One of the biggest challenges in fighting telecom fraud is simply knowing where to start. Fraud threats are so diverse and complex that’s it’s hard for fraud managers to get their minds around the problems.
Jim Bolzenius is Head of Anti-Fraud Services at TNS, a leading provider of roaming, clearing/settlement, signaling, interoperability, and information validation solutions to the telecom industry. Prior to joining TNS two years ago, Jim held the high profile job of Executive Director of Fraud and Prevention at Verizon Wireless.
I think you’ll thoroughly enjoy reading Jim’s clear, cut-to-the-chase way of explaining fraud management issues. He begins by giving us a quick backgrounder on International Revenue Share Fraud (IRSF) and subscription fraud. He then follows that with nine solid strategies for aiming a carrier’s or MVNO’s fraud prevention program in the right direction.
Dan Baker: Jim, people are familiar with the basics of IRSF fraud, but the details on exactly how fraudsters make their money there are less clear. Can you shed some light on that?
Jim Bolzenius: Sure, Dan. It’s really a case of “following the money.” If you trace the way money flows in these schemes, understanding IRSF and premium rate fraud becomes rather simple. Basically the fraudsters need to cut a deal with a supportive local exchange carrier (LEC) in a country that has a high exchange rate. Historically, these locations included Somalia, Gambia, and Latvia. These are the popular destinations.
In some cases the LEC is owned by the government, so if you seek help from that government to stop the fraud, they really don’t care. This is especially true if the government official working with the fraudster just bought himself a new Bentley :-)
To generate traffic, the fraudsters use a conference call line, a hacked PBX, stolen wireless service or a variety of other means to push traffic to these high rate destinations. And then the terminating carrier splits the revenue with the fraudster who generates all of the calls.
In the end, it’s the “A number” home carriers who lose money. Whoever’s customer generated those calls has to pay the bills all the way down the line. And there’s no relief from that.
Now the US domestic version of IRSF is called “traffic pumping”. And here the LECs are located in various States: Iowa has been a typical location.
You see a lot of calls being pumped to those LECs for things like free conference calls. And it’s the same model as IRSF: they are paying someone to pump phone calls into these locations so the carrier can make money and share the revenue with the people generating the calls. Please note that this Domestic Traffic Pumping is not illegal and some businesses are valid, but not all. Carriers just need to be aware of this process and look for suspicious activity.
Now you can think of IRSF as US domestic traffic pumping times 20 — because that’s the likely exchange rate difference.
So when you add it all up, IRSF, premium rate fraud, and traffic pumping are based on a very simple model.
Of course, the other big hurdle for the bad guys is getting in the door. They need to gain access to actual phone lines to do their traffic pumping fraud.
That’s right. And subscription fraud remains the number one method of gaining access. Now there are many ways to perform subscription fraud, and how to prevent and identify subscription fraud is a subject I could talk about for hours.
But the two basic schemes are to steal a person’s ID (True Name Fraud) or to take over an existing account or add-on lines to an existing account via social engineering.
Of course, what the fraudsters really love is a faceless transaction. That way, the bad guys don’t have to go to a store, show an ID, or risk having their picture taken by the store’s video camera. This is why much of today’s fraud occurs over the internet and through wholesalers or telesales. Dealers need to be closely monitored because we pay them a commission on sales. Do they really care if this guy is a little bit suspicious? Maybe not if the carrier has not implemented a commission charge-back process for subscription fraud activations.
Jim, how can carriers get their fraud management problems into high gear? What are some of the programs you feel are essential?
Well, I’ve put together a short list of 9 things that guide my own thinking. So here they are:
1. Make Timely Detection & Blocking your Key Goal
As a fraud fighter, you need to be realistic. You can’t really stop IRSF. The only way to totally stop it would be to disallow all international calls. And if you did that, I think sales would have a bit of a problem with that strategy.
So if you can’t stop it entirely, your key mission is to detect and block fraud as soon as possible.
The fraud losses can add up very fast. Let’s say you’ve got a fraudulent phone that’s reaching a $2 a minute destination and the fraudster is using the conference call function to generate six simultaneous calls or they activate lines via subscription fraud.
Now if you have real-time tools in place to look for that type of fraud, in 30 minutes or less you could identify and stop the fraud, so your fraud loss is still going to be around $360. No matter what, you are still going to lose money because you are not preventing the initial call, just detecting it as fast as possible.
But if you have no monitoring in place and are waiting, say, for the TAP records or CIBER records to come in, it could be two-days before you catch the fraud. So by not having the proper tools in place, that one fraud account could cost you $34,000. And that’s potentially just one phone with a six-way conference feature.
Now imagine your subscription fraud account had 10 phones with a six-way conference call feature. Well, you’re then talking about $300,000 in a matter of two days! That’s the money you lost because you didn’t have a real-time data feed and a Fraud Management System.
Real-time data exchange is quite critical. If you don’t have a NRTDE feed set up, you’re waiting for the billing records to come in. And by the way, the carriers partnering with the fraudsters are in no hurry to send you a billing record because the longer the fraud goes undetected, the more money they make.
This is why actively monitoring for calls to suspicious locations is key. You need to know where these are so you can identify them on the first call.
2. Use Social Network Analysis to Multiply Your Blocking Capability
It’s clear that when the first call from the first phone is identified as a fraudster, you should shut down that entire account right away.
