
CFCA Americas Fraud and Revenue Assurance Workshop Brasil

CFCA Americas Fraud and Revenue Assurance Workshop Brasil. CFCA 3030 N. Central Ave., Suite 707 Phoenix, Arizona 85012 USA +1 602 265 CFCA (2322) +1 602 265 1015 Fax Fraud@CFCA.org www.CFCA.org. Dialer Fraud. Cliff Jordan.


Presentation Transcript


  1. CFCA Americas Fraud and Revenue Assurance Workshop Brasil CFCA 3030 N. Central Ave., Suite 707 Phoenix, Arizona 85012 USA +1 602 265 CFCA (2322) +1 602 265 1015 Fax Fraud@CFCA.org www.CFCA.org

  2. Dialer Fraud Cliff Jordan

  3. a.k.a: • Internet dumping - Modem Hijacking - Rogue Dialers

  4. Dialer Fraud • Web Dialers • The “Good”, the “Bad” & the “Ugly” • The Victims • Solutions? • Big Business • The Problem • Losses • Example • Kind of Action • Conclusion

  5. Web Dialers • Online billing tools for web content, based on premium rate telephone numbers • Users can pay directly for web content via their telephone bills • Widely accepted payment procedure • Customer doesn’t have to provide sensitive data • Customer always retains his anonymity • Security for the user and security for the provider

  6. Pay by Click • User clicks on the Web Dialer icon and downloads from a server • Installs itself on the user’s computer • Ready to be used in a matter of seconds • Actual internet connection is cut and a new connection is built up automatically with the payment net • When leaving the protected content area the link with the payment net should be cut

  7. Web Dialers – Flow of Money • Client A uses International Dialer Service • Client A pays Long Distance Provider for calls on invoice • Long Distance Provider pays International Carrier a percentage for interconnect costs • International Carrier pays a percentage to Service Bureau (Level 1) • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2) • Service Bureau (Level 2) pays a percentage to Service Bureau (Level X) • Service Bureau (Level X) pays a percentage to Content Provider • [Diagram: Client A, Long Distance Provider, International Carrier, Service Bureau Level 1, Service Bureau Level 2, Service Bureau Level X, Content Provider]

  8. The Good • Explain in the customer’s own language • Ask customer about his age • Warn about downloading software to be installed on the customer’s computer • Warn about dialing an international telephone number • Do not silence the modem • Explain to the user about modem disconnect/reconnect in his language • Give price per minute of call

  9. The Good - Example Choose type of Access. “MODEM/ISDN” will give you a Dialer “CABLE-DSL/LAN-WEBTV” will give you an intl phone number to call.

  10. The Good - Example

  11. The “Bad” • Do not explain… • Do not warn: • about disconnection from the ISP • about dialling international destination • Simply operate in silent mode • (connection established automatically) • Come in as a Trojan → the “Ugly”

  12. The “Not so Good - Bad” - Example Choose your Originating Country so dialer knows how to dial out.

  13. The “Ugly” example • March 2003 - “Zelig worm” • The “trojan” lured its victims with offers to download a screensaver related to Zelig • Altered the ISP dial-up settings into a dial-out connection to the 889 international phone exchange which was a phantom ISP in Aruba (Dutch Antilles) • The “unauthorized calls” generated payments sent from a bank in NY to a Venezuelan living in Italy • With 30 telephone lines the fraud was worth 1 million Euro per month

  14. The Victims • Customers using dial-up internet connection • Customers using xDSL but still having an integrated modem in their PCs • Customers surfing for “added value?” • porn-sites • crack-sites • games • music • The telecom operator • Dealing with all these problems

  15. The Easy Solutions • For the customer • Avoid the internet • Choose xDSL connection • Look for “legal” added value • Get back to “physical” • For the telecom operator • Forget the billing

  16. Unfortunately • There are no “easy” solutions: • The internet is not regulated, • Don’t expect anything from this side • Customer education almost an impossible task • Too many “dummies” on the net • Too much ignorance • Only aware about his rights not about compliance • Don’t expect anything from this side either

  17. The Problem • The customer doesn’t care about interconnection • The customer only knows the “easy” way to get back the money he should have paid and puts pressure on: • Incumbent operator • National government • Consumer organizations • National press • Dialer fraud is linked to Premium Rate and of course it is “big, …very big business”

  18. Big Business Audiotext Conference in Las Vegas - Audiotext and Dialers

  19. Big Business Audiotext Conference in Las Vegas - Audiotext and Dialers Internext Conference, Jan 6, 2003

  20. Big Business Another Example of Level 1 Service Bureau: Audiotext Conference in Las Vegas - Audiotext and Dialers Internext Conference, Jan 6, 2003

  21. You said “big business” !? • Wednesday June 23rd 2004 • MADRID - Spain's civil guard on Wednesday arrested five people suspected of defrauding Internet users by using hidden software to divert their dialup calls to premium high-cost phone numbers. The group may have made over 35 million euros ($42 million) from a scheme that could have affected more than 45,000 people across the country, officials said in a statement. They said those arrested, all aged between 30 and 39, had set up more than 150 music, pornography, car, leisure and travel Web Sites to carry out the fraud. • "When web surfers opened these pages, a program of the "dialer" type was secretly installed and hidden on their computers, which diverted their connections without express consent," the civil guard said in a statement. The phone numbers cost around one Euro a minute to call, and some fraud victims received phone bills for over 3,000 euros. Police uncovered the server for the pages in the north-western city of Vigo, while the business headquarters was in Madrid. The Company believed to be behind this is: Gana Internet SL

  22. You said “big business” !? • January 31st 2005 • German federal police arrested 2 persons in Paderborn & Riga suspected of being part of the Dialer mafia • The organization was using illegal Dialers that changed security settings on victims’ PCs so that they would call expensive telephone numbers without the victims noticing • Total damage: 20 million Euro! • The fraudsters set up letterbox companies in the US and Panama; money was channeled through a Swiss company to the accounts of a US bank in the UK and the US • Source: Neue Osnabrücker Zeitung • www.heise.de/english/newsticker/news/55636

  23. Losses • Modem Hijacks – 2003 Estimated Range of Global Fraud Loss (Dollars / €) • Low end of range: $904,693,878 / €740,902,999 • High end of range: $1,037,346,939 / €849,863,628 • Mid-Point: $994,897,959 / €815,234,176 • Source:

  24. Just an example • DTMF tones emitted by the victimized PC allowed us, via DTMF decoder, to identify the dialled number • Number dialled by the PC-modem belonged to GNA – 00823470150000 - rate of €10,24 p/m • Download starts via Telephone network instead of via the Internet directly • To thank us for helping him, the customer changed their ISP

  25. Detection • Easy… • If you have FMS • Abnormal calling pattern • Customer behaviour doesn’t match the profile • Long duration calls, internet sessions • Expensive international calls • Hot destinations (country or satellite) • Traffic explosion

  26. Detection: Traffic explosion

  27. Tools to Identify Content Provider • Ipconfig • Traceroute • Sniffer • Samspade.org • Reverse Engineering Tools

  28. What kind of action ? • ITU/QSDG meeting of July 2004 (Lyon) proposed that: • “Operators can block access to any premium number they believe is being used by rogue dial-ups.”

  29. What kind of action? - 1 - • An estimated 19,000 BT customers have been stung by rogue Dialers, and the problem is growing. • BT will block access to any premium number it believes is being used by "rogue dial-ups". It will do this straight away, rather than wait for regulators to take action. • Independent Committee for the Supervision of Telephone Information Services (ICSTIS), the regulator of premium rate services, is supporting BT's action. Rogue Dialers represented 43 per cent of Internet-related premium rate complaints received by ICSTIS in 2002; by 2003 this had risen to 70 per cent. • June 30th 2004

  30. What kind of action ? – block abuser - BT abandons scheme to block rogue Dialers • BT has stopped blocking UK-based premium rate numbers suspected of being used by rogue Dialer companies. However, it's understood that BT has now decided to abandon its "block now ask questions later" policy. • Instead, it will only block numbers if given the go-ahead by UK premium-rate regulator ICSTIS, although The Register understands the telco is still prepared to block suspected numbers that originate from outside the UK. • In the first four months in operation BT blocked 1,000 numbers. During that time it dealt with 45,000 cases where customers had run up inflated phone bills because of rogue Dialers. • February 18th 2005

  31. What kind of reaction? BT sued for blocking suspected 'rogue Dialer' numbers • BT is facing legal action over its decision to block premium-rate lines suspected of being used by rogue Dialer companies. • Birmingham-based Opera Telecom is suing BT for blocking access to lines Opera leases to adult content outfit Netcollex and is seeking compensation for lost revenues. • February 22, 2005 • But a very efficient new solution was found ….

  32. What kind of reaction? – fine abusers - • The British premium rate phone service regulator, ICSTIS, has fined a Swiss company €75,000 (£50,000) for modem hijacking. DDD Telecom AG received the fine for installing software without the informed consent of PC users, and for failing to terminate calls once a €30 (£20) limit had been reached. Once installed, the software had set itself up as the default Dialer, connecting to a premium rate line whenever the user tried to access the internet. "This resulted in every connection to the internet being charged at a premium rate, despite the complainants believing that they were connecting through their usual internet service provider," said ICSTIS in a written decision of 30/09/2004.

  33. What kind of reaction? – do not pay! - • Another option for Carriers wanting to prevent this type of traffic is simply the refusal to pay for International Interconnect traffic deemed to be related to Fraud or Fraudulent activity. When the International Carrier loses money on this traffic, he will opt to block the traffic rather than lose money.

  34. Other Detection Techniques? • Black lists • Not useful in the long term • Dialer fraudsters are changing number ranges all the time • Immediate alerts can be helpful • White Lists • Diego Garcia? • Domain names?

  35. Conclusion… • Dialer fraud is a bigger problem than SPAM • PRS-fraudsters are sure to get the money because of the interconnection agreements between operators • Customer claims that the network operator should prevent this kind of malicious operation and he is not willing to pay although he is responsible for his PC • … the operator is the only “fear” factor left to take action
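
The detection criteria on slide 25 (long calls, expensive international calls, hot destinations, traffic explosion against the customer's profile) can be expressed as rules over call detail records. The sketch below is an added example, not part of the presentation: the record layout, thresholds, subscriber baselines and hot-prefix list are assumptions, and the only values taken from the slides are the dialled number and per-minute rate from slide 24. It also shows the point of slide 34: with the black list emptied, the behavioural rules still flag the line.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: (subscriber, dialled, start, seconds, cost_eur).
# The 0082... number and its 10.24 EUR/min rate are the ones on slide 24;
# every other record is invented for this example.
CDRS = [
    ("sub-A", "0123456789",     "2004-06-01 19:02",  300,   0.25),
    ("sub-A", "0123456789",     "2004-06-02 19:10",  420,   0.35),
    ("sub-A", "00823470150000", "2004-06-03 21:15", 2700, 460.80),
    ("sub-A", "00823470150000", "2004-06-03 22:30", 1800, 307.20),
    ("sub-B", "0033140000000",  "2004-06-03 10:00",  600,   1.20),
    ("sub-B", "0033140000001",  "2004-06-03 11:00",  480,   0.96),
]

# All thresholds and profiles below are assumptions chosen for illustration.
HOT_PREFIXES = ("0082",)            # hot-destination (black list) prefixes
MAX_CALL_MIN = 30                   # a single call longer than this is "long"
MAX_RATE_EUR_MIN = 2.0              # per-minute rate above this is "expensive"
EXPLOSION_FACTOR = 5                # daily minutes vs. the customer's baseline
EXPLOSION_FLOOR_MIN = 30            # never alert below this daily volume
BASELINE_INTL_MIN_PER_DAY = {"sub-A": 0.0, "sub-B": 20.0}

def detect(cdrs, hot_prefixes=HOT_PREFIXES):
    """Return {subscriber: sorted list of rule names that fired}."""
    alerts = defaultdict(set)
    daily = defaultdict(float)      # (subscriber, date) -> international minutes
    for sub, dialled, start, secs, cost in cdrs:
        if not dialled.startswith("00"):   # only international calls matter here
            continue
        minutes = secs / 60
        day = datetime.strptime(start, "%Y-%m-%d %H:%M").date()
        daily[(sub, day)] += minutes
        if dialled.startswith(hot_prefixes):
            alerts[sub].add("HOT_DESTINATION")
        if minutes > MAX_CALL_MIN:
            alerts[sub].add("LONG_CALL")
        if minutes and cost / minutes > MAX_RATE_EUR_MIN:
            alerts[sub].add("EXPENSIVE_RATE")
    for (sub, _day), minutes in daily.items():
        baseline = BASELINE_INTL_MIN_PER_DAY.get(sub, 0.0)
        if minutes > max(EXPLOSION_FLOOR_MIN, EXPLOSION_FACTOR * baseline):
            alerts[sub].add("TRAFFIC_EXPLOSION")
    return {sub: sorted(flags) for sub, flags in alerts.items()}

if __name__ == "__main__":
    print(detect(CDRS))                    # black list in place
    print(detect(CDRS, hot_prefixes=()))   # black list stale or empty
```
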
