SE523227C2 - Cellular radio telephone system fraud detection - Google Patents

Abstract

The method for detecting fraud in a cellular radio telephone system involves receiving a first system access over a first RF channel. A second system access is received at the system over a second RF channel. The second system access has the same mobile identification data as the first. The channel identification data is compared and fraud is determined if they do not match. Pref., the RF channels are control channels. The mobile identifying data includes a mobile identification number, an electronic serial number and a station class mark. The channel identifying data includes a channel number and a digital colour code.

Description

'tions Commission, nnn an: n o en nnn n u nn no n nu nn n »n n nn vn u nu n o u: nn nn c n n n n n nn 2: e ===; = = .- = = | | n n n -_- n n n n n n n c n | n o z n n o n n n n nn n: en un: 2 32-35. Additional background material on the subject can be found in an article entitled "Spoofers can Defraud Users and Carriers" by Geoffrey S. Goodfellow et al. dated November 1985. in Personal Communications Technology, In historical perspective, the development of some of the modern communication technologies, such as digital time division and broadcasting, has been greatly influenced by the security and individual integrity considerations of early communication system designers; in particular in this regard did not consider the military area. In contrast, designers of early analog cellular telephone systems consider security considerations as important as other aspects of wireless voice quality. At the same time, the governing state authorities, e.g. “The Federal Communica communication, e.g.

FCC 'ether waves mostly as public property. The result is that with certain exceptions everyone has the right to take in and. receive which. radio signal sonx preferably.

Encouraged by this freedom and by the curiosity of people in general, an "eavesdropping industry" has emerged that openly markets scanning devices that can monitor the airwaves.

However, as more and more cellular systems developed and the subscriber base grew, an interest in the lack of security in existing analog cellular telephone systems began to emerge. This interest has centered not only on the lack of talent integrity but also on the widespread possibility of stealing cellular service. In recent years, the industry has witnessed a significant increase in the number of mobile stations that gain access to cellular service by illegally identifying themselves as legitimate subscribers. These illegal activities are largely possible due to certain limitations in existing cellular systems which are best understood through a general review of the structure and mode of operation of a typical cellular system. 10 15 20 25 30 35 523 227: ߧæߧæ * A conventional cellular telephone system arises by dividing the system service area into physical cells. Typically, each cell has a size of from a few city blocks to a radius of 48.2 km. Each cell is served by an assigned base station which. communicates 'with the system via a' switch known. as a mobile telephone exchange (MCS). Calls are made to and received by the system using individual mobile stations (portable, portable or car-mounted radiotelephone units) via these base stations. When each individual mobile station is moved from cell to cell, or “roams” from system to system, it is served by the base station covering the cell in which the mobile station. then located. Each base station in the system has at least one assigned control channel through which the system coordinates the service. The other radio channels in the base station are used for voice connections. Each control and speech channel is of the “full duplex” (two-way) type and consists of a forward frequency channel from the base station to the mobile station and a return frequency channel from the mobile station to the base station.

To route incoming calls to a mobile station, the position of the mobile station must be known to the system. To facilitate the location of mobile stations, a service area for the mobile telephone system can be divided into location areas, each consisting of one or more cells.

A mobile telephone system tracks the position of the mobile station in each location area through a registration process. Upon registration, the mobile station sends a registration request on the return control channel to which it is tuned (usually the one for the nearest base station). If the registration request is accepted, the base station will send a registration confirmation on the forward channel to the mobile station. This registration confirmation confirms that the system has registered the mobile station in the location area that contains the cell served by the base station either time-based or nen. The registration can be position-based. 10 15 20 25 30 35 523 227 4 Time-based or periodic registration occurs independently of other activities in the mobile station and is performed periodically at predefined time intervals. The system periodically sends certain registration time constants in a randomly generated message train (OMT) on the forwarding channels to the base stations serving the cells in which the mobile units happen to be located. The mobile units then send a registration request to the system, at the same time as they move around the system, at times calculated by the mobile station in accordance with these time constants. The registration request is received by the system at the base station serving the cell in which the mobile unit is located at the time of transmission.

When the registration request is received, the system registers the current mobile unit in the location area containing the cell of the base station that received the registration request and this base station will send a registration confirmation back to the mobile station.

Position-based registration occurs as a result of a mobile station moving from one location area to another and / or from one system area to another. Each base station periodically transmits in OMT data as. identifies the location area and / or the system in which the base station is located. A mobile station periodically scans the control channels as it moves in the system and by tuning to the control channel having the strongest signal it receives data identifying the location area and / or system where it is then located. The mobile station compares the most recently received data for location area and / or system with the corresponding data in its memory that identifies the most recent location area and / or system from which it received a registration confirmation. If the corresponding sets of identification data match, the mobile unit is located in the location area and / or system in which it is currently registered. However, if the mobile unit has moved to a new location area or systeni and consequently the mobile data sets do not match, the unit will send a registration request received at the base station serving the cell belonging to the new one. the location area and / or the system in which it is now located.

The system will then register the mobile station in the broadcast a new location area and / or the system and registration confirmation to the mobile station.

The mobile station can always be connected to the system for making a call by sending a connection request for outgoing calls. The call request is received by the base station serving the cell in which the mobile station is located.

The system registers the mobile station in the relevant location area (ie outgoing calls are treated in the same way as recordings for position identification) and sends a first message (IVCD) about an analog voice channel or a first message (IDTC) about a digital voice channel to assign it mobile station to a free voice channel. When the system receives an incoming call to a mobile station, the system sends a paging message via the control channels to the location area where the mobile station is registered. The mobile station responds by sending a paging response message back to the system. When the system receives the paging message from the mobile station, it will assign a free voice channel to the mobile station by sending an IVCD or IDTC message.

I n ifi 'h v' 'V In existing plurality of information elements for identifying and validating a legitimate analog system, one is used. These elements include the mobile identification number and the electrical identifier of the mobile station. subscriber.

(MIN), which identifies the telephone subscription, the serial number (ESN), In the United States, MIN consists of a digital representation of the area code and directory number of the ~ mobile subscriber (ie 'MIN' is a digital representation of NPA / NXX-XXXX, where NPA is a three-digit number that identifies the numbering plan area in which the cellular system is located, NXX is a three-digit number that identifies the mobile operator and the mobile exchange, and XXXX is a four-digit number that identifies a mobile subscriber). A MIN is assigned by the service provider (network operator) and is usually programmed into a mobile station either when purchased by the original buyer or when sold to another user. An ESN is provided by the manufacturer of the mobile station and is intended to uniquely identify a mobile station in any cellular system and allow automatic detection of stolen mobile phones which may be permanently refused. According to the analog known as EIA-553, telephone services must be the industry standard for ether interfaces, an ESN must be set at the factory and must not be easily altered in the field. Furthermore, the circuits that provide an ESN must be isolated so that it is tamper-proof and any attempt to change the ESN circuits must render the mobile telephone inoperable.

In addition to MIN and ESN, each mobile station can also be identified by a station rating label (SCM) indicating the transmission power class, mode and bandwidth of the mobile station.

Mobile stations in different power classes (portable, transportable and vehicle-mounted) transmit at one of several specified (0.6, 1.6 or 4 W).

The transmit power level within a given range can be increased or decreased power levels in different output power ranges by means of a power change command from the base station.

Furthermore, some mobile stations have the ability to operate in (DTX) between two transmission power levels in which it can switch itself ("DTx high" and "DTX 1àg"). assigned cellular systems while others are also set to operate in extended frequency ranges which are assigned later.In the same way as MIN and ESN, relevant SCM information is stored in each mobile station.

User authorization for mobile telephone services is usually performed at each system connection (eg registration request, outgoing call or paging response) of a mobile station. When connected, the mobile station sends MIN, ESN and SCM to the system. Each exchange maintains a white list containing MIN / ESN pairs for valid subscribers and a blacklist containing ESN numbers for stolen or otherwise no longer valid mobile stations. The system validates received MIN to ensure that the station belongs to a known subscriber and compares received ESN with what is stored in the system together with MIN. If these validations are successful, the user is considered legitimate and connection is accepted. Services are then provided and controlled in accordance with the received SCM. l "r r" i Unauthorized access to a cellular system is possible due to the possibility of fraudulently obtaining or generating mobile identification information (MIN / ESN) which is then used to trick the system into providing services. There are many ways in which valid MIN / ESN information can fall into the hands of anyone who wants to steal online services.

Because the MIN / ESN is transmitted through the air from each mobile device when connected, it is easily accessible to anyone with suitable scanning equipment. In addition to radio interception, the identification information. For example, there are reports on ESN- there are much simpler means of accessing chips that can be bought from the shelf, ESN-BBSs and employees at mobile phone shops that have access to MY / ESN information and sell it.

The commercial tools for cyber thieves can also vary. Some of the mobile stations sold today do not meet the requirement for tamper-proof ESN and consequently these mobile phones can be easily programmed with a new ESN (there is no requirement for MIN all mobile stations are easily programmed with a new MIN). There is tampering security for and consequently even reports of tampered phones programmed to either automatically scan the return control channel. and capture the identification information or use different MIN / ESN identification at each access. Other reports have described which affect computers which automate hidden mailboxes fraud.

