Why IP Networks Will Kill Telecoms Fraud Detectives

Nothing clears up a case so much as stating it to another person.

Arthur Conan Doyle, The Memoirs of Sherlock Holmes

Fiction has given us plenty of great detectives. Each strives to solve the case they are working on, and then moves on to another case. That is why characters like Hercule Poirot and Alex Cross can appear in many sequels that span decades of a writer’s career. The detective’s livelihood depends on the tragic demise of others; if nobody fell victim to crime then the detectives would be unemployed. The paradigm of managing a case is familiar to everybody, and is applied across law enforcement. This includes the detectives who work in the private sector, such as the fraud analysts who work for telcos. But what if there were no cases to solve? It may seem outlandish to speculate about the cessation of the flow of new cases, but it has become a real possibility thanks to better technology in general, and the transition to IP-based networks in particular.

Consider the following case study shared by US vendor Transnexus. A new customer was adopting their SIP-powered ClearIP system when they came under attack. This created an unusual opportunity to compare the performance of SIP-based analytics with the results obtained by reviewing CDRs via a fraud management system (FMS).

CDR-based FMS response

When the CDR-based FMS detected the fraud attack, it alerted the NOC. The NOC shut down the fraud attack after 228 fraudulent calls had completed over 56 minutes. The CDR-based FMS allowed fraud losses of $2,133.58.

ClearIP response

ClearIP detected the fraud attack on the fifth call, 1 minute and 15 seconds into the attack. Unfortunately, it was still in report-only mode. Had blocking been enabled, fraud losses would have been only $2.03, or 0.1% of the actual losses. Relying on the CDR-based FMS cost the provider $2,131.55.
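The gap in the case study comes from when each system first sees a call. As an added illustration (not Transnexus's detection logic, and not code from the article), the sketch below runs one velocity rule twice: once on SIP INVITEs as they arrive, and once on CDRs that only exist after the call ends and a batch load has run. The traffic, thresholds, 15-minute batch interval, placeholder prefix and all names are constructed assumptions.

```python
import math
from collections import deque

def make_attack(n_calls=228, gap_s=15, duration_s=120):
    """Constructed traffic: one compromised source dialing one costly prefix."""
    return [{"src": "pbx-1", "prefix": "+000", "start": i * gap_s,
             "end": i * gap_s + duration_s} for i in range(n_calls)]

def seen_at_invite(call):
    """SIP analytics see the call when the INVITE arrives (call setup)."""
    return call["start"]

def seen_in_cdr(call, batch_s=900):
    """A CDR is written when the call ends, then waits for the next batch load."""
    return math.ceil(call["end"] / batch_s) * batch_s

def first_alert(calls, seen_at, threshold=5, window_s=120):
    """Time the rule fires: `threshold` calls from one (src, prefix) whose
    start times span at most window_s. Returns None if it never fires."""
    recent = {}
    # Stable sort keeps start order inside one CDR batch (durations are equal).
    for call in sorted(calls, key=seen_at):
        starts = recent.setdefault((call["src"], call["prefix"]), deque())
        starts.append(call["start"])
        while starts[-1] - starts[0] > window_s:
            starts.popleft()
        if len(starts) >= threshold:
            return seen_at(call)
    return None

def calls_set_up_by(calls, t):
    """Attack calls already placed when the alert fires (exposure)."""
    return sum(1 for c in calls if c["start"] <= t)

def compare(calls):
    """Return {view: (alert_time_s, calls_set_up_by_then)} for both views."""
    result = {}
    for name, seen_at in (("sip", seen_at_invite), ("cdr", seen_in_cdr)):
        alert = first_alert(calls, seen_at)
        exposed = len(calls) if alert is None else calls_set_up_by(calls, alert)
        result[name] = (alert, exposed)
    return result

if __name__ == "__main__":
    for name, (alert_s, exposed) in compare(make_attack()).items():
        print(f"{name}: alert at {alert_s}s, {exposed} calls set up by then")
```

The rule is identical in both runs; only the time at which evidence becomes visible differs, and that alone determines how many calls are placed before anyone can act.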

Transnexus is not the only business expecting that the transition to all-IP networks will lead to a tectonic shift in the mitigation of fraud. German firm Oculeus recently won the ‘Most Innovative Telecoms Fraud Protection’ category at the Infosec Awards of Cyber Defense Magazine, because of the way their Oculeus-Protect service uses SIP-enabled analytics to rapidly identify and stop PBX hacking.

Both the ClearIP and Oculeus Protect services are strikingly accessible when contrasted to the effort involved in implementing a traditional fraud management system. Both companies provide services that are based in the cloud. A business with 10 employees can get Oculeus to protect them from PBX hacking for just USD5 per month. Meanwhile, Transnexus are so keen to get operators to use their STIR/SHAKEN caller ID authentication service that they offered a free trial for the first million calls.

When firms like Transnexus associate the prevention of fraud with the prevention of nuisance calls they are also highlighting a realignment of the parameters for criminal behavior, as well as a fundamental shift in telecoms technology. When a member of the public reads about ‘telephone frauds’ the story will typically be about scammers pretending to be officials, calling people with the intention of swindling their money. These frauds are becoming more widespread because IP networks are making calls cheaper, and their impact is becoming so great that countries like China have resorted to harsh penalties and a systematic program of extraditing fraudsters based overseas to maintain the confidence of the public.

The diminishing cost of voice calls is also behind the global rise in wangiri, caller ID spoofing, and all forms of robocalling. The average telecoms fraud manager may feel these frauds are not his responsibility; we do not hold telcos liable for the misrepresentations that people make when speaking over the phone. However, telcos cannot afford to be idle whilst their customers suffer a huge rise in fraudulent phone calls and an even larger rise in nuisance calls. If customers stop answering calls because they are being bombarded by scammers and marketeers then this will further accelerate the decline in voice revenues. So even if telcos previously had little interest in combating wangiri and caller ID spoofing, they now have to implement methods to prevent them.

We can learn a lesson about the importance of prevention, and the obstacles that might get in our way, from what has happened in the realm of email. As the cost of voice calls trends towards zero, patterns of use will become increasingly similar to those found with email, where bad actors are motivated to pump out spam in the hopes of reaching a few suckers alongside the millions they annoy. Academic research has shown why initiatives designed to improve the security of email have made limited progress. Put simply, it is not possible to get the various businesses involved to submit to a common authority, so there will always be phishing emails from criminals pretending to be someone else. The world of email has best responded through the widespread use of junk filters – the email is still delivered to your email server, which may block it, or the email is delivered to your junk folder, where you never read it. A similar approach can be used to mitigate voice spam, but only up to a point. Junk filters are imperfect, and nobody wants you to miss important calls from your dearest relative because of overly aggressive filtering.

What voice providers can do differently is to submit to a common approach for digital signatures that will validate the identity of every caller, as exemplified by the US Federal Communications Commission (FCC) making STIR/SHAKEN mandatory for American telcos. These signatures have been made viable by the transition to IP networks, completing the circle that explains why firms like Transnexus offer SIP-enabled fraud prevention alongside the authentication of caller IDs.

Troublemakers and fraudsters both benefit by being able to hide or disguise their identity, so end-to-end authentication of every caller also has enormous implications for the telecoms ecosystem. It may take a while for authentication programs like that adopted in the USA to gain international traction. Nevertheless, governments will be motivated to cooperate because systems of authentication can only be a partial success if overseas callers are exempt. We should keep in mind the efforts being made by the Chinese police to tackle scammers based in other countries. Although China and the USA currently have many reasons to oppose each other, this is an area where both could benefit by working together. Meanwhile, countries like Canada have strong motives to align themselves to an authentication scheme that is common to their neighbors.

Though the primary motive of such cross-border authentication programs would be the reduction of nuisance calls, there will inevitably be a knock-on impact on many kinds of fraud. Knowing the real source of a call would quickly lead to the elimination of some kinds of fraud by making it easy to punish the telcos that allowed them to happen. All of these factors point towards a significant change in emphasis, from the detection of frauds that have already occurred to the prevention of crimes before they are committed. This is not just desirable but necessary, because a large rise in network usage, driven by increased capacity, falling prices, and the internet of things, would make it prohibitively expensive to keep recruiting more fraud analysts to retrospectively identify abuse.

Machine intelligence will also displace human analysts. Better artificial intelligence means telcos can be more confident about implementing systems that will open and close fraud ‘cases’ within seconds. SIP-based intelligence will feed into algorithms that can be used to stop fraudsters almost as soon as they venture onto the network. For those cases that do persist long enough to need proper retrospective management, Robotic Process Automation (RPA) will carry more of the load. Work that was done by a human analyst will increasingly be performed by bots. The job of telecoms anti-fraud professionals will then be to oversee the technology that prevents and detects fraud, rather than supervising specific cases.

Those working in fraud management may believe their jobs are indispensable because they will be needed to detect other kinds of criminal activity that cannot be prevented or handled using a combination of IP networks, artificial intelligence and robots. For example, people will still walk into shops with fake identities, trying to buy handsets in somebody else’s name. Whilst these frauds will persist, limiting the scope of a telco’s fraud department to crimes like these will raise a question about the training and recruitment of anti-fraud staff. Telco fraud teams have always contained a relatively specialist element because of the nature of network technology; nobody ever stole from a bank using a whistle they found in a cereal box, but infamous phone ‘phreaks’ graduated from exploiting the weaknesses of in-band signaling to other methods when SS7 was adopted. However, the adoption of sophisticated technology used in concert with IP networks may have the paradoxical result of reducing the training required for staff working in anti-fraud teams by narrowing their remit and limiting the job requirements to skills which can be more easily acquired on the job market.

Fraudsters have steadily become more educated about the operation of telco networks, and the education of anti-fraud managers has needed to improve in response, though often it has lagged behind. The result is that fraud analysts have needed more CDR data and better tools to help them understand what is happening on the network. If this is no longer a significant aspect of their work, because the fraudster’s phone calls are being proactively barred, then their remaining duties will have more in common with those of anti-fraud professionals working in other industries.

In telecoms risk management we have often concentrated on the technical niches that are unique to the industry. For example, revenue assurance departments usually focus more on errors in the billing system and hiccups with the flow of CDRs than on the chasing of payment from customers who are a bad credit risk. This is because the collection of payment is a function that is common to many industries. Telcos can recruit staff versed in credit risk from sectors that sell totally different services and products, and a collection agent need not have any idea how the telco’s core systems work. Some frauds may not be affected by the transition to IP networks, but they are likely to be more generic in nature, making the role of the telco’s fraud management department less specialized to the industry in which it operates.

It is not clear to me if any established telecoms anti-fraud association has accepted the need for a top-to-bottom review of its educational syllabus to ensure it remains relevant in an all-IP world. The educational changes may involve preparing staff to manage robots, or guiding telcos on how to purchase the right cloud-based service for them, or simply refocusing efforts on older frauds which may grow in popularity, such as the alarming rise in handset fraud at US telco Verizon. The absence of evidence is not evidence of an absence, but nobody is loudly arguing for a major change of emphasis. This may prove a mistake, as widespread data indicates the industry is undergoing a rapid change in the profile of fraudulent and nuisance calls.

This is my case for the greatly accelerated revision of fraud training, and I have stated it as plainly as I can. Without a change in education, some fraud detectives will find themselves surplus to the requirements of their telcos. The clues to this mystery have been scattered liberally around the world, and they include: regulators issuing warnings about wangiri; the extradition of fraudsters to China; the US regulator demanding action on spoofing; agile businesses offering cheap services to stop PBX hacking; and even the declining value of historically significant frauds like IRSF.

I believe this all spells the death or reinvention of fraud analysts who manage cases based on CDR data. A lot of anti-fraud work will become synonymous with security. Some anti-fraud efforts will more closely align to nuisance prevention. Other fraud-related work will become separated from the analysis of activity on the network. The switch to all-IP networks should be blamed for all this upheaval, but new technology also means we will have new tools to fight crime.

The unsolved part of our mystery is the rate of transformation. Do others believe change will be gradual, allowing fraud managers and analysts to learn whilst on the job? Perhaps they will be proven right, but fundamental transformation stalks the entire telecoms industry, and responding too slowly could be the biggest risk of all.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.