The accounting of data usage is the most important functionality in the management plane of cellular network. However, we find that the control-plane and management-plane functions of cellular network are not well designed from either charging accuracy or security aspect. In MOBICOM'12 and MOBISYS'13, our results yield three counter-intuitive findings: (1) we are charged for what we never receive in extreme case; (2) we can obtain what we want in data access free of charge; (3) we pay for the packets dropped by cellular network during user mobility cross different systems. We recognize that the fundamental problem is because the 3G/4G standards design a centralized network-element-based the accounting architecture. When things go wrong outside the charging elements, the resulting data volume deviates from what is observed at end devices. In CCS'12 and CCS'14, we discover several security vulnerabilities along improper coordination between control-plane and management-plane. First, the decoupling of authentication, authorization, and accounting of data service gives a great opportunity to attackers to send data packets which are spoofed with the fake source address, and the accounting element further charges the victim instead of the attacker. Second, mobile device cannot request the network to stop the malicious spamming packets have been accounted unless user tears down the bearer for all data services. We demonstrate that malicious attackers can incur any large traffic volume to the victim, while the victim may not be even aware of such spam traffic. Our contributions are to identify new security threat to cellular systems from the charging/accounting perspective and draw more people's attention to this important topic. Our research results have received several media reports including MIT review, Computer World, Fiscal Times, and TheVerge. Three major US operators adopt our approach to fix the free data service problem.