Telecoms Fraud Liability and Responsibility

Danny Preiskel of Preiskel & Co is one of the world’s leading telecoms lawyers. In this final post of Manuel Basilavecchia curated posts on telecom fraud Danny looks at the subject of telecoms fraud liability from a legal perspective.

Considering the devastating effects telecoms fraud can have on a wholesale or retail telecoms business this post looks at some of the legal aspects and provides some guidance to minimise the impact from a contractual perspective.

Civil Litigation for Civil Fraud

Successfully suing in civil litigation for fraud and recovering damages is only possible in certain circumstances, and with fraud being notoriously difficult to prove, the risk of losing in court and being liable for the defendant’s costs often outweighs the potential award of damages.  This is exacerbated by the fact that even if the telco victim is successful, the defendant company may not have the funds to actually satisfy any judgment awarded.

As with other jurisdictions, English law also allows shareholders and directors to hide behind the veil of incorporation.  Only in limited circumstances will the English courts pierce the veil of incorporation to convict or fine the individual shareholders behind a company, though directors can incur liability in addition to the company.   Typically in the UK we have seen that fraudsters can simply re-appear and commit more fraud by hiding behind another company name.

Another legal principle which may accidentally protect fraudsters is the privity of contract doctrine, whereby contractual obligations are only due to the contracting party and not its sub-contractors. For example BT fraud department will usually not deal with carriers with whom it is not directly contracted with. This can be problematic as often BT’s call records as well as the knowledge and actions of its fraud department can be hugely useful.

And finally, there are the UK insolvency laws which make it hard and expensive to recover monies from a company in liquidation or administration.

Insolvency Proceedings

Insolvency proceedings in the UK involve an application to court for the winding up of the company, usually after service of a Statutory Demand; and the appointment of an insolvency practitioner (to collect and distribute amounts for all the creditors).  

If the insolvency practitioner is not convinced there are sufficient funds in the insolvent company then it will ask the company appointing it to guarantee its costs. Whilst this is understandable it can be a huge disincentive bearing in mind that any amounts recovered by the insolvency practitioner will be for the benefit of all the creditors. It is not just in the telecoms sector that it is rare for creditors who are unsecured to get any meaningful percentage recovery.

If an insolvency practitioner is funded then it could potentially sue the fraudulent director and attempt to get a recovery as well as make a report recommending the person be disqualified as a director for several years. However the harsh reality regarding insolvency related proceedings in the UK, means that the failure to properly fund an insolvency practitioner often results in a director getting away with the telecoms fraud.

The Telecoms LCR Chain – Profiting From Fraud

When it comes to the wholesale industry we find ourselves in the curious position that, often it is not just the perpetrator of the fraud who seeks to profit. Understandably carriers in the chain want to be paid in full (including their profit margin), meaning that they profit from fraud, albeit not a fraud they have committed themselves. In essence it can be quite galling for a carrier that has been left with a gaping revenue hole, to have its supplier insist on recovering not only its cost of transiting the traffic but also its profit margin.

Contractual Protection

Please consider the important recent case Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd [2014] EWHC 1907 (TCC), where the Court required the telecoms carrier to be liable for the calling costs, even if the traffic was fraudulently generated.  We advise that in light of this judgment in particular that carrier review carefully and make amendments to their end user and wholesale agreements.

Carrier contracts should not only exclude, to the fullest extent permitted by applicable law, all express and implied warranties but should require the other party to be responsible, even if traffic was fraudulently generated by a third party.  Looking up the supply chain, we advise our client carriers to require that the supplier’s systems should be set to block fraudulent traffic and accordingly be liable in the event that they fail to block such fraud, even if it has passed through our client’s system undetected.

There is a lot to be said for such provisions to avoid uncertainty at the outset, minimising our clients’ exposure in terms of liability whilst importantly drawing the carriers’ minds to implementing appropriate anti-fraud measures before exchanging traffic.

