Categories
Bad Stuff Business scams voip

Mechanics behind International Shared Revenue Fraud

VoIP fraud continues to rear its head this week with a post on ISRF mechanics.

Continuing with his week as guest editor covering VoIP fraud issues David Cargill has invited industry expert Martin John from AQL to discuss IRSF mechanics – how it actually works:

As we all know International Shared Revenue Fraud (ISRF) plays a large part in the overall fraud that we see in the industry, even though services are marketed legitimately they are widely used for fraudulent purposes and the artificial inflation of traffic, whilst some of the traffic will terminate in the target country a high percentage will never reach the expected destination (commonly referred to as short transit or short stopping)

Whilst the ITU governs the allocations of Country Codes once the code is allocated the usage and numbering plan is controlled by the responsible authority in the recipient country, the ITU publishes updates on the reported use of each numbering block for each allocated Country Code (http://www.itu.int/oth/T0202.aspx?parent=T0202) however this is based on information submitted by the responsible authority and is not always an up to date source of information.

Historically Telecoms Operators interconnected directly via TDM on a bilateral basis, a settlement rate would be negotiated with a key objective being the balance of traffic to reduce any financial settlement between the parties, using this method the majority of ISRF traffic actually terminated in the country that holds the number allocation.

isrf mechanics

Smaller countries or those with financial constraints could not justify or afford this method and opted for a cascade accounting method, cascade accounting meant that the smaller operator would make an agreement with one or two larger international operators whereby the larger operators became an aggregation point for the allocated country code and in return kept a percentage of the revenue.

isrf mechanics

With cascade accounting traffic to designated number ranges could potentially be short transited, the authority responsible for the allocation and administration of the number ranges may have requested that the cascade accounting partner terminate certain prefixes to alternate carriers/partners for other services, these opportunities were very financially rewarding due to the expensive part of the network (the international circuits) not being utilised.

isrf mechanics

 

 

As the market developed and with the establishment of VoIP clearing houses/exchanges and traffic aggregators cascade accounting has become less popular, operators favour being able to interconnect to lots of different operators in one place, increase their profitability as they no longer have to give a percentage to the cascade accounting partner and lower their cost base as they would no longer need to purchase other international routes via their previous cascade accounting partner, however this simply made ISRF easier, the telecoms market is more cost driven today than it has ever been operators strive to  maintain lcr with the minimum of man power and international destinations that are outside of their main business area are commonly terminated through large traffic aggregators or clearing houses, interconnection between the aggregators and clearing houses is a common practice it is in their business interest for a call attempt to complete and convert to revenue and therefore as the financial barriers to connect to clearing houses are small the interconnection by parties that want to abuse the situation is relatively easy.

Take for example the following scenario:-

The island of High Termination Rate is assigned the country code of +997 from the ITU the and files a numbering plan. The island of High Termination Rate Telecommunication Regulatory Authority (HTRRA), announces the following:
isrf mechanics table

 

 

The national operator of the island of HighTerminationRate HTRT is a respectable and ethical company that interconnects to a large traffic aggregator and a clearing house to not only gain access to a full international A-Z for terminating traffic but also to ease interconnection with other international carriers so that the residents of The island of HighTerminationRate are globally reachable, the per minute rate is advertised as £1.00 ppm

aql4
To this point everything is legitimate however there is nothing stopping the aforementioned opportunistic man in the middle/ISRF reseller from also interconnecting to an aggregator and clearing house and advertising a rate of £0.98 ppm supporting either the full list of breakouts or “specialising” in certain areas such as HTR Mobile +99780

aql5

 

 

In the background the ISRF reseller has been busy harvesting numbers and happily upsetting the observed statistics (reduced ASR’s etc) whilst tying up network capacity to obtain a better understanding of the utilisation of the ITU allocation.  Once this understanding has been obtained numbers can be tested and resold to customers.

