Network Fraud - Bypass-Premium Rate Number - IRS

Page 1

TERALIGHT

NETWORK FRAUD – BYPASS/PREMIUM RATE NUMBER – IRS

Author: Tom Wilson

Contents Executive Summary .............................................................................................................................................................................. Introduction ....................................................................................................................................................................................... 2 Bypass ........................................................................................................................................................................................... 2 IRSF ............................................................................................................................................................................................... 2 Who is affected? ................................................................................................................................................................................ 5 How bypass fraud works? .................................................................................................................................................................. 5 Legal Call Termination ................................................................................................................................................................... 5 Illegal Call Termination ................................................................................................................................................................. 5 On-­‐Net Fraud ........................................................................................................................................................................... 6 Off-­‐Net Fraud ........................................................................................................................................................................... 6 IRSF -­‐ Premium Number Fraud ................................................................................................................................................. 6 Fraud Prevention ............................................................................................................................................................................... 7 Bypass Route Detection ................................................................................................................................................................ 7 SIM Box Detection using Fraud Management Systems ................................................................................................................ 7 IRSF -­‐ Premium Number Fraud Prevention ................................................................................................................................... 9 Conclusion .......................................................................................................................................................................................... 9

Executive Summary Bypass fraud along with IRSF has proven they are highly costly types of network fraud in the modern telecommunications environment. The menace of telecom fraud has made the telecom operators and the regulators face staggering annual revenues losses numbering in the multiple billions in US Dollars. Bypass fraud is more predominant in countries where the cost of terminating international call is much higher than the cost of a national call by a substantial margin or the countries where government carriers monopolize international gateways. These fraud committers (fraudsters), who can be both individuals and organizations, through the use of various bypass contrivances, sell capacity to terminate calls cheaply in these countries, either on the open market or via direct connections with interconnect operators. Operators sending outbound international traffic are then attracted by these interconnect operators with lower interconnect rates, usually with lower quality and no delivery of CLI. This leads to loss of revenue for terminating network operators as well as causing potential social harm to society. Premium rate services have been hit with IRSF (international Revenue Share Fraud) that exploits the interconnection of premium rate services. The major way to commit IRSF is by significantly increasing the number of calls to a premium number in a variety of ways to increase the revenue. These are two types of international fraud which account for a major portion of operator’s network fraud losses. The purpose of this paper is to discuss comprehensive and best in class solutions to combat bypass fraud and premium number hijacking.

1 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

Introduction This paper discusses two distinctly different types of telecom network fraud. One is commonly called international network bypass fraud (bypass) and the other is called international revenue sharing fraud (IRSF). Both are considered to be costing operators and governments billions USD in losses.

Bypass Bypass fraud is also known as “Grey routing”, ‘SIM Boxing’ and ‘Leaky PABX’, is a widespread and problematic telecom risk. Bypass Fraud is prevalent in countries where there is a big difference between the national retail calling rates/national interconnect rates and international terminating rates. This is set either by the regulator in the country or by individual (or group of) operators (unregulated). It is also popular in countries where government operators monopolize international gateways. The difference in rates ensures there are enough profit margins for bypass service providers to construct their networks and even handle certain amounts of losses due to discovery of their routes and business practices to elude detection. Countries where the international to national terminating charge margins are low, nil or negative, the Bypass fraud either doesn’t exist or is conducted on a low scale, or is considered insider billing fraud. According to surveys of CFCA, ACFE and ETNO the potential commercial loss due to fraud in telecommunication networks equates to 0.5% to 5% of operator’s revenue. Additionally, bypass fraud consumes a substantial amount of signaling and voice bandwidth as well as the resources of individual network elements (i.e. STPs, switches, databases). In order to properly identify By-­‐Pass Fraud one needs to understand the issues around this fraud.

IRSF Premium-­‐rate numbers provide certain services for prices higher than normal calls. Unlike a normal call, a part of the call charge is paid to the service provider, enabling businesses to be funded via them. While the billing is different, calls are usually routed the same way they are for a toll-­‐free telephone number. These telephone numbers are usually allocated from a national telephone numbering plan in a way that they are distinguishable from other numbers. In many cases of premium rate calls, the transmission of the call goes through multiple operator networks. Most involve the use of GSM SIM cards, being taken across international borders to originate calls on effected originator networks, utilizing the roaming capability of the SIM cards. IRSF fraud is very difficult to nail down, given the multiple operators involved, the complexity of networks and BSS systems involved and the lack of total end-­‐to-­‐end cooperation of all stakeholders to assist in elimination of these types of fraud. Origination operator networks are left hanging with the invoice for these high cost calls, either on a premium-­‐rate number call or on a call to a high cost per minute destination country.