Fraud control solutions based on encryption and authentication systems are being introduced for the next generation of two-mode systems (combined analog and digital) specified in the industry standard known as IS-54. The same functionality will be supported by a revised standard EIA-553 for analog systems. For the existing analogue mobile station population, a number of security measures have been used to counteract the problem of unauthorized access. These measures have had varying degrees of success depending on the form of fraud. To date, the following fraud techniques have been identified: subscription fraud, roaming fraud, snooping fraud, cloning fraud and channel-using fraud (theft fraud). nmn "ri Subscription fraud is one of the earliest forms of fraud. The perpetrator, obtains a telephone subscription 'with the help of false personal information (false name, address, etc.). Although this form of fraud is very difficult to detect, the solution is quite simple: Network operators and / or their sales representatives can verify the subscriber's identity before the subscription is issued. "Vn nr" ri a subscriber can move outside his subscription area (home area) and without difficulty receive services in an area (visiting or serving) in a cooperating system.To receive service in the visited area, each subscriber who was entitled according to a 10 15 20 25 30 35 nu nnn nn nn non nu nn on n en nn nnn I i, nn n nn uf un ao snon. Un nn nn nnn n n, nn n,,,,,,, n n n n n n n q a n,. . n n n n nn n nnn un annu no roaming agreement a temporary roaming number from the number series used in the visited area. Calling as. wishes to reach the subscriber. when this roams in the visited area could dial the temporary number and be connected to the subscriber via the switch in the visited system. Opportunity for outgoing calls was generally given to the roaming subscriber after placing his first call in the visited area. This first call was usually connected to a telephone operator who verified that the roaming subscriber was entitled to receive service credit card numbers (eg roaming numbers, etc.).

A fake mobile phone subscriber could obtain roaming service by illegally obtaining the roaming number from a legitimate subscriber. Armed with this information, the perpetrator could e.g. program their mobile phone with the roaming number, have a call placed on this number and a voice channel assigned to the mobile station and then issue a request for third party service via the voice channel to a desired telephone number.

The fake subscriber acts against the visited system as a legitimate roaming subscriber from another system. Due to the lack of equipment for communication between the visited system and the home system of the legitimate roaming subscriber MIN / HSN- easily accessible to the visited system. When there was no information about roaming subscribers (eg identity) suitable verification bodies were missing, the serving system accepted all roaming calls in order not to refuse service to legitimate roaming subscribers. Again, this form of fraud was normally detected only when the legitimate subscriber detected discrepancies in the telephone service bills.

The industry has successfully reduced roaming fraud to a manageable level by installing subscriber identification validation systems, such as an authentication center, and updating switching systems (MSCs) with instant roaming validation equipment.

However, the early validation rates were too slow (ie did not work in real time). Consequently, and in order not to risk the refusal of service to a legitimate subscriber, the strategy used was to accept the first call from a roaming subscriber and then initiate an identification verification process, either through the authentication center or by other means (eg the home exchange). . If the validation is not successful, the associated ESN can then be placed in a block list to give the permanent refusal of access. Otherwise, all subsequent accesses assigned to this ESN would be readily accepted.

These anti-roaming systems typically worked as follows. During calls from a roaming subscriber, the serving mobile exchange (eg by X.25 signaling) sent the MIN / ESN pair received from the mobile station to the roaming subscriber's home exchange or to an authentication center requesting verification. To avoid the denial of service to a legitimate subscriber, it was initially assumed that the MIN / ESN pair was valid and this first call from the roaming subscriber was approved to wait for the outcome of the verification request. The home exchange or approval center compared the MIN / ESN pair received from the serving exchange with a list of valid MIN / ESN pairs and reported to the serving exchange. If the MIN / ESN pair was not verified by the PBX or the approval center as applicable, it terminated all continued blacklisted corresponding ESNs (blacklisting of the corresponding MIN would entail a risk of service denial to a valid MIN holder). service switching call connection and for more than a short period of time, e.g. However, due to signaling and processing times in connection with receiving a response to a verification request, a fake roaming subscriber may enjoy several minutes or in some cases several hours of free talk time before disconnecting. (no Newer mobile system supports so-called automatic roaming operator service) and will be connected to signal links that work in real time according to a common signaling protocol, e.g. S.S.7 or IS41 protocol. In these systems, the validation of the MIN / ESN for a roaming subscriber through the home exchange is almost instantaneous. 2 1. I ir "in Reversal Fraud. Is really a1 advanced for fl x of the roaming fraud technology that has emerged to circumvent the roaming fraud control solutions used in the switching systems. ) ESN, MIN or both ESN and MIN after placing one or more roaming calls using the first MIN / ESN combination A fake mobile subscriber using MIN / ESN reversal selected a roaming MIN / NXX belongs to a network operator who has a roaming agreement with the local network operator) and a randomly selected ESN to generate a MIN / ESN pair and make at least one call before the selected ESN value is blocked during the verification, at which time a another MIN or ESN value was selected and an additional call could be made.

A typical MIN / ESN reversal scenario could proceed as follows. A perpetrator first places a successful roaming call. Since it takes some time for the serving system to validate the rover subscriber's identity, the perpetrator can get away with at least a few free calls. If the roaming validation is successful, the roaming identity can be used repeatedly until its service is denied. At this time, the perpetrator requests service by changing the MIN. If ESN is blocked, the perpetrator switches to another ESN and then to another MIN and so on. By reversing MIN / ESN, you can thus change the identity at each access and make each call look like a first call from a roaming subscriber. targeted at included removal of abused NPA / NXX combinations The first solutions reversal fraud from use in the system, validation of ESN with respect to format compliance before calls, diversion of 10 15 20 25 30 35 5 2 5 2 2 7 = 1 IlÉï êffš 12 roaming calls to a telephone operator (number dialing with O +) and also cancellation of roaming agreements. As a long-term solution, the industry has sought to facilitate the exchange of subscriber and call information between switching systems through the development of a common communication protocol for communication between systems, such as that specified in the industry standard known as IS-41.

K n'n "i Kloningsbesdägeri occurs when a perpetrator programs a duplicate mobile station with the identity of a legitimate mobile station. Fake mobile phones' ability to automatically assume any identity when making calls (ie so-called manipulated phones) falls into this category of fraud.

It should be noted that when a mobile phone illegally obtains access, regardless of the specific fraud technology used, the mobile phone has assumed the identity of a legitimate subscriber from a system point of view.

Thus, all these fake mobiles could be considered cloned. There is currently no exchange-based solution for this form of fraud.

T 'vki "r' Thief fraud or channel abuse occurs when a perpetrator takes over a voice channel used for conversation and where a legitimate subscriber is involved. The thief usually scans the frequencies of the cellular system to find an active voice channel used for calling a valid mobile station.

The thief then tunes his mobile to this voice channel and takes over the valid mobile station by increasing the transmitter output power. At this time, the thief has effectively taken over the voice connection with the base station and can make a request for third party service to establish a connection to a desired telephone number (this is normally done by pressing a button on: the mobile station's keyboard for to send a cue signal during a call). The base station will interrupt the call and connect the thief to the desired number (meanwhile the legitimate mobile subscriber ends the previous call due to the interruption). Again, there is no known exchange-based solution to this form of fraud. rin From the previous discussion it can be seen that there is more on identification information for mobile phones, the mobile phone manufacturers' dimensions of the fraud problem: the lack of availability in terms of meeting security-related standards, the inability of exchange systems to exchange subscriber / call information, and issuance of subscriptions without sufficient control of ability to pay / identity. From a technical point of view, long-term solutions to these problems are not out of reach. requirements would make it difficult, if not impossible, to change Getting mobile phone manufacturers to fulfill a mobile phone's identity in the field. Encryption and authentication systems, such as those used in the two-mode standard (IS-54), make it difficult to access the mobile's identification from the ether waves. The current (EIA-553) Furthermore, with the introduction of IS-41 different ring information analog specification can also be revised to include safety features. system. exchange subscriber / call information and validate the subscriber's authenticity. Furthermore, future mobile communication systems are likely to become more intelligent (ie improved with detecting, anti-fraud properties) to deter and prevent fraud.

Today, however, there are over l5 million analogue mobile stations in North America alone. The long-term solutions mentioned above will bear fruit only if the mobile phones are also modified so that they comply with the technical requirements associated with these solutions. Thus, while newer mobile stations become more secure, a switch-based interim solution is required to counter the threat of unauthorized accesses from the existing analogue mobile population while avoiding the need to recall and upgrade these telephones. The invention provides this solution by detecting deviations in subscriber behavior that may indicate fraud.The fraud indications are reported to the operator and repeated such indications may result in the request for service from a suspected fake mobile station being rejected.

THE INVENTION OF PFI N N The invention provides a method for detecting fraud in a radio communication system which communicates with a plurality of mobile stations over a plurality of radio frequency (RF) channels, each mobile station transmitting identification data for the mobile at system access and each RF channel being designated. channel identification data. The method comprises the steps of the system receiving a first system access via a first RF channel and the system receiving a second system access via a second, the second system access having the same identifier channel identification data for the first and the second RF channel RF signal, data for 'mobile as. the first system access, is compared and that fraud is detected if the channel identification data for the first and the second RF channel do not correspond to each other.

In another aspect, the invention provides a method for detecting fraud in a cellular radiotelephone system comprising a switch connected to a plurality of mobile stations via a plurality of radio channels (RF) comprising at least one voice channel and at least one control channel. The method comprises the steps of receiving a system access via a control channel in the system, identifying which mobile station is seeking access, determining whether the identified mobile station is indicated as currently connected to a voice channel in the system, verifying whether the identified the mobile station is still connected to the voice channel and that fraud is detected if the identified mobile station is verified to be connected to the voice channel.

According to a further aspect, the invention provides a method for detecting fraud in a radio communication network consisting of a plurality of systems which. serves a number of mobile stations. The method comprises the steps of determining in one of the systems whether the mobile station is specified as a service request received from one of the mobile stations, actively receiving service in another of the systems and fraud being detected if the mobile station is determined to be active in another of the systems. .