Some may wish to offer chat services or other services of the like whilst avoiding any national regulation and of course this then opens the door to parties that wish to generate fraudulent traffic.  To expand further after number harvesting it is discovered that anything that starts +99780752 can NOT be completed via the legitimate route offered by HTRT.  It is a range that falls within the allocation but perhaps due to demand has not been opened yet.

Any traffic generated to this range will fail on the HTRT route if in fact it even attempts the HTRT route first due to the ISRF route being marketed at a lower rate. Once that call has failed the aggregator/clearing house would normally route advance the call to the next available route where ISRF are happy to complete it.  Legitimate traffic that the ISRF route receives is simply terminated back to another carrier. Whilst this incurs a loss with restrictive routing and capacity the impact is minimal and aesthetically legitimises the service offering provided by the ISRF route.

aql6

 

 

 

 

 

 

 

Martin John is the General Manager of aql wholesale. aql, established in 1998, is a wholesale integrated Telecommunications Operator, Regulated by Ofcom. Providing services to many of the FTSE 100 and is one of the UK’s largest IP Telephony fixed line operators.  It is recognised as a significant market force in fixed and mobile services by the UK Regulator.

Check out our other VoIP fraud posts here. Below are links to other fraud related posts this week:

PABX fraud by Manuel Basilavecchia here
IRSF Fraud by Colin Yates here
CLI Spoofing detection by Matt Anthony here

Categories
Bad Stuff Business scams security voip

Caller ID Is Broken – How Can We Fix It?

matt anthony pindropCLI spoofing doesn’t have to be as big a problem as it is.

In the third of this week’s posts on VoIP fraud guest editor David Cargill has Matt Anthony, Vice President of Marketing at Pindrop Security as a contributor.

There was once a time when people trusted the number that showed up on their Caller ID. Phone companies charged extra for the service. Even banks allowed you to activate your credit card just by calling from a registered phone number. Today, that is no longer the case.

Caller ID (CLI) and Automatic Number Identification (ANI) were originally designed as systems to be used internally by the phone companies. As such, they didn’t need any real security. As they emerged as consumer facing tools, they never developed the security features that we expect today.

The result is that spoofing Caller ID data, or ANIs, is very easy. A quick Google search turns up pages of articles on how to spoof a number. App stores are full of easy to use apps that enable spoofing. One smartphone app, Caller ID Faker, has over 1,000,000 downloads.

spook card - disguise your caller id

Adding to the problem is the fact that in general, Calling Liner ID spoofing is completely legal. Though it is always illegal to use CLI spoofing for fraud or threatening messages, it is perfectly legal to spoof a number as a friendly prank, or as a helpful business practice. (Think doctors on call who don’t want to give out their cell phone number.) While it might be fun to spoof a CLI in a prank call to your friend, too often fraudsters are the ones disguising their numbers to hide their criminal activity.

Pindrop Security tracks phone fraud activity and trends. We have found that CLI and ANI spoofing is the most common technique used by phone fraudsters. In addition, more than half of the caller ID spoofing attacks cross international boundaries, meaning they are almost impossible to track down and prosecute.

Consider the case of one attacker, known to Pindrop researchers as “Fritz.” This fraudster is likely based in Europe and works alone. Fritz is in the business of account takeover. He calls financial institution call centres, impersonating legitimate customers by spoofing ANIs, and socially engineers the bank into transferring money out of an account. In one four month period, we found that Fritz had targeted 15 accounts. We estimate that he has netted more than £650,000 a year for at least several years.

While there is no technology that can prevent CLI spoofing, it is possible to detect these calls. The key is to detect anomalies between the information being sent over the Caller ID and the actual audio characteristics of a call using phoneprintingTM, created by Pindrop Security.

Phoneprinting technology analyses the audio content of a phone call, measuring 147 characteristics of the audio signal in order to form a unique fingerprint for the call. Phoneprinting can identify the region the call originated from and determine if the call was from a landline, cell phone or specific VoIP provider. These pieces of information provide an unprecedented level of insight into caller behavior.

