Researchers Merve Sahin of SAP Security Research and Aurélien Francillon of EURECOM have published a new paper which looked for methods to reduce international revenue share fraud (IRSF) by analyzing data relating to 3 million premium rate numbers and the records of 689,000 calls. Their chief conclusions were that proactive monitoring of providers of international premium rate numbers (IPRNs) offered the best initial defense and that combining this intelligence with machine learning resulted in a method that could detect 98% of IRSF calls with a 0.28% false positive error rate.
The authors treat IRSF as a blanket term covering multiple kinds of frauds which criminals have monetized by terminating traffic on a premium rate number. These include wangiri, PBX hacking, roaming fraud, subscription fraud, and the use of mobile malware to make calls without the phone user’s knowledge.
Some of the best work in this paper was based upon the scraping of information for test numbers supplied by IPRN providers. However, the authors’ analysis is less comprehensive than that provided through the PRISM database of Yates Fraud Consulting, whose commercial fraud intelligence service uses essentially the same approach to gathering information. Neither PRISM nor Yates are mentioned in the paper.
The data on the IPRN test numbers was incorporated by the researchers into metrics that assess the likelihood that real-life calls are instances of IRSF fraud. The researchers found that machine learning built upon these foundations generated impressive results when the apparent source of the IRSF calls was a hacked PBX. Results were less effective for an instance where the source of the calls appeared to be a stolen SIM. The researchers’ methods were of no use for identifying wangiri, and they theorized that effecting machine learning techniques for wangiri detection might require more data than an individual telco possesses:
In terms of machine learning approach, additional features can be computed to detect Wangiri fraud such as the number of distinct users contacted by a certain A-Number. However, to compute this feature, the operator would need to access all its call records and maybe multiple operators would need to exchange data.
The authors also made an important but often neglected point about fraudsters not being obliged to stick to the same techniques just to make the life of a fraud manager easier.
Finally, fraudsters might try to avoid detection by changing their call patterns: Instead of generating large volume of calls in a few hours, they can spread out the calls over a longer time period, especially in the case of compromised PBX. This could make our CDR-related features less useful and make the calls more difficult to detect.
Anyone interested in IRSF or the application of machine learning to fraud detection should read through this paper. You will find the full text of “Understanding and Detecting International Revenue Share Fraud” by Merve Sahin and Aurélien Francillon by clicking here.