International roaming services had been around since the early beginnings of mobile networks, well, not all that early – but still fairly early. Most people believe that international roaming relies on your phone number, but actually, it involves the usage of something called an MSRN – A Mobile Station Roaming Number.

Wikipedia describes an MSRN as:
The Mobile Station Roaming Number is an E.214 defined
telephone number used to route telephone calls in a mobile
network from a GMSC (Gateway Mobile Switching Centre) to
the target MSC (seeNetwork Switching Subsystem). It can
also be defined as a directory number temporarily assigned
to a mobile for a mobile terminated call. A MSRN is assigned
for every mobile terminated call, not only the calls where
the terminating MS lives on a different MSC than the originating
MS. Although this seems unnecessary since many vendors' VLR's
are integrated with the MSC, the
also be defined as a directory number temporarily assigned
to a mobile for a mobile terminated call. A MSRN is assigned
for every mobile terminated call, not only the calls where
the terminating MS lives on a different MSC than the originating
MS. Although this seems unnecessary since many vendors' VLR's
are integrated with the MSC, the GSMspecification indicates
that the MSC and VLR (Visitor Location Register) do not need
to reside on the same switch. They are considered two different
nodes as they have their own routing addresses. i.e.the MSRN is
one of the returned parameters into SRI_Response message. In
particular the MSRN is used into an MNP scenario (in this
case it can be modified as 'RgN + MSISDN').
to reside on the same switch. They are considered two different
nodes as they have their own routing addresses. i.e.the MSRN is
one of the returned parameters into SRI_Response message. In
particular the MSRN is used into an MNP scenario (in this
case it can be modified as 'RgN + MSISDN').

Another temporary address that hides the identity of a subscriber.
The VLR generates this address on request from the MSC,and the
address is also stored in the HLR. MSRN contains the current
visitor country code(VCC), the visitor national destination
code (VNDC), the identification of the current MSC together with
the subscriber number. If we have all the MSC working as a GMSC
like the latest technologies so what would be the states of the
MSRN ? we can use it only for test to route the calls to a specific
MSC otherwise we don't need it to use it.
<span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; line-height: 19px; white-space: normal;">
</span>

To put into lame terms, the MSRN is a virtually assigned telephone number, in the country you are currently roaming at. When that number is called, your roaming mobile will ring and you will receive the call. The MSRN is assigned to you out of a dynamic range, usually consisting of thousands of E.214 numbers and is usually assigned for only 60 seconds – or another predefined period of time. Now, depending on your mobile roaming partner, this number may change according to internal policies, however, the fact remains.

The MSRNs can be easily exploitable. Most european romaing providers make their money from inbound traffic. Each inbound second generates some inbound cash – it’s as simple as that. Imagine, that I as a roaming provider will generate calls to the world wide MSRN number ranges, with caller ID’s setup in my network. Now, when the user of the MSRN calls back to the my network, I get cash for it – while the calling user pays for it. The call will reach a real person who will answer with: “Sorry, wrong number”. As the calls are originated to multiple roaming carriers and multiple customers on my network – the end result is an almost un-detectable fraud scenario. Of course, this fraud will require massive infrastructure on the fraudster’s part – but they have the infrastructure in there, might as well use it.

Question be: how easy is it to get the list of globally assigned MSRN numbers?  The answer is: Very Simple. Every paid member of the GSMA (which is basically any mobile carrier in the world) has access to this list.

So, when you are abroad and you get a phone call from a number you don’t really know – think twice before returning a call to that person :-)