Araxxe Warns That EU Rules Encourage CLI Fraud

Customers benefit from low wholesale rates for telecoms traffic within the European Union as it moves toward the total elimination of roaming rates, a reform driven by Andrus Ansip, Vice-President of the EC in charge of the Digital Single Market (pictured above). However, an expert at test call vendor Araxxe warns these reforms are also causing an increase in frauds that disguise the true origin of traffic. Last week I spoke with Philippe Orsini, the long-serving Product Manager for test call provider Araxxe, and he told me their test results show fraud is rising in Europe because of differentials in interconnect prices relating to the origin of the call. Whilst the interconnect cost of calls that originate and terminate within the European Union has been forced down by government intervention, the gap between the EU rate and other rates creates a new opportunity for fraudsters who manipulate the apparent origin of a call.

Philippe explained the issue like this:

We see that there is an issue in Europe… especially due to the European regulation implementing the differential termination rates depending on the origin of the traffic. So this simple change in the regulation was a perfect story for the fraudsters, to make the simboxes come back to Europe.

Philippe told me the same kind of interconnect billing fraud is found in other parts of the world where there are also differentials between termination rates. For example, the same kind of fraud is found in Middle Eastern countries like Oman and Saudi Arabia. What makes Europe such a fascinating example is that simbox use had died out because fraudsters could not make a worthwhile profit margin, but they are now making a comeback because of this new opportunity.

It is worth pointing out that this fraud might involve using simboxes to manufacture a leg of the call which originates within the EU, but it can also be realized by manipulating the call data, as in the case of refiling the Calling Line Identity (CLI). Either way, the goal is generate a bogus origin that supersedes the real one.

Fortunately for telcos, test calling is a technique that can identify either criminal endeavor. By making large numbers of calls between ‘robot’ phones located around the world, Araxxe knows all about both the source and destination of each call. A simple comparison will then show if the data or the call has been manipulated to disguise the true origin. The successfulness of the test call method hence depends on performing enough test calls and getting a wide enough sample to catch the criminals.

Philippe told me that if telcos are unsophisticated they leave themselves vulnerable to very basic tricks. For example, the criminals might simply add the ‘+XX’ digits indicative of a call which originates in a particular foreign country, even if the rest of the number is unchanged and is hence inconsistent with the number range used in that country. As each year goes by, I am more convinced that many significant weaknesses would be addressed by a better understanding of number ranges. This is also a good example of how the defense against fraud may involve executing a layered strategy where controls at one level are reinforced by other controls elsewhere.

Talking about the sophistication of interconnect billing, Philippe said Araxxe’s test results indicate telcos and their suppliers need to improve.

…we see more and more basic CLI manipulation… just because it looks like it is effective… Origin-based billing is now available, is operational, but I would say it looks like a basic feature.

Obviously price differentials are an essential enabler for this kind of fraud, but I asked Philippe the importance of demand and traffic patterns too. I speculated that Germany may be more susceptible to fraud because of the number of Turkish immigrants living and working in the country, leading to a greater volume of relevant cross-border traffic. Philippe agreed but his data shows the problem is worse for Mediterranean countries with sizable populations from North Africa. When I asked Philippe to be specific he said:

It impacts incoming traffic to Italia, incoming traffic to Spain. Germany also [suffers] but not so much.

Whilst expat populations have an influence, so does the location of borders between EU and non-EU countries. For example, this encourages fraud involving the Baltic states and Russia. As Philippe put it:

On the left side of the border you have one price, on the right side of the border you have another price.

Without expecting precise numbers, I asked Philippe for his estimate of how much fraud had increased in Europe in recent years.

What is clear for us now, because we are monitoring that for our European customers, is the global level of fraud impacting their incoming traffic is something between 20 to 30 percent.

The starting point for our conversation was not a specific kind of fraud but a useful white paper from Araxxe which categorizes all the kinds of fraud involving simboxes; you can download it from here. I really liked the paper because it analyzed all the possible combinations of who might own the SIM card that is being exploited, whether the SIM card is roaming on another network or not, which number is being called and which kind of traffic is carried. Though it might sound dry, I find this kind of breakdown to be the cornerstone of good assurance work. Telcos should turn this kind of analysis into a checklist. Then the assurance, fraud and risk teams should collaboratively walk through every combination on the checklist, determining which controls they have in place for detecting and mitigating the related risks. This kind of exercise tends to be very powerful because it highlights the gaps in the telco’s defenses, and helps disparate teams to acknowledge where they are relying on work done elsewhere in the business.

As Philippe pointed out, some telcos monitor the impact of fraud on voice, but neglect SMS because of falling revenues. Whilst person-to-person (P2P) SMS may be in terminal decline, application-to-person (A2P) SMS revenues continue to be significant and need to be protected. A checklist-driven approach can help telcos to think more clearly about the gaps in their controls and the extent of the risk they are willing to tolerate.

Test call providers have an outsider’s perspective. Whatever telcos may think of themselves, if you make enough test calls you gain an accurate picture of what is really happening, whether you are seeking to measure the quality of a call, the preponderance of fraud, or the likelihood of a billing error. That kind of objective data is a useful sanity check for everybody involved in telcos, whether they are a CEO who wants better profits or a regulator that sets prices.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.