So, if a Caller ID says a call is coming from London, but the phoneprint of the call shows that the individual is calling from 1,000 miles away, it should be a red flag for anyone running a call centre that the caller has malicious intent.

pindrop caller id verification

 

 

 

 

 

 

 

 

One recent fraud attempt thwarted by Pindrop tools happened on a Saturday night, a time when most call centre employees are not at their most vigilant. The caller asked to transfer £63,900 from one bank to another. The Caller ID matched the phone number associated with the account, and the caller knew all the answers to the identity questions the agent asked. However, while the Caller ID said the call was coming from San Francisco, Pindrop detected that the call was actually coming from a Skype phone in Nigeria. As a result, the wire transfer was put on hold, and the bank was able to verify with the account holder that the request was fraudulent.

Pindrop phoneprinting solutions are already protecting calls to top banks, financial institutions, and retailers. The Pindrop platform is a comprehensive solution designed to protect the entire call system: inbound, outbound, live, recorded and in the IVR, customer-facing and employee-facing interactions. Pindrop uses the information from the phoneprint to create a highly accurate and highly actionable risk score for each call, which has allowed it to catch more than 80 percent of fraud calls within 30 seconds after the call has been initiated.

Historically, the phone channel has been over-trusted and under-protected, making it a major target for fraudster exploitation. Today, technology is available to detect spoofing and stop phone fraud.

Matt Anthony, Vice President of Marketing

www.pindropsecurity.com

Matt Anthony is the Vice President of Marketing at Pindrop Security. With over twenty years of experience in the technology industry, Matt is a frequent speaker at technical conferences. Prior to joining Pindrop, Matt served as Director of Marketing at Dell SecureWorks. Matt has also held marketing roles at CipherTrust, Monorail, and Dell Computer. He is a graduate of the University of Texas at Austin.

Check out our other VoIP fraud posts here. Below are links to other fraud related posts this week:

PABX fraud by Manuel Basilavecchia here
IRSF Fraud by Colin Yates here

Categories
Business scams security voip

Telecom Fraud – Investment in Prevention and Detection initiatives not always available.

colin yatesIRSF- International Revenue Share Fraud

This week we have David Cargill as guest editor. David runs the Operations Working Group at  the Internet Telephony Sevice Providers’ Association (ITSPA) and takes a special interest in VoIP Fraud. David has invited a number of experts to contribute guest posts on fraud related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday that has VoIP fraud and WebRTC as its main themes. This is his second choice of post, in which IRSF is discussed, is written by Colin Yates, Managing Director of Yates Fraud Consulting Limited:

The telecommunications industry has a huge gap between those operators who manage fraud effectively and those who do not. Those who are effective fraud managers, whether they are a Tier 1, 2 or 3 operator, are generally those who have matured over the years with a strong mandate and support from their Executive to do the job, while being provided with the necessary budget, resources and tools to do it well. Some senior management unfortunately view fraud losses simply as a cost of business, and allocate very little budget and resource to it. In these cases fraud losses are generally not measured or reported, so will remain unknown and not reflected in quarterly, half yearly or annual financial reporting.

There are some CSP’s who have enjoyed reputations within the industry as leaders in the management of fraud, but over time these reputations have diminished and their fraud losses have increased. Some of this could be blamed on a change of senior leadership who failed to appreciate the importance of effective fraud management. This could also be a result of a fraud manager who failed to continually make it clear to the organisation how much value they were adding to the business by effectively managing fraud. An effective Fraud Manager will take whatever steps are necessary to ensure that the papers for every Board meeting will include his quarterly fraud report to clearly identify the fraud recoveries and averted losses they have achieved during the period since the last meeting.