According to a further aspect, the invention provides a method for detecting fraud in a cellular network comprising a plurality of mobile stations which subscribe to service from a home system and can receive service in a plurality of other systems, the home system maintaining a register of which systems at each The method comprises the steps of receiving in the home system a message that one of the other systems has received a request for service from one of the new car stations, that the home system determines whether the other system which has received a service request is the same as the system registered as the one currently serving the mobile station, that if the other system is different from the registered system send from the home system to the registered system an order to interrupt the service to the mobile station, to determine in the registered system in response to the receipt of the order current activity status for nmbilstation one, if the mobile station is indicated as currently active in the registered system, confirm that the mobile station is still active in the registered system and detect fraud if the mobile station is confirmed to still be active in the registered system while also being active in the other system.

In another aspect, the invention provides a method for detecting fraud in a radio communication system in which a plurality of mobile stations register in the system at predefined time intervals. The method includes the steps of determining the current time interval between two registrations received by the system from a particular mobile station, comparing the current time interval with the predefined time interval between the two registrations and detecting fraud if the current time interval between the two registrations is less than the predefined time interval.

According to a further aspect, the invention provides a method for detecting fraud in a radio communication system in which a mobile station periodically registers in The method comprises the steps of storing the time at which the system. which. the first registration. received by the system, estimating the arrival time of a second registration from the mobile station, measuring the current arrival time in the system for the second registration from the mobile station, comparing the estimated arrival time with the current arrival time of the second registration and detecting fraud if the current arrival time is less than the estimated time of arrival for the second registration.

In a further aspect, the invention provides a method for detecting the occurrence of a fake mobile station.

The method includes the steps of registering a mobile station in a first area, receiving a system access from the mobile station in a second area, examining the mobile station in the first area and detecting the presence of a fake mobile station if the examination reveals that the mobile station is in the first area while the system access received in the second area.

The invention also provides a method for locating a mobile station suspected of fraud in a communication network. The method includes the steps of selecting an area in which the mobile station is to be searched, issuing a review order for the mobile station in the area, detecting a response from the mobile station. on the review order. and determining the location of the mobile station based on the location from which the response was detected.

Furthermore, the invention provides a method for detecting false activity connected to a mobile station. The method includes the steps of marking the mobile station for activity reporting, reporting the activities of the mobile station for a predetermined period of time or in a predetermined geographical area and analyzing the reported activities to determine whether these constitute false activities from other mobile stations with the same identity.

BRIEF DESCRIPTION OF THE DRAWINGS For a more detailed understanding of the invention, its objects and advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which: Fig. 1 depicts a conventional cellular radio communication network; Fig. 2 shows multiple access in the network according to Fig. 1; Figs. 3A-B are flow charts as. illustrates * the method according to the invention for detecting multiple access fraud; Fig. 4 illustrates colliding activity in the network of Fig. 1; Figs. 5-6 are flow charts illustrating the method of the invention for detecting fraud in the form of colliding activity; Figs. 7-8 show mobile station registration in the network according to Fig. 1; Figures 9A-B show premature registrations in the network of Figure 1; Fig. 10 is a flow chart illustrating the method of the invention for detecting early detection fraud; Fig. 11 shows an examination of a mobile station over a control or voice channel; Fig. 12 shows the use of scrutiny to locate fraud according to the invention; Fig. 13 is a flow chart illustrating telephonist-initiated location of fake mobile stations according to the invention; Fig. 14 shows tracking of subscriber activity according to the invention; Fig. 15 is a flow chart showing. illustrates marking of subscribers for tracking according to the invention; Fig. 16 is a flow chart showing marking of regions for tracking according to the invention, and Fig. 17 is a flow chart showing tracking of subscriber activity according to the invention.

DETAILED DESCRIPTION OF THE COMPANY Referring to Fig. 1, there is shown a conventional cellular radio communication network of the type to which the invention generally relates. The network comprises two exchanges or mobile switching centers MSCa and MSCb which can control different parts of a simple cellular system served by the same licensed operator or different (but in this example related) systems serving different licensed operators. MSCa is connected to and controls a first group of base stations BO-B9 which provide radio coverage for the cells CO-C9 while. MSCb is connected to and controls a second group of base stations B10-B19 which provide radio coverage for cells C10-C19. The relevant connections that can be used between the MSCs and the base stations are well known and include analog links and the digital T1 lines. In a known manner, each of the base stations B0 ~ B19 comprises a control device and at least one radio transmitter / receiver connected to an antenna. The base stations BO-B19 can be located at or near the center or periphery of the cells CO-C19 and can irradiate the cells CO-C19 with radio signals either in a radiant or directional form. While the network in Fig. 1 is shown with two MSCs and 20 base stations, it is clear that in practice the number of MDCs or base stations can vary depending on the application.

With further reference to Fig. 1, a plurality of the mobile stations M1 + M9 can be seen in some of the cells CO-C19. Thus, e.g. the mobile station M1 located in the cell C17 located in the service area of the MSCb while the mobile stations M3 and M4 are located in the cell C5 located in the service area of the MSCa. Again, it should be understood that even if only 10 mobile stations are shown in Fig. 1, the actual number of mobile stations may be much larger in practice. While no mobile stations are shown in some of the cells CO-C19, it should be further understood that the presence or absence of mobile stations in any of the cells CO-C19 or in any part of them in practice depends on individual wishes of the mobile subscribers who may roam from one place to another. in a cell or from a cell to an adjacent cell or neighboring cell and even from the service area of the MSCa to the service area of the MSCb, or vice versa.

Each of the mobile stations M1-M9 can make or receive telephone calls or transmit data through the nearest of the base stations BO-B19. The base stations forward calls or data to the mobile exchanges MSCa or MSCb which are connected to the public landline telephone network (PSTN) a digital network with integrated service or other fixed network, eg (ISDN). For simplicity, the connections between switches MSCa or MSCb and PSTN or ISDN are not shown in Fig. 1 but are well known to those skilled in the art.

Call connections between the mobile stations M1-M9 and the landline telephones are established by the exchanges MSCa and MSCb. Each exchange controls the communication between the associated base stations and the mobile stations located in its service area. For example, the MSCa controls the search of a mobile station believed to be in one of the cells CO-C9 served by the base stations BO-B9 when a call is received for this mobile telephone, the assignment of a radio channel to the mobile station through the base station upon receipt of a search response. from the mobile station as well as the handover of the communication with a mobile station from one base station to another when the mobile station is moved from cell to cell within the service area of the MSCa.

The M1-M9 mobile stations are approved for service with MSCa or MSCb if they are either home subscribers or valid rovers from cooperating systems. If in Fig. 1 MSCa and MSCb are in different systems served by different network operators, for MSCa, the home subscribers are such subscribers as. subscribes to If, for example, service from the operator of the system where MSCa is included. thus M1 and M3 subscribe to service from the system for MSCa are both home subscribers in terms of MSCa and M1, which is shown to be roaming in cell 17 in the service area for MSCb, is considered a rover in terms of MSCb. Each exchange maintains a database for home subscribers either internally or in a home register (CPR) that is linked to the exchange. CPR stores subscriber records that contain identification and location information activity status, (eg dormant, off, tion, busy, roaming, etc.) and a service profile for each home subscriber.

Similar visitor records, including an identification of the home system, are kept temporarily for each rover registered in the exchange (eg through the system area registration process described earlier). The visitor records are deleted when the wanderers register in another system.

In early cellular systems, the exchanges connected incoming calls to mobile stations located in their respective service areas by searching for the called mobile station in each of the cells forming these areas. In order to avoid unnecessarily allocating system resources, newer systems limit the search to a smaller location area that includes the cell 1 where the mobile station was last registered. In Fig. 1, the cells CO-C19 are divided into a plurality of localization areas, each of which contains at least one cell. Mobile stations moving from one location area to another will send a registration message and the system will register the mobile station in the new location area (eg as it UPP through the location area registration process previously described) The mobile station can then be searched in the current location area to successfully connect a conversation. Each of the cells CO-C19 is assigned a subset of radio frequency (RF) channels which are available for use in the system. Each RF channel is identified by a channel number (CHN) and has full duplex, ie consists of a frequency pair, a forward frequency used for transmission from a base station to a mobile station and a return frequency used for transmission from the mobile station to the base station. One of the RF channels in each cell, called the control channel, is used for signaling and the remaining RF channels monitoring communication are used for voice transmission.

In idle mode, the mobile stations M1-M9 continuously monitor the control channel in a nearby cell and periodically scan all available control channels in the system to locate the control channel having the highest signal strength. When making a call or when a call is received by a mobile station listening to the control channel in a given cell, the MSC will assign a free voice channel in that cell and order the mobile station to leave the control channel. and. go over to the designated voice channel where conversation can take place. (channel numbers) assigned to a cell, the RF channels being reused in a remote cell in the system in accordance with a frequency reuse pattern may be well known.

For example, cells C3 and C6 may use a common group of RF channels (co-channels). To avoid a base station being intercepted by a mobile station listening to the control channel in a remote base station, each control channel is identified by a digital color code (DCC) transmitted from the base station and returned by the mobile station (a similar code is used for the voice channels). The base station will detect the capture of a disturbing mobile station when the DCC received from the mobile station does not correspond to the DCC transmitted by the base station.

The forward control channel normally transmits parent system information including system identification, location area identification and periodic registration information as well as the present. in the year. s o: nu s = x 0 1 n av a: a u | n y m- n. -. . v »g a s o v e v 1 g I I u o m n mobile-specific information including signals about incoming calls (search), assigned voice channels, maintenance instructions and handover instructions when a mobile station moves from the radio coverage of one cell to the radio coverage of another cell. The return control channel usually transmits signals of the desired call, paging response signals and registration signals generated by the mobile stations listening to the forward control channel.