What the Industry Can Do

Beyond the various technical measures (not mentioned in this blog note), the blocking of certain destinations by the way of default and some anti-fraud security provisions in the contract protecting the single carrier, the telecoms industry should consider an industry code of practice:

agreeing to help other carriers in the chain in identifying the fraud, even though there is no contractual relationship;

agreeing not to profit from fraud, i.e. take out profit element of charges;

appointing industry representatives to have a better working relationship with the fraud sections of the police and the regulator;

allowing companies to refuse to pay up the supply chain where there has been fraud suspected, albeit subject to certain provisos to ensure that nobody unduly benefits in such case;

providing a reseller kitemark approach to help combat dial-through fraud (e.g. the FCS’ fraud group that Preiskel & Co helped set up; or the International Interconnection Forum For Services Over IP (I3 Forum))

considering an industry fund to make a contribution towards costs of bringing enforcement action against fraudsters

identifying a cost effective insolvency practitioner who understands the industry

This concludes telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts from the week:

Colin Duffy on “is encryption the answer to data loss”
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s“
Manuel Basilavecchia on “A mobile operator fraud case study”
Jonathan Rodwell on “Telecoms and IT Security” and with part 2 here

SIP Trunk Plus CEO Jonathan Rodwell in Part two of his posts on Telecoms and IT Security

Fraud week sponsored by Netaxis continues with part two of Jonathan Rodwell’s post on Telecoms and IT Security. In part one Jonathan discussed “Telecoms and IT security in the UK” together with “Technical best practice”.

The second post  concludes with  “the human wild card” and says “we need a new way of thinking”

The weak link?

The elephant in the room is the weak link in all telecoms/network scenarios. Us human beings. The bigger question being that if the ‘human’ wildcard element cannot be controlled, can any network (Telecoms or otherwise) ever be truly secure?

I suspect that even some of the most technically astute individuals cut corners.  We just can’t help ourselves sometimes. Using similar passwords on email accounts perhaps?  Not bothering with voicemail passwords?  User log on credentials that are not sufficiently robust?  No matter how robust a technical architecture is when people cut corners they expose their business to another’s malicious intent.

Larger organisations certainly have more tools at their disposal to exercise greater control over protecting their services, or offering training and technical solutions to manage passwords and so forth. But even they face challenges, particularly when staff bring their own devices onto the network.  Larger organisations often present a more attractive target to groups of individuals intent on hacking. It is generally accepted that if a group of skilled individuals with sufficient resources wants to penetrate your security, they will undoubtedly find a way. TalkTalk can tell you all about it.

As Telecoms providers, we know that as our service is predominantly IP Based, our clients and our businesses are exposed to potentially massive costs.

Both The Federation of Communication Services (FCS) and the Internet Telephony Service Providers Association (ITSPA) understands these challenges and is working with industry experts, the police and stakeholders across the board to try and help mitigate the potential risks. The FCS have a Fraud panel dedicated to working with industry professionals to help deliver best practice. ITSPA work closely with the likes of Action Fraud and the Metropolitan Police. 

FCS’s experience is instructive:  less than two years ago, fraud was a taboo subject at FCS meetings.  No business CP liked to talk about it, for fear of admitting weakness to their competitors.  Today it’s the industry’s number one pain-point.  

These trade associations provide a single voice for their members to Ofcom and to policy-makers. This protects members from the risk of individual damage to their brands. 

What can we do?

This all seems somewhat daunting, particularly for the small business owner – remember, the challenges for a multi-national are immense, too. So where do we start? A good place is the set of recommendations from GCHQ: The Cyber Essentials Scheme. Essentially, this focuses on protecting against Internet-Originated attacks against IT/IP Comms services. Cyber Essentials focuses on five key controls:

1. Boundary Firewalls and Internet Gateways – devices designed to prevent unauthorised access, and setting them up effectively.
2. Secure Configuration – of systems relative to the needs of the organisation.
3. Access Control – Ensuring appropriate permissions within systems, with sensible passwords.
4. Malware Protection – Ensuring it is installed and correctly maintained.
5. Patch Management – Ensuring they are applied and utilised this is particularly pertinent for users of all PBXs. They need to be patched as much as any other network device.

