Reducing Telecoms Fraud Losses

Transcription

1 Reducing Telecoms Fraud Losses A Telsis White Paper Intelligence for Your Network

2 Introduction According to the Communication Fraud Control Association (CFCA), fraud costs the telecoms industry 1.69% of all revenues that s over $38bn annually. The techniques that criminals are using are becoming increasingly sophisticated and telecoms interconnect agreements and international trading agreements make it difficult to prevent the criminals from receiving the proceeds of their fraud. This white paper looks at some of the common ways in which these criminals are committing telecommunications fraud and what steps Network Operators may take in order to prevent it happening. Introduction to Telecoms Fraud Since the origination of the first telephony services, criminals have sought ways to use them for fraudulent purposes. Early types of fraud were basic (such as using the phone to impersonate someone), however fraudsters have become more sophisticated and the types of fraud being perpetrated have become far more difficult to detect and prevent. The Communication Fraud Control Association (CFCA) estimates that fraud is costing the telecoms industry 1.69% of all revenues. The biggest single type of fraud is International Revenue Share Fraud (IRSF) which alone accounts for over 28% of all fraud. Traditional switched telephone networks have suffered from a range of different types of attack by fraudsters. However, the liberalisation of the telecoms market and the move to IP based telephony has opened up telephony networks and increased the opportunities that criminals have to commit telephony fraud. SS7 based telephony networks were inherently secure due to difficulties in gaining physical access and technical obscurity. Modern IP networks do not provide the same level of physical security. Packet based networks are more accessible than TDM networks and SIP is more widely understood than SS7. This means that in general, SIP based networks are less secure than SS7 networks. As we enter the world of SIP interconnects, operators will need to implement robust fraud control measures to detect and manage fraud. Otherwise their losses are set to increase. The ease of configuration of SIP based systems will also lead to an increase in fraud. Whereas it was difficult to configure TDM equipment (often requiring proprietary management tools), configuring VoIP equipment is trivial by comparison. This opens the window for disgruntled employees to make malicious configuration changes to network systems.

3 International Revenue Share Fraud International Revenue Share Fraud (IRSF) relates to fraudulent calls to international numbers where the criminal receives revenue from those calls. Revenue comes either directly from the terminating Network Operator as part of a revenue share agreement or by other means, such as hijacking of the interconnect. Calls may be made by a number of different means, such as hacking, tricking people into making calls, or by illegally obtaining SIM cards. In each case, the result is the same calls are made to these IRSF numbers. In most circumstances, Network Operators try to pass the liability for the cost of these calls onto the person or company whose account has made the fraudulent calls. While this approach can damage the Network Operator s brand, recent cases in some jurisdictions mean that it is actually the Network Operator that is responsible for these losses. Many jurisdictions now take the approach that a Network Operator cannot enforce charges for fraudulent calls as they cannot benefit from the proceeds of a crime. Differences between International and Domestic Revenue Share Fraud International Revenue Share Fraud (IRSF) and Domestic Revenue Share Fraud (DRSF) (also known as Premium Rate Service Fraud), may be committed using similar methods. However, it is IRSF that is used by the majority of organised criminals. Interconnect Hijacking In order to maximise profits, organised fraudsters may look to hijack interconnects. To hijack interconnects, fraudsters obtain a number range in an island state, such as a small Caribbean island that has a relatively high international call termination rate and set up an international interconnect service. They then advertise a low interconnect rate for calls to that island and have calls routed via their interconnect. Legitimate calls to the island are routed correctly (often at a loss) such that the interconnect passes any call tests but calls to their number ranges are terminated before they reach the island, ensuring that the fraudsters maximise their revenue. For example, if we assume that the island s regulators impose a $0.10/minute termination charge for international calls, then legitimate interconnect carriers would charge at least $0.11/ minute for calls to that island, allowing them to make a margin for handling the call. If a fraudster offers an interconnect at $0.10/minute for calls to the island, then least cost routing rules would ensure that their route is chosen, providing the route passes call quality tests. In reality, the fraudster would simply use another interconnect company to route legitimate calls to the island at a loss, however for calls to their numbers, they would not route calls to the island and would take the full $0.10/minute for their calls. If there are 10,000 legitimate call minutes per day to the island but the fraudster manages to artificially inflate traffic to their numbers by 100,000 per day, then the legitimate calls would cost them $100 per day (10,000 minutes at $0.01/minute) but their income from fraudulent traffic would be $10,000, resulting in a net profit of $9,900. The main advantage of IRSF over DRSF for criminals is that due to the international nature of the fraud, it is very difficult for payments to be stopped and for police agencies to co-ordinate efforts to disrupt the fraud. International interconnect agreements typically state that payments must be made even if fraud is suspected. Given that a typical case of IRSF may involve three or more different countries, it is difficult for national police agencies to track the fraud. On the other hand, many domestic telecoms regulators allow network operators to delay or stop payments for suspected fraudulent calls. If the criminal is not going to be paid for calls, or faces arrest from a national policing agency, then they will not commit that type of fraud.

