by Sharon Florentine

Sprint calls on open source analytics to prevent cyberfraud

Aug 16, 2018
CIO 100 | IT Leadership | Open Source

Sprint’s open source Elastic Stack analytics implementation helped the mobile device and network provider reduce mobile phone fraud by 90 percent.


Mobile phone-related fraud is big business. Fraudsters, hackers, and other bad actors employ creative techniques to compromise networks, hijack user information, and piece together customer identities that are then sold for big bucks on the dark web. To protect its customers, Sprint needed to transform the way it detected and blocked fraudulent activity.

“In the mobile phone business, there’s no markup on selling devices — our bread and butter is the network and the services that are delivered on that network, through the devices,” says Scott Rice, CIO of Sprint. “Identity theft is a huge problem and the ability for nefarious actors to use that theft of information to impersonate our customers means we were eating the costs of the devices and the costs of services delivery.”

Sprint’s fraud management team, led by Helen Schallenberg-Tillhof, director of fraud management, with support and guidance from Rice and members of IT and the company’s project management and compliance divisions, knew they needed a better way to quickly identify and stop fraudulent activity before customer data was exposed. By implementing a set of open source monitoring, data analysis, and search tools using Elastic Stack, Sprint was able to identify, search, monitor, and analyze data from multiple sources and formats. The anti-fraud system, which received a CIO 100 Award in IT Excellence, has completely transformed how Sprint detects and blocks fraudulent activity, Rice says.

The power of open source

“When you’re selling tens of thousands of items a day, we needed a way to identify nefarious activities. Elastic Stack allows us to monitor activity on our system stack and to identify fraudulent activity trends,” Rice says. “Are we seeing a run on a certain device being purchased? Where does a certain IP address come from? Then, we can quickly decide, ‘Someone just ordered three iPhones — but is it fraud? Do we need to shut that transaction down?’ and send out an alert one way or the other.”

Sprint already used Elastic Stack and Elastic’s X-Pack commercial extensions throughout its organization for data ingest, search, logging, and analytics, Rice says. Because it’s open source and because of Sprint’s successful implementation of Elastic Stack in other areas of the business, it was a logical solution to tackle the challenge of fraud prevention, Rice says.

“One challenge that we face is the magnitude of the problem. We have terabytes of data streaming daily; hundreds or thousands of potential fraud alerts that can take teams of people hours or even days to comb through. Off-the-shelf security solutions require immense customization that was difficult to adapt and couldn’t keep up with the pace of fraudsters’ ever-changing behavior,” he says.

Cybercriminals often attack when they believe their targets are busy, or when their target’s attention is diverted elsewhere. They’re also constantly evolving their methods, Rice says. The Elastic Stack solution streamlined the process of data analysis so that Sprint’s IT, fraud management, and compliance teams could first watch and understand normal customer behavior. Once that was determined, it was much more obvious when anomalous or atypical behavior that could indicate fraud was occurring, Rice says.

“For example, the day a new iPhone is launched, we tend to see a spike in fraudulent activity. The fraudsters come after us because our customer volumes are so high they think they can slip into our systems unnoticed. With Elastic, we can find and tag the behavior and shut it down immediately,” Rice says.
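The baseline-then-anomaly approach Rice describes, reduced to its two simplest checks as an added illustration (not Sprint's or Elastic's code): learn the normal daily order rate for a device model, flag a day whose count runs far above it, and flag any source IP placing several device orders in one day. The order events, IP addresses and account names are constructed sample data.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample order events, not Sprint data: (day, device, source_ip, account)
ORDERS = []
for day in range(1, 6):                     # five ordinary days, two orders each from distinct IPs
    for i in range(2):
        ORDERS.append((day, "iphone", f"198.51.100.{day * 10 + i}", f"acct-{day}{i}"))
ORDERS += [                                 # day 6: launch-day spike, one IP ordering three devices
    (6, "iphone", "203.0.113.7", "acct-a"),
    (6, "iphone", "203.0.113.7", "acct-b"),
    (6, "iphone", "203.0.113.7", "acct-c"),
] + [(6, "iphone", f"198.51.100.{60 + i}", f"acct-6{i}") for i in range(6)]


def daily_counts(orders, device):
    """Orders per day for one device model (the 'normal behavior' baseline input)."""
    return dict(Counter(day for day, dev, _, _ in orders if dev == device))


def device_run(orders, device, day, sigma=3.0):
    """Flag `day` if its order count for `device` exceeds the prior-day mean by `sigma`
    standard deviations (a floor of 1.0 stops a flat baseline from flagging any change)."""
    counts = daily_counts(orders, device)
    history = [c for d, c in counts.items() if d < day]
    if len(history) < 2:                    # not enough history to call anything anomalous
        return None
    threshold = mean(history) + sigma * max(pstdev(history), 1.0)
    today = counts.get(day, 0)
    if today > threshold:
        return {"device": device, "day": day, "orders": today, "threshold": threshold}
    return None


def ip_velocity(orders, day, max_per_ip=2):
    """Source IPs that placed more than `max_per_ip` device orders on `day`."""
    per_ip = Counter(ip for d, _, ip, _ in orders if d == day)
    return {ip: n for ip, n in per_ip.items() if n > max_per_ip}


if __name__ == "__main__":
    print(device_run(ORDERS, "iphone", 6))  # launch-day run: 9 orders against a threshold of 5
    print(ip_velocity(ORDERS, 6))           # {'203.0.113.7': 3}
```

In production the same two questions are what the Elastic queries answer over live ingest; the thresholds here are deliberately simple and would be tuned per device and channel.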

Proving the value of IT

Elastic allowed Sprint to take a much more predictive and proactive approach to finding and stopping fraud, and increased speed of detection. In the past, it would often take a customer complaint to identify fraud, and then that customer would have to wait to be referred through general customer care to a fraud department specialist — often over five or six days. Now, the Elastic Stack solution allows Sprint to head off cybercrime before it impacts the customer, identifying and stopping fraud and theft attempts in hours or even minutes. The solution has been effective in reducing fraud by 90 percent to 95 percent per day, Rice says.

Within a few days of agreeing on a solution, Elastic Stack was up and running, albeit a bare-bones implementation. Over time, Rice says, IT, fraud management and compliance teams at Sprint have further iterated to develop a robust, full-featured solution that works incredibly fast to detect fraud.

“Our fraud team might see a single account that was compromised; our IT team can now take that information and look across hundreds of systems to identify other customers impacted by the same activity. Normally this would take days of tedious work involving a lot of personnel, but with Elastic, one person can monitor and search massive data sets in minutes. It’s now as simple as a Google search,” he says.

The Elastic Stack solution for fraud management also has changed the way IT is viewed inside Sprint, Rice says. Through this project, fraud management and IT teams are providing real, tangible value to improve the performance and efficiency of different business units inside Sprint, which in turn improves customer satisfaction.

“We also look at ROI, and our IT team notes that they receive a return on the Elastic investment every 90 days,” he says.

One of the most telling business metrics, and one of the best ways to gauge the success of a fraud prevention solution, is to track the availability and price of stolen customer credentials on the dark web, Rice says. Sprint contracts with a vendor specializing in dark web visibility, which found that the amount of Sprint credentials available has decreased dramatically while the value of Sprint credentials has skyrocketed because of decreased supply.

“Often these fraudsters will steal a vast amount of credentials and then post them for sale to other bad characters. We’ve determined that fraudsters are compromising fewer Sprint user accounts, and often we are able to disable or deactivate those accounts before the data can be sold. Today on the dark web, over 50 percent of Sprint customer credential buyers want a refund versus five percent previously — that means that more than half of the bad guys purchased our credentials only to find that they were useless. That’s a direct reflection of our fraud detection efforts,” Rice says.