 

This is all perfectly sensible and a good starting point, especially if your staff are office-based, but many businesses in 2014 support flexible working environments, such as staff who work from home and so forth. Indeed, some businesses do not have offices at all; so consider item 3: how do you control access when a home internet service is provided by BT or Sky and they have direct access to the router? If your IT support is provided by a third party, what happens if their own security is penetrated; are you vulnerable too?

BYOD (Bring Your Own Device) adds a further layer of complexity when employee or visitor devices are allowed access to the network. Companies must balance the benefits versus the risks and what mitigation can be implemented (realistically) on a technical basis.

Suppliers must emphasise and help implement best practice when it comes to the protection of PBX and handset architecture. Granted, some end clients are more willing than others to be proactive on this front, but suppliers have an obligation to emphasise the security protocols that can best protect the PBX and handsets (essentially network devices). Suppliers should also take some expert advice when it comes to their client contracts, with terms and conditions requiring specific attention paid to liabilities in case clients simply do not implement best practice.

Carriers and Telecommunications providers are in an interesting and powerful position in the equation. The carrier position is interesting because they can in theory, actually benefit from Telecoms Security breaches – a £20,000 phone bill still has to be paid after all, be it by the resale partner or by the client. Moral issues aside, the dilemma arise when fraudulent activity places the client’s business in jeopardy: if a business folds, then recovering the money becomes a much harder proposition. This is not to suggest that carriers encourage fraud, rather that history has shown that the responsibility of managing security and cost has always been pushed down the supply chain. Most carriers, at best, offer simple credit limiting or algorithmic analysis of traffic patterns.

The industry has a responsibility to do more, not just from an ethical point of view, but by offering enhanced protection at the Carrier level.  Doing so means changing the whole dynamic between resellers and end clients. If we can empower both the end client, and the reseller to control in real time the volume of minutes to every possible global destination (or group of destination), we can ensure end clients will always know what their maximum liability would be. This is minute limiting for the global business environment that is both dynamic and at the control of both key stakeholders – the business and supplier chain.

Consider now the dynamic of the supplier / client relationship if ‘cost of fraud’ wasn’t an issue. How would your approach to IT and Telecoms security change if a business-crippling financial penalty wasn’t threatening to be the end result of a security breach?

If the acceptance of ‘risk’ becomes easier to tolerate because there is a layer of protection and mitigation delivered through the telecoms supply chain by partners who are proactive, rather than reactive, then choices made by end clients become simpler, and could actually be different.

This can be taken a step further, so much so that if we accept that there is no perfect system and there is always a risk, then we can decide which method of working, or what telephony connectivity represents an acceptable level of ‘risk’. Clients can then assess the practicality of a heavily locked down infrastructure versus the ability to be dynamic and innovative in working practice.

We are not advocating businesses becomes an open door to hacks, rather that the whole supply chain can be chosen to facilitate a sensible approach to IT and Telecoms security that is simple to manage and doesn’t become a rod to the back of a business.

Thought leaders for the future

So what do we do about it? Well first of all, there is no perfect solution. If you admit to yourself and accept that people by nature will always be the weak link when it comes to telecoms security, then how you deal with peoples’ nature will be the defining aspect of IT and Telecoms security for your business, either globally or domestically.

Accept the view that once a file is emailed, voicemail sent out, or words have left your mouth, you have ultimately lost control over them. From that point on they can be copied, re-purposed and distributed without your permission on an exponential scale. Within Telecoms security however, you can at least limit the financial damage to an almost negligible level.

We are therefore in a more fortunate position than our friends in the IT and Data security industry where personal information, intellectual property and company data stores are also at risk.

It is time for the telecommunications industry to regain the initiative, the ‘old way’ of doing things, and the old business paradigms the industry that apply brakes to progress. Instead of playing catch-up and adopting a siege mentality, we have to change the way with think about security. Acceptance of risk, balanced with technical mitigation solutions should be weighed against the potential cost of a security penetration.