Careful analysis of the context, timing or frequency of these mobile station activities can, as the invention teaches, detect the presence of fake mobile stations. In particular, by monitoring multi-access events, activity collisions and early registration and using auditing, operator-initiated location and tracking of subscriber activity, fraud cases can be detected and attacked.

Multiple access Multiple access occurs when a system access (eg original access, paging response or registration access) from a mobile station is detected over two or more identifiable control channels (CHN) (DCC). Although preferably two control channels operating on the same with the same channel number and the same digital color code frequency (co-channels) should never be identified with the same DCC, the DCC is only a few bits long, e.g. two bits, and there are a limited number of RF channels that can be used as control channels (in the US there are 21 dedicated Consequently, there are a limited number of control channels and possible control channels in each system). values for DCC available and due to the frequency reuse a certain probability that more than one control channel will have the same channel identification data (CHN and CNN).

To avoid false access of an interfering mobile station is screened in existing cellular systems. all accesses before approval on the basis of the following criteria. All accesses of the same type (ie all registrations or all search responses or all origin accesses) received from a given subscriber within a short period of time (typically 100 ms) are considered to be caused by multiple accesses. The access with the highest signal strength (SS) is considered as the true access (SS is measured at each base station when an access is received). Improvement of screening criteria in accordance with the invention can lead to the detection of fake mobile stations.

In accordance with the improved screening process, during the screening period, multiple accesses from more than one mobile station with the same MIN / ESN identity are processed. sk the screening process so that multiple accesses are detected which will not co-channel / samDCC criteria that improve meet the co-channel / samDCC criteria to allow detection of cloned stations. Figs. 2 and 3 illustrate the scenario of multiple access and the treatment of multiple accesses according to the invention.

Referring to Fig. 2, a new car station M1 responds to a search by transmitting a search response via a first control channel CCI used by a first base station BS1. This access is detected by a second base station BS2 which uses a second control channel CC2 which has the same frequency fx and digital color code dccl as CCI. Meanwhile, a second mobile station M2 with the same identity as M1 also responds to the search by sending a paging response via a third control channel CC3 used by a third base station BS3. CC3 uses a different frequency fy and digital color code dcc2 than those used by CCl and CC2. In conventional systems, the multi-access screening process would treat all three accesses as multiple accesses. However, the improved screening method of the invention distinguishes between true multiple accesses and accesses from cloned mobile stations. In the example shown in Fig. 2 comes the improved method. to flag access to CC3 as a security breach.

The improved multi-access screening process is shown in the flow charts of Figures 3A-B. Referring first to Fig. 3A, the system is initially assumed to monitor the system control channels with respect to the request for system access from the mobile stations. In block 302, the process for detecting multiple access is called when the system receives a request for system access from a mobile station on a control channel. Requests for system access can be any type of access transmitted from a mobile station on a control channel. if call or one contains This includes a registration request, a success request, a called or unannounced search answer service call. Any such request for system access data as is necessary for the system to accept the request and the CHN and SS for the control channel on which, in accordance with the enhanced screen, associated with the DCC, the access request was received. The multi-access method, the DCC, CHN and SS values are considered as part of the access request and will be stored and manipulated in a multi-access buffer together with other access data.

In block 304, the system identifies the mobile station and accepts the new access request with associated values DCCM CHNn and $ S. In block 306, the multi-access screening process activated by the system operator (nze) system determines whether clean. If multi-access screening is disabled, the system proceeds to step 318 and ends the process. If multi-access screening is activated, the system proceeds to step 308 where it determines if a previous access from this mobile station (MIN / ESN) has stored the multi-access buffer. If no such previous access request is stored in the multi-access buffer, the system proceeds to step 316 where it stores the new access request in the multi-access buffer and starts a multi-access timer for this mobile station. The system then goes to block 318 and leaves the screening process for multiple CQSS.

The multi-access timer is started each time a first access for a particular mobile station is stored in the multi-access buffer. The timer is set to run a predetermined time which defines how long the multi-access sales process will monitor the system control channels with respect to subsequent accesses for the same mobile station after the time of the first access. A value of 100 ms, which is used in conventional screening methods 10 15 20 25 30 35 523 227 25 - | | | for multiple access, could be used to set the multiple access timer in the screening process of the invention.

If in block 308 a previous system access for the same mobile station is found stored in the multi-access buffer, in this case the system proceeds to step 310 and retrieves the values of DCCp, (pze) can be compared with the corresponding values for the new mern already started of a previous access.

CHNp and SSp for each previous access so that they (nze) access.

In step 312, the system searches for a stored access that has the same DCC and CHN values as the new access. If a stored access is found that has the same DCC and CHN as the new access, the system proceeds to step 314. In step 314, the system determines which of the two accesses with the same DCC and CHN has the highest SS and retains this access in the multi-access buffer and discards takes the second access. If in block 312 it is found that there is no stored previous access with the same DCC and CHN as the new one (this occurs if In block 320 access the system proceeds to block 320 either the DCC or CHN comparison fails). the new access is stored in the multi-access buffer together with previous accesses from the same mobile station with different DCC or CHN values. The system then proceeds to step 318, leaving the multi-access screening process.

The system will recall the screening process for multi-acne a multi-access timer interrupt is generated. cess when a system access is received or when When a new system access is received, the process of Fig. 3A will be repeated. When a multi-access timer interrupt is generated, the system will perform the steps shown in the flow chart in Fig. 3B. A multi-access timer interrupt is an interrupt signal that. generated periodically in the system. The period time for this interrupt signal can be, for example, 30 ms. 3B, the process is called in block 322 In the block for a Referring now to Fig. When a multi-access timer interrupt is generated by the system. 324 the multi-access buffer regarding accesses is scanned 10 15 20 25 30 35 523 227 26 mobile station whose multiple access hours have expired. The system then proceeds to block 326 and executes the same subroutine for each mobile station whose multiple access hours have expired. In block 328, the system determines if more than one access from the mobile station. If only one access is stored in block 336, the single access is removed from the multi-access buffer and stored in the multi-access buffer. the multi-access buffer, the system proceeds to block 336. is transferred for normal processing of the system.

If in block 328 more than one access from a mobile station is found stored in the multi-access buffer, the system first goes to 330 where an intruder alarm. generated and. then to 332 where MIN / ESN- In block 334, relevant fraud information is removed, e.g. and location data, are provided to the system operator. the access from the multi-access buffer and is transferred for further processing which may include the refusal of service to the identified mobile station or the blocking of the service subscription for this mobile station. In block 338, the subroutine returns to the beginning of block 326 and is repeated for the next mobile station whose timer has expired. The system leaves the subroutine j. Block 340 when the multi-access buffer has been emptied of all accesses from mobile stations whose multi-access hours have expired.

E; M _. "M: Hr l As previously described, SCM is transmitted together with MIN / ESN at system access to enable the system to identify the operating parameters (ie transmission power, mode and frequency range). except for i. rare system access to the next.The power class of the mobile station should, for example, be the same for two consecutive accesses.

Exceptions may occur where, for example, a portable mobile station is configured as a vehicle-borne mobile station or an RF booster is connected to a portable station to increase its output power. Similarly, the frequency range of the mobile station, which may have initially been set to the base frequency band, can be reset to include the extended frequency band. With the exception of 10 15 20 25 30 35 523 227 27 n u ø Q | n for such isolated cases, however, the SCM information for a mobile station shall not be changed between two consecutive mobile station at one access and one vehicle-mounted mobile station access (eg the power class does not specify a portable at subsequent access from the same mobile station).

In accordance with the invention, SCM information transmitted from a particular mobile station (interconnected with a particular MIN / ESN pair) during a system access is compared with SCM information transmitted from the mobile station at another access. If the SCM information for the two accesses is different, fraud can be detected. In general, incorrect compliance in SCM information can occur either during multiple access or during normal call handling when the SCM information stored in the subscriber record differs from the previous access. The SCM information included in the access just received by the system. In both the presence of a fake mobile station. In this case, the variation in SCM information may signal Activity collision An activity collision occurs when the system determines that a mobile station has made several service orders at the same time.

The orders may have been received by a single MSC or by several different MSCs in a network. In an MSC, an activity collision occurs when a service request (eg an initial call, a registration, a search response or a cancellation order for a visitor record) is received from or for a mobile station while the mobile station is busy marked as already receiving service.

For example, the receipt of a registration attempt while the mobile phone is perceived by the system as being in use is an activity collision. At the network level, an activity collision can occur when the home system or CPR considers a mobile as active in a call in the service area of one MSC and still receives an indication that the mobile station is in the service area of another MSC, e.g. when CPR receives a registration message or a control message regarding a remote parameter. In conventional systems, conflicting registrations are always accepted. 10 15 20 25 30 35 525 227 n n »; - ~:; I «| »Now 28 For all other types of collisions, the system terminates the colliding accesses. conventional realizes In contrast to the invention, activity collisions can indicate that several systems according to mobile stations use the same identity. According to the invention, it is further understood that an occurring collision does not always involve fraud. Some collisions may be caused by other factors. For example, an activity collision can occur if an access seeker immediately after ending an not correctly detected that the call mobile station calls but the system is terminated and therefore still considers the mobile station as an active receiving service. Another example occurs when a voice channel used for a call picks up another call in progress on a joint channel. Before the co-channel interference, the user can decide to end the call and try again. Because. of 'the existing co-channel disturbance. however, the ongoing and access attempt will collide with the busy system may consider the interrupted call as still the selection.

In order to get over false collision indications whenever an access collides with a busy marking in an MSC, the previously marked to first verify the mobile station by transmitting a system is still connected to the voice channel.