4 How to Commit Fraud IRSF may be committed using a number of different methods. Some of the common methods are outlined below. PBX Hacking In this case, Network Operators provide SIP and ISDN trunking to their enterprise customers. These enterprise customers typically connect their trunks to premises based PBX systems. (Some enterprise customers are moving towards Network Operator hosted PBX solutions.) Once a hacker has gained access to a PBX, they may use it to commit international or domestic revenue share fraud. IP Device Hacking Although SIP telephony has been mainly restricted to business use, residential use of SIP telephony is on the increase. A number of broadband routers now support SIP Gateway functionality, providing an interface that allows analogue telephones to be connected. Vulnerabilities in early devices have allowed hackers to take over these devices and use them to make calls. Calls made by the enterprises are made through the PBX to the Network Operator. The calls may then traverse one or more transit carriers before reaching their destination. Many PBXs, particularly new IP PBXs that offer remote management, are not secure and may be vulnerable to attack by hackers. Common weaknesses include default passwords, poor password security, software bugs, weak dial-in PIN codes and poorly configured controls. An increasing number of devices support this functionality and have the potential to suffer the same vulnerability. Due to the nature of consumer behaviour, such devices are likely to remain unpatched, even where fixes are available. Once a hacker has gained access to an IP device, they may use it to commit international or domestic revenue share fraud.

5 Subscription Fraud Post-paid (often called contract) SIM cards allow users to make calls on account, and settle their bills on a monthly payment schedule. As with Subscription Fraud, the proceeds may be enhanced by using the SIM with Multiparty Conferencing or Explicit Call Transfer to establish multiple simultaneous calls. In order to obtain a post-paid SIM card, customers must go through a series of checks in order to confirm who they are and that they are credit worthy. Criminals may use fake or stolen identity in order to obtain a post-paid SIM card. Dealers may also work with criminals to make it easier for them to obtain post-paid SIMs. Once the fraudster has got hold of the SIM card, they may use it to commit international or domestic revenue share fraud. The proceeds from this type of fraud may be enhanced by using the card whilst roaming (in an effort to maximise the time taken to detect the fraud) and by using GSM techniques such as Multiparty Conferencing or Explicit Call Transfer to establish multiple simultaneous calls from a single SIM. Stolen Devices Mobile phones are an attractive target for criminals such as pickpockets. In addition to being able to resell the actual phone, they are able to exploit the SIM card to commit fraud before the owner reports the phone as being stolen. Criminals often target foreign tourists, as they are generally unfamiliar with where they are and may take time to understand how they can report their phone as being stolen whilst they are abroad. Once the fraudster has the SIM card, they may use it to commit international or domestic revenue share fraud by placing the SIM in an auto-dialler device. Where CAMEL based roaming is not available, operators rely on CDR based reconciliation. This makes it more difficult for operators to detect this type of fraud. Account Takeover Most VoIP services rely on the use of private credentials that are used to identify user accounts and allow devices to register with the network. There are a number of ways in which a fraudster may steal user account credentials such as: Snooping insecure data networks for login details Phishing/social engineering to trick the user into providing their details Tricking the service provider to provide account details. For example, calling customer support to say that they have a new device, but can t remember their account details. Once they have obtained the user s credentials, they may change those credentials to lock the user out of the account. Once a fraudster has taken over an account, they may use it to make calls and commit international or domestic revenue share fraud. Wangiri Wangiri (literally, One [ring] and cut ) is a type of fraud that originated in Japan. The aim of Wangiri is to get users to call a premium rate number (national or international).