2 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

IRSF has many different types of perpetrators. Normal callers can also become unwitting contributors to IRSF, where they want specific content that is derived from premium rate number content providers. However in some cases, the content provider is the same party (individual or group of individuals or company in some cases) as the fraudsters forcing high volumes of calls to those illicit content premium number services. Premium-­‐rate numbers have also been used to defraud unsuspecting users. One scheme involves inducing users to download a program known as a dialer. This surreptitiously dials a premium-­‐rate number, accumulating charges on the user's phone bill without their knowledge. Another premium-­‐rate scam involves television programming. This induces young children to dial the number, banking on the notion that they will be unaware of the incurred charges. In other cases, newer version of smart phones have the capacity to make six calls to each conference call they make and thus six calls at a time increasing call volumes quickly. This is done to elude blockage induced by some of the telecoms software fraud detection systems, which can detect high volume suspicious call traffic patterns to premium rate numbers and or long call duration (usually up to 59.9 minutes) to the same type of numbers. Briefly summarizing IRSF -­‐ Premium Rate Service fraud; this type of fraud occurs when a person, group of persons, or a company or group of companies scheme with either the content provider or the international network providing the content to find different measures to falsely increase the total number of calls significantly and or enacting methods to increase falsely generate longer call/billing time to increase the revenue generated by the use of the premium rate number. The various parties to the call share this revenue; if a part of IRSF, some of the parties are traditional network operators transmitting the calls and some parties who are a part of the fraud itself. The premium rate numbers are easy to obtain, and very blatantly, these companies and the content generators advertise publicly for persons to find ways to earn money by generation of call traffic to these premium rate numbers. Again, IRSF can be either via the use of Premium Rate Numbers or simply high rate termination country termination numbers.

3 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

Pirated Mobile GSM SIM chips in a Roaming Scenario generating IRSF “Fraud” Illegal fraud generated usually by generalon of high volume of calls to a Premium Rate Number vis a vis pirated GSM SIM chips taken to another country to roam call traffic Home market for SIM chip

SIM chip(s) taken to another country to roam originalon of call from. The SIM home country operator is not PAID for cost of Premium Rate Number Call. Example $2.50.

Call is generated in this visled country, where the home of the SIM chip operator wil pay $2.50 The network where the call is made, gets to retain $.34.

This operator, where the call is actually made, pays $2.16 to the carrier next in line to handle the call.

Operator A transits the call. Receives the call from network where call originates from. Operator A collects from originalng network operators $2.16, and will keep $.25.

Operator A sends the call to Operator B and pays the receiving operator $1.91.

Operator B transits the call. Receives the call from Operator A Operator B collects $1.91 from Operator A and will keep $.20.

Operator B sends the call to Operator C and pays Operator C $1.71.

Operator C tansits the call. Receives the call from Operator B Operator C collects $1.71 from Operator B and will keep $.25.

Operator C sends the call to an enlty "owning the Premium Number Range". Operator C pays the PNRO pass thorugh $1.46.

The Premium Number owner passes through the revenue to the Internalonal Revenue Share Number provider which is usually (not always) the same enlty as the content porovider. The revenue of $1.46 being passed through to the IRSN If the final network which owns or leases the Premium number from an Number range owner, does not own the content, they will keep example of $1.00 and pay to content holder $.46.

The Internalonal Revenue Share Number Network will terminate the call to the premium number called.

The content provider or the final network providing the internalonal premium number service may be in cahoots with the fraudsters to generate higher volumes of calls to the premium number or make amempts to lengthen calls to generate higher call revenues. * the call costs and rates are merely examples for purpose of this illustralon

4 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

Who is affected? Bypass fraud or grey telephony is a serious issue for: Telecom Operators -­‐ Telecom Regulators – Subscribers Bypass fraud can have the following adverse effects: * Revenue loss to government treasuries. Especially in emerging markets, where the state entity has equity in the operators. Regulators, both national and regional such as Berec, PTA, STRA, JTRC and others have taken a real serious look at these types of network fraud. * Bypass fraud disturbs planned and predicted revenue streams of telecom operators who have invested millions of dollars. The investment may be in form of license fees, deployment of infrastructure and other government charges. * Foreign investment in telecom sector is reduced as a result of lack of investor confidence in the market, especially in developing countries where a large portion of the national GDP is from telecoms. * Social anxiety where people do not wish to answer non CLI (generally indicative of a grey route being used to terminate the call) low quality network calls, due to passage over very low quality, highly compressed and congested IP routes with no network management whatsoever. * Social safety where people may only answer those calls where the called party receives CLI and is able to identify the calling party. It has happened, where a non CLI call is ignored, due to general knowledge of low quality calls and the called party is unsuspecting of the nature of the call, where it may be a family emergency but they don’t know it, for the CLI is not passed on most bypass routes.