But that one phone call can lead to other fraud prevention opportunities too. The secret is to run a linkage analysis back for accounts who the fraudulent account also called.
If I now have one bad account A, there’s an account B, account C and so forth that are associated with Account A, so you can potentially shut down 50 or 60 lines by doing that social network analysis. So detecting one bad phone call should lead you to other suspicious numbers.
3. Don’t Make PBX Hacking Easy for the Fraudster
Hacking a PBX to pump traffic to international destinations has been around for two decades or more, but it’s still a huge business for the fraudsters.
There are MVNOs out there serving business clients, and if they are not diligent with their security procedures regarding access ports, default passwords, and training employees regarding social engineering techniques, people will get into that PBX.
It’s amazing how many times a PBX is hacked because the default password on the PBX was never changed. Most hackers know the PBX manufacturer’s default password. So if you never change it, you’re going to have a lot of fraud.
4. Educate Customers and Call Center Reps about Social Engineering Schemes
One of the weakest points in a carrier’s defense is that customers and call center reps are often easy prey for the fraudsters.
Calling into a call center is a very popular path. They pretend to be a customer and attempt to take over accounts to add lines of service and international dialing features.
“Hi, I’m from General Motors (GM) and I’m the new telecom account manager here. I need 10 more mobile phone lines.” So with social engineering and phishing, people who are very experienced at this game can get your customer care rep to send them phones and add it to GM’s bill.
Another tactic is to send a text message to customers directly, saying, “Hey, I’m with Verizon Wireless, and you need to verify this information on your account or we will have to shut it off.” You’d be surprised how many people will send their sensitive ID information back by text or call the 800-number left by the message.
Or the text will send the customer to a website owned by the criminal where they gather information. They may have a Verizon or AT&T logo on the web page to convince the customer that the web site is valid.
5. Implement Processes to Limit Wangiri Fraud
One of the easier methods to commit IRSF or PRS fraud is via a method called Wangiri fraud (also known as a One Ring Scheme). Once again, it’s a very easy process. The fraudster sets up an auto-dialer to call thousands or millions of your customers; after one ring the call disconnects.
Now, amazingly, about 15% of people will actually call that number back.
So let’s say the call goes to Grenada. Well, the idea is to keep the customer on the line, talk to them with recorded messages, and all that time they’re being charged $10 a minute. Then, when your customer sees the bill, he calls to say, “Hey, Mr. Carrier, I don’t have international service with you, so why are you billing me for international calls?” So you guessed it: the carrier gets stuck with the bill.
And the fraudsters setup the Wangiri fraud by choosing the right call back numbers. If you aim to defraud US customers, the best place for the fraudsters to have their premium rate numbers is in places like Jamaica, the Dominican Republic, or Grenada. Calls to these countries are 10-digit numbers, so the customer looks at the area code and figures it’s a free US long distance call.
Now the cure to blocking this Wangiri fraud is to put in the right processes. Do you allow the Caribbean to be 10-digit dialing? It’s part of the North American dialing plan, so an International Dialing feature is not required to call these locations unless the carrier has established these locations as requiring that feature in their networks.
As these attacks are identified, it is imperative that the carrier notify and educate their customers to prevent further losses.
6. Control or Turn Off Dangerous Calling Features and Destinations
Does someone who lives in rural Minnesota ever need to call someone in the country of Latvia? I think the prudent thing is to block certain capabilities and dangerous calling features.
You really should consider blocking call-forwarding, multi-party calls, and explicit call transfers for all international roamers and international calls. The need for a valid customer to forward their phone to an international location or establish 10 simultaneous calls to an international location is very small and not worth the fraud risk. People doing that — 99% of the time — are criminals. And for the 1% who need that capability, well, I’m not sure those customers are worth the risk.
7. Monitor and Test your International Roaming Rules
Ok, you’ve set up your roaming rules to block six simultaneous calls because there’s a strong likelihood that’s criminal activity. It’s too much risk.
But how do you know your roaming partners are following these rules? How do you know they are not over-riding those rules?
Well, you need to test that. Depending on what switches they are using, the fraud prevention rules you set up may not be read properly. So make sure to test that your roaming rules are being followed in every market you roam.
8. Don’t Let Your Guard Down over the Holidays
What is the number one day for fraud losses in the USA? In the United States, it’s the Wednesday before Thanksgiving. That’s because many carrier fraud centers are closed on Thursday, Friday, Saturday and Sunday over the Thanksgiving holiday. Go back and look at write-offs and fraud losses for that time last year.
If you don’t have a 24/7 shop that cycles through the big alarms — or if your system doesn’t send you alerts or text message alerts — you will be hit hard during the Thanksgiving break. On Monday morning you could have thousands of alarms waiting for you.
People really need to come in over the holidays and watch for the big alarms.
9. Recognize that a Fraud Management System Alone is Not Enough
Finally, you need to ensure that the three legs of your program — systems, processes and people — all work together.
You need all of them. You could have the greatest system in the world, but if you don’t have the processes and trained people behind it, the system doesn’t do any good. People may not be working the system properly or identifying the right things. Your processes and system may be outdated if you do not stay current with the new fraud trends and types of attacks.
So that’s a critical point if you want to ever have a chance of identifying and mitigating your fraud losses.
This article was originally published by Black Swan and has been reproduced with their permission.