Tuesday, October 18, 2011

Term Tuesdays - Subscription Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

Consumer-facing ITSPs are battling to optimize their user-acquisition costs versus lifetime value – and are constantly trying out new techniques for signing up users. Registration form fields are reduced, making it as simple as possible for newcomers to join the service, while leaving the ITSP with many questions on who the user is – which may be a challenge when tackling subscription fraud.

In many cases, a free call or free calling credit is offered before/after account creation, allowing the user to familiarize themselves with the system. The revenue-assurance decision tree from here can only get longer and wider. For example: if the user is given a free call after signing up, what stops them from creating multiple accounts and making multiple free calls?

The low-hanging fruit would clearly be to place limits on the IP address and the phone number the user is dialing from/to; however, this gets problematic once disposable phone numbers enter the equation, and even more so with hackers who have full number ranges in their war chest. There is no easy way to tackle this problem, but steps can be taken to greatly limit the financial exposure, such as limiting total calls on a per-destination level, routing all free calls through cost-limited trunks, and carefully scrutinizing daily cost, duration and call-volume user leader-boards to make sure they are consistent with your rule set. Additionally, maintaining blacklists of numbers and registration domains (e.g. blocking sites such as 10minutemail.com from registering) raises the barriers for fake subscriptions without affecting valued users.

Paying users, while the bread and butter of the ITSP, can also be a great concern in terms of subscription fraud. While pay-as-you-go programs do cap the financial exposure per user, margins can easily diminish due to the chargeback fees incurred by accounts that use stolen credit cards or hacked online payment accounts (PayPal, etc.). Scrutinizing paying users becomes even more critical with postpaid accounts, which may pass initial checks as a seemingly legitimate business and then be used for fraud with no intent to pay (NITP).

To minimize exposure to fraud from paying users, it's important that an 'activation process' take place, in which payment details are matched against the user's registration data. Other vital indicators become relevant on a case-by-case basis, including a review of the user's credentials and a search for similar registered accounts, similar billing details previously used on the system, etc.

While ITSPs don't currently have the sophistication of traditional carrier subscription-fraud prevention techniques, they do have the ability to leverage new sets of data unique to their environment in order to create new activation funnels. One proven technique is matching the password hash used during registration against a blacklist of known unwanted passwords as well as against previously flagged accounts. Creating more opportunities for unique data sets and matching them against historical information is one method that can easily be deployed in an ITSP environment.

Relying completely on rule-based results can be ineffective, and it's important to have mechanisms in place that allow anomalies to be spotted. For example, a South-American ITSP serving Brazil may find it anomalous to receive a transaction from an account with a billing address in Congo. Different techniques work well at different operational scales and requirements, and it's up to the ITSP to find the balance between financial risk and the rules required to activate an account prior to manual checks.
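As an added example (not code from this post or from Humbug Labs), the activation checks described above, from the registration-domain blacklist and per-IP free-call limit through password-hash matching against previously flagged accounts, payment-vs-registration matching and the billing-country anomaly, combined into one rule pass over constructed registrations. The thresholds, lists, sample records, the keyed fingerprint used for password matching and its service key are all assumptions made for the example.

```python
import hashlib, hmac
from collections import Counter

# Constructed thresholds and lists for this example (hypothetical, not from the post).
DISPOSABLE_DOMAINS = {"10minutemail.com"}   # registration-domain blacklist
FREE_CALLS_PER_IP = 1                       # free calls allowed per source IP
SERVED_BILLING_COUNTRIES = {"BR"}           # e.g. a South-American ITSP serving Brazil
FP_KEY = b"hypothetical-service-key"        # service-held key, separate from credential storage

def password_fingerprint(password: str) -> str:
    """Deterministic keyed fingerprint so one password can be matched across accounts
    (a per-user salted login hash cannot be compared this way, so keep both)."""
    return hmac.new(FP_KEY, password.encode(), hashlib.sha256).hexdigest()

def activation_flags(reg: dict, free_calls_by_ip: Counter, flagged_fps: set) -> list:
    """Apply the activation rules to one registration and return the rules it trips."""
    flags = []
    if reg["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        flags.append("disposable_email_domain")
    if free_calls_by_ip[reg["ip"]] >= FREE_CALLS_PER_IP:
        flags.append("free_call_limit_per_ip")
    if password_fingerprint(reg["password"]) in flagged_fps:
        flags.append("password_matches_flagged_account")
    if reg.get("billing_country") and reg["billing_country"] not in SERVED_BILLING_COUNTRIES:
        flags.append("billing_country_anomaly")     # anomaly signal, not a hard rule
    if reg.get("billing_name") and reg["billing_name"].casefold() != reg["name"].casefold():
        flags.append("payment_name_mismatch")       # payment details vs registration data
    return flags

def review_registrations(registrations: list, flagged_fps: set) -> dict:
    """Run the rules in arrival order. A clean account consumes its free call, so a later
    sign-up from the same IP trips the limit; a flagged account's password fingerprint
    is remembered so a re-used password on a new sign-up is caught."""
    free_calls_by_ip, results = Counter(), {}
    for reg in registrations:
        results[reg["id"]] = flags = activation_flags(reg, free_calls_by_ip, flagged_fps)
        if flags:
            flagged_fps.add(password_fingerprint(reg["password"]))
        else:
            free_calls_by_ip[reg["ip"]] += 1
    return results

SAMPLE_REGISTRATIONS = [  # constructed sample sign-ups (documentation IP ranges, made-up names)
    {"id": "a1", "name": "Ana Souza", "email": "ana@example.com", "ip": "203.0.113.7",
     "password": "correct horse", "billing_name": "Ana Souza", "billing_country": "BR"},
    {"id": "a2", "name": "Bob", "email": "bob@10minutemail.com", "ip": "198.51.100.9",
     "password": "Passw0rd!", "billing_name": None, "billing_country": None},
    {"id": "a3", "name": "Bob", "email": "bob2@example.com", "ip": "203.0.113.7",
     "password": "Passw0rd!", "billing_name": None, "billing_country": None},
    {"id": "a4", "name": "Carlos Lima", "email": "carlos@example.com", "ip": "192.0.2.5",
     "password": "another one", "billing_name": "J. Doe", "billing_country": "CD"},
]
```

Running `review_registrations(SAMPLE_REGISTRATIONS, set())` leaves a1 clean and flags a2 for its disposable domain, a3 for both the per-IP limit and the password shared with the flagged a2, and a4 for the billing-country anomaly and the name mismatch.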

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment