Zero-Rating Services (services which enable internet access to specific domains but do not debit your data allowance) have become more popular and necessary in recent times for telecom organizations. Both for user access to essential services and for competitive promotion of new services. Some examples are:

• Promotional social media access – e.g., zero-rated WhatsApp and Facebook in Brazil.
• Educational and public services – e.g., free access to public benefit organizations (PBOs) in South Africa.
• Commercial promotions – e.g., free Uber data provided by Safaricom.

Some of these capabilities have extended from the pandemic and are tracked by organizations like Cullen International with their report on “Role of ZeroRating Offers”. Over time, both users and regulators have become more knowledgeable about these policies and their value, leading to expectations that essential services should remain widely available, while region-specific promotional services may be permitted under regulatory oversight. As an example in the recent Ofcom report, the practice of zero-rating was requalified to be ’more generally allowable’ for different types of service for UK-based communication service providers (CSP).

These services are open to abuse by fraudulent users, with an example of a single attack possibly costing the CSP as much as $80k USD in lost revenue. It is critical that for new zero-rated services the CSP develops an integrated plan for:

• How much data will be used by the average user
• What are the T’s & Cs’ on a new service (ensuring it is not open-ended)
• How will the enablement work in the network

These are foundational steps, in order to have a strategy for essential services and a promotional vehicle for new services. There are a number of examples where users can legitimately exploit badly implemented terms and conditions or share information via SNI buglists of vulnerable services which can be targeted to get ‘free’ data access. These attacks can be viral, transient and costly to the CSP.

In the longer term they also represent a gap in planning both from a capacity and security perspective. Capacity planning is essential but difficult as data service capacity is increasing 25% year on year – building a pattern of how much data users are consuming (and where & when) is indispensable for capacity planning. In respect of security – tracking destinations by IP address is no feasible because of their sheer number. Alternate forms of being able to trace where users are accessing content and whether it is permitted via regulator policy or CSP promotion plan is key. Ensuring that users get the service they are paying for, that the service is permitted under their policy is essential in a shared, regulated network environment.

What are the types of threat? How can a plan for enabling zero-rating access be delivered while stopping fraud? How can this be implemented from Day 1 but, also tracked and reviewed in Day N. This is the detailed topic of our new paper “Data Charging Bypass: Stopping Zero Rating Fraud”.

If you want know more then download the paper here

Review our Enea capabilities for managing data traffic @  https://www.enea.com/solutions/traffic-management/