Report from the CFCA/FIINA Lisbon Meeting

It has been over a week since I flew to Lisbon, Portugal for back-to-back events: a joint meeting of the Communications Fraud Control Association (CFCA) and the Forum for International Irregular Network Access (FIINA), followed by WeDo’s User Group conference. It is a measure of how many contacts I made and the number of ideas and proposals they stimulated that it has taken so long to write up my notes. The problem I now face is this: how can I share those notes with you, whilst keeping them to a manageable length? One solution is to write separate reports for each event; later this week I will share my review of the WeDo User Group & Summit. The other solution is just to give you only the abbreviated highlights, starting with the opening presentation at the CFCA/FIINA meeting. Even so, I fear there will be an awful lot to share… which ultimately shows the event was very stimulating and successful.

Anti-piracy: a welcome addition to the agenda, but we need more substance and fewer platitudes

Portuguese multiplay operator NOS acted as hosts for the CFCA/FIINA event, and their influence was very evident during the opening talk, which was given by Paulo Santos of FEVIP, the Portuguese anti-piracy lobbyists. An increasing share of the revenues generated by operators like NOS comes from the sale of visual and audio content; NOS even owns a chain of cinemas. I agree with NOS that it is absolutely vital for the remit of risk and assurance professionals to be extended to cover anti-piracy, and I have repeatedly argued that Commsrisk readers need to understand copyright and the implications of copyright infringement. Even if we are not protecting the revenues generated from intellectual property now, we probably should be protecting those revenues in future. It is a step forward for CFCA and FIINA to welcome an anti-piracy speaker to their event. However, the step they took was too small, because the information relayed by Mr. Santos was so simplistic that it was useless.

Preferring not to speak in English, Mr. Santos played a video of himself talking in Portuguese about the need to counter piracy. This was subtitled in English, but I was not impressed by the production quality of the subtitles, especially as this video was made by an agency that represents the TV and movie industry. I imagine there is not much demand for this video outside of Portugal, which is why they saw fit to put white-lettered subtitles against a light-colored background, making them very hard to read! However, anyone who failed to read the subtitles was not missing much, because instead of getting practical advice the audience was subjected to a litany of industry propaganda. We were told that copyright is a ‘human right’. That may be so, but whilst people are still locked up for speaking their mind and others go hungry and homeless, it is hard to worry about the ‘human rights’ of the multinational corporations that mostly suffer from piracy. The emotive presentation then talked about ‘defending culture and civilization’. I agree with wanting to defend culture and civilization in general, but not many of us have metrics relating to culture and civilization listed amongst the specific KPIs used to measure our workplace performance.

Finally I was amazed at the cheek of Mr. Santos when he asserted that all telcos have a common interest with rightsholders. This is plainly nonsense. Many rightsholders have viciously lobbied governments to transfer the costs involved in protecting copyright by forcing them upon telcos. Some of these proposals have been downright ridiculous, with the seeming intention being to upset and criminalize telco customers whilst the rightsholders hide behind the telcos and make them do all the dirty work. At times the rightsholders’ end game appeared to be to make telcos unpopular with customers because the telcos ‘deserve’ punishment in exchange for ‘profiting’ from copyright infringement. Whilst a firm like NOS has a foot in both camps, not every telco is a rightsholder too, and so the burdens placed on telcos must be fair. Sadly Mr. Santos wasted his opportunity to talk about what would be a fair way to spread the cost of anti-piracy measures. Nor did he talk about the practical measures that can be used to prevent and discourage piracy. These include appropriate safeguards around security, encryption and validation, and they also involve the adoption of a common sense approach to tariffing which seeks to turn potential pirates into paying customers. So whilst it was good to have an anti-piracy speaker at this event, if we want real change we must stop talking in platitudes and start examining the detail of how telcos can take reasonable and cost-effective measures to counter piracy.

How Vodafone Group monitors fraud through a shared service center

People have been predicting the rise of shared service centers for cross-border fraud management but several groups have been bogged down by the practical and legal obstacles involved. It was hence a pleasure to listen to Andy Mayo explain how Vodafone succeeded in transforming their approach to fraud detection. Andy’s talk was refreshingly honest, and he crucially admitted that Vodafone Group is not a highly centralized group, meaning the strategies for managing fraud cannot be dictated from the head office but must evolve in cooperation with the anti-fraud teams in each opco. As a consequence, each Vodafone opco is currently running a different FMS. However, an increasing number of fraud management activities have been migrated to one of the group’s shared service centers (SSCs) in India or Romania. Andy gave a stimulating view on how groups can drive increased efficiency and effectiveness of anti-fraud activities that actually benefits from the need to make a genuine base case for migration of tasks to an SSC.

Because of the size of Vodafone’s Indian operations they served as the test case for centralization, with many separate regional functions being consolidated into a single national operation. The Indian experience was then extended to other countries: Ireland, UK, Greece, Italy, and progressively all the Vodafone opcos where there was no legal obstacle to moving data across borders. Andy was keen to emphasize that the transformation program had not lead to a reduction of headcount in any opcos, saying they positioned centralization as a means to improve quality, not to reduce costs. In total 140 FTE are now employed to manage fraud in their SSCs. And Andy pointed out that there are good reasons not to poach the best opco fraud staff for an SSC team, as that inevitably leads to resentment in the opco.

