The use of fake addresses is also on the way up. Studies show that more fraud is being set up on legitimate accounts with good credit, indicating that outsiders are stealing ID information from good customers and opening fraudulent accounts they subsequently abuse and abandon. A bad address is the key indicator in 90 percent of fraud cases.
According to telecom security firms, no sector of the industry is immune. Perpetrators, through fraudulent access to networks, can avoid paying for wireless service, steal and resell long-distance minutes to friends and strangers, or hijack a network device to send unsolicited commercial email or pornographic spam to unsuspecting end users.
Databases Weak on Security
When one understands that every telecom service ever invented is subject to attacks from fraudulent users, it’s easy to see why subscription fraud leads the list. Each kind of telecom offering, from voice to wireless data, is supported by a customer database that contains billing name and address information and a product catalog that matches the customer’s account number to the service ordered.
These disparate databases, if not managed or protected properly, are easy targets. Because databases aren’t uniform in their use of fields, the same customer’s name may be spelled differently in each database, making for confusion in billing and customer care. Once fraudsters get past a weak or non-existent firewall, these perpetrators know how to manipulate a database and to exploit its weaknesses, says Bob Bender, senior industry consultant with Teradata’s Communications Solutions Group. “Some telcos manage their databases tightly, others have average processes around those databases,” he says. “If the database is managed loosely, the hacker tries to work the system, tries a different spelling of the name, an address change, etc. He need only come up with a combination of different pieces of data, including ZIP Code and telephone number if possible.”
Teradata, for example, creates a single database for all the separate services. “It’s a massively parallel process, and “the tighter the data, the cleaner the process; the tighter the process, the easier you’ll find your fraudster,” Bender says.
Carriers and operators are sensitive to the idea of exposing customer information. To expose customers in such a way is a public relations disaster.
Cingular: Halting Potential Problems
Cingular Wireless in June halted its trial of an online customer account system that let users access their account balance and remaining minutes through a combination of phone number and ZIP Code. Cingular shut down the system after customers called to complain that they didn’t want that information so easily available to hackers, says Cingular spokesperson Patrick Foarde. He says no information was ever exposed to unauthorized users.
The company immediately disengaged sensitive portions of the platform, including an IVR system that let customers pay using a method they’d already used, such as a credit card. “What we’ve disabled on the phone system is the feature that lets customers use a prior payment method to pay their bills,” Foarde says. Cingular wanted to stop the possibility of that happening, though an unauthorized user would have only been able to pay someone else’s bill without the real subscriber’s knowledge.
Though industry press reported that Cingular’s system had inadvertently exposed customer credit card and Social Security numbers, the only information any hacker would have seen were the balance a customer owed and the minutes remaining, Foarde says.
As with traditional revenue-assurance efforts, the carriers with the most closely managed databases are the safest, says David West, executive vice president of Equinox Information Systems. And this is no mere cliché. The truth is that most carriers have sloppy customer data, Bender says. Most CSRs have to manage multiple front ends and computer screens, turning their chairs to click on a mouse that corresponds with its wireless billing system, then turn again to access the ISP division’s customer database. Known as “swivel chair management,” it’s still a reality in the industry.
Some 70 percent of telecom fraud occurs in and around weaknesses in a carrier’s subscription processes. An overwhelmingly typical fraud scheme begins when someone gets hold of a customer’s good name and uses it to sign up for service. Add to that, traditional shoulder-surfing, and it’s easy to see how subscribers lose control of their PINs and other dialing information.
Once the perpetrator has a customer’s information, he calls the phone company, impersonating a potential subscriber then tells the CSR over the phone that he’s moved to a new address (within the original carrier’s calling area, of course). The carrier takes down the new address and the database contains a new fraudulent address matched with the real customer’s credit, employment, billing and payment history.
Another place to get customer information is from promotions and other material the carrier mails to customers. Bulk mailing presents a satisfying and easy-to-mine pool of personal identifying information.
Marketing material urging existing subscribers to buy new calling plans or larger buckets of minutes is inserted into monthly phone bills and mailed to a subscriber’s home. Included in that information is billing name and address, the customer’s account number and a list of itemized calls made that month. Sometimes thieves take phone bills with valuable personal information on them straight from the mailbox, but more likely they come across them in dumpsters or other places. For some tips on what carriers can do to protect themselves, see “Tracking the Fraudsters”.