6 To commit Wangiri, short calls are made to a number of users. These calls appear to originate from the fraudster s international number, however they may actually be made from another location using CLI spoofing. The calls are short enough that they are not answered, but long enough to leave a missed call on their phone. Usually mobile phones are attacked by this fraud but other phones could also be targeted. When the user sees the missed call on their phone, they think that it is a genuine missed call and call the number back. They are then charged for this call. The fraudster may simply play ring tone for a period of time leading to increased call durations. Victims of this fraud may not realise that they have been subject to fraud until they receive their monthly bill. Detecting Fraud For many Network Operators, the easiest way to detect call fraud is to perform statistical analysis of Call Detail Records (CDRs). By analysing CDRs, network operators are able to: Detect when the call volumes to certain destinations increase Detect unusual call patterns such as a sudden increase in overnight calls from a customer Detect unusual patterns of overlapping calls (for example multiparty calls) From this analysis of CDRs, Network Operators are able to identify compromised accounts and high risk destinations that terminate fraudulent traffic. Once the fraud has been detected, they may configure their network to block subsequent calls. Although this CDR analysis approach is useful for blocking future fraud, it s only effective once fraud has occurred and the Network Operator has already incurred costs. In other words, it s a reactive approach. Reducing Fraud Windows Most early CDR processing analysis tools processed CDRs a few times each day. This resulted in quite large fraud windows, as it may take several hours for the fraud to be detected. One of the strategies for reducing fraud is to process CDRs more frequently with a lower latency. Some newer CDR analysis tools are able to cut the time required to detect fraud down to 30 minutes or even less. Automation Even when CDR analysis tools flag up an incident to action, the manual nature of the processes required to reconfigure the network to block fraud, mean that it may still take time to stop the fraud occuring. This is especially true out of hours, in the evenings and at weekends. This has led to a change in the behaviour of fraudsters, with most starting to commit fraud overnight or at the weekend to maximise their income before the fraud is blocked. In order to overcome these limitations, fraud management tools are starting to integrate with network systems in order to automate the process of blocking fraudulent calls. When fraud is detected, the fraud management system automatically provisions call blocking rules to the core network, reducing the latency between detection and blocking. Honeypots and Hot Numbers The above strategies are all based around detecting fraud after it has occurred. An alternative approach that is used to detect the numbers used to commit IRSF is the use of honeypots to generate lists of hot numbers. A honeypot is an PBX that is left unsecured with its default password. This may typically be an Asterisk PBX that is exposed to the Internet in its default configuration. Such open devices are quickly detected by hackers, who then create their own access accounts and take over the device. Once a hacker has taken over a device, at some point (typically on an evening or weekend), they will start to attempt to make calls to the IRSF numbers which they own. By monitoring these calls, Network Operators are able to use these numbers to block subsequent calls to those numbers. In order to increase the effectiveness of hot number databases, telecoms trade associations may collate and share lists of hot numbers generated by its members with other members.