Many common fraud types are now detected and prevented by Vodafone’s fraud SSC. These include IRSF and PBX hacking. Vodafone’s SSC also covers related functions like anti-money laundering checks for M-PESA. Other frauds may be detected centrally whilst local teams remain responsible for dealing with them. By centralizing monitoring for more common types of fraud the local teams can spend more time concentrating on complex frauds that may be particular to their market. Another obvious benefit of the centralization is that opcos which struggled to monitor fraud on a 24/7 basis are much more easily covered by an international team.

In a sign of how improved efficiency can be used as a springboard for a more extensive scope of work, the next objective for Vodafone is to broaden the remit of the fraud management teams in the SSCs. For example, they now intend to provide support for remote investigations and travel security. In conclusion, Andy’s talk laid out a viable blueprint for how international groups can streamline anti-fraud work across several countries in order to invest in extending the protection provided.

Helping the police to counter the theft of mobile phones in Barcelona

Barcelona is notorious for pickpockets that steal phones and then rack up huge bills as they pump traffic towards international premium rate numbers, as emphasized by a recent Commsrisk article written by a victim who attended the Mobile World Congress. We can all complain, but who is doing anything about it? Hats off to Enrique Hernandez of the Spanish National Police and Adam Panagia of AT&T, who were the stars of the conference after they talked us through the steps they had taken to send a string of criminals to prison.

I cannot share all the information presented during this riveting case study, but I hope other telcos will follow AT&T’s example and put in the necessary resources to provide the Spanish Police with the data they need to catch the criminals. Inspector Hernandez is a willing ally in the fight against crime, and he told me how he wanted to remove the blight that scars Barcelona’s reputation and causes so much stress and upset for its visitors. Perhaps the best and simplest thing is for telcos to use bodies like the CFCA and FIINA to liaise and agree common protocols for sharing crime data with the police, as it would reduce the burden on the police forces if they could receive all the information they needed from different telcos in a consistent format.

Orange Group: why fraud and security functions also need to defend the telco’s reputation

I was heartened by the presentation given by Mark Broom of Orange Group. His team takes an inclusive view of the impact of fraud, including such diverse issues as:

  • financial misstatement;
  • managing fraud remotely when the ebola virus means staff cannot go to their place of work;
  • missing trader fraud;
  • CEO fraud; and
  • cybersecurity.

One reason to take on such a disparate range of threats is the recognition that the business has only one reputation, and there are many ways it can be undermined. In line with that, Mark also talked through the full range of techniques that must be deployed to protect the business, which range far beyond the analysis of network data. For example, his team finds that some of the best (and cheapest) anti-fraud methods include:

  • educating the board and executives about new and emerging risks;
  • teaching front-line staff so they are aware of the dangers they may face;
  • empowering junior staff to say ‘no’ when they are told to break a process or security constraint by someone posing as a ‘CEO’ or ‘government minister’;
  • executing regular risk assessments;
  • performing due diligence on partners, suppliers etc; and
  • doing research and development on vulnerabilities that might be exploited in future.

Mark’s impressive recipe for success was complemented by lots of common sense. I particularly liked his observation that fraud controls should not be invasive, because if a control impacts efficiency then people will be naturally inclined to bypass the control in order to get their job done.

When I hear other fraud managers talking in a narrow way about the financial impact of losses, or the need to spend more and more effort scrutinizing data, I will take some comfort that leaders like Mark are showing how it is possible to do more to protect their business whilst embracing a wider view of how they can positively influence their business.

Get data, use data, share data

As much as I agreed with Mark Broom’s promotion of a fuller spread of anti-fraud activities, telcos can still do a lot more with data, and that was underlined by the talk given by Taejin Ahn of Korea Telecom. He explained how KT had reduced fraud losses by an astounding 70 percent thanks to deep packet inspection and real-time controls. By looking at packet headers his system could even check IP addresses and block unwelcome network activity before the call was connected. Traditional CDR-based analysis still provided complimentary controls for KT; for example, the approximately 50 rules implemented in the real-time system were derived from the experience KT had gained by inspecting CDRs.

Taejin went on to offer to share valuable data with other telcos, by wanting to start a ‘Hot IP’ list. By adding hot IPs to a detection policy telcos would be able to stop calls originating from those addresses. This is a commendable initiative and I hope other telcos will soon respond to KT’s offer.

Too much to share

I could go on and on. I met a lot of wonderful and knowledgeable people; see above for the group photo. Please forgive that I cannot mention every speaker. There was simply too much good content to refer to it all. I could share what I learned about machine learning from Jaskaran Singh Bawa of Mobileum, and how impressed I was by Sky UK’s plan to voice fingerprint their customers, as explained by Simon Mackenzie-Crooks. However, I must conclude by observing that if you want to learn more, you should probably attend the next event run by CFCA and/or FIINA!

As for the organization of this event, it was excellent on every level. Again there are too many names to list everybody who deserves praise, from the executives to the doers to the supporters in the sponsoring businesses. The agenda was strong, the facilities were top notch and the social events in the evening were superb.

This was the first time I have attended this conference, and I would heartily recommend it to anyone wanting to learn about recent developments in telecoms fraud management from the people who are leading the way. Bravo to the CFCA and FIINA, and I sincerely hope they invite me to attend more of their conferences!

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.