrier's network. Assuming that the carrier does not wish to block any calls made to or from destinations dialed by valid subscribers, this renders the raw (unfiltered) list of digits dialed by unauthorized users (and phone numbers of those who have called them) of little use.
While external mechanisms currently exist which can make a determination to block or tear down calls using an interface to the switching system of a telephone network, these mechanisms are expensive and use up limited port bandwidth of the switching system. It would be faster and more cost effective to maintain a single master disallowed dialed digits list directly accessible by the switch (or group of switches) which allows the switch itself to determine (during the call setup process) whether to allow completion of a given call attempt based on the dialed digits used during the attempt. Routing translation tables in switches or groups of switches can accomplish a similar function, but are very complex to maintain. Modifying routing translation tables to keep them current with a list of disallowed destinations would be a tedious and unnecessarily complex process.
From this explanation it can be seen that a method and article are needed for automating the process of creating, in an efficient manner, a list of disallowed dialed digits which, if included in a call attempt as either the dialed digits or originating phone number, can be used as a determining factor for preventing completion of the call, eliminating from this list any dialed digits which will be dialed by valid subscribers, making this list available to a mechanism for blocking call completion through a network (based on digits dialed during the call setup process or the phone number of the originator of a call made to a network user). Additionally what is needed is a method and article which automatically creates a list of phone numbers which have dialed unauthorized network users, which, if used to originate a call to a network user, can be used as a determining factor for preventing completion of the call, eliminating from this list any phone numbers which dial valid subscribers or are dialed by valid subscribers, making this list available to a mechanism for blocking call completion through a network (based on digits dialed during the call setup process or the phone number of the originator of a call made to a network user). A method and article which meets these needs can be found in the invention described herein.
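The list-building and filtering need stated above can be illustrated with a short sketch. This is an added example, not code from the patent: the CDR record layout, the ID labels (TAG-A, SUB-1) and the 555 phone numbers are constructed assumptions, and number normalization is simplified to North American 10-digit form.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CDR:
    mobile_id: str    # MIN/ESN pair of the mobile unit (hypothetical label)
    direction: str    # "orig": the mobile dialed out; "term": the mobile was called
    other_party: str  # dialed digits (orig) or originator's number/ANI (term)

def normalize(number):
    """Reduce a number to bare digits, dropping a leading NANP '1'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def build_block_lists(cdrs, tagged_ids):
    """Return (disallowed_dialed, disallowed_callers) from switch CDRs."""
    raw_dialed, raw_callers = set(), set()      # seen only via tagged IDs
    valid_dialed, valid_callers = set(), set()  # seen via valid subscribers
    for cdr in cdrs:
        number = normalize(cdr.other_party)
        if not number:
            continue
        tagged = cdr.mobile_id in tagged_ids
        if cdr.direction == "orig":
            (raw_dialed if tagged else valid_dialed).add(number)
        elif cdr.direction == "term":
            (raw_callers if tagged else valid_callers).add(number)
    # Dialed-digits list: drop anything a valid subscriber also dials.
    disallowed_dialed = raw_dialed - valid_dialed
    # Caller list: drop numbers that dial, or are dialed by, valid subscribers.
    disallowed_callers = raw_callers - (valid_callers | valid_dialed)
    return disallowed_dialed, disallowed_callers

def should_block(direction, other_party, disallowed_dialed, disallowed_callers):
    """Call-setup decision: check the list that matches the call direction."""
    number = normalize(other_party)
    if direction == "orig":
        return number in disallowed_dialed
    return number in disallowed_callers

# Constructed sample data: two tagged IDs and two valid subscribers.
TAGGED = {"TAG-A", "TAG-B"}
SAMPLE_CDRS = [
    CDR("TAG-A", "orig", "1-202-555-0143"),
    CDR("TAG-B", "orig", "2025550143"),      # same destination, other format
    CDR("TAG-A", "orig", "202-555-0177"),    # also dialed by a valid user
    CDR("TAG-B", "term", "202-555-0190"),    # caller seen only with tagged IDs
    CDR("TAG-A", "term", "202-555-0121"),    # business valid users also dial
    CDR("TAG-B", "term", "202-555-0166"),    # caller who also calls valid users
    CDR("SUB-1", "orig", "202-555-0177"),
    CDR("SUB-1", "orig", "202-555-0121"),
    CDR("SUB-2", "term", "202-555-0166"),
]
```

Only numbers seen exclusively in tagged-ID CDRs survive the filter, so a destination shared with even one valid subscriber is never placed on either list.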