Suppliers and clients must be both pragmatic in the implementation of security protocols, and both parties must understand their responsibilities and the corresponding risks of waiving them. This is certainly an matter of education, and business owners have a responsibility to take the time to understand what those risks are, as there are currently no formal benchmarks in the industry currently that relate to telecoms security to guide selection.

A crucial step to understanding your risks and developing a strategy that suits your business is obviously working with the right supply chain: Partners can be trusted advisors to business owners and IT specialists, that offer the right solutions, even if those solutions don’t necessarily come from an established brand that has been around for decades. Telecommunications has become a managed service.

We are now, more than ever, part of a corporate ecosystem of applications. The more you lock it down, the more you dampen the dynamism and creativity within a business. So think carefully about how you deliver services to your clients.  Deliver value and don’t be afraid of breaking from tradition.  Learn from the past, but don’t be shackled by it.

This is telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss”
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s“
Manuel Basilavecchia on “A mobile operator fraud case study”
Jonathan Rodwell on “Telecoms and IT Security”

This second post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.

Telecoms and IT security in the UK and Technical best practice

In an excellent and wide ranging two part series, SIP Trunk Plus CEO Jonathan Rodwell dives into the world of telecom fraud. In this first post he looks at Telecoms and IT security in the UK and Technical best practice.

Executive Summary

Telecoms and IT security is a massive industry in 2015, but the lack of security and the results thereof are talked about much more quietly. Instead service providers and technology delivery partners prefer to speak of uptime, and resilience. It is hardly surprising that what we don’t hear mentioned is who suffers from fraud. Big consumer data breaches hit the headlines frequently though only vast corporations like Target, TalkTalk and Sony really hit the headlines of the business community. Target was the result of a third party supplier breach but the snowball effect affects the entire business community.

Fraud is perpetrated every day. We fear being the victim but the reality is that often we are the problem as much as we are the solution. The IT and Telecommunications industry’s challenge is to effectively address the “elephant in the room”.  Talking about fraud with clients is interesting because service providers don’t want to sell on ‘fear’. Yet, at the same time, when they provide only one aspect of client infrastructure (e.g. telecoms), they may have no direct control over the infrastructure or the end user’s business or employees. When ‘fraud’ is perpetrated the initial and historical reaction is ‘fire fighting’ by identifying the cause and implementing a solution. Finally, they determine who gets the blame. One thing is certain, regardless of ‘fault’, the provider’s brand is damaged simply by association.

This first post is an examination of:

1. The Telecoms and IT security in the UK
2. Technical best practice

 

The second post  addresses:

1. The human wild card
2. We need a new way of thinking

 

Perfect solutions may not be available, but by removing the most painful and immediate result of a telecoms security breach – the financial cost – companies can change the way they approach security. Removing the risk of an expensive pay-out – which a service provider does not want to request, nor a client receive – massively changes the dynamic of the whole security equation.

By removing the risk, core stakeholders can then (in theory at least) work together in a cooperative, and constructive ways to firstly, ensure that a process of best practice is implemented, but also ensure that the cause of most hacks – human error – means that scapegoating and blame can be turned into a justification and positive reinforcement exercise that strengthens the client’s focus on increasing their information and network security across the board. Happy clients mean happy service providers and protection for the industry’s reputation.

Telecoms and IT security in the UK – where are we today?

In 2015, Telecoms and IT security are one and the same. A Legacy or IP PBX, or IP handsets are simply network devices that can provide huge business benefit and are crucial to most business operations. They are, however, devices that must be managed carefully along with every other network device so that they are not open to misuse. Similarly to the Local Network, infrastructure services like ISDN and SIP Trunks must also be managed, and some legacy services such as ISDN have more inherent risks associated. PBX security does not happen ‘out of the box’, it requires careful planning and control of both the network and connectivity.

Worldwide spending on Information Security showed an increase of 7.9 percent on 2013 and is predicted reach $71.1 billion in 2014 and to grow a further 8.2 percent in 2015, with roughly 10% of security capabilities delivered through cloud services¹. Malware and processing power are available on an industrial scale at relatively low cost and businesses must prepare themselves to prevent becoming targets.