Automated Alerts Catch Perpetrators
So, what’s left to do? Automated alerts are a great way to catch uncharacteristic behavior on a network, which can indicate fraud. Mediation systems can be given rules to react, for instance, when a customer who never calls outside his state suddenly is registering dozens of calls a day to Egypt. Mediation systems can be adjusted to alert network managers based on any number of parameters. Equinox, Teradata and BellSouth’s fraud experts say that such automated alert systems are the most effective way to keep an eye on the network. The network engineer on call can go to dinner knowing that the network will automatically send him a text message if something goes wrong. Or he can preset a series of reports to be created and printed out for his inspection in the morning. Such reports can also be generated by the network switches or mediation system and emailed to him before he gets to his desk in the morning.
One of the swiftest tasks automated fraud systems can perform is to trigger an alarm when traffic patterns emerge that match the modus operandi of a carrier’s more infamous professional fraud perpetrators.
VoIP and Fraud
Now that technical issues that once blocked VoIP network expansion are getting worked out, cable and DSL providers are turning their attention to building anti-fraud tools for VoIP networks.
Cable providers have so far avoided the widespread fraud their PSTN counterparts have had to deal with. But they’ll soon have to come up with some automated, anti-fraud measures because they’re poised to go into VoIP in a big way. Comcast, for example, announced in late May that it will offer Internet telephony to more than 40 million households by 2006.
The very architecture of VoIP networks creates an openness that has to be plugged, says Stephen Waldis, CEO of Synchronoss. “Openness and unauthorized use of the networks are a continuing issue,” he says. “Enterprises are seeing [VoIP] quality improve now that it’s getting more mature. The fact that it’s open makes it more complex to battle fraud,” he says.
As VoIP becomes more commonplace, networks will see more people using false identification to open accounts, or share or steal access codes so they can rob services from another user’s VoIP account.
Waldis and others at Synchronoss say that AT&T and Verizon are taking precautions by building dedicated VoIP networks. Dedicated networks are a bit harder for unauthorized users to leap onto—the fewer the handoffs between VoIP and public networks, the fewer the opportunities to break into the network. But to break down PSTN traffic into packets and reassemble them at the other end (which is what VoIP does) means that originating and terminating phone numbers will be mapped to a local IP address. So users, when keying in a traditional NPA-NXX configuration, don’t see the IP addresses behind their phone number or those of the person one is calling. If hackers can get to the network at the point of mapping and number conversion, they may be able to perform the function themselves, thus finding a way to get online with their calls.
“Access to IP networks is largely unrestricted, and IP fraud may be performed from multiple points on the network,” says Rakesh Shukla, business manager for mediation at Hughes Software Systems. “Fraud can be committed using a borrowed, legitimate IP address.” Or it could be a stolen, legitimate IP address.
Owners of IP networks can detect fraud attempts at various points on the network by observing service usage metrics. IP fraud management systems should be equipped with a way to collect service usage data as well as real-time data collection.
“Usage data collection is crucial to detecting fraud,” Shukla says.
Usage data can be pulled off several sources on the IP network, including the VoIP gatekeeper, the media gateway controller, broadcast servers and email and Web servers, Shukla says.
“They can also find usage data at the login and authentication levels, on the RADIUS, LDAP, RAS, DHCP servers, firewalls and the VPN gateway,” he says, and usage data can also be pulled off switches and routers on the network level.
The fraud system should also be able to assimilate fraud patterns, create online presentation of patterns and enable some kind of counteraction.
In the wireless data world, for instance, if a fraudulent user has access to a wireless router he can find all the unique IP addresses of any device the VoIP network manages. He or she can then sell those numbers. Might the same be true of VoIP networks? Take DHCP servers, for instance, where the IP address may be assigned to a static phone number for a single session. When that call ends, the VoIP session for that call ends, too, forever breaking the numeric string between the two.
But until VoIP really takes off, there’s not enough to whet the appetites of but a few IP pirates who know how to set up VoIP to get free calling for themselves through their PCs at home, for instance.
VoIP network managers can set parameters on customer accounts when their calling patterns change drastically. Network managers can tell the mediation system to notify the fraud management system of any non-U.S. long distance calls. If a bucket of non-U.S. calls shows up, someone else may be using the number.
Equinox, using its Protector 10 product, helps networks monitor network traffic in real time and interrogates each CDR to identify potential fraud.
Some of the activity the software looks for includes traffic by billing entity and customer to identify suspicious network behavior. It also uses dynamic profiles to distinguish fraud from honest customer usage; it can compare current usage to expected usage, based on detailed regions and the time of day. The software also monitors the duration of each call, as well as the total number of calls made during a certain time window, and it tracks sudden spurts of credit usage.
Network Monitoring Grows More Sophisticated
Improvements in recent years have come to the discipline of network and transaction monitoring. Peder Jungck, founder and chief technology officer of CloudShield, talks about new techniques in fraud control. The Sunnyvale, Calif., company develops content control platforms its customers use for developing new applications and functions on packet networks. One of those functions—the ability to interrupt sessions and insert information—has fraud applications. “There are a lot of new techniques in fraud control out there,” Jungck says. “It’s not just taking networks down as soon as you know something’s being done illegally.”