7 Case Study - German Tier-2 Operator VSE NET, a regional telecommunications provider based in the Saarland region of south-west Germany, recently installed Telsis fraud prevention solution Voice SafeGuard. Having discovering a fraud attack on one of their customer s PBX, VSE NET started using CDRs to detect fraudulent usage. While this analysis led them estimate that the impact of fraud was costing them between 100k and 200k per annum, they could only detect the fraud once it had occurred, and they decided that they needed a proactive real time solution. Since installing Telsis Voice SafeGuard, VSE NET have seen a significant reduction in fraud losses. Michael Leidinger, Managing Director at VSE NET has said Comparing the before and after data, we observed the incidence of fraud reduced by a factor of 100:1. A typical fraud attack previously cost us an average of 1000 and we have now been able to reduce this to only 13. Voice SafeGuard Business Case Voice SafeGuard typically offers rapid payback and generous ROI. The tables below show payback and 3-year ROI for two of Telsis recent customers. Real-Time Fraud Prevention Telsis Voice SafeGuard takes an alternative approach to blocking IRSF. Rather than taking a reactive approach to blocking fraudulent calls once the fraud has taken place, the approach taken by Voice SafeGuard is to block calls in real time and works equally well at the weekend and holidays as it does during working hours. Rather than analysing CDRs, Voice SafeGuard sits within the telephone network and makes its decisions in real time, deciding whether a call should be allowed, before the call is actually connected. Voice SafeGuard uses the same call meta information as CDR based solutions, but does it at the network level, allowing it to analyse call patterns in real time as calls are being made, removing CDR generation and processing latencies. When a new call is made to a high value destination, such as an international or premium rate call, Voice SafeGuard is able to analyse the source and destination addresses and decide if it should allow or reject the call. Rather than rejecting calls, Voice SafeGuard is also able to operate in monitor mode, where it still detects fraudulent calls, but simply generates alerts rather than actually rejecting traffic. Challenges Facing MVNOs Thin Mobile Virtual Network Operators (MVNOs) face a particular challenge when looking to combat telephony fraud. Thin MVNOs do not have access to the network. They simply issue SIMs, invoice customers and pay charges to the MNOs that host their services. If they are the target of subscription fraud, then users could run up significant charges before the MVNO detects the fraud. Losses may be further compounded by the use of multiparty calling, which allows each SIM to have 6 simultaneous calls in progress at a given time. In order to detect fraud, MVNOs should ensure they receive Near Real Time Roaming Data Exchange (NRTRDE) records from their hosting provider. They should then pass these NRTRDE records through fraud detection algorithms, instructing their MNO to block any SIM cards that fail fraud checks. While this approach does not eliminate all fraud, it does reduce fraud windows and their associated losses.

8 In addition to simply blocking new calls, Voice SafeGuard also has the ability to tear down calls in progress once fraud has been detected. For example, should Voice SafeGuard detect a new IRSF number, it is able to clear any calls in progress to that IRSF number. This is particularly useful where the fraud involves multiple long calls to a fraudulent number further reducing operator losses. For more information on Voice SafeGuard, please visit or contact a Telsis representative. ABOUT TELSIS Telsis is a leading innovator in telecoms network service intelligence and has a wealth of experience in this area. Founded in 1987, Telsis has been promoting service innovation to both incumbent network operators and other licensed operators for more than a quarter of a century. The Ocean range of Voice and Next Generation Products are in service with some of the world s leading operator groups including BT, EE, Telefonica and Vodafone as well as regional operators including EWE Tel, KCom, M-Net and TalkTalk. Telsis can help operators make the most of their investment by providing service development and migration consultancy, helping operators to move from TDM to NGN at their own pace in small, reversible steps whilst offering the same services across both technologies. Glossary Acronym Term Definition CAMEL Customised Applications for Mobile network Enhanced Logic An application to easily extend the services offered within a GSM network CDR Call Detail Record A record of a call that is used for billing purposes and may also be used for analytical purposes CLI Calling Line Identity A telephone number that indicates the origin of a call. IP Internet Protocol A protocol for transferring data between two end points on a network IRSF ISDN NFV PBX PRS SDN SIGTRAN SIP SS7 TDM International Revenue Share Fraud Integrated Services Digital Network Network Function Virtualisation Private Branch Exchange Premium Rate Service Software Defined Network Signalling Transport Session Initiation Protocol Signalling System No. 7 Time Division Multiplexing A type of fraud involving premium rate numbers in different countries A standard for sending voice, video and data over digital phone lines A network architecture using IT virtualisation technology to create telephony networks A small telephone exchange device that serves a particular business or office A telephone service where the call charges are higher than normal call charges A network architecture where the control and management of the network is split from the actual network devices A technology for transporting SS7 signalling messages over an IP network A next generation telephony signalling protocol A telephony signalling protocol that is used within and between TDM telephony networks A method of transmitting multiple telephone calls over a single physical data link. VoIP Voice over IP A technology for carrying calls over an IP network Contact: contactus@telsis.com UK t: +44 (0) Germany t: +49 (0) Copyright Telsis Communication Services Limited Telsis products are subject to continual development and specifications may change. Prospective buyers should exercise their own independent judgement to confirm the suitability of our products for their particular application. All trademarks are the property of their respective holders.