Fraud within Telecom operators is generally measured as a percentage of total revenue, and depending on which organisation is providing the figures, this could be estimated at anywhere between 1% and 5% of total revenue. In my experience an operator with a mature fraud team with the necessary fraud detection/prevention tools, along with the support of his management team is likely to maintain their fraud losses at under 0.50%. Assuming this is a tier 2 operator with total revenues of $US1.5 billion, if the effectiveness of the fraud team was permitted to deteriorate to a point where fraud losses increased by another 0.25% of total revenue, this would add a further $US3.75 million to the annual fraud losses. To recover this revenue through adding new customers would require upwards of 10,000 new customers to be added to the business, assuming an average ARPU of around $US370 per year. Would it not make better business sense to continue to support the fraud management function with resources and tools at a cost of probably 10% of the additional fraud losses suffered.

Subscription fraud is without a doubt the biggest contributor to fraud losses across the industry. While most operators would agree that their aggregated subscription fraud loss far exceeds those suffered by any other fraud type, the drive to attract and connect new customers can make it difficult to manage. Most sales channels will require that a potential customer who meets basic identity verification checks will be provided service during that one visit to a physical or on-line store. Without investment in real time subscription fraud detection tools, this type of fraud is always going to be difficult to manage. Some of these tools are no longer expensive and can allow a CSP to take more risk when providing service to new customers.

International Revenue Share Fraud (IRSF)1 has to be regarded as the one fraud type that the industry has failed to manage effectively, primarily again because of a lack of investment in tools and resources by some to prevent and detect an attack early to minimise losses. IRSF Fraudsters can attack a business using many enablers, for example subscription fraud, roaming Fraud, PBX hacking, Mobile Malware, Wangiri Fraud and others. Some CSP’s use tools, either developed in-house or obtained from an FMS provider and do manage their IRSF risk effectively, but many others simply operate in the belief that this fraud will never impact them, so they will make no investment in a defensive strategy, and simply take the risk.  This decision is typically not taken by those accountable for managing fraud, but by those a level or two above who control the budgets. In most cases, this decision maker will have no idea what the actual risk is, and the impact of not implementing these controls may result in losses way above his delegated financial authority. It is still not unusual to hear of IRSF losses that have amounted to over $US500,000 in a 2 or 3 day period. An investment of under $US30,000 could have avoided most of these losses.

It is well documented now that around 85 to 90% of all IRSF incidents occur in the period between Friday evening and Monday morning when many CSP’s fraud monitoring staff are not in the office. Unfortunately even some of those who have made the investment in monitoring tools will continue to ‘take the risk’ over weekends and will not take that monitoring a step further to enable some automation, or diversion of outputs from their monitoring systems to a 24×7 activity within their business. In a roaming situation, NRTRDE (high roaming usage) records are delivered within 4 hours of a roaming call completing, and this includes the period right through the weekend. Having made an investment to implement this fraud control, it is hard to understand why no-one would be looking at these in real time to identify fraud, or have some automated process set up to manage an obvious fraud indicator.

Without effective monitoring tools, some operators will simply block what they consider are high risk destinations assuming that this will reduce their risk of becoming a victim to IRSF. We currently monitor destinations and numbers used for IRSF and the total Countries advertised by IPRN Providers number 221 and the test numbers we have recorded in to these countries number over 100,000. However the top 10 high risk destinations very seldom change and are as indicated in the graph below. These 10 destinations are responsible for 50% of the IPR numbers being advertised, but any of the remaining 211 country International Revenue Share numbers advertised could result in significant fraud losses being suffered.

VoIP fraud by country
Sources of telecom fraud by country

Fortunately there are more and more operators who have identified the value of 24 x 7 fraud monitoring, and have managed to make the argument for resources and tools to allow this compelling enough to obtain sufficient budget to implement this strategy.

Unfortunately this has not resulted in a reduction of the overall IRSF problem. It has simply driven the fraudsters to look for easier targets and these are currently smaller MNO’s and more recently MVNO’s. Fraudsters have come to realise that many MVNO’s do not have Fraud Management expertise in-house, or access to the information and networking industry forums that most MNO’s have available to them.