Voice channel connection can be verified e.g. review signal to the mobile station via the front channel.

Fraud can be suspected if the mobile station returns an audit confirmation on the return talk channel. Furthermore, a collision in CPR shall trigger the cancellation of the visitor record in the previously serving MSC. automatically activate the process for verification of voice channels. the mobile station is still considered busy in calls. The result of the verification attempt must then be returned to the CPR. Based on the verification result, CPR can flag the colliding access as a security breach. 10 15 20 25 30 35 525 227 29 | a | An example of a collision detection scenario is shown in Fig. 4 which shows a network comprising two switches MSCa and MSCb. I busy in voice conversation via the nearest base station BS. the service area for MSCa is a first mobile station M1 Meanwhile, an access attempt is received from a second mobile station (MIN / ESN) identity as M1. The system retrieves tion M2 with the same corresponding subscriber record and finds M1 already busy.

At this point, the MSCa issues a review order over the number channel. the other access came from another mobile station with tion to be in conversation over the voice channel and at the same time broadcast access over the control channel.

Fig. 5 shows a flow chart of the process of detecting activity collision fraud that can be executed in an MSC operating in accordance with the invention. Block 502 calls the activity collision detection process upon receipt in the MSC of a request for system access from a mobile station. In step 504, the MSC identifies the mobile station making the access request and retrieves activity information for the mobile. The MSC then proceeds to step 506 where the activity information is examined to determine if the mobile is already equipped with another service. If the mobile is not provided with another service, the MSC proceeds to step 514 and proceeds with normal call handling procedures and in step 522 the MSC leaves the collision detection process.

However, if it is determined in step 506 that the mobile is provided with another service, the MSC proceeds to 508 and determines whether the mobile has already been assigned a voice channel and connected to it. If the mobile is not assigned or connected to a voice channel, the MSC proceeds to step 514 and continues with normal call handling and in step 522 the MSC leaves the collision- that the mobile has been assigned and connected to a voice channel, the MSC goes through the texting process. If. on the other hand, it is further determined to step 510 and performs a check to verify that the mobile is still connected to the voice channel. 10 l5 20 25 30 35 523 227 30> 1 v | | o en If connected to In step 512, the MSC evaluates the results of the audit. the review discovers that the mobile is not the voice channel, the MSC proceeds to step 514 and continues with 522 MSC If, however. the review normal call handling and in steps leaves the collision detection process. indicates that the mobile is still connected to the voice channel, the MSC proceeds to step 516 where an intruder alarm is generated. The MSC then proceeds to step 518 and provides information about suspected fraudulent activities to the system operator. In step 520, the received access is transferred for appropriate processing which may include refusing service to the mobile or blocking future use of the subscription. The MSC then leaves the collision detection process in step 522. 4, an activity collision 4, the MSCb may receive a With reference again to Fig. Also detected at the network level. In Fig. Origin call from a third mobile station M3 having the same identity as M1. The MSCb retrieves the corresponding subscriber profile from the home system or CPR, assigns a voice channel to the M3 and informs the CPR that the mobile is active in the MSCb. As a result, Mlz's previous activities in MSCa, however, CPR has noted MSCa as M1's current location. The new activity reporting from MSCb will now result in the mobile station's temporary location (TLOC) being set in CPR. Setting up TLOC means that the mobile station currently receives in a exchange where it has not previously been registered for service (ie is busy on calls). Because activity for the same mobile identity is reported from a new MSC, CPR orders the MSC to cancel the M1 subscriber record. If upon receipt of the cancellation order MSCa determines that M1 is stated to be active in its coverage area, MSCa will initiate a process for verification of a voice channel connection through the review process. If M1 still receives service in MSCa, M1 will respond with an audit confirmation. The MSCa can then postpone the execution of the cancellation order and return the result of the verification of the voice channel connection to the CPR. CPR can then flag this activity collision as a fraud incident 10 15 20 25 30 35 523 zzvšfïï fi ïïï 31 because it is not possible for a mobile station to actively receive service in more than one place.

Fig. 6 shows a flow chart of the process for detecting activity collision fraud that can be executed in a cellular network operating according to the invention. This process of detecting activity collision fraud is called in step 602 upon notification (home MSC and / or CPR) that a system access has been made somewhere in the network by (home) reception in the home system by one of its own subscribers. This access can be of some kind that is transmitted on a control channel (eg a registration request, a call set-up request, a called or unannounced paging answer or a service call). In step 604, the subscription of the mobile transmitting access is identified and activity information is retrieved about the mobile. In step 606, the home system determines if a temporary location (TLOC) is set for this mobile station. If the temporary location is not set, the mobile is not busy in another call and the home system proceeds to step 626 where the call is handled normally. The home system exits the collision detection process in step 632.

If in step 606 it is determined that a temporary location is set, the home system proceeds to step 608 and determines if the switch reporting the current activity is the same as that indicated by the temporary location value. If so, the home system proceeds to step 626 and the call is handled normally. However, if the switch that reports the current activity and the switch indicated by the temporary location are different, the home system proceeds to step 610 and orders the cancellation of the mobile's visitor record in the temporary location switch. In step 612, the home system waits for a response while the temporary location MSC processes the cancellation order. 614 the temporary location ~ MSC In step receives the cancellation order, identifies the mobile and retrieves activity ~ 10 15 20 25 30 35 525 227 32 status of the mobile in this MSC. In step 616, the temporary location MDC determines whether the activity status indicates that the mobile is busy on calls. If the activity status indicates that the location MSC proceeds to step 618 and examines the mobile step 620 the mobile is busy on call, the temporary tion goes to verify the voice channel connection. In, the temporary location MSC sends information about the voice channel connection as well as activity status in a cancellation order response to the home system. However, if in step 616 the activity status indicates that the mobile is not busy in calls, the temporary location MSC jumps to step 620 and returns only the activity status in the cancellation order response back to the home system.

In step 622, the home system receives the cancellation command response from the temporary location MSC and proceeds to step 624 where the cancellation command response is evaluated to determine if the mobile is still busy. in conversation in it. temporary location switch. If the answer indicates that the mobile is not busy with calls, the home system proceeds to step 626 and the call is processed normally. In step 632, the network leaves the process of detecting activity collision. If in step 624 the cancellation response indicates that the mobile is busy in calls, the home system generates an intruder alarm in step 628 and then delivers information about near-fraudulent activity to affected system operators in step 630. In step 632 the network leaves the activity collision detection process.

F ".1...

A mobile registration mechanism is used in cellular systems for two primary reasons. First, registration allows a system to keep track of the location of mobile stations to enable the routing of incoming calls to them. Secondly, registration allows the system to determine whether a mobile station is active (switched on and within the radio area) in the system.

Incoming calls to inactive mobile stations can be routed “The mobile subscriber you have to a recorded message (eg 10 15 20 25 30 35 enn nan nn nn nnnn I n» nn nn nnn nnn nn = z = = -. ~ 0 nnon; n 33 nnnon called has disconnected from his mobile or moved out of the service area ”) in order to avoid having to search these mobile stations to only find that they are inactive (ie. no search response). Elimination of these unnecessary searches results in more efficient use of the limited control channel capacity.

A mobile station can register either autonomously or non-autonomously. Autonomous registration takes place automatically without user intervention. Non-autonomous registration on the other hand is initiated by the user. Existing cellular systems support three types of autonomous registration, namely system area registration, location area registration and periodic registration. and that the System area registration Location area registration functions a mobile station may register when it enters a new system area or a new location area (an exception to system area registration is the mobile station with multi-system memory which stores system identification for a number of systems in which it has recently been registered and can therefore move between these systems without registration). The periodic registration function causes the mobile station to register at predetermined time intervals defined by the system operator.

Referring to Fig. 7, the different types of registration functions are shown. In Fig. 7, two adjacent cellular system areas A and B contain location areas LA1-LA3 and LB1-LB3, respectively, the example shown in Fig. 7 registers M1 when passing through in which the mobile stations M1-M3 can move. In the boundary line between LA2 and LA3 (location area registration). M2 registers when it crosses the boundary line between LA1, which is located in system area A, and LB1, which is located in M3, this system area B (system area registration) moves. in LB3 and registers periodically within the localization area (periodic registration).

When the periodic registration function is activated in a 10 15 20 25 30 35 n »n: v» u vvn v o vi 00 v v. U; 1 u a n. N; g v! I _,. o. -. n | u n I OI m; nu u u: v n y - n I I I -, n v X u x. n; u n; n a, .v. 4 ::; == Yen 'II location area in the system, mobile phones with autonomous registration must register at predefined regular intervals while in this location area. The parameters that control the periodic registration function include the registration function status bit (REGH or REGR), the registration identification number (REGID), the registration increment (REGINCR). The status bit REGH or REGR and indicates whether periodic registration is activated for home subscribers or roaming subscribers. REGINCR defines the length of the periodic registration interval (how often registration should take place). step for each REGID message sent to the mobile station REGID is a 20-bit counter that is incremented by one (this counter corresponds to a system clock that reflects the current time). message train (OMT) on the forward control channel from the base station (BS) (MS) These parameters are transmitted in a parent to the mobile station as generally shown in Fig. 8.

The mobile station stores the last received REGID value in a temporary memory and stores j. A semi-permanent memory the last received REGINCR value and a value on the next registration (NXTREG) which is calculated by the mobile station by adding REGID and REGINCR (the values on REGINCR and NXTREG is held by the mobile station for a certain time, eg 48 hours according to EIA-553, the mobile station assigns a default value of 450 to REGINCR as well as the value zero to NXTREG.The system sends REGID and REGINCR at regular intervals. of the first even after the mobile is switched off). When initializing the REGID / REGINCR message after initialization, the mobile phone stores these values in a suitable memory.