How bypass fraud works? Bypass fraud has different forms – international vs. national, incoming vs. outgoing, border bypass etc. – but the idea is simple: bypassing interconnect points via cheaper routes such as the Internet.

Legal Call Termination Call termination, also known as voice termination, refers to the routing of telephone calls from one Telephone Company to another. The terminating point is the called party or end point. The originating point is the calling party who initiates the call. This term often applies to calls while using voice over Internet protocol (VoIP): a call initiated as a VoIP call is terminated using the public switched telephone network (PSTN). In such cases, termination services may be sold as a separate commodity. The opposite of call termination is call origination, in which a call initiated from the PSTN is terminated using VoIP. Thus, in "origination" a call originates from PSTN and goes to VoIP, while in "termination" a call originates in VoIP and terminates to the PSTN.

Illegal Call Termination Illegal call termination utilizes least cost call termination techniques such as GSM Gateway SIM Boxes to bypass the legal call interconnection. This diverts international incoming calls to either on-­‐network or off-­‐network GSM/CDMA/Fixed calls through the use of VoIP or Satellite gateway. Doing this evades revenue for international call termination which operators and government regulators are entitled to. 5 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

On-­‐Net Fraud For an operator, if the person committing fraud uses their own network’s connections to terminate the bypassed calls, it is identified as On-­‐Net Bypass Fraud. On-­‐net calls are expected to provide the least national calling rates. Lot of modern Bypass equipment (GSM Gateway SIM Boxes, computer programs etc.) scan the terminating party numbers and re-­‐originate calls only from those connections which belong to the same operator’s network as the terminating party. For On-­‐Network terminating calls (connections used for Bypass Fraud belong to the home operator), the revenue loss per call is directly related to the difference between the international interconnect termination price and the retail price of on-­‐network call. Off-­‐Net Fraud If the fraud committer uses competitor’s connections or any other means for termination, it is identified as Off-­‐Net Bypass Fraud. In regions, where the off-­‐network call rates are equal to the on-­‐network calls, national calls may be originated from off-­‐network number to conduct the Bypass fraud which means that numbers can be from other networks as well. For Off-­‐Network terminating calls (connections used for Bypass Fraud belong to competitor), the revenue loss per call is directly related to the difference between the international interconnect termination price and the local interconnect termination price of off-­‐network calls. IRSF -­‐ Premium Num ber Fraud Premium rate services have attracted multiple types of fraud that exploit the interconnection of premium rate services. The basic scheme is that the fraud committer contracts with a terminating operator to provide a premium rate service and then separately subscribes for several lines with an originating operator, normally not the same operator as the terminating operator. 6 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

The fraud committer then runs auto dialers on the subscriber lines and calls the premium rate numbers continually running up very large invoices, where the fraudster is usually able to share a part of this fraudulent revenue. This is just one example of how the fraud is generated. There are many ways to falsely generate high volumes of calls from one country to another to the Premium Rate Numbers, which are commonly; magnets for this type of fraud. Fraudsters generate calls by new technology, by paying people to make calls upon calls to these termination numbers, which sometimes simply go to an answering machine, or a constantly cycled message recorder. The fraudsters attempt anyway to generate the highest number of calls and longest calls possible to create as high of a billing charge to the originating operator network the calls first arrive on. Another variant uses the computers of existing subscribers as the callers. The fraud committer contracts for a premium rate service and then distributes viruses or other types of programs through email or web sites that become resident in the computers of legitimate subscribers. If the subscribers have a modem connected to their computer for Internet access, the programs control the modem to dial the premium rate numbers. Some programs work during or immediately after an Internet dial-­‐up access session.