Prevention and Detection are the fundamentals of Fraud Management, which is particularly relevant for the telecommunications industry. The costs of pursuing a fraud strategy based on implementing the resources and tools required to monitor network usage are insignificant when compared to the likely losses you will suffer if you simply rely on luck. Anyone with any doubt in this area should arrange for an independent contractor to come in to their business and conduct a fraud risk review so that the full extent of the risks can be identified. A simple example of an MNO with an effective fraud monitoring process in place identifying and stopping an IRSF attack within 30 minutes, compared to an MVNO with no fraud process, allowing an IRSF attack to continue for 48 hours before detection, is demonstrated in the diagram below.

IRSF effective telecom fraud momitoring
effective telecom fraud momitoring

IRSF has now been around for at least 10 years in some form or another. Some CSP’s have lost significant amounts of money to it, and some fraudsters have generated small fortunes in fraudulent income from it. Many customers have been impacted through bill shock after their handset has been stolen or their PBX hacked, and many small countries have suffered social and economic impact as a result of their number ranges being hijacked by these fraudsters.

The argument for effective prevention and detection initiatives is compelling, but this does require some support and investment by an MNO or MVNO’s senior management team. After around 10 years of suffering from this fraud, it should be apparent that the various industry groups who have been searching for solutions are unlikely to come up with anything positive in the next year or two, so it really is up to the individual operators to take action to protect themselves.

1IRSF involves fraudsters calling international numbers that attract a high termination rate, from a stolen or fraudulently obtained connection, with an intention to inflate traffic in to those numbers and be paid a per minute fee from a number provider for each call made. Payment for these calls will eventually be required from the originating network, who will have no hope of recovering these costs.

Colin Yates is a telecommunications professional with over twenty five years’ experience, specifically in the area of fraud, investigations, RevenueAssurance and threat management. Colin specialises in the areas of Telecoms Fraud (Internal and External) and Investigations. He also has considerable experience with Personnel and Physical Security, Law Enforcement Agency Liaison,Intelligence Management, Regulatory Compliance, Revenue Assurance and Policy development.

Check out his website at www.yatesfraudconsulting.com. Also check out our other VoIP fraud posts here.

Read yesterday’s post on PABX fraud by Manuel Basilavecchia here

Categories
Business security voip

PABX fraud is on the up – by Manuel Basilavecchia of Netaxis

PABX fraud growth

This week we have David Cargill as guest editor. David runs the Operations Working Group at  the Internet Telephony Sevice Providers’ Association (ITSPA) and takes a special interest in VoIP Fraud. David has invited a number of experts to contribute guest posts on fraud related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday that has VoIP fraud and WebRTC as its main themes. This is his first choice of post, in which PABX fraud growth and is discussed, is written by Manuel Basilavecchia – Co-owner, Sales and Marketing Director of NetAxis Solutions.

It is commonly agreed to estimate that the loss due to fraud in the telecommunication industry represents 0.5% to 5% of revenue of telecommunications operators.

Even if all of those scenarios are well known for years, many of them are still impacting the telecom industry. Of course, not only Telecom providers are impacted, as retail/corporate customers are impacted as well by telecom fraud.

In this article, we’ll focus on a specific kind of PABX fraud (and all mechanisms related) which is PABX hacking.

To make a fraud possible and generate money, a fraudster needs two things:  Traffic (generation) and a termination (Cash collection).

In order to generate the traffic the fraudster will hijack a PABX. Alternatively the fraudster will pay a third party to perform the hijacking. In that case, we’ll talk about IRSF fraud type (International Revenue Shared Fraud). Once the access to the PABX is effective, the PABX will be used as resource to generate calls to high cost destinations.  As the fraudster owns the numbers targeted by the fraud, a money flow will be established and the fraudster could retrieve the money.

At first glance, the mechanism is not that complex, but the thing is that it has worked for years and is still working nowadays.