Each reception of a REGID message in the mobile station triggers the periodic registration determination (register or not). When receiving a REGID message, the mobile station checks whether the REGID value during the step has passed zero. If so, set NXTREG to MAX [O, NXTREG-2 ** 20].

The mobile station then compares the last received REGID value with the stored value for NXTREG. If REGID is greater than or equal to the stored NXTREG, the mobile station performs a registration access as generally shown in Fig. 8. If the system confirms the registration, the mobile station updates the NXTREG with the value of the most recently received REGID plus REGINCR. If the registration attempt is not successful, the mobile will try to register again after a random selection delay by setting the NXTREG value to the value of REGID plus a random number (NRANDOM). When making or receiving calls, the mobile station NXTREG updates, as described above, after each successful assignment of voice channel (because by making or receiving a call a mobile shows activity, dialed and received calls are treated as normal recordings).

The invention uses the periodic recording to detect fraud. More specifically, fraud can be suspected when a periodic registration access arrives from a mobile phone prematurely, the time of registration. For detection of early registration, ie before the determined next ring in a location area where periodic registration is active, the system for each mobile subscriber can retain the latest registration type (periodic, forced, etc.), the latest registration access time (REGID value at the time of the most recent the registration) and the location registration identity (LOCAID) last registration originated. The arrival of a new registration for the locating area from which the call from the same locating area will trigger a comparison of the arrival time with the expected next registration time (or alternatively a comparison between the elapsed time since last registration and the REGINCR registration period). The arrival time can be the time of registration, the time of or, for incoming or outgoing calls, the voice channel assignment. The expected next registration time can be estimated as the sum of REGINCR and REGID at the time of the most recent registration. An early registration is indicated when a new registration access arrives before the expected next registration period (or alternatively when the time interval between the previous registration and the 10 15 20 25 30 35 523 227 .š. ". =: I = lI = 36 the current registration is less than the registration period).

Fig. 9A graphically shows a premature registration. In Fig. 9A, the vertical axis represents the value of the REGID most recently received by a particular mobile station, while the horizontal axis represents current time in the system. For simplicity, all mobile records listed in Fig. 9A are assumed to come from a single location area in the system. The most recent registration access from this mobile station took place at the time tl when REGID was equal to NXTREGl. At tl, the mobile calculated the next registration time NXTREG2 (= REGID at tl + REGINCR) = t3 and kept this in memory. Similarly, the system expects the next registration from this mobile station at time t3. At time t2, however, the system receives a registration access from the same mobile station. Since t2 is earlier than t3, the mobile that made the early access must have estimated a next registration time (NXTREGX) that is different from NXTREG2. The new registration at t2 is therefore an early registration that raises the possibility that the new registration was made by another (cloned) mobile station with the same identity as the first mobile station that registered at t1.

Fig. 9B shows a scenario with early registration in which a call is received between periodic registrations. The timeline of Fig. 9B is analogous to that of Fig. 9A. In Fig. 9B, a mobile station registers at time t1 and its next registration is expected at (t1 + T), where T = REGINCR. A call arrives at the time t2 before (t1 + T) and the system recalculates the next registration time to become (t2 + T). A registration then arrives at t3. Because the system did not expect a registration before (t2 + T), the new registration is flagged as premature.

The process. for the detection of fraud in the form of early registration according to the invention is shown in the flow chart in Fig. 10. In block 1002, the fraud detection process for early registration is called when the system receives one. request for registration access. In step 1004, the system identifies the mobile station requesting registration access and retrieves activity information for this mobile in this system. In step 1006, the system determines whether the received request for registration access is a periodic registration. If the access request is not a periodic registration, the system jumps to step 1018 and records the time (REGID) and identification (LOCAID) The system then proceeds to step 1020 and manages the access for the access request location area. in the normal way. In step 1026, the system exits the fraud detection process for early registration.

If in step 1006 the request for registration access is found to be a periodic registration, the system proceeds to step 1008 and examines the activity information to determine if the mobile has been registered in this system before. If the nmbile has not been registered in the system before, the system goes to step 1018 and records REGID and LOCAID for the request to register cess. The system then proceeds to step 1020, accessing normally and leaving the process in step 1026.

If it is found in step 1008 that the mobile has previously been registered in this system, the system proceeds to step 1010 and receives from the mobile's activity information REGID and LOCAID at the time of the last registration. In step 1012, the LOCAID values for the current and most recent registration access are compared. If the LOCAID values are different, the system proceeds to step 1018 and records REGID and LOCAID for the current registration success. The system then proceeds to step 1020, handles access in the normal way and leaves the process in step 1026.

If in step 1012 it is found that the LOCAID values for current and last registration access are equal, the system proceeds to step 1014 where an expected next registration time is calculated as the sum of REGINCR and REGID at the time of last registration.

The system then proceeds to step 1016 and determines if the current registration access is premature, ie if the time of the current registration access is earlier than the expected time. next registration time. If the current registration access is not premature, the system goes to step 1018 REGID and LOCAID current registration access. The system then proceeds to step 10 and records for it 1020, handles the call normally and leaves the process in step 1026.

If in step 1016 the current registration access is found prematurely, the system goes to step 1022 and issues an intrusion. This is followed by a step 1024 where information about suspected fraudulent activity to the system operator alarm. the system emits törend In step 1026 leaves the system. the process of early registration and returns to monitoring the control channels regarding additional orders for registration access from mobiles.

It should be noted that there are a limited number of situations where the fraud detection process for early registration according to the invention may indicate fraud when the early registration is due to other factors. For example, a mobile station may re-register prematurely in the event of a strike before the next registration time it finds that stored registration data is distorted and therefore makes a registration access.

Another example is when the mobile station enters a new location area and tries to register, but the registration attempt fails. When it tries to register again, the mobile station again scans the control channels and tunes to the control channel in the old location area and then sends a registration message on this control channel before the next registration time is calculated while it was in the old location area. However, these irregular early registrations are likely to be relatively rare in practice and should not adversely affect the overall usefulness of the early detection fraud detection process of the invention. review 10 15 20 25 30 35 523 227 39 Through the review function and across the ether interface, a cellular system may request that a mobile station indicate its position without the user's knowledge. The review procedure can be performed over a control channel or over a voice channel (analog or digital) shown in Fig. 11. A base station (BS) sends to a mobile station (MS) a review order on the forward control channel (FOCC) or the forwarding channel (FVC) received on FOCC or FVC by sending to BS a review and MS responds to the review order in response to the return control channel (RECC ) or an order confirmation on the return channel (RVC).

The scan function can be used to detect the presence of several mobile stations with the same identity. Whenever a mobile station requests access from a new location area, for example, a review order can be issued to verify that the mobile station is in the previous location area. If the mobile phone answers from the previous area, fraud can be suspected.

There are many situations where scrutiny can be used to detect fraud. Some of these situations require an examination of the control channel, while others require an examination of the speech channel. Eg. As described above, an activity collision with a mobile station engaged in calls may require review of this mobile station on the voice channel. Examination of the control channel An unreasonable load on it can, on the other hand, mean limited control channel capacity. Thus, it is preferred to use control channel review only in more suspicious situations including the following cases (in each such situation the receipt of one or more review responses will indicate fraud): (a) as a fraud area (frequently reported fraud events) area known, the presence of the mobile station in the previous area is examined. (b) where it has not previously been registered, the mobile station's whenever a mobile station makes a call from a switching presence in the switching station where it was last registered. 10 15 20 25 30 35 523 227 40 (c) two separate location areas within a time period that is Whenever two consecutive registrations are made from less than the minimum time required for movement between these two locations, the mobile station's presence in the location areas where the registrations are accepted is examined.

Fig. 12 shows the use of the audit procedure to detect fraud at the switch level and network level. In Fig. 12, a first mobile station M1 makes a call access in the service area of the MSCa. In the first example (switch level), M1 is currently assumed to be registered in MSCa and the access is assumed to have come from a known fraud area. Due to suspicion of activity from a fraud area, MSCa examines M1 in its previously registered area. Assuming that a response is received from a second mobile station M2 with the same identity as M1, fraud is detected in the exchange.

In the second example (network level), M1 is assumed to be currently registered in MCSb. As a result of the call access activity for M1 in MCSb, the home system orders MCSb to cancel the subscriber subscription for M1. Upon receipt of the cancellation order, MCSb M1 checks in its last known (registered) position whether the mobile station is still considered active. Assume now that the MCSb receives a review response from a third mobile station M3 having the same identity as the M1. This audit result is then transmitted to the home system which announces fraud.

Operator-initiated location When fraud is detected e.g. through any of the fraud detection mechanisms of the invention, it may be useful to verify the presence and identify the location of mobile target stations before any remedial action is taken. In conventional cellular systems, the determination of the exact position of the mobile station is initiated automatically when the call is ended. The invention provides an operator-initiated aid for determining the position of the mobile station by a command. This aid enables the system operator to search for and verify the existence of the mobile target station in a particular area before taking any action against the fraud. The operator has the opportunity to specify a search area, e.g. MSC service areas, location areas or individual cells. When the search area is not specified, the last known area retained by the system can be used as the default value for the search area.

The search command (location) can be issued by the operator either in the operating gear or in the home system. The issuance of a localization command in the home system triggers the sending of one to the MSC. The MSC location command will send a review order. If the search request specified as receiving the mobile destination station is found to be active in calls, the review order will be sent on the voice channel to confirm that the mobile is still connected. Otherwise, the review order will be sent via the control channel. From the response to the review order, the system can determine the activity status and geographical location of the target station. In the case of several answers, answers are collected regarding all those (cell identity or coordinates) for the mobile detected locations. This information is returned to the home system (if the location command is issued by the home system) and reported to the operator.

