How a tiny telco is fighting back against text message fraud

Luxembourg, a country with just 600,000 people, has had an outsized impact on the European telecoms industry.

That is mostly due to the work of Viviane Reding, the Luxembourgish European Commissioner who became the public face of the regulatory battle against expensive roaming rates and other high charges when she was the bloc’s commissioner for information, society and media between 2004 and 2010.

Now, the country’s telecoms sector has produced a tool to fight cyber attacks over telecoms networks, including suspicious text messages sent to defraud consumers. Once again, the benefits could be significant: according to a 2018 report compiled by the industry’s leaders, telecoms fraud costs the sector $17bn a year.

The software, which monitors telecoms networks for signs of intrusion, was developed by Cyberforce, a division of Post Luxembourg, the country’s integrated telecoms, financial services and post office company. Though it was initially created to protect Post Luxembourg’s own banking and telecoms customers — including EU institutions such as the European Court of Justice and the European Investment Bank — Cyberforce is now selling the tool to external customers, including larger peers in the telecoms sector. 

Cyberforce, which was launched in 2018, is a product of the tiny market that Post Luxembourg serves. For small telecoms companies like Post Luxembourg, the only way to grow is to develop innovative new services that they can sell to larger peers. The need to find new sources of revenue became more pressing after Reding’s clampdown, which hit operators in small countries dependent on tourism and business travellers hard.

But smaller telecoms companies plugged into large global networks can be vulnerable to cyber attacks. They cannot invest in protecting themselves at the same level as large companies such as the UK’s BT, which suffers up to 125,000 attempted attacks on its network every month.

“Post Luxembourg’s Telecom core network, like any other operator’s, could be misused by hackers to target someone else,” says Mohamed Ourdane, head of Cyberforce. “That’s why we developed these capabilities. We needed innovative means to detect any kind of intrusions.”

Those attacks include fraudsters’ attempts to target phone users via text messages. Such attacks range from so-called Wangiri fraud, which entices a customer to return what looks like a missed call at a huge cost, to more sophisticated threats, such as call hijacking, where criminals take over a phone to steal an identity.

A recent spate of bogus text messages sent to mobile phone users in Europe informed them that they had been in contact with a person infected with Covid-19. It requested payments for tests. In the UK, thousands of spam texts were sent out by fraudsters claiming to be from HM Revenue & Customs, the government tax office, demanding payment of a fine for breaching lockdown rules. 

Cyberforce’s monitoring system is now built into the anti-fraud operations of BICS, a global wholesale telecoms operator that connects traffic around the world, to spot abnormal data patterns. 

Katia Gonzalez, head of fraud at BICS, says Luxembourgish technology has strengthened its network auditing products and has been deployed by at least one major European telecoms company. “At a time when operators are coming under increasing attack — and facing a rapidly evolving threat landscape — this has been critical,” she says.

The product could embellish Luxembourg’s burgeoning reputation in cybersecurity and data protection. It is the base for a number of senior European Commission staff working at DG Connect, the EU’s digital agency, in fields including artificial intelligence, digital security and data policy.

The country was shortlisted as a potential site for the new EU Cybersecurity Competence Centre, aimed at strengthening cybersecurity across member states, but lost out to Bucharest in Romania late last year.

For Post Luxembourg, small remains beautiful. Ourdane says Cyberforce took only two years to develop because his company could afford to take on a disruptive mindset in the mould of a tech start-up. That would be much tougher at a larger telecoms business set in its ways. “It is therefore important as a small player to be dynamic, even better agile,” he says.

This story is part of a special report Luxembourg: Data and Innovation.