Let’s try to figure out why

In most of the cases, hijack of the PABX is not that difficult. Indeed, very often the password by default has not been changed by the administrator. Also in case the password has been changed, a very basic password is used which is quite easy to guess by a fraudster. Alongside this, these systems are always subject to vulnerabilities which can be easily exploited by a basic hacker.

In most of the cases, that attack is made outside business hours  including weekends, assuming that the PABX activity is not monitored during these intervals.

In this way, the customer is even not aware that he has been victim of an attack.

This lack of monitoring during some times of the day/week has the consequence that very often the fraud is discovered when the customer receive his telecom supplier’s invoice.

There is also an aggravating factor which is the payment terms. Indeed, usually the billing period between retail customer and its telecom provider is monthly while the billing period for Premium rate numbers is weekly with as consequence that once the fraud is discovered, the fraudster already got the money and it is very difficult to get the money back (or withhold payment).

This is having negative consequence on the relationship between the retail or the corporate customer and the telecom provider. Indeed, as the fraud is involving international destinations, international carriers are part of the scheme.

Having several players in the scenario makes it quite complex and difficult to find a fair solution for all the parties and someone as to assume the loss generated by the fraud. Let’s consider a practical case that will illustrate all those considerations:

A fraudster buys some Premium rate numbers in a foreign country, keeping in mind the high cost per minute associated. As a second step, he will ask and pay (share revenue) somebody to generate traffic artificially towards those numbers.

Once the attacker gets access to the PABX, he will generate as much as possible traffic in the shortest time (night or week-end)

The fraudster will receive payment from the Premium rate number 7 days later.

Assuming that nobody will notice this traffic increase on customer side (same on operator side) this traffic will become visible when the customer will receive his telecom invoice; usually one month later.

Quite clearly it is too late to react and very difficult to avoid a loss. Indeed, the usual traffic flow for international traffic is the following. Traffic starts at a retail customer and is sent to his telecom operator. As it is regarding international traffic, the telecom operator will use one or several international wholesalers to terminate this traffic. Those international wholesalers could also use different suppliers to terminate the traffic. The number of intermediaries and the misalignment of the payment terms make it complex to withhold payment and very often a party will have to suffer a loss, in most cases being the retail customer of his telecom supplier

In case of fraud, the size of the operator could put him in a very difficult situation. There have been cases where the operator is forced to choose between losing the customer or have to assume the loss generated by the fraud. If the telecom supplier is not financially robust, this could have very big impact on business.

As a conclusion, to avoid risks linked to this type of fraud it is important to:

  • Take all appropriate measures to secure the PABX of the customer. This point is often difficult due to the diversity of the installed based or the lack of expertise at customer side. So a good information campaign needs to be setup.
  • Deploy a Fraud Management System that, in near real time, will look at any customer traffic patterns in order to detect abnormal activity in terms of volume or destination.

Of course, the FMS needs to be operated by people having skills in fraud detection, or better, expert consultants to detect fraud but also to avoid false positive cases and not block legitimate traffic (and revenues).

Additionally, this will provide the capabilities to the operator to mitigate the financial exposure by reacting quickly to fraud cases (reducing the impact) and by providing evidences in order to open claims towards authorities and upstream providers (Recovering losses).

Manuel Basilavecchia is Co-owner, Sales and Marketing Director of Belgium based NetAxis Solutions. Manuel Basilavecchia brings over 17 years of business strategy, innovation and technology experience to his role as co-founder. As Director of Sales and Marketing, Manuel is focused on developing NetAxis Solutions business by bringing advanced carrier-grade communications services to Service Providers and Corporations and by providing high-technology products to the industry. Manuel holds a Master in Electrical Engineering – Electronics and Physics, a Master on Medical Physics and Bioengineering, and an MBA in management.

Loads of posts on PBX fraud here. Also come back for a different VoIP fraud post each day this week.