An example of a location procedure according to the invention can be described with general reference to Fig. 12. In this example, the home system alerts the operator of an activity collision where the mobile station M1 and the switches MSCa and MSCb are involved.

Assume that the current activity of the mobile is in the service area of MSCa and its most recent activity was in the service area of MSCb.

The operator issues a localization command from the home system to the MSCa and MSCb. the subscriber dormant and sends the review order over the strengths- When the search request. received 'MSCa now Assume that a review response is received by MSCa from MSCa len. then returns the location-related mobile station. information to the home system. 10 15 20 25 30 35 523 227 Ézš 42 As there is no subscriber record for the mobile station M1 in the MSCb (the record has been canceled sonx as a result of the mobile activity in the service area for the MSCa), the MSCb in the meantime issues a review order over the control channel in each of the cells in its service area. Now assume that several audit responses are received by MSCs from multiple locations. The MSCb then transmits location-related information to the home system. The home system makes all location-related information received from MSCa and MSCb available to the operator. At this point, the operator has not only validated the suspicion of fraud but has found several cloned stations and has received specific information regarding the situation of each of the perpetrators.

Fig. 13 shows a flow chart with steps executed by (home MSC or CPR) (MSC) participating in the operator-initiated location process according to the home system and at least one switch as the invention. II block 1302 is called. operator-initiated locating process when an operator issues a command in the home system to locate the position of a particular mobile station. In step 1304, the home system identifies the mobile station and retrieves activity information for that mobile station. In step 1306, the home system determines if the operator has specified the switch where the mobile is to be searched. If the operator has not specified the switch, the system proceeds to step 1308 where it retrieves the latest location information (LOCAID) for this mobile based on the mobile activity information and then issues a search request to the MSC controlling this location area. If the operator is found to have specified a search switch, the system proceeds to step 1310 and issues a search request to the MSC specified by the operator. In step 1312, the home system waits for a response from the exchange to which the search request is sent.

In step 1314, it identifies. MSC who, received the search request mobile station and retrieves activity information about this mobile.

This MSC then proceeds to step 1316 and determines from the activity information if the mobile is busy in calls. If the mobile is busy in calls, the MSC proceeds to step 1318 and examines the mobile on the voice channel assigned for the call. If the mobile is not engaged in calls, the MSC goes to step 1332 and examines the mobile on the control channel.A response to the control on the control channel can be received over the control channel on the MSC that sent the review order or, if the mobile station has re-scanned and tuned to the control channel on a nearby MSC In the former case, in the former case the answer is called "a called answer" while an answer in the latter case is called "an unallocated answer".

In step 1320, the MSC that received the order confirmation, or the called or non-called audit response, returns to include for each response the returned or acknowledgment audit result the home system. the mobile activity's activity status and geographical location. In step 1322, the home system receives the review result and proceeds to step 1324 where the review responses are placed in a table for a 100 ms) sufficient to Vid. the end of this time goes to a predetermined time period (eg filter out multiple accesses. the home system proceeds to step 1326 and determines if more than one review confirmation or response has been received. If only one review confirmation or response is received, the home system proceeds to step 1328 and provides location information) If more than one audit confirmation or response is received, the home system goes to step 1334 where it generates an intruder alarm, and also provides information regarding suspected fraud to the operator.

The location process is left in block 1330. ° r in v a 'v' Mobile stations with the same (MIN / ESN) identity may not always be active at the same time. Instead, their activities may be randomly distributed over different time periods and. locations within the service area for one or more switches. According to the invention, fraud can be detected by tracking activities for a given mobile station for a period of time. During this time period, data is collected concerning one or more aspects of the mobile station's activities (eg activity type, activity time, activity location, activity frequency, etc.) which could lead to fraud being detected. Through post-processing means, collected data can be analyzed to determine or substantiate fraud. For example, activity time and location data can be used to determine if the time between mobile station activities from two different locations is significantly less than the normal time required to travel at motorway speeds (eg between these two locations. Fraud can be detected if the analysis shows that the distance between the two places is greater than the maximum distance that could be traversed by the mobile with the given time between the activities.

The system operator can select both the type of activity (eg registrations, call requests, call requests, etc.) and the specific subscribers to be tracked. Subscribers can be selected for tracking either on an individual subscriber basis where selected subscribers are tracked in any network or system area to which they can travel and receive service or on the basis of a special geographical region where selected subscribers are tracked only when they receive service in a particular area. or cell). Tracking across networks or systems is useful in detecting or proving the use of a particular subscription, while location-based or monitoring areas suspected of having a fraud rate that cell-based tracking allows the operator to accurately exceed is normal.

For tracking on an individual basis, subscribers can be marked with a subscriber tracking class by adding an activity tracking parameter (MAT) for the mobile to the service profiles in the subscriber database in their home system (home MSC or CPR). The MAT parameter forms part of the service profile for each mobile station in the subscriber tracking class. and. sent to. the operating gear in the usual way (ie when the service profile is requested by the operating gear or by the home gear). Individual tracking is activated or deactivated for each subscriber in the tracking class by operator commands in the home system.

For tracking on a regional basis, the regions to be tracked may be marked with a tracking parameter (RAT) for regional activity in the governing MSC. Regional tracking is activated when a subscriber accesses a RAT-marked area. Enabling tracking in a particular area enables tracking for all active subscribers in that region, including all subscribers in the tracking class. Thus, activation on regional bsis also entails activation of tracking on an individual basis for each subscriber in the tracking class that makes access in the activated tracking region. The serving exchange informs the home system of the tracking activation for home subscribers roaming in the area of the serving exchange. Regional tracking is automatically deactivated for a subscriber who is tracked on a regional basis as soon as the subscriber makes access from a non-RAT-marked area.

In conventional cellular systenx is always reported. certain mobile station activities in. a visited system. (eg first registration or first call request) to the home system.

In accordance with the invention, however, whenever the subscriber tracking class is activated service switch will continuously report all mobile activities selected for tracking to the home system. This information can be sent to the home system as part of the automatic roaming signaling which transmits information about various mobile activities in the visited system (eg registration message, registration cancellation, remote control of function and message about inactive network subscriber stations specified in IS-41) . Activity reporting ends when tracking is disabled by an operator command (or when a tracking timer has expired) in the home system or by a mobile station accessing a region that is not RAT marked.

In general, the tracking function provided by the invention operates in the following manner. To begin with 10 15 20 25 30 35 523 227 ï “46 the home system activates the tracking function and specifies the activities to be tracked. The subscribers who require tracking are then assigned to the Mobile Activity Tracking (MAT) group by entering the MAT parameter in their service profiles. When a subscriber roams outside his home exchange, the tracking group is transferred to the serving exchange together with other information in the subscriber's service profile. In the operating gear, the regions selected for tracking are marked with the RAT parameter. When a mobile activity selected for tracking is detected and the subscriber's tracking group is activated, the switching station immediately reports this activity to the home system. When a mobile roams in a region where the RAT parameter is activated, the operating switch activates tracking of this subscriber and starts reporting the mobile's activities to the home system. Regional tracking is disabled when this subscriber accesses a region that is not tracked. The home system checks all signaling related to the activities specified for tracking and collects the data elements required for fraud analysis. These data elements should include information sufficient for identification MIN / ESN) information related to activity time, of the subscription (eg and activity status (eg activity type, activity location, dialed number, etc).

Fig. 14 shows tracking of subscriber activity in accordance with the invention. Four mobile stations M1-M4 are shown in Fig. 14 roaming in the service area for MSCa or MSCb. The mobile stations M1-M3 are assumed to be registered in MSCa while the mobile station M4 is not assumed to be registered in either MSCa or in MSCb.

In this example, M1 and M2 are assumed to be subscribers from the home system that are now roaming in the service area for MSCa. The home system is assumed to have assigned both M1 and M2 to the tracking group and to have specified tracking for two activities, call request and registration. In MSCa, tracking has been activated for cells A1 and A2 (shown as shaded regions).

With further reference to Fig. 14, M1 requests a call while 10 15 20 25 30 35 o: no oo oo non oo oo oo o »p oo oo on nu nu '- s -. o o o o o n: o u: man but .o it is in the service area for MSCa. Because Mlz's tracking group is enabled, the MSCa reports this activity to the current location, the time of the call request, and dialed the home system along with information such as Mlz's number. This activity information is logged in a format suitable for later processing in the home system. The MSCb then detects a registration from M3 which is assumed to have the same identity as M1. Since MSCb does not have a subscriber record for M3 (M3 was assumed to be registered in MSCa), the subscriber profile (with the tracking group) is retrieved from the home system. When the registration has been accepted, a registration message is sent to the home system with tracking-related data. This activity is also logged in the home system. The home system continues to record data relating to specified activities for the subscriber in the same manner.

To illustrate regional (in this case cell-based) tracking, it is assumed that M2 wanders into cell A2, where tracking is activated, and makes a call request. The MSCa receives the call and checks the subscriber profile for M2 (M2 was currently assumed to be registered in the MSCa which therefore already has the subscriber profile).

From the subscriber profile, the MSCa determines that M2 is assigned to the tracking group. Because M2 has placed a call from a (cell A2) tracking by M2 and the region being tracked, the MSCa automatically informs the home system. The home system then starts logging M2's activities. Assume that M4, which has the same identity as M2, requests a call from another cell that is not tracked. MSCa then deactivates tracking for M2 and reports this to the home system together with the call access information. This activity is also logged in the home system. If M2 makes another access at a later time from the tracked cell A2, the activity will be logged in a similar way.