An enormous telephony bill at the end of the month, for some, could be the only indication that they are the victim of Telecommunications fraud. A frightening situation for anyone – be it the business owner or the IT Manager responsible for making sure that such a situation doesn’t happen. What is the initial reaction? Apportion blame? Deny liability for the costs? Fire a supplier or an employee? Contact the police or seek remedy in court? Two things are certain, a business will not be happy to pay such costs; and the resulting fallout can destroy even the longest standing business relationships.

The first question is what we can define fraud as? Is it simply exploitation of third party resources for financial gain? Or does it also extend to company employees costing their employer more, by extending their use of services provided by the company for personal benefit? We work on the basis of the full definition and focus on any expenditure that would not have been authorised by a company (in relation to their Telecommunication systems) is fraud.

Experience to date shows that the costs of fraud often never see the light of day. The reporting rate to the police the Action Fraud Bureau is just the tip of the iceberg. The Telecoms industry has been forced into a position where liability is the responsibility of the end clients simply to protect their own businesses, which in turn stimulated the development of the entire Info Security industry.

European Commissioner Neelie Kroes, Vice President for the Digital Agenda, was typically direct in her views of the Telecommunications industry: ‘Sometimes I think the telecoms sector is its own worst enemy.’ She went on to ask whether we will be leading the industry or whether we will be dragged ‘kicking and screaming’². This may seem negative, but the Telecommunications industry has been around for over a hundred years, and like many mature industries, change can come very slowly.  While consumer telecoms, driven by the likes of Apple and Samsung, has commoditised the industry and radically adjusted consumer perception, the more traditional business to business market moves much more slowly.

The business and technical challenges

The fact is that we, as providers of telecommunications services, are providers of business critical services; the security of which we don’t necessarily have control over. This seems counter intuitive, doesn’t it? However, the challenge does not end there; types of exposure to fraudulent activity can vary significantly depending on a number of factors, not the least of which is the actual size of organisations.

For example, a company with 5 employees may have no IT expertise in house; they could rely on outsourced network support (or no network support at all) and leave themselves exposed on a variety of levels. A FTSE100 company on the other hand, may have an IT department consisting of dozens (or even hundreds) of staff, with a multimillion pound budget, but the sheer volume of devices that access their network and potential complexity of the network alone doesn’t offer them certain protection. Consider the recent cases of Home Depot and Target in the US, for example, who were penetrated at the point of sale at a cost to their own brand and their bottom line.

So what are the key considerations when it comes to telecoms security?

An onsite PBX is inherently vulnerable.

Physicality – As we know, unless equipment is in a secure environment with biometric and prescribed access control procedures, the PBX can be accessed and call routing tables amended. Note that organisations such as the NICC refer to a plethora of documentation in respect to best practice for such installations; however, how many companies are in a position to adopt such best practice?

Unauthorised access can be gained by anyone, from a systems administrator to a cleaner.

Remotely – many PBX’s are connected to the internet to enable remote access from their providers and to interface with cloud servers such as Jabber for IM and contact centre technologies, for example.

The first challenge is securing the local network, such as blocking port 5060; however, who controls the network? Is it the IT support company (in-house or contracted) or the communications provider? More often than not it is both – two brains potentially acting separately. This creates grey areas of responsibility as demonstrated by a recent High Court case where £35K of fraud was held against the communications provider.

There are two principal methods by which fraud is perpetrated:

1. Hacks over the internet
2. Dial-through fraud – Hacks via voicemail pin

 

Both of these methods aim to divert traffic to premium rate numbers (usually international) whereby the fraudsters are rewarded with the profit generated from such numbers.

What about at a national and global level?

Typical Methods of Prevention

The Telecoms supply chain can be very complex.  A carrier provides minutes to a sub-carrier and in turn to a reseller and in turn to, say, a SIP trunk provider and then again to the end client, or indeed another reseller. There are many combinations and permutations in the supply network.

What about at a Carrier Level?

Responsible carriers will offer protection using two principal methods:

1. Referring to a fraudulent number repository – and blocking calls to such destinations
2. Algorithmic – detecting unusual traffic patterns and blocking calls accordingly.