Fraud Prevention Bypass Route Detection Bypass route detection can be performed via multiple methods. One measure that is definitive in nature providing real evidence with regard to Bypass Fraud is the use of non-­‐passive forced network call generation. In this method third party service providers generate traffic to operator networks from remote points and then analyze the traffic actually received (non published non active call to numbers, mobile or fixed) to identify instances where what should be showing as inbound international traffic as actually showing as on-­‐net traffic or traffic from another local network. These systems can be very different vendor by vendor. The software developed to operate these systems needs to be flexible, user definable and automated with regard to “detecting” where bypass fraud may be most relevant via origination market. This in itself, creates the ability to self manage call origination, which provides the quickest route to bypass number detection. In many cases, operators can create an environment that integrates such systems together, via API software instruction sets which automatically or via a manual selected method, validates the numbers detected and then “shuts down” or suspends detected numbers. Reporting is very important to operators; where they are looking to reduce international revenue losses by the minute with near real time notification systems and other very progressive call management and monitoring capabilities.

SIM Box Detection using Fraud Management Systems Another method to detect harmful inbound international bypass traffic to revenues is through passive software trending and analysis systems, generally referred to as fraud management systems (FMS). These systems work by collecting the total CDR activity of the operator and applying analytics against the CDR data (generally collected via a middle ware software feature) that produce unwarranted call traffic patterns of multiple types. 7 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

Operators make use of their fraud management systems (‘FMS’) to identify suspect devices on the network. Examples of some of the markers monitored include: ! ! ! ! ! ! !

Unusual traffic flows and volumes Mobile Origination to Mobile Termination ratio Unusual called number spreads A-­‐typical traffic peaks for on-­‐net traffic Many SIM card identities (IMSIs) to a single equipment identity (IMEI) Use of only one cell site An absence of SMS, data or roaming service use

Non-­‐passive systems are intelligent and become more effective over time, for trends are detected and all stakeholders involved in the detection process gain better understanding of where call traffic originates and terminates that has a higher probability of bypass routes being used. In addition, other types of fraud can be detected, such as false answer supervision; where billing mechanisms are used to alter answer supervision traits of calls, such as true call origination times versus billing start times, as well as the true call termination times versus call cutoff/termination times. Hybrid analysis is effective, where both passive, non-­‐passive (active) and other fraud management systems collaborate to merge their alerts in order to more efficiently detect instances of bypass fraud.

8 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

IRSF -­‐ Premium Number Fraud Prevention The following steps can be taken to prevent premium number fraud. • •

• • •

Monitor calls going to suspicious number ranges or premium numbers prefixes or high termination cost destinations Enlisting the services of black listed number databases, which operators can use to help monitor network termination usage and help block calls to suspicious number ranges or premium number ranges Call trending software management systems which can track calls and monitor the types of numbers they connect to, limiting length of calls and also velocity of calls to specific numbers designated by the user defined systems Education support to clients, customers and operators on various security procedures related to these types of fraud and collectively working together operator to operator to help reduce the money in the system. If the money is removed, the fraud will disappear. Reform Policy and Regulation to assist in setting progressive rules helping to create an environment in which fosters more secure network usage. Develop systems that share “billing data” as close to real time as possible in an inter-­‐operator ecosystem, thus helping reduce risk. Monitor calls to hot number lists like o GSMA Hot B Number list o CFCA Hot B Number list o Commercial Suppliers in this space also have blacklist databases

Conclusion There are multiple dimensions and types of telecoms fraud. In this effort, two of these, being IRSF and Bypass fraud are addressed, due to the propensity for very high losses to revenue of the operators. The operators are annually investing in infrastructure technology, such as LTE, FTTX and other high speed broadband enablers and the loss in above the line revenues and profits effect investment capability. Bypass fraud is an international, multi-­‐billion dollar criminal environment and a major threat to enterprises, as it can inflict monetary damages of hundreds of thousands of dollars almost overnight. These frauds are among the top 5 emerging threats to CSPs worldwide, and cost the industry over USD 3 billion per year according to the Communications Fraud Control Association (CFCA report 2011). On-­‐Net, Off-­‐Net and IRSF -­‐ Premium hijacking fraud are causing severe losses to telecommunication network operators worldwide. Advanced well thought out solutions need to be implemented depending upon requirements of the network and the type of fraud taking place. This paper has discussed the repercussions of telecom fraud as well as several potential measures that can be taken to reduce the risk of revenue losses. Most undoubtedly, the best way to truly attack this disease of revenue shifting, is for the network operators to find the means to momentarily put aside their kindred competitive spirit and work collectively together sharing data and information, along with contributing to international databases (as near real time basis as possible) jointly. 9 | P a g e

w w w . t e r a l i g h t . c o m -­‐ T L T + 9 7 1 . 5 0 . 4 5 9 . 7 2 1 7

Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.