The logging of the M2 activity tracking of the home system could continue until it is interrupted by an operator command or by the expiration of a tracking timer in the home system or by the detection of an access from M2 or M4 in a region where tracking is not activated. Fig. 15 shows the process for assigning subscribers to a tracking group in the home system. The process begins in step 1502 and proceeds to step 1504 where a suspicious subscription is selected from a subscriber tracking list. A given subscription can be listed, for example, as a result of scrutiny by means of one or more of the fraud detection mechanisms according to the invention. In step 1506, the home system determines if the subscriber selected from the list is a home subscriber. If the selected subscriber is not a home subscriber, the home system jumps to step 1510.

However, if the subscriber is a home subscriber, the home system proceeds to step 1508 and. attributes the home subscriber to. The FOOD group. From step 1508, the home system goes to step 1510 and determines if there are more suspicious subscriptions on the list. If there are more suspicious subscriptions, the home system returns to step 1504. If subscriptions are tracked, the home system goes to step 1512 and leaves, however, there are no more suspicious MAT mapping processes.

Fig. 16 shows the process of tracking activation in regions (cells or localization areas) within the service area of a system. The system starts in step 1602 and then goes to step 1604 where a suspect region is selected from a region tracking list. A given region can be listed, for example, if an unusually large number of mobile stations are reported to have been stolen in this region.

In step 1606, the system assigns a tracking activity (RAT) for region activity to the selected region to mark it as a fraud region. In step 1608, the system determines if more suspicious regions are on the list. If more suspicious regions are on the list, the system returns to step 1604. However, if no more suspicious regions remain, the system exits the RAT assignment process in step 1610.

Fig. 17 shows a flow chart illustrating the interaction between a serving system and a home system during tracking of subscriber activity in accordance with the invention.

The tracking function is called in block 1702 when the operating system detects an activity (access) from a mobile station. In step 1704, the mobile station is identified as a roaming subscriber and its service profile is retrieved from the home system. In step 1706, the system determines if the mobile station was made for tracking (MAT assigned to the mobile station) or if access was detected from a fraud region (RAT assigned to the region).

If the mobile is not marked for tracking and access has not been detected from a fraud region, the system goes to step 1710 and reports any information regarding this access that is usually transmitted to the home system (eg information on first registration or first call request). The serving system then proceeds to step 1712 where it updates the internal subscriber record with relevant activity information (eg mobile identity, test time, activity type, activity location, activity, etc.). If in step 1706 it is determined that the mobile has been marked for tracking or that its activity originated from a fraud region, the system goes to step 1708 and reports the activity and relevant fraud related information (eg mobile identity, test time, etc.) to the home system. The operating system goes activity type, activity location, activity to step 1712 where it updates its subscriber record with similar activity information.

In step 1714, the home system receives the activity information reported by the serving system in steps 1708 or 1710. As previously described, this activity information may be transmitted by automatic roaming messages. In step 1716, the home system identifies the subscription and retrieves the subscriber profile. In step 1718, the home system determines if the reported activity is selected for tracking. If the activity is not selected for tracking, the system jumps to step 1724 and updates the subscriber record with the received activity information.

The home system then goes from step 1724 to step 1726 and goes back to process other tasks.

If in step 1718 it is determined that the activity is actually selected for tracking, the home system goes to step 1720 and determines if the mobile 10 15 20 25 30 35 523 227 50 has been assigned to the tracking group (MAT included in the service profile) and if the current or most recent report activity originated in a fraud region. If it is found that the mobile is in the tracking group and if the current or most recently reported activity originates from a fraud region, the home system goes to 1722. In step 1722, the home system provides information regarding the mobile's activity to the system operator for tracking subscriber activity. The home system then proceeds to step 1724 and updates the subscriber record with the received activity information. The home system also goes directly to step 1724 if in step 1720 it finds that the mobile is not in the tracking group or that the current or most recently reported activity did not originate from a fraud region. From step 1724, the home system goes to step 1726 and returns for processing other data.

Fraud management When misuse of subscriptions is detected in accordance with the techniques according to the invention, the affected system operator has a number of possibilities for response action. For example, the system operator may choose to block the suspected subscriber from making or receiving calls or restrict him or her from making long distance calls until the location or authenticity of the mobile station can be verified either by contacting the subscriber directly or by using one or more of the techniques previously described (operator-initiated location or tracking of subscriber activity). When misuse of may assign a new MIN to the legitimate subscriber and / or have the subscription confirmed the system operator ESN for his or her mobile station changed. The system operator can then include the fake ESN in a block list to refuse service permanently (note that blocking ESN is not appropriate if ESN rotation is used because during the rotation any valid MIN / ESN combination can be selected in the system and over time the whole area with valid ESN could be blocked, at least in theory). w 10 15 20 25 30 35 525 227 51 Fr N ur r A network enhanced by one or more of the anti-fraud features of the invention, including multi-access detection mechanisms, activity collision and early registration as well as review, operator-initiated location and subscriber activity tracking allows that system operators can: (a) Detect and obtain a report of suspected fraudulent activities. (b) Track activities for specific subscribers. (c) Identify and collect data elements related to fraudulent and / or traced activities for further analysis. (d) subscribers. (e) cancellations of roaming agreements.

Locate a mobile's location in the network without notifying Improve subscriber service that may be adversely affected by (f) Receive an indication of the size of the fraud problem. (g) Receive real-time information. if. where and when fraud occurs. (h) Reduce money losses that may occur. (i) Achieve a deterrent effect against fraud as network operators increasingly refuse service. (j) subscribers as the anti-fraud enhanced system is Attract additional subscribers and retain existing more secure, intelligent and commercially attractive ones.

It will be readily appreciated by those skilled in the art that anti-fraud techniques of the invention may be used in combination or independently. It will also be appreciated that the foregoing detailed description shows only certain exemplary embodiments of the invention and that many modifications and variations may be made in these embodiments without substantially departing from the spirit of the invention. Accordingly, the described embodiments are exemplary only and are not intended to limit the scope of the invention as defined in the appended claims.

Claims (11)

. 1 »| .e 523 227 52, PATENTKRAV 1. l. Method for detecting fraud in a radio communication system which communicates with a number of mobile stations via a number of radio frequency (RF) channels, each of the mobile stations transmitting identification data for the mobile upon access to the system and each of the RF channels being designated with channel identification data, the method comprising the steps of: receiving in the system a first system access over a first RF channel; characterized in receiving in the system a second system access over a second RF channel, the second system access having the same mobile identification data as the first system access; comparing channel identification data for the first and second RF channels, and detecting fraud if the channel identification data for the first and second RF channels do not match. Method according to claim 1, wherein the radio communication system is a cellular radiotelephony system, characterized in that the RF channels consist of control channels in the cellular system and that the mobile identification data comprises a mobile identification number (MIN), an electronic serial number (ESN) and a station class marking (SCM). , and that the channel identification data includes a channel number (CHN) and a digital color code (DCC). Method according to claim 2, characterized in that each of the first and second system accesses comprises a registration, a call request, a called search answer, an unallocated search answer or a service call. Method according to claim 2, characterized in that the CHN and DCC for the first system access are first stored in an fl era access buffer and then retrieved for introduction with CHN and DCC for the second system access. »- i ~» u 525 227 sz »m» o: Method according to claim 4, characterized by measuring the signal strength (SS) for the first and second system accesses, and storing in the buffer DI-IN, DCC and SS for the system access having the highest signal strength and rejecting the second system access if CHN and The DCC of the second RF channel corresponds to CHN resp. DCC for the first RF channel. Method according to claim 5, characterized in that storage in the buffer CHN, DCC and SS for the second system access if either CHN or DCC for the second RF channel does not correspond to CHN resp. DCC for the first RF channel. A method for detecting fraud in a cellular radiotelephony system comprising a switch which communicates with a number of mobile stations via a number of radio frequency (RF) channels, which comprises at least one voice channel and at least one control channel, the method comprising the steps of: receiving at the switch a system access over a control channel in the system; characterized by identifying which mobile station performs the system access; determining whether the identified mobile station is currently connected to a voice channel in the system; if the identified mobile station is stated to be currently connected to the voice channel, sending to the identified mobile station a review order over the voice channel for the purpose of verifying whether the identified mobile station is still connected to the voice channel; and detecting fraud if a response to the review order is received from the identified mobile station over the voice channel, thereby verifying that the identified mobile station is still connected to the voice channel. Method according to claim 7, characterized in that the system access comprises a registration, a call request, a called search answer, an unallocated search answer or a service call. Method according to claim 7, characterized in that the step of determining whether the identified mobile station is stated to be currently connected to a voice channel in the system comprises the step of determining whether the identified oo ooo »no o oo ooo no ou oooo oo ovn oo o - o ooo = = _:. z o r o a o: o o o o oo oo o o o o o o o o o o o o o o o o o o o o o o o o o o o »oo oo o oo S4 The mobile station is busy marked in a home location register (CPR) connected to the exchange. A method for detecting fraud in a radio communication system, which communicates with a number of mobile stations, each of which transmits a mobile identification number (MIN), an electronic serial number (SCM) and a station class marker (SCM), when accessing the system, wherein the method comprises the steps of receiving in the system a first system access comprising MIN, ESN and SCM for the mobile station, characterized in receiving in the system a second system access comprising the same MIN and ESN as in the first system access, comparing SCM in the second system access with SCM in the first, and to detect fraud if SCM in the first and second system accesses do not match. A method according to claim 10, wherein the radio communication system is a cellular radiotelephony system, characterized in that the SCM comprises data identifying the power class, transmission mode or frequency range of the mobile station, and that each of the first and second system accesses comprises a registration, a called paging response, an unannounced search answer or a service call.