AU2016204016B2 - A method and system for authenticating a messaging route with a mobile subscriber of a mobile device - Google Patents

Info

Publication number: AU2016204016B2
Authority: AU (Australia)
Prior art keywords: network, signalling, subscriber, home network, mobile
Legal status: Active
Application number: AU2016204016A
Other versions: AU2016204016A1 (en)
Inventor: Tjaart Van Der Walt
Current Assignee: Truteq International Pty Ltd
Original Assignee: Truteq Int Pty Ltd
Events: application filed by Truteq Int Pty Ltd; publication of AU2016204016A1; application granted; publication of AU2016204016B2; legal status active

Abstract

A method (300, 400) of authenticating a messaging route in a mobile telecommunications network (110) comprising at least a home network (120) and at least one other network (140) which is not the home network, the method (300, 400) including sending, by a signalling module (206), a first signalling request to the current or last-known home network (120) to determine whether or not the mobile subscriber (108) exists there, and sending, by the signalling module (206), a second signalling request to the other network (140) to determine whether or not the mobile subscriber (108) exists on the other network (140). The method (300, 400) includes determining, by a control module (208), that the messaging route with the mobile subscriber (108) is authentic in response to both the first signalling request succeeding and the second signalling request failing, and determining that the messaging route with the mobile subscriber (108) is not authentic in response to either one of the first signalling request failing or the second signalling request succeeding.

Description

A method and system for authenticating a messaging route with a mobile subscriber of a mobile device
FIELD OF THE INVENTION
[0001] This invention relates to financial transactions in which mobile devices are used to authenticate at least part of the transaction. This invention relates more specifically to a method and system for authenticating a messaging route to a mobile device involved in a financial transaction, thereby to assist in detecting or preventing fraudulent transactions.
BACKGROUND OF THE INVENTION
[0002] The Applicant is aware of an existing method in which financial institutions (e.g., banks) use multi-factor authentication in order to validate transactions. An example of this is the use of electronic tokens, also called one-time PINs (OTPs). When a user (e.g., a banking customer) performs a credit card transaction or online transaction, the financial institution will send the user an OTP via a wireless device. Only when the user submits the correct OTP as part of the transaction is the transaction approved.
[0003] Alternatively, a party may want to validate a subscriber before communicating in some other way, such as with a voice call to the subscriber, or validate the subscriber when receiving a voice call from the subscriber.
[0004] FIG. 1 shows a PRIOR ART example of how this existing method of multi-factor authentication is intended to work. The financial institution initiates sending, via a mobile telecommunications network, of an OTP via SMS (Short Message Service) to the mobile device (also called a mobile terminal, mobile station, portable device, or user equipment) of the user. It is correctly delivered to the user's mobile device.
[0005] The user then submits the OTP to authenticate the transaction. The financial institution receives and verifies the OTP. If the received OTP matches the OTP sent by the financial institution, then the financial institution authenticates the transaction and proceeds with it.
[0006] There are a number of ways in which a fraudster or criminal may intercept the OTP on a mule network using mobile network porting:
Create porting rules on the Home Network Elements to redirect the OTP containing message, and then destroy these rules once the message is delivered to the mule mobile device (mobile station) to hide the fact that porting rules were created;
Use falsified information and follow the normal porting processes to create a fraudulent porting route in the central porting database; or
Tamper directly with the central porting database.
[0007] It is noted by the Applicant that when a fraudster attempts to re-route messaging via another network to another device, these are known respectively as "mule" networks and "mule" devices.
[0008] A fraudster may also perform a "SIM swap" where a mule SIM is associated with the IMSI of the subscriber. A fraudster may also impersonate the subscriber by pretending to be the subscriber roaming on a mule network.
[0009] FIG. 2 illustrates the PRIOR ART results of using any of these fraudulent methods to obtain fraudulent access to the OTP. As the porting rules/routes have been falsified, the OTP-containing message is redirected to the mobile device of the fraudster using the mule handset. The fraudster can then use the fraudulently obtained OTP to transact on behalf of the real user.
[0010] It will naturally be appreciated that porting rules and porting databases exist for a number of useful and legitimate functions which they can perform, for example, migrating a telephone number from one mobile network provider to another. For example, mobile number portability (https://en.wikipedia.org/wiki/Mobile_number_portability, accessed 12 June 2015) is intended to permit a subscriber on one network to move with his telephone number to a different network. Thus, it is not the porting process per se which is problematic, but rather the fraudulent use of this process.
[0011] The Applicant wishes to overcome or at least ameliorate at least one of the above-mentioned disadvantages or exploits used by fraudsters. It would be advantageous if there was a method and system to detect, inhibit, or prevent fraudulent use of the porting rules or porting routes which may be used for intercepting OTP-containing messages.
SUMMARY OF THE INVENTION
[0012] In a first aspect, there is provided a method of authenticating a messaging route with a mobile subscriber of a mobile device in a mobile telecommunications network comprising at least a home network and at least one other network which is not the home network, the method including:
retrieving, by a querying module:
an indication of a current home network of the mobile subscriber, if the current home network is identifiable; or
an indication of a last-known home network of the mobile subscriber, if the current home network is not identifiable;
sending, by a signalling module, a first signalling request to the current or last known home network to determine whether or not the mobile subscriber exists on the current or last-known home network;
sending, by the signalling module, a second signalling request to the other network which is not the current or last-known home network to determine whether or not the mobile subscriber exists on the other network; and determining, by a control module, that the messaging route with the mobile subscriber is authentic in response to both the first signalling request succeeding and the second signalling request failing, and determining that the messaging route with the mobile subscriber is not authentic in response to either one of the first signalling request failing or the second signalling request succeeding.
[0013] The method may include the additional steps of:
gathering, by the control module, a minimum age of any one or more network parameters associated with the subscriber; and
calculating, by the control module, a risk factor based on the gathered age of the parameters, with a lower age indicating a higher risk.
[0014] The calculated risk factor may be communicated to or used by a financial institution or interested party in determining the probability that the message path has been compromised. Examples of network parameters which may be gathered include the age of the IMSI and MSISDN association, how long the subscriber has been registered on the network on which it is currently registered, how long the subscriber has been in a particular country or region, etc. A high risk factor (e.g., a SIM swap was performed in the last 24 hours) may suggest that a message route is not authentic. The home network may be used to gather the network parameters.
[0015] The method may be performed before, during, or after communicating with the mobile device using the messaging route. The method may be performed with a mobile-terminating (MT) communication or with a mobile-originating (MO) communication. The method may be performed on an automatic and periodic basis, which may enable a financial institution or interested party to be alerted about the calculated risk factor proactively.
[0016] In response to determining that the messaging route is not authentic, the OTP-containing message may be withheld. Instead, or in addition, an alert message may be sent to the financial institution and/or the subscriber, alerting them that the messaging route may be compromised.
[0017] The OTP-containing message may also be delivered and the risk information returned to the transmitting party. The transmitting party may at that point decide to terminate the transaction or to let it continue.
[0018] The querying module may be configured to query a central database (if available) to retrieve an indication of the current home network. The central database may form part of the infrastructure of the mobile telecommunications network. The method may include sending, by the querying module, a query message to the central porting database.
[0019] The signalling module may be configured to send the first and/or second signalling requests in the form of one or more of the following:
- MAP (Mobile Application Part) SRI (Send Routing Information) signalling message;
- MAP ATI (Any Time Interrogation) signalling message;
- any other MAP, TCAP (Transaction Capabilities Application Part), or ISUP (ISDN (Integrated Services Digital Network) User Part) signalling message that will return information about the subscriber that may be used to determine a risk of the message not being delivered to the correct subscriber; or
- a Diameter signalling protocol.
[0020] The method may include sending multiple second signalling requests to multiple other networks which are not the home network. A "mule" network is an example of the other network.
[0021] The method may be implemented by an existing component of the telecommunications network, e.g., a specially configured SMS gateway, or may be implemented by a customised component, e.g., an authentication gateway having the only function of authenticating the messaging route.
[0022] The mobile subscriber may be represented by, or embodied by, a Subscriber Identity Module (SIM), e.g., a SIM card. The method may include the prior step of authenticating one or more of:
the MSISDN;
the IMSI;
the network registered on;
the location; or
the country
of the subscriber.
[0023] The invention extends to a non-transitory computer-readable medium having stored thereon a computer program which, when executed by a computer, directs the computer to perform the method of the first aspect.
[0024] In a second aspect, the present invention extends further to a system operable to authenticate a messaging route with a mobile subscriber of a mobile device in a mobile telecommunications network comprising at least a home network and at least one other network which is not the home network, the system including:
a querying module configured to:
retrieve an indication of a current home network of the mobile subscriber, if the current home network is identifiable; or
retrieve an indication of a last-known home network of the mobile subscriber, if the current home network is not identifiable;
a signalling module configured to: send a first signalling request to the current or last-known home network to determine whether or not the mobile subscriber exists on the current or last-known home network; and send a second signalling request to the other network which is not the current or last-known home network to determine whether or not the mobile subscriber exists on the other network; and a control module configured to: determine that the messaging route with the mobile subscriber is authentic in response to both the first signalling request succeeding and the second signalling request failing; and determine that the messaging route with the mobile subscriber is not authentic in response to either one of the first signalling request failing or the second signalling request succeeding.
[0025] The control module may be configured to:
gather a minimum age of any one or more network parameters associated with the subscriber; and
calculate a risk factor based on the gathered age of the parameters, with a lower age indicating a higher risk.
[0026] The system may include a computer processor and a computer-readable medium having stored thereon a computer program operable to direct the operation of the processor. The modules (the querying module, the signalling module, and the control module) may be conceptual modules corresponding to functional tasks performed by the processor. It is to be understood that the processor may be one or more microprocessors, controllers, digital signal processors (DSPs) or any other suitable computing device, resource, hardware, software, or embedded logic.
[0027] The system of the second aspect may be configured to perform the method of the first aspect.
[0028] Other aspects, features, and advantages will become apparent from the following detailed description when taken in conjunction with the accompanying drawings, which are a part of this disclosure and which illustrate, by way of example, principles of the inventions disclosed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0029] The accompanying diagrammatic drawings facilitate an understanding of the various embodiments.
[0030] In the drawings:
FIG. 1 shows a schematic diagram of a PRIOR ART network topology in which the messaging route is authentic;
FIG. 2 shows a schematic diagram of a PRIOR ART network topology in which the messaging route has been compromised and is therefore not authentic;
FIG. 3 shows a schematic diagram of a network topology incorporating a system operable to authenticate a messaging route, in accordance with the invention;
FIG. 4 shows a schematic diagram of the system of FIG. 3;
FIG. 5 shows a network sequence diagram of a method of authenticating a messaging route, in accordance with the invention;
FIG. 6 shows a flow diagram of the method of FIG. 4; and
FIG. 7 shows a schematic diagram of a computer within which a set of instructions, for causing the computer to perform any one or more of the methodologies described herein, may be executed.
DETAILED DESCRIPTION OF AN EXAMPLE EMBODIMENT
[0031] The following description of the invention is provided as an enabling teaching of the invention. Those skilled in the relevant art will recognise that many changes can be made to the embodiment described, while still attaining the beneficial results of the present invention. It will also be apparent that some of the desired benefits of the present invention can be attained by selecting some of the features of the present invention without utilising other features. Accordingly, those skilled in the art will recognise that modifications and adaptations to the present invention are possible and can even be desirable in certain circumstances, and are a part of the present invention. Thus, the following description is provided as illustrative of the principles of the present invention and not a limitation thereof.
[0032] FIG. 3 illustrates a network topology 100 which includes a system 200 (which is illustrated in more detail in FIG. 4) operable to authenticate a messaging route, in accordance with the invention. A financial institution in the form of a bank 102 has implemented two-factor authentication and issues an OTP to a banking customer to authenticate a financial transaction. This OTP is generated in accordance with established techniques and this OTP process need not be discussed further.
[0033] The bank 102 communicates the OTP in the form of an OTP-containing message, e.g., an SMS message or another type of message, like a USSD (Unstructured Supplementary Service Data) message, an IP (Internet Protocol) message, an HTML (Hypertext Mark-up Language) message, an XML (Extensible Mark-up language) message, an MMS (Multimedia Messaging Service) message, or directly to a phone-based and/or SIM-based application.
[0034] The OTP-containing message is communicated via a mobile telecommunications network 110 to a user 108 (who is usually a customer of the bank 102). The user 108 has a mobile device 104, in the form of a mobile phone, which contains a SIM card 106 to identify the subscriber (that is, the user 108) to the telecommunications network 110.
[0035] The telecommunications network 110 comprises at least two service provider networks 120, 140 interoperating with each other. A first service provider has issued the SIM card 106 to the user 108, and thus the network 120 of this first service provider is considered the home network 120 from the perspective of the user 108 (or, more technically accurately, from the perspective of the SIM 106). The SIM 106 and mobile phone 104 may be capable of communicating on the other network 140, but this is not considered the home network (and may be considered a roaming network in certain circumstances).
[0036] Each network 120, 140 comprises a plurality of network components, including one or more of a messaging gateway 122 (which will be an SMSC (SMS Centre) in the case of an SMS message), an HLR/AuC (Home Location Register/Authentication Centre) 124, 144, an MSC/VLR (Mobile Switching Centre/Visitor Location Register) 126, 146, an STP (Signal Transfer Point) 128, 148, and a BSS (Base Station Subsystem) 130, 150. The BSSs 130, 150 are connected to various base stations 132 to which mobile devices are connectable.
[0037] A porting database 134 has been established to permit mobile number portability. Usually, the porting database 134 does not form part of one specific network 120, 140 but is accessible by all networks 120, 140. Unfortunately, the porting functionality can be used by fraudsters to re-route messages. It is this exploit which the present invention endeavours to address.
[0038] Importantly, the topology 100 includes a system 200 in accordance with the invention. FIG. 4 illustrates components of the system 200. The system 200 has a computer processor 202 communicatively coupled to a computer-readable medium 210, like a hard drive or other non-transitory medium. The computer-readable medium 210 has stored thereon a computer program 212 which directs the operation of the processor 202 and of the system 200 as a whole.
[0039] The processor 202, under the direction of the computer program 212, comprises a querying module 204, a signalling module 206, and a control module 208. Briefly, the querying module 204 is operable to determine a current or last-known home network of the SIM 106. The signalling module 206 is operable to send signalling messages to determine whether or not the SIM 106 is present on the networks 120, 140, while the control module 208 is operable to interpret, based on the outcome of the signalling messages, whether or not a messaging route is authentic or has been compromised.
[0040] The invention will further be described, in use, with reference to FIGs 5-6. FIG. 5 shows a network sequence diagram of a method 300 of authenticating a messaging route, in accordance with the invention. FIG. 6 shows a flow diagram of a method 400 of authenticating a messaging route, in accordance with the invention. The methods 300, 400 may not correspond exactly, but they are both methods in accordance with the invention.
[0041] The methods 300, 400 include retrieving, by the querying module 204, an indication of the current home network 120 of the mobile subscriber 108 and SIM 106 (if the current home network 120 is identifiable). This may be done by querying the HLR/AuC 124 using an MSISDN (or telephone number) associated with the SIM 106. If the current home network is not identifiable, then the querying module 204 resorts to using the last-known home network (also network 120 in this example).
[0042] Once the home network has been established, the querying module 204 may, as an added precaution, query the porting database 134 to determine whether or not the MSISDN has been ported at database level. If it has, this may be due to a fraudulent telephone number porting request.
[0043] The MSISDN may be checked by the signalling module 206 using one or more signalling commands such as MAP, TCAP, ISUP, Diameter or similar, sent to the network 120. Practical examples of these commands are:
Any Time Interrogation;
Send Routing Information;
Location Update;
Insert Subscriber Data;
Forward Short message or Network Initiated USSD or Unstructured Supplementary Service Notify;
Billing requests; or
Authentication requests.
Accordingly, the control module 208 verifies that the MSISDN is registered on the correct network, i.e., the home network 120.
[0044] The signalling module 206 performs one or more signalling tests which verify whether or not the subscriber 108 or SIM 106 is indeed in its home network 120, as would be expected and to ensure that it is not the other network 140. It should be understood that the other network(s) 140 are quite legitimate networks belonging to other mobile service providers. However, when a fraudster has interfered with the message routing process, the other network 140 may then function as a mule network.
[0045] The signalling module 206 sends a first signalling request (comprising one or more signalling messages) to the current or last-known home network 120 to determine whether or not the mobile subscriber 108 exists on this home network 120. If it does not, the number may have been ported and the route compromised. More specifically, if an IMSI (International Mobile Subscriber Identity) is not returned, then the subscriber has been ported and the messaging route is compromised. This determination (and any other system 200 intelligence) is provided by the control module 208. The OTP-containing message is withheld and an alert message is delivered instead.
[0046] If the IMSI is returned, but does not match an internally stored expected IMSI, then it is likely that a SIM swap has been performed. Similarly, if the IMSI does not match the MSISDN, then a SIM swap or tampering is likely. The OTP-containing message is withheld and an alert message is delivered instead.
[0047] Similarly, if network-specific information is not correct, then there is a likelihood of spoofing. The control module 208 determines whether or not the network addressing is correct and confirms that the VLR is also on the correct network 120. If it is not correct, the OTP-containing message is withheld and an alert message is delivered instead.
[0048] In some cases a subscriber may legitimately change a SIM, port to another network or roam on another network. In these cases, the party wishing to authenticate the subscriber may prefer to use the ages of the information extracted in preference to the information itself. For example, if a subscriber ported a month ago, the likelihood of it being a legitimate porting event is very high, as the subscriber would have noticed his phone not working during that time.
[0049] Importantly, the other network 140 must also be signalled. The signalling module 206 sends a second signalling request to the other network 140. This is because, even if all of the other signalling tests have been passed, if the other network 140 returns the IMSI of the SIM 106 or subscriber 108, then it is likely that the messaging route has been compromised by means of fraudulent porting. The OTP-containing message is withheld and an alert message is delivered instead.
[0050] If:
the MSISDN is verified in the central porting database 134;
it is in the home network 120;
it has a correct and matching IMSI;
the network information is correct; and
there are no matching IMSIs on the other network 140,
then the control module 208 determines that there are no other active routes that may suggest porting. The OTP-containing message may be sent to the subscriber 108.
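The control-module decision of [0042]-[0050] and the age-based risk factor of [0013]-[0014], as an added Python example that is not the applicant's code: the signalling results are constructed objects standing in for MAP SRI/ATI responses (no real signalling is sent), and the 24-hour window, the linear scaling, and the IMSI and network names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SignallingResult:
    """Outcome of one signalling request (e.g. MAP SRI or ATI) to a network.
    imsi is None when that network reports the subscriber unknown (request
    "failed"); vlr_network is the network of the answering VLR ([0047])."""
    network: str
    imsi: Optional[str]
    vlr_network: Optional[str] = None


@dataclass
class Verdict:
    authentic: bool     # True only when every test listed in [0050] passes
    reasons: List[str]  # why the route is treated as not authentic
    risk: float         # 0.0 (low) .. 1.0 (high), from parameter ages


def risk_factor(ages_hours: Dict[str, float], window_hours: float = 24.0) -> float:
    """Risk from the minimum age of the gathered parameters: lower age, higher
    risk ([0013]). The 24 h window and linear scaling are assumptions for this
    example; the page only cites a SIM swap within 24 h as high risk."""
    if not ages_hours:
        return 0.0
    youngest = min(ages_hours.values())
    return 0.0 if youngest >= window_hours else 1.0 - youngest / window_hours


def authenticate_route(expected_imsi: str, home_network: str,
                       first: SignallingResult, others: List[SignallingResult],
                       ported_in_central_db: bool,
                       ages_hours: Dict[str, float]) -> Verdict:
    """Control-module rule: authentic only if the first request (home network)
    succeeds with the expected IMSI and every second request (other network)
    fails ([0045]-[0050])."""
    reasons: List[str] = []

    # [0042]: a porting record in the central database is itself suspicious.
    if ported_in_central_db:
        reasons.append("MSISDN is ported at central porting database level")

    # [0045]-[0047]: first signalling request, to the home network.
    if first.imsi is None:
        reasons.append(f"{home_network} does not know the subscriber "
                       "(first signalling request failed)")
    else:
        if first.imsi != expected_imsi:
            reasons.append("home network returned an unexpected IMSI "
                           "(possible SIM swap)")
        if first.vlr_network is not None and first.vlr_network != home_network:
            reasons.append(f"VLR is on {first.vlr_network}, not on "
                           f"{home_network} (possible spoofing)")

    # [0049]: the second signalling request to every other network must fail.
    for result in others:
        if result.imsi is not None:
            reasons.append(f"{result.network} returned IMSI {result.imsi} "
                           "(second signalling request succeeded)")

    return Verdict(not reasons, reasons, risk_factor(ages_hours))


# Constructed sample data; the IMSIs and network names are placeholders.
EXPECTED_IMSI = "655010000000001"
HOME, OTHER = "home-network-120", "other-network-140"


def scenario_authentic() -> Verdict:
    """Subscriber known to the home network only; nothing changed recently."""
    first = SignallingResult(HOME, EXPECTED_IMSI, vlr_network=HOME)
    ages = {"imsi_msisdn_association": 720.0, "network_registration": 4000.0}
    return authenticate_route(EXPECTED_IMSI, HOME, first,
                              [SignallingResult(OTHER, None)], False, ages)


def scenario_ported() -> Verdict:
    """Home network no longer knows the MSISDN; the other network answers."""
    first = SignallingResult(HOME, None)
    others = [SignallingResult(OTHER, EXPECTED_IMSI, vlr_network=OTHER)]
    ages = {"imsi_msisdn_association": 720.0, "network_registration": 6.0}
    return authenticate_route(EXPECTED_IMSI, HOME, first, others, True, ages)


def scenario_sim_swap() -> Verdict:
    """Home network answers, but with a different IMSI associated 3 h ago."""
    first = SignallingResult(HOME, "655010000000099", vlr_network=HOME)
    ages = {"imsi_msisdn_association": 3.0, "network_registration": 4000.0}
    return authenticate_route(EXPECTED_IMSI, HOME, first,
                              [SignallingResult(OTHER, None)], False, ages)
```

In the ported scenario all three checks fail and the risk is 0.75 (registration only 6 h old); in the SIM-swap scenario the home network still answers, so only the IMSI comparison flags the route, with a risk of 0.875.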
[0051] In the case where the party wishing to authenticate the subscriber wishes to use the age of the information or a risk factor calculated, then these values may also be returned to the transmitting party after the OTP was sent in order to allow them the opportunity to terminate the transaction.
[0052] FIG. 7 shows a diagrammatic representation of a computer 600 within which a set of instructions, for causing the computer 600 to perform any one or more of the methodologies described herein, may be executed. In a networked deployment, the computer 600 may operate in the capacity of a server or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The computer 600 may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any computer 600 capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that computer 600. Further, while only a single computer 600 is illustrated, the term "computer" shall also be taken to include any collection of computers that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
[0053] The example computer system 600 includes a processor 602 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both, a main memory 604 and a static memory 606, which communicate with each other via a bus 608. The computer 600 may further include a video display unit 610 (e.g., a liquid crystal display (LCD)). The computer 600 also includes an alphanumeric input device 612 (e.g., a keyboard), a graphical user interface (GUI) navigation device 614 (e.g., a mouse), a disk drive unit 616, a signal generation device 618 (e.g., a speaker) and a network interface device 620.
[0054] The disk drive unit 616 includes a computer-readable medium 622 on which is stored one or more sets of instructions and data structures (e.g., software 624) embodying or utilized by any one or more of the methodologies or functions described herein. The software 624 may also reside, completely or at least partially, within the main memory 604 and/or within the processor 602 during execution thereof by the computer system 600, the main memory 604 and the processor 602 also constituting computer-readable media.
[0055] The software 624 may further be transmitted or received over a network 626 via the network interface device 620 utilizing any one of a number of well-known transfer protocols (e.g., HTTP, FTP).
[0056] While the computer-readable medium 622 is shown in an example embodiment to be a single medium, the term "computer-readable medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "computer-readable medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the computer 600 and that cause the computer 600 to perform any one or more of the methodologies of the present embodiments, or that is capable of storing, encoding or carrying data structures utilized by or associated with such a set of instructions. The term "computer-readable medium" shall accordingly be taken to include, but not be limited to, solid-state memories and optical and magnetic media.
[0057] The system 200 may include at least some of the components of the computer 600.
[0058] The Applicant believes that the invention as exemplified is advantageous as it can detect various methods of porting-related, SIM-swap-related and spoofing (impersonation)-related fraud used to re-route security messages. The methods 300, 400 do not require modification to systems of the bank 102 or to the mobile device 104 of the subscriber 108.
[0059] In this specification, the word "comprising" is to be understood in its "open" sense, that is, in the sense of "including", and thus not limited to its "closed" sense, that is, the sense of "consisting only of". A corresponding meaning is to be attributed to the corresponding words "comprise", "comprised" and "comprises" where they appear.
[0060] In addition, the foregoing describes only some embodiments of the invention(s), and alterations, modifications, additions and/or changes can be made thereto without departing from the scope and spirit of the disclosed embodiments, the embodiments being illustrative and not restrictive.
[0061] Furthermore, although the invention(s) have been described in connection with what are presently considered to be the most practical and preferred embodiments, it is to be understood that the invention is not to be limited to the disclosed embodiments, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention(s). Also, the various embodiments described above may be implemented in conjunction with other embodiments, e.g., aspects of one embodiment may be combined with aspects of another embodiment to realize yet other embodiments. Further, each independent feature or component of any given assembly may constitute an additional embodiment.

Claims (19)

1. A method of authenticating a messaging route with a mobile subscriber of a mobile device in a mobile telecommunications network comprising at least a home network and at least one other network which is not the home network, the method including:
retrieving, by a querying module:
an indication of a current home network of the mobile subscriber, if the current home network is identifiable; or
an indication of a last-known home network of the mobile subscriber, if the current home network is not identifiable;
sending, by a signalling module, a first signalling request to the current or last-known home network to determine whether or not the mobile subscriber exists on the current or last-known home network;
sending, by the signalling module, a second signalling request to the other network which is not the current or last-known home network to determine whether or not the mobile subscriber exists on the other network; and
determining, by a control module, that the messaging route with the mobile subscriber is authentic in response to both the first signalling request succeeding and the second signalling request failing, and determining that the messaging route with the mobile subscriber is not authentic in response to either one of the first signalling request failing or the second signalling request succeeding.
2. The method as claimed in claim 1, which includes the additional steps of:
gathering, by the control module, a minimum age of any one or more network parameters associated with the subscriber; and
calculating, by the control module, a risk factor based on the gathered age of the parameters, with a lower age indicating a higher risk.
3. The method as claimed in claim 2, in which the calculated risk factor is communicated to or used by a financial institution or interested party in determining the probability that the message path has been compromised.
4. The method as claimed in any one of claims 2-3, in which the network parameters are gathered using only a home network where the subscriber is registered and in the country where the subscriber is registered.
5. The method as claimed in any one of claims 2-4, which is performed on a periodic basis to be able to alert a financial institution or interested party to the calculated risk factor proactively.
6. The method as claimed in any one of claims 1-5, which is performed before, during, or after communicating with the mobile device using the messaging route.
7. The method as claimed in any one of claims 1-6, which is performed with a mobile terminating (MT) communication or with a mobile-originating (MO) communication.
8. The method as claimed in any one of claims 1-7, in which:
the method is performed prior to sending an OTP (One-Time PIN) containing message; and
in response to determining that the messaging route is not authentic, the OTP-containing message is withheld.
9. The method as claimed in claim 8 insofar as it depends from claim 2, in which the OTP message is delivered to the subscriber and the calculated risk factor is sent to a sender of the OTP.
10. The method as claimed in any one of claims 1-9, which includes sending an alert message to a financial institution and/or to the subscriber, alerting that the messaging route may be compromised.
11. The method as claimed in any one of claims 1-10, which includes querying, by the querying module, a central database to retrieve an indication of the current home network.
12. The method as claimed in claim 11, in which the central database includes a central porting database, the method including sending, by the querying module, a query message to the central porting database.
13. The method as claimed in any one of claims 1-12, in which the signalling module is configured to send the first and/or second signalling requests in the form of one or more of the following:
- MAP (Mobile Application Part) SRI (Send Routing Information) signalling message;
- MAP ATI (Any Time Interrogation) signalling message;
- any other MAP, TCAP (Transaction Capabilities Application Part), or ISUP (ISDN (Integrated Services Digital Network) User Part) signalling message that will return an error if the subscriber does not exist in that network; or
- a Diameter signalling protocol.
14. The method as claimed in any one of claims 1-13, which includes sending multiple second signalling requests to multiple other networks which are not the home network.
15. The method as claimed in any one of claims 1-14, in which the mobile subscriber is represented by a Subscriber Identity Module (SIM), the method including the prior step of authenticating an MSISDN (Mobile Station International Subscriber Directory Number) or IMSI (International Mobile Subscriber Identity) of the subscriber.
16. A non-transitory computer-readable medium having stored thereon a computer program which, when executed by a computer, directs the computer to perform the method as claimed in any one of claims 1-15.
17. A system operable to authenticate a messaging route with a mobile subscriber of a mobile device in a mobile telecommunications network comprising at least a home network and at least one other network which is not the home network, the system including:
a querying module configured to:
retrieve an indication of a current home network of the mobile subscriber, if the current home network is identifiable; or
retrieve an indication of a last-known home network of the mobile subscriber, if the current home network is not identifiable;
a signalling module configured to:
send a first signalling request to the current or last-known home network to determine whether or not the mobile subscriber exists on the current or last-known home network; and
send a second signalling request to the other network which is not the current or last-known home network to determine whether or not the mobile subscriber exists on the other network; and
a control module configured to:
determine that the messaging route with the mobile subscriber is authentic in response to both the first signalling request succeeding and the second signalling request failing; and determine that the messaging route with the mobile subscriber is not authentic in response to either one of the first signalling request failing or the second signalling request succeeding.
18. The system as claimed in claim 17, in which the control module is configured to:
gather a minimum age of any one or more network parameters associated with the subscriber; and
calculate a risk factor based on the gathered age of the parameters, with a lower age indicating a higher risk.
19. The system as claimed in any one of claims 17-18 which is configured to perform the method as claimed in any one of claims 1-15.
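The decision the claims describe, carried through in working code as an added example (this is not the patentee's code and the patent discloses no implementation): the querying module resolves the current home network from a central porting database, falling back to the last-known home network (claims 1, 11, 12); the signalling module sends a first request to that network and a second request to every other network (claims 1, 13, 14); the control module accepts the route only when the first request succeeds and all second requests fail, withholds an OTP otherwise (claim 8), and scores risk from the minimum age of the subscriber's network parameters, lower age meaning higher risk (claims 2, 4, 9). The operator names, MSISDNs, porting database, parameter names and the linear risk scale are constructed for the illustration; a real deployment would replace `signalling_request` with actual MAP SRI/ATI or Diameter queries.

```python
"""Worked example (added here, not the patentee's code) of the route
authentication in claims 1, 2, 8, 11-14 of AU2016204016B2. The networks,
MSISDNs, porting database, parameter names and risk scale are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Network:
    """Stand-in for one operator's HLR/HSS reached over MAP or Diameter."""
    name: str
    # msisdn -> ages (in days) of network parameters (assumed names) that
    # claim 2 feeds into the risk factor.
    subscribers: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def signalling_request(self, msisdn: str) -> bool:
        """Models a MAP SRI/ATI or Diameter query: True on a positive
        response, False when the network answers with an error (for example
        MAP UnknownSubscriber) because it does not serve this MSISDN."""
        return msisdn in self.subscribers


def resolve_home_network(msisdn: str, porting_db: Dict[str, str],
                         last_known: Dict[str, str]) -> Optional[str]:
    """Querying module: the current home network from the central porting
    database if identifiable, otherwise the last-known home network."""
    return porting_db.get(msisdn) or last_known.get(msisdn)


def authenticate_route(msisdn: str, networks: Dict[str, Network],
                       porting_db: Dict[str, str],
                       last_known: Dict[str, str]) -> Tuple[bool, str]:
    """Control module: authentic only if the first request (home network)
    succeeds AND every second request (each other network, claim 14) fails."""
    home = resolve_home_network(msisdn, porting_db, last_known)
    if home is None or home not in networks:
        return False, "home network not identifiable"
    if not networks[home].signalling_request(msisdn):
        return False, f"first request to home network {home} failed"
    for name, net in networks.items():
        if name != home and net.signalling_request(msisdn):
            return False, f"second request to other network {name} succeeded"
    return True, f"subscriber exists only on home network {home}"


def risk_factor(parameter_ages_days: Dict[str, int], horizon_days: int = 30) -> float:
    """Claim 2: take the minimum age over the gathered parameters and map it to
    a score in [0, 1] where a lower age means higher risk. The linear scale over
    horizon_days is an assumption of this example, not the patent's formula."""
    if not parameter_ages_days:
        return 1.0  # nothing is known about the subscriber: highest risk
    min_age = max(0, min(parameter_ages_days.values()))
    return round(max(0.0, 1.0 - min_age / horizon_days), 3)


def otp_decision(msisdn: str, networks: Dict[str, Network],
                 porting_db: Dict[str, str], last_known: Dict[str, str]) -> dict:
    """Claims 8/9 flow: withhold the OTP when the route is not authentic; when
    it is, deliver it and report the risk factor to the OTP sender. Parameter
    ages are gathered only from the home network (claim 4)."""
    authentic, reason = authenticate_route(msisdn, networks, porting_db, last_known)
    home = resolve_home_network(msisdn, porting_db, last_known)
    ages = networks[home].subscribers.get(msisdn, {}) if home in networks else {}
    return {"msisdn": msisdn, "authentic": authentic, "reason": reason,
            "risk": risk_factor(ages),
            "action": "deliver" if authentic else "withhold"}


# Constructed sample data: three operators, a porting database and a
# last-known fallback. Ages are days since the parameter last changed.
NETWORKS = {
    "NET_A": Network("NET_A", {
        "27820000001": {"imsi_assigned": 900, "sim_activated": 900, "ported": 1200},
        "27820000003": {"imsi_assigned": 800, "sim_activated": 800, "ported": 800},
    }),
    "NET_B": Network("NET_B", {
        "27820000002": {"imsi_assigned": 1, "sim_activated": 1, "ported": 1},
        "27820000003": {"imsi_assigned": 3, "sim_activated": 3, "ported": 3},
    }),
    "NET_C": Network("NET_C"),
}
PORTING_DB = {"27820000001": "NET_A", "27820000002": "NET_B", "27820000003": "NET_A"}
LAST_KNOWN = {"27820000004": "NET_C"}


if __name__ == "__main__":
    for m in ("27820000001", "27820000002", "27820000003", "27820000004", "27820000005"):
        print(otp_decision(m, NETWORKS, PORTING_DB, LAST_KNOWN))
```

The five sample subscribers exercise each branch of the claims: 0001 is known only to its home network and scores no risk; 0002 also passes the claim 1 test because the porting database already points at the new operator, but its day-old port drives the claim 2 risk factor close to 1, which is the signal a financial institution would act on; 0003 is answered by a second operator, so the second request succeeds and the OTP is withheld; 0004 is resolved through the last-known fallback, whose network no longer knows it, so the first request fails; 0005 cannot be resolved at all.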
AU2016204016A 2015-06-17 2016-06-15 A method and system for authenticating a messaging route with a mobile subscriber of a mobile device Active AU2016204016B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA201504345 2015-06-17
ZA2015/04345 2015-06-17

Publications (2)

Publication Number Publication Date
AU2016204016A1 (en) 2017-01-12
AU2016204016B2 (en) 2020-11-05

Family

ID=57724836

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2016204016A Active AU2016204016B2 (en) 2015-06-17 2016-06-15 A method and system for authenticating a messaging route with a mobile subscriber of a mobile device

Country Status (2)

Country Link
AU (1) AU2016204016B2 (en)
ZA (1) ZA201604099B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4052499B1 (en) * 2019-10-30 2024-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Sim swap fraud detection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003067506A2 (en) * 2002-02-06 2003-08-14 Citibank, N.A. Method and system of transaction card fraud mitigation utilizing location based services
US20100048171A1 (en) * 2006-12-22 2010-02-25 Deutsche Telekom Ag Method for fraud recognition in the case of roaming connections in mobile communications networks
WO2010043722A1 (en) * 2008-10-17 2010-04-22 Carter Robert A Multifactor authentication
US20150038120A1 (en) * 2012-03-15 2015-02-05 Moqom Limited Mobile phone takeover protection system and method
GB2517276A (en) * 2014-06-18 2015-02-18 Validsoft Uk Ltd Detecting porting or redirection of a mobile telephone number

Also Published As

Publication number Publication date
AU2016204016A1 (en) 2017-01-12
ZA201604099B (en) 2017-08-30

Similar Documents

Publication Publication Date Title
US11700529B2 (en) Methods and systems for validating mobile devices of customers via third parties
KR102321781B1 (en) Processing electronic tokens
US8447699B2 (en) Global secure service provider directory
KR102013683B1 (en) Machine-to-machine bootstrapping
US11564094B1 (en) Secondary device authentication proxied from authenticated primary device
CN110199509A (en) It is detected using the unauthorized access point that multipath is verified
US10694381B1 (en) System and method for authentication and sharing of subscriber data
US11102006B2 (en) Blockchain intelligent security implementation
US10516690B2 (en) Physical device detection for a mobile application
US11575671B2 (en) Network ID device history and mobile account attributes used as a risk indicator in mobile network-based authentication
US10868808B1 (en) Server application access authentication based on SIM
US11570620B2 (en) Network profile anti-spoofing on wireless gateways
US10735491B2 (en) Network attack detection on a mobile API of a web service
AU2015273144A1 (en) Methods and systems for authentication of a communication device
EP3993471A1 (en) Sim swap scam protection via passive monitoring
AU2016204016B2 (en) A method and system for authenticating a messaging route with a mobile subscriber of a mobile device
US20230284025A1 (en) Hyperledger Authorization into a Radio Access Network (RAN)
US20230300621A1 (en) Subscriber Identification Module (SIM) Authentication Protections
US20200245142A1 (en) Mobile number device history used as a risk indicator in mobile network-based authentication
US20230254696A1 (en) Sim based application action authentication
US20230254306A1 (en) Systems and methods for authenticating access to a service by a mobile device

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)