
International Fraud Scene

International Fraud Scene. Clifford M. Jordan February 13, 2007, Las Vegas, NV. International Fraud Scene. Top International Fraud Schemes International PRS Bypass Carrier Surfing Subscription Fraud Roaming Fraud Subsidy Fraud International SMS Frauds. International PRS Fraud.


Presentation Transcript


  1. International Fraud Scene Clifford M. Jordan February 13, 2007, Las Vegas, NV

  2. International Fraud Scene
      Top International Fraud Schemes
      • International PRS
      • Bypass
      • Carrier Surfing
      • Subscription Fraud
      • Roaming Fraud
      • Subsidy Fraud
      • International SMS Frauds

  3. International PRS Fraud
      Also called:
      • Revenue Sharing Fraud
      • Audiotext Fraud
      • Telesex Fraud
      Objective
      • The objective of the fraud is to generate as many minutes of traffic as possible to a PRS (premium rate service) number. The more minutes of traffic generated, the more revenue the content owner of the PRS number receives.

  4. International PRS Fraud
      Methods Utilized
      • Subscription Fraud to get a postpaid phone, which then calls the PRS number.
      • Subscription Fraud to get a postpaid or prepaid phone, which then roams internationally in order to call the PRS number.
      • Clip-on Fraud or PBX Fraud to make calls to the PRS number.
      • Basically, almost any type of fraud possible, just to make free phone calls to a PRS number.
      Net Result
      • The content owner of the PRS number gets paid via the Intl Carrier who owns the physical number. The Intl Carrier gets paid via settlement charges between carriers. The carriers most often do NOT get paid because of the fraud involved. The content owner wins. The carriers lose.

  5. International PRS Fraud
      Another variant called “Modem Hijacking”
      • This is where websites (usually porn sites) allow users (victims) to download an executable script called a “Dialer” that will call via the computer modem to an International PRS number that is also a modem.
      • Upon completion of the call the victim is “re-connected” to the internet via the Intl PRS modem.
      • The victim can then surf the website, gaining access to the content for as long as his modem is connected to the Intl PRS number.
      • Many times, this is all done WITHOUT the victim knowing his modem is being used. Such cases are called “Modem Hijacking”.

  6. International PRS Fraud
      Flow of Money for Intl PRS Fraud:
      • Client A uses International Telesex Service
      • Client A pays Long Distance Provider for calls on invoice
      • Long Distance Provider pays International Carrier a percentage for interconnect costs
      • International Carrier pays a percentage to Service Bureau (Level 1)
      • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2)
      • Service Bureau (Level 2) pays a percentage to Service Bureau (Level X)
      • Service Bureau (Level X) pays a percentage to Content Provider
      Hence the name: Revenue Share Fraud
      [Diagram: Client A → Long Distance Provider → International Carrier → Service Bureau Level 1 → Service Bureau Level 2 → Service Bureau Level X → Content Provider]

  7. International PRS Fraud
      Example of Level 1 Service Bureau: Internext Conference, Jan 6, 2003

  8. International PRS Fraud
      Another Example of Level 1 Service Bureau: Internext Conference, Jan 6, 2003

  9. International PRS Fraud: Example of “Good Dialer”
      Choose your Originating Country so dialer knows how to dial out.

  10. International PRS Fraud: Example of “Good Dialer” continued...
      Choose type of Access.
      • “MODEM/ISDN” will give you a Dialer
      • “CABLE-DSL/LAN-WEBTV” will give you an intl phone number to call.

  11. International PRS Fraud: Example of “Good Dialer” continued...
      Executing the Dialer. Notice the option of “Silent Dialing”. In some “Bad Dialers” this is the default.

  12. International PRS Fraud: Example of “Good Dialer” continued...
      Executing the Dialer... Logging into the site.
      Observation: To prevent unauthorized access from direct connect, an IP address is automatically assigned to the client on login, and the website will only work for that IP range.

  13. International PRS Fraud: Example of “Bad Dialer”
      • Look up in Google key words:
          • Hobby Hacker Carding
      • Go to sites and download dialer and execute
      • Dialer will silence modem tones and will not give any information about what it is doing.
      • In addition to being connected to an international destination, your machine will be infected with various trojans and viruses, disabling your machine and requiring re-loading of the operating system.
      • Please do not try this on a machine with:
          • A LAN connection
          • Important or Sensitive Information
          • A Critical Function

  14. Bypass Fraud
      Objective
      • Bypass Fraud: The objective of the bypasser is to make money by bypassing legal international routing.
      Method Utilized
      • VOIP Feed – Through the internet, the bypasser will set up a VPN with an International Carrier and then receive calls to be terminated locally. The calls will come across the VPN, to a digital PBX and out through a SIM Box. The incoming international calls are then re-originated through the SIM Box accounts, so they appear and are charged as local calls.

  15. Bypass Fraud
      [Diagram labels: Intl Carrier (at&t, MCI), VPN, Internet, Switch, Legal Route, Bypass Route, Jamaica, SIM Box (Digicel), SIM Box (competitor)]

  16. Bypass Fraud
      Net Result
      • The bypasser is paid a rate (less than the normal rate) for the termination of the calls. The bypasser pays the local rate for the termination of the calls through the SIM Box. The bypasser then keeps the difference as his profit.

  17. Bypass Fraud
      Detection
      • Behavioral Analysis:
          • Accounts with high volumes of calls per day AND
          • With calls throughout the day (early morning to late night) AND
          • All calls are Local or Domestic AND
          • Accounts do not RECEIVE calls AND
          • Accounts are NOT a Call Center of any type AND
          • High Diversity, meaning the number of unique destinations called is 90% or greater (number of unique destinations / number of calls made) AND
          • Number of cell-sites is 3 or less consistently OR account is Land Line
      • The certainty of Behavioral analysis is always less than 100%. For example, Call Centers look exactly like Bypassers.
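The behavioural rule on slide 17, applied to one day of call records. This is an added example, not code from the presentation; the `CDR` fields, the `min_calls` and `min_hours` thresholds and all sample accounts are assumptions, while the 90% diversity and 3 cell-site limits come from the slide.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class CDR:
    account: str         # billed account
    direction: str       # "MO" = call made, "MT" = call received
    dest: str            # called number
    hour: int            # local hour the call started (0-23)
    cell: str            # serving cell-site id, or "LANDLINE"
    international: bool = False

def bypass_suspects(cdrs, call_centres=frozenset(), min_calls=200,
                    min_hours=16, min_diversity=0.90, max_cells=3):
    """Return accounts matching every condition of the slide-17 rule for one day."""
    by_account = defaultdict(list)
    for c in cdrs:
        by_account[c.account].append(c)
    suspects = []
    for account, recs in by_account.items():
        made = [c for c in recs if c.direction == "MO"]
        if account in call_centres or len(made) < min_calls:
            continue                              # known call centre / low volume
        if len(made) != len(recs):
            continue                              # account receives calls
        if any(c.international for c in made):
            continue                              # not all local or domestic
        cells = {c.cell for c in made}
        diversity = len({c.dest for c in made}) / len(made)
        spread = len({c.hour for c in made})      # distinct active hours
        static = cells == {"LANDLINE"} or len(cells) <= max_cells
        if spread >= min_hours and diversity >= min_diversity and static:
            suspects.append(account)
    return sorted(suspects)

def constructed_day():
    """Constructed CDRs: a SIM box, a call centre, a sales rep, a subscriber."""
    cdrs = []
    for i in range(300):
        hour = 6 + i % 18                         # 06:00 to 23:00
        cdrs.append(CDR("SIMBOX-1", "MO", f"876555{i:04d}", hour, f"cell-{i % 2}"))
        cdrs.append(CDR("CALLCENTRE-1", "MO", f"876444{i:04d}", hour, "LANDLINE"))
        cdrs.append(CDR("SALES-1", "MO", f"876333{i % 40:04d}", 8 + i % 10, f"cell-{i % 9}"))
    cdrs += [CDR("SALES-1", "MT", "", 12, "cell-1")]
    cdrs += [CDR("SUB-1", "MO", "8762220001", 19, "cell-7"), CDR("SUB-1", "MT", "", 20, "cell-7")]
    return cdrs

if __name__ == "__main__":
    day = constructed_day()
    print(bypass_suspects(day))                   # call centre is flagged too
    print(bypass_suspects(day, call_centres={"CALLCENTRE-1"}))
```

Without the allow-list the constructed call centre is flagged alongside the SIM box, which is the false positive the slide warns about.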

  18. Bypass Fraud
      Detection
      • Test Call Analysis:
          • Test calls are made from outside the country to test numbers in-country. The termination CDRs from these test calls are then analyzed. If the call came into the network via an acceptable international route, then no problem. If the call that was terminated was from a local number, then this is bypass.
          • When a test call is found to terminate via a bypass route, the certainty of that route being bypass is 100%. However, it is not a 100% probability that a test call will be routed down a bypass route. Hence, many test calls are statistically needed in order to increase the probability of hitting a bypass route.
          • There are companies that can provide this service (e.g. TJTVIDS www.identitel.com)

  19. Carrier Surfing Fraud
      Background
      • In some developing countries, regulatory agencies have a goal of ensuring that telephone service reaches ALL the public and not just the rich. To accomplish this goal, they may control or limit the ability of a carrier to deny a subscription for service. This could be by:
          • making it against the law to deny any subscription
          • making it illegal to perform a credit check prior to subscription
          • making it illegal to share credit information (bad debt) with another telecom
      • One example of this is Brazil.

  20. Carrier Surfing Fraud
      Objective
      • In such countries, fraudsters will try to use a carrier for as long as possible without payment for services. Once blocked for non-payment or bad debt, the fraudster will simply switch networks or carriers and begin all over again with the same identity. Eventually when all the networks and carriers have blocked this fraudster for non-payment, he will assume a new identity, and start all over again. Can be used to sell traffic or obtain free service.
      • In Brazil, such a fraudster can go 2 years without ever paying for long distance service from a land line.

  21. Carrier Surfing Fraud
      Example Case: Surfing LD Carriers
      • External fraudster gives true documentation to local carrier in order to provision a prepaid line.
      • Local carrier provisions line for fraudster.
      • Fraudster then can perform local prepaid calls and postpaid long distance calls via LD1. He never pays LD1 and is blocked by LD1.
      • Fraudster then performs long distance calls via LD2.
      • Fraudster never pays and is blocked by LD2.
      • Fraudster then performs long distance calls via LD3.
      • Fraudster never pays and is blocked by LD3.
      • And so on...
      [Diagram labels: A, local, LD1, LD2, LD3 (each marked X), B]

  22. Carrier Surfing Fraud
      Methods Utilized
      • Fraudsters will most often use Subscription Fraud as the way to obtain the initial service.
      Net Result
      • The fraudster can obtain free service sometimes for many months until he has run out of carriers. ALL the carriers are victims.

  23. Carrier Surfing Fraud
      Detection
      • Have the carriers share as much information about such abusers as the regulatory agency will allow them to. When a person is seen with an outstanding debt in two or more carriers, assume he is a fraudster and block as soon as possible. In Brazil, it was illegal to share information about bad debtors, however, it was NOT illegal to share information about fraudsters.
      • Also, look for tell-tale signs of no intention to pay such as:
          • Higher than normal usage for the neighborhood of the user.
          • Calls at all hours
          • Receiving lots of collect calls
          • User cannot pass a validation OR PERFECTLY passes the validation without the least variation.

  24. Subscription Fraud
      Objective
      • In many underdeveloped countries, where telephone service is still at premium prices, Subscription Fraud is still being used to obtain free service.
      • As voice calls and SMS’s are increasingly less expensive in the US, the need to use Subscription Fraud with the objective of receiving free service is declining. In fact, in the US, the objective of Subscription Fraud is evolving to allow a fraudster (Identity Thief) to be validated for more profitable frauds, such as Bank fraud, Card fraud, Mortgage fraud, Insurance fraud.

  25. Subscription Fraud
      Methods Utilized
      • The user’s True Identity – often used in the developing countries by people who purchase phones/service to sell to others to earn money. Oftentimes the user himself purchases the phone/service with the intention of not paying.
      • Identity Theft – fraudsters purchase or steal other people’s identity information from them in order to facilitate Subscription Fraud. Also, Identity Theft is becoming more and more popular via hacking, dumpster diving, Phishing, and Pharming.
      • A Fake Identity – due to the lack of methods of authentication, people can easily create new fake identities altogether.

  26. Subscription Fraud
      Net Result
      • The Carriers suffer heavily in terms of bad debt and fraud losses due to Subscription Fraud.
      Detection
      • Look for tell-tale signs of no intention to pay such as:
          • Higher than normal usage for the neighborhood of the user.
          • Calls at all hours
          • Receiving lots of collect calls
          • User cannot pass a validation OR PERFECTLY passes the validation without the least variation.
          • Welcome letter is returned.
          • User fails authentication attempt

  27. Roaming Fraud
      Objective
      • The objective of the Roaming Fraud is to generate as many minutes of traffic as possible in a limited period of time. It could be to sell traffic, make calls to a PRS (premium rate service) number, or simply allow someone to use the service anonymously and/or for free (or at a discounted price).

  28. Roaming Fraud
      Methods Utilized
      • Subscription Fraud to get postpaid or prepaid phone which then is taken abroad so it can roam internationally.
      • If it is a postpaid account, then the fraudster usually has about 2 days of unlimited usage before the account is detected and shut down.
      • If it is a prepaid account, then the roamer must find a switch/network on the roaming network that is not CAMEL provisioned. If this is the case, the calls can be made for free. Again, fraudster will have only 2 days of unlimited usage before detected and shut down.
      • If the user has many such accounts, he can spread out the usage and “fly under the radar”. If his volume is less than 50 SDRs per day (1 SDR equals 1.4 USD) at the wholesale rate, then no HURs (High Usage Reports) will be created to alert the home network.

  29. Roaming Fraud
      Net Result
      • Two days of unlimited usage equals 2880 minutes, which can be worth anywhere from $700 USD to $5000 USD depending on the destinations of the calls. If each account frauded costs the fraudster $30 USD, then the profit margin is huge.
      • 10 roaming accounts can profit a fraudster $6700 to $49,700 in a matter of a few days.

  30. Roaming Fraud
      Detection
      • For standard networks, any roamer with over 50 SDRs of usage will generate an HUR (High Usage Report) sent back to the home network. The home network is then responsible to investigate and shut down the account if they deem it fraud.
      • Now many companies are moving to NRTDE systems (Near Real-time Roaming Data Exchange). These systems send and receive roaming CDRs in near real-time, i.e. within minutes of the end of the call. Some NRTDE systems are Optel, Mach Ex, RoamEx, Syniverse Datanet, Neetrix, and others.
      • NRTDE systems are mandatory for GSM operators by Oct 1st, 2008.

  31. Subsidy Fraud
      Objective
      • The fraudster wants to take advantage of the low subsidized price for handsets so they can sell them elsewhere at a marked up price for a profit.
      Methods Utilized
      • Fraudsters will most often use Subscription Fraud as the way to purchase subsidized handsets. Or if he finds prepaid handsets sold without authentication at subsidized prices, then they are an even easier target. However, these lower priced handsets are not as much in demand.

  32. Subsidy Fraud
      Net Result
      • The fraudster makes a profit re-selling the phones at a near real cost. The carrier who sold the phone to the fraudster loses the subsidy value.
      Detection
      • Look for new accounts with very little or no initial usage and then no usage at all. Try calling the accounts and they will not be connected to the network. Try billing them and the bills will come back or not be paid.
      • Blacklist all names, contact numbers, and addresses used by fraudsters as part of Subscription Fraud.

  33. Subsidy Fraud
      Other Symptoms
      • The DOUBLE WHAMMY: Look for immediate International Roaming on the account with a different IMEI (handset number). If this is the case, then the GSM SIM chip was used for Roaming Fraud and the handset was sold as a Subsidy Fraud.
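The two subsidy checks from slides 32 and 33 (little or no initial usage followed by none, and early roaming on a handset other than the one sold) as one classifier. This is an added example, not part of the presentation; the record fields, the 7-day window, the 2-event limit and all account and IMEI values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    msisdn: str
    activated: date
    subsidised_imei: str      # handset sold with the subscription

@dataclass
class Usage:
    msisdn: str
    day: date
    imei: str                 # handset the SIM was seen in
    roaming: bool             # True when served by a foreign network

def classify_new_accounts(accounts, usage, window_days=7, max_initial_events=2):
    """Label each account 'double_whammy', 'subsidy_suspect' or 'ok'."""
    labels = {}
    for a in accounts:
        cutoff = a.activated + timedelta(days=window_days)
        events = [u for u in usage if u.msisdn == a.msisdn]
        early = [u for u in events if u.day <= cutoff]
        later = [u for u in events if u.day > cutoff]
        if any(u.roaming and u.imei != a.subsidised_imei for u in early):
            labels[a.msisdn] = "double_whammy"     # SIM roams in a different handset
        elif len(early) <= max_initial_events and not later:
            labels[a.msisdn] = "subsidy_suspect"   # little initial usage, then none
        else:
            labels[a.msisdn] = "ok"
    return labels

def constructed_case():
    """Constructed accounts: A roams on another handset, B goes silent, C and D are normal."""
    start = date(2007, 1, 2)
    accounts = [Account(f"ACCT-{n}", start, f"IMEI-SOLD-{n}") for n in "ABCD"]
    usage = [
        Usage("ACCT-A", start + timedelta(days=1), "IMEI-OTHER-1", True),
        Usage("ACCT-B", start, "IMEI-SOLD-B", False),
        Usage("ACCT-D", start + timedelta(days=2), "IMEI-SOLD-D", True),
    ]
    usage += [Usage("ACCT-C", start + timedelta(days=d), "IMEI-SOLD-C", False)
              for d in (0, 3, 10, 20)]
    usage += [Usage("ACCT-D", start + timedelta(days=d), "IMEI-SOLD-D", False)
              for d in (9, 15)]
    return accounts, usage

if __name__ == "__main__":
    for msisdn, label in classify_new_accounts(*constructed_case()).items():
        print(msisdn, label)
```

ACCT-D roams early but on the handset it was sold with and keeps generating usage, so it is not flagged.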

  34. International SMS Fraud
      Objective
      • Send SMS’s for free. Especially profitable for SMS Spammers.
      Methods Utilized
      • A misconfigured switch can allow a Prepaid User to send an SMS while having a zero prepaid balance. In one scenario, the user will first attempt to send the SMS to a destination that does not accept SMS’s (e.g. Cust Service, Land Line, etc). When it fails, the user then resends the same SMS to the intended destination.
      • An SMSC that is not properly configured can allow users not belonging to a foreign network to send SMS’s.

  35. International SMS Fraud
      Net Result
      • The SMS community is much like the internet community. The knowledge of any vulnerabilities found will spread like wildfire.
      Detection
      • Monitor closely the number of SMS’s sent to each country.
      • Monitor SMS attempts to non-SMS numbers. Also, do a daily balance check for all accounts:
          Today’s balance = Yesterday’s balance + Today’s recharges - Today’s usage
      • Monitor all SMS’s to non-standardized destination numbers.
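The daily balance check and the non-SMS-number monitor from slide 35, run over one day of prepaid data. This is an added example, not part of the presentation; the record layouts, the 0.01 tolerance, the threshold of 3 attempts and all account values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class PrepaidDay:
    account: str
    yesterday_balance: Decimal
    recharges: Decimal
    usage: Decimal            # today's usage as rated from CDRs and SMS records
    today_balance: Decimal    # balance actually held on the prepaid platform

@dataclass
class SmsAttempt:
    account: str
    dest: str
    dest_accepts_sms: bool    # False for land lines, customer-service numbers, ...

def balance_exceptions(days, tolerance=Decimal("0.01")):
    """Map account -> (actual - expected) where the daily balance check fails."""
    gaps = {}
    for d in days:
        expected = d.yesterday_balance + d.recharges - d.usage
        gap = d.today_balance - expected
        if abs(gap) > tolerance:
            gaps[d.account] = gap     # positive gap: usage that was never charged
    return gaps

def non_sms_attempts(attempts, threshold=3):
    """Map account -> count of SMS attempts to destinations that cannot accept SMS."""
    counts = Counter(a.account for a in attempts if not a.dest_accepts_sms)
    return {acct: n for acct, n in counts.items() if n >= threshold}

def constructed_inputs():
    """Constructed day: P-1002 has a zero balance yet 4.20 of rated SMS usage."""
    D = Decimal
    days = [PrepaidDay("P-1001", D("10.00"), D("5.00"), D("3.50"), D("11.50")),
            PrepaidDay("P-1002", D("0.00"), D("0.00"), D("4.20"), D("0.00")),
            PrepaidDay("P-1003", D("2.00"), D("0.00"), D("0.50"), D("1.50"))]
    attempts = [SmsAttempt("P-1002", "LANDLINE-A", False) for _ in range(4)]
    attempts += [SmsAttempt("P-1002", "MOBILE-B", True) for _ in range(4)]
    attempts += [SmsAttempt("P-1003", "LANDLINE-C", False)]
    return days, attempts

if __name__ == "__main__":
    days, attempts = constructed_inputs()
    gaps, probes = balance_exceptions(days), non_sms_attempts(attempts)
    for acct in sorted(gaps):
        print(acct, "balance gap", gaps[acct], "non-SMS attempts", probes.get(acct, 0))
```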