Jungck’s firm has worked with security agencies, telecom carriers and credit card companies that want to catch perpetrators in the act.
One role this software can play is rigging the game against a criminal who is stealing calling card numbers off a telco’s database or catching hackers trying to download a batch of 5,000 credit card numbers, for instance. “With our system, we can electronically pull one card out of the series and put an electronic watermark on it without interrupting the download; the criminal doesn’t know it,” Jungck says.
Watermarked data lets law enforcement track the use of the stolen card numbers, which could lead to other accomplices in the theft ring. The hacker who steals the card data, for instance, might lead investigators to an organized gang that can create new credit cards using blank Visa or MasterCard templates. CloudShield’s system also lets companies track monetary transactions from beginning to end, monitoring attempts by unauthorized people to insert themselves into the process. It can tell when hackers try to figure out passwords, or when something’s awry with other parts of the network when procedure isn’t followed.
For example, if a transaction task is a never-changing, choreographed effort among the employees and a deviation occurs, it could indicate a robbery attempt by employees or by hackers.
CloudShield tracks various transactions from beginning to end and from points along the electronic verification and access points. CloudShield, according to a company presentation, can record multiple failed attempts to get a PIN to work and can send alerts if a login session on a company Internet site repeatedly fails. The software is designed to track anything out of the ordinary, not only in the movement and access attempts by humans, but through conversations on email systems and other kinds of targeted communication.
Among the other notification abilities are monitoring and tracking valuable data and intellectual property, monitoring appropriate usage levels for information dissemination (large electronic files on the move), and continuously inspecting network conversations.
Whom Can You Trust?
The level of automation and anti-fraud protection a carrier or service provider wants to use is up to the carrier, but there’s no doubt that carriers need some kind of protection. Unstable international networks, new and untrusted employees and about a million people out there who think they can cheat the phone company or enterprise make it certain that money is going to come up missing from the time a customer logs in or initiates the dial tone.
In addition, carriers and ISPs have to be careful before they jump to conclusions about who is committing fraud and who isn’t. Customers that use a lot of bandwidth shouldn’t necessarily be treated as if they’re committing a crime.
Doug Miller, manager of new products at Narus, says carriers miss opportunities to charge and collect for bandwidth overages because they assume any improper use of the network is “fraud.” Though traffic analysis systems pinpoint fraudulent users by spotting IP addresses hogging industrial-strength bandwidth, many of those folks may simply be trying to avoid paying higher fees to the ISP. “I prefer to use the term ‘abuse’ instead of ‘fraud,’” Miller says. “Using the term fraud to describe what’s going on is too limiting,” he says. “A lot of people who aren’t hiding their identities are abusing their agreements.”
But real fraud does exist. Verizon Online, for instance, has found it necessary to warn its DSL subscribers not to install or host personal or commercial servers on their DSL circuits—something they’ve had problems with before.
Protecting Services Before They’re Launched
Jason Lane-Sellers, senior fraud & revenue assurance consultant with Neural Technologies, says fraud prevention begins before new services are launched. Any project that contains a revenue-generating aspect should undergo an assurance review with the goal of finding any holes where money could be lost. Payment mechanisms, account management, reporting and monitoring of the product’s support mechanism have to be examined for weaknesses. “Most organizations have an established process for creating new products,” he says. “It is essential that the fraud and security groups are involved in this process.” Fraud and security personnel should review every new product and service, removing major problems before launch.
As telecommunications services operate across more and more platforms, barriers against fraud become more difficult to place. Now that data can flow over wireless airwaves, through cable modems and telephone lines, fraudsters have three networks on which to attempt access. It is one thing to protect a switch from being hijacked, but it’s quite another to create an anti-fraud policy to cover the hundreds of service combinations offered by carriers, ISPs and other providers in this modern electronic marketplace. Subscribers are willing to share delicate personal information with their service providers only if they feel they can trust the provider to protect their privacy. The very success of m-commerce and other premium wireless data services depend on how much subscribers trust their provider to protect their most important financial information.
“We must recognize that the boundaries we impose on ourselves do not exist for the fraudsters,” says Dave Woods, director of fraud control services at Azure Solutions. “The world is a much smaller place in today’s technology driven environment. By working together, regardless of our imposed boundaries, we can have a positive impact on preventing and reducing fraud.”
The following should be double-checked before an application is approved:
• If the Social Security number and the name don’t match;
How to Catch the Fraudsters:
• Do a full credit check