 

At Sub-Carrier Level

1. Credit Limits – Imposing credit limits on resellers globally

 

The only real way to protect against fraud is the intelligent and real time monitoring of call traffic via Call Detail Records, or the logging of minutes. The challenge the reseller community has is that they are reliant on carrier provided monthly CRDs which only deliver the information after an incident has taken place, over a period of time. A very large cost can be accumulated in the space of an hour, let alone a month.

There is a major consideration too for the reseller community: They will have a company credit / supply limit with their SIP Trunk carrier globally. If that reseller hits their credit limit an automatic block on their services is implemented (automatically); that could potentially mean a block on all of their clients trunk services – a total service outage in effect. It is absolutely crucial the telecoms channel be able to manage their client base at a granular level and in real time.

This is telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss”
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s“
Manuel Basilavecchia on “A mobile operator fraud case study”

This post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.

In his second post, to be published tomorrow at 1pm Jonathan conclude by looking at

1. The human wild card and
2. We need a new way of thinking

 

¹ Gartner Press Release, Sydney, Australia, August 22nd 2014
² Adapt or die: What I would do if I ran a telecom company, FT ETNO Summit 2014, Brussels, October 1st 2014

Missing Trader VAT Fraud

Fraud is for telecommunication companies a wide problem. Several fraud scenarios are well know like IRSF, PBX hacking, Bypass, and could be managed using a Fraud Management System (FMS).

Nevertheless, there is a fraud mechanism that could severely affect the business of a company even if this company is using an FMS. This fraud mechanism is called Missing Trader VAT fraud and is a significant problem for both business and tax authorities.

This type of fraud becomes possible because of the way the VAT system works within the European Union. This article aims to describe the Missing Trader VAT fraud mechanism at least at the top level.

How it works?

As a first step, fraudsters create a company (telecom reseller in this case). As a second step, traffic is purchased and resold.  Following the normal VAT mechanism, VAT is charged to and recovered from the end customer by the fraudster.

Up to this point, everything is ok. However the fraudster then disappears before having handed over the cash to the VAT authorities.

This in turn can cause a problem for the innocent party who has handed over the VAT to the crooks because the taxmen believe that they can recover it from said innocent party. This is a major risk for the business, especially as tax authorities can apply penalties. 

They get you with the “should have known” clause. They repeated say that you must know your customer and your suppliers and you have to prove to them that you’re innocent – a reversal of natural justice.

It is important that you read the leaflet linked to below. If you do not take due care and HMRC can demonstrate that you knew or should have known that your trading was linked to fraudulent tax losses then you will lose your entitlement to claim the input tax linked to those transactions.

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/366907/How-to-spot-missing-trader-fraud.pdf

In reality of course, when a MTIC is established, it is made is a more complex way than the basic principle described above.

Indeed, the fraud can be perpetrated on genuine traffic, meaning that no alarm will be triggered by the FMS. Also, a “clean” supplier with which a customer has business relations since years can suddenly enter in this bad game

Last but not least, in many cases several companies involved in the supply chain are complicit (buffers). This help to hide the full picture if the fraud and enable carousel mechanism.

How to detect Missing Trader VAT Fraud?

We have seen that this fraud can occur on legitimate traffic which makes detection more complicated. For that reason, a number of different checks must be made on various aspects of the workings of a business: legal, financial, and traffic analysis.

This is especially although not uniquely for new interconnections. Existing interconnections also should also be regularly checked.

Market intelligence is also a great added-value in order to avoid to connecting with suspect companies or companies managed by people who have had issues with tax authorities in the past

Considering the nature of this fraud it is important to set up alert processes across your finance, legal and fraud management departments.

Sources:

MTIC (VAT fraud) in VoIP- B.U school of law/Boston University, School of law Working Paper No10_03. Richard T.Ainsworth

ETNO/ Missing Trader Fraud. Telecommunications Industry Standard Risk Management Process

HM Revenue & customs/ Missing Trader Intra Community (MTIC). VAT Fraud presentation. Joanne Cheetam MTIC National Co-Ordination Unit . 2012