Index Home About Blog
Date: 8 Nov 1993 18:34:14 -0800
From: Erik Ramberg <>
Subject: Re: TRW Phone Print to Fight Cellular Fraud 

[Moderator's Note: Erik sent in a couple replies in this thread which
got mangled in processing. They've been reconstructed below and I
apologize for the delay in using them.   PAT]

Paul R. Joslin  wrote:

> In article <>, Willie Smith (wpns@newshost.
> wrote:

>> (Erik Ramberg) writes:

>> Ha!  All this probably means is you have to clone the same
>> manufacturer and model of phone.  Especially with the big push to Six
>> Sigma (every product is identical to one part in a million), it's
>> going to be really difficult to tell phones of the same model apart
>> without denying service to folks at slightly different temperatures,
>> battery charge levels, and altitudes.  How long do you think it'll
>> take the cloners to crack this one?

> In the short term, how are cloners supposed to find out the make and
> model of the phone from the transmission they're stealing the ESN
> from?  Buy their own TRW system, and start characterizing signatures?

> I think you're right in the long term.  Professional thieves will
> "borrow" a phone from a parked car, get the ESN, then return the
> phone, or buy model number/ESN pairs from dishonest employees of the
> cell companies.  Perhaps this system will at least prevent the
> "casual" thieves.

First of all, one of our test fixtures is to take five phones that
were manufactured one after another on the assembly line, and see if
our system can differentiate the phones.  In other words, six sigma
only has relevance if the six standard deviations are of a feature
that we look at.  And since these features are the result of
complicated mechanical/electrical/RF factors, the six sigma standard
has little relevance to us.

Second, it will be a long time (if ever) before one can modify a phone
to match another.

John R. Covert wrote:

> Interesting.

> But, of course, there's a problem.  I can legitimately use my cellular
> phone's telephone number and ESN on three different transmitters:

>	1. The Micro-TAC itself.
>	2. The 3W VA in my own car
>	3. The Extended System in my wife's car.

> Actually, I can legitimately use it in _any_ compatible transmitter
> that provides the plug to go into the bottom of the phone.

We know of these situations and our algorithms take this into account,
thus allowing your legitiment use but denying the criminal access to
your account.

John Nagle wrote:

> (Erik Ramberg) writes:

>> Each cellular telephone emits unique signal transmission
>> characteristics - an electronic version of a human fingerprint - which
>> cannot be duplicated.  These characteristics are matched with the
>> mobile identification number (MIN) and the electronic serial number
>> (ENS) of the phone to develop a unique pattern for each legitimate
>> customer, TRW PhonePrintTM uses sophisticated signal analysis hardware
>> and software to analyze and file the patterns belonging to legitimate
>> customers.  When a caller attempts to access the network, the system
>> compares incoming patterns to those on file.  If the patterns do not
>> match the call is immediately terminated.

>       I suspect this is an exaggeration of the actual capabilities.
> There are only a few chipsets used for these things, after all, and
> two units with the same chipset should perform very similarly.  But
> they might be able to tell which chipset was being used. Statisti-
> cally, though, that alone gives them a good chance of catching
> someone who records over-the-air info.

 Unfortunatly I cannot disclose the workings of our algorithms, but we
can distinguish between identical phones.  You have to remember that
there are many steps that a signal takes between formulation and
transmission...and though these may be non-performance impacting
variations they are nevertheless variations that can be measured.
It's these parts that we call the PhonePrint(tm) and if you use a
phone in a heavy fraud area I'm sure you'll notice an improvement in
the cellular service.

> Cellular ID systems should have been public-key from day one.
> Someday, they will be, government opposition or not.

 Why not public key?  There are several companies with commercial
applications using public key ... the government only gets antsy when
it's used for general purpose encryption of data/messages and the
register bits are long enough to eliminate any realistic crunch by a
supercomputer (i.e. a day or two).  Use as an authentication device
(i.e. digital signitures) is not a big deal.  In fact my Mac at home
implements this capability in the operating system!


Date: Mon, 7 Apr 1997 13:10:35 -0700
From: John Higdon <>
Newsgroups: comp.dcom.telecom
Subject: The Final Cellular Straw

As we all know, the aging cellular network in this country (using
AMPS) has absolutely no security built into it. Cloning is a way of
life. In the past year, cellular equipment providers have produced a
system that they hailed as a breakthrough in fraud detection/prevention: 
RF fingerprinting.

Simply, this is a system that detects and stores details about a
legitimate user's cellular phone's transmitter. On the theory that no
two transmitters would create the same profile, the system compares
the fingerprint of a phone attempting to make or receive a call with
the stored profile. If they don't match, the call is dumped.

After months of using my handheld Motorola exclusively in its car
adaptor, I needed to use it has a handheld. Important, expected calls
never got through. Why? It turns out (verified by GTE Mobilnet's
control center) that my handheld was rejected by the fingerprint
detector which was expecting to see the car transceiver.

Although the cellular industry is notorious for inconveniencing
customers in the name of preventing fraud, this is the ultimate
outrage. As far as I am concerned, any procedure that errs on the side
of the denial of service to a legitimate customer is unacceptable. 
Since GTE did not agree with me, I am no longer a customer.

I have, this day, activated a Pacific Bell PCS phone. Say what you
want, but at least Pacific Bell knows that people depend upon
telephone service and does not go out of its way to throw banana peels
in front of customers who expect to be able to rely on
communications. There are no doubt others who feel this way.

John Higdon  |    P.O. Box 7648   |   +1 408 264 4115     |       FAX: | San Jose, CA 95150 |   +1 500 FOR-A-MOO    | +1 408 264 4407
             |            |

Index Home About Blog