Packet retransmission is a fundamental TCP feature that ensures reliable data transfer between two end nodes. This feature creates an important policy issue in case of accounting cellular data packet retransmission. For the Cellular ISPs view, all packets should be accounted for billing regardless the data is retransmitted or not since packet transmission consumes the infrastructure resources. On the other hand, the user might want to bill-ing only for the application data by taking out the amount for retransmission. Regardless of the policies, howev-er, we find that TCP retransmission can be easily abused to manipulate the current practice of cellular traffic accounting.In this work, we investigate the TCP retransmission accounting policies of three major cellular ISPs in South Korea and report the accounting vulnerabilities with TCP retransmission attack by utilize forged TCP packet. First, we find that cellular data accounting policies in South Korea does not accounting packet retrans-mission data for the user bill for fairness. Second, since South Korean ISPs that do not account for retransmis-sion we find that South Korean ISPs exposes to the attack called “free-riding” attack which is implemented by tunneling the payload under fake TCP headers that look like retransmission. By using this attack, we can transfer the data in the cellular network with reduced charge. We show that the “free-riding” attack system we imple-mented successfully bypass cellular data accounting system without any alarm and the system does not much performance degrade to the attacker’s device which is bypass the cellular data accounting. In addition to the “free-riding” attack, we also find that there is a chance to expose to the “usage-inflation” attack even if the ISP’s accounting system does not account for retransmission packet.As a countermeasure the attack, we argue that the ISPs should consider ignoring TCP retransmission for billing while detecting the tunneling attacks by ...