Tuesday, November 8, 2011

Term Tuesdays - Service & Application Level Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

ITSPs are constantly innovating the telephony marketplace, releasing new services and applications on various platforms, and it can be challenging to keep maintaining, administering and implementing new revenue assurance techniques. From online and mobile applications to calling cards and dial-in services, ITSPs have many gates to watch, and to add to the complexity of the matter, each service may have its own set of security rules. For example, a web-based calling application may want to limit the number of simultaneous calls an account may place, while this limit might need to be increased for a multi-line office using SIP connectivity.

Marketing efforts often require complex and dynamic pricing schemes and bundled packages to be offered to users, which has direct implications for the accounting and billing systems. Revenue assurance should play a central role in creating and shaping the available offers, which, if left unmanaged, can create fraud and abuse vulnerabilities. For example, calls to low-cost termination points such as the US and Canada are often offered as free destinations, and as such require additional sets of rules in order to avoid exploitation. Limits on the total duration and number of calls an account can place per destination and time period, as well as duration limits on a per-call basis, are all basic steps which can help avoid abuse. Additionally, subscription fraud can fuel exploitation of calling plans: a single user opens multiple subscriptions in order to maximize usage to uncharged destinations. Avoiding this is in most cases straightforward, by placing time-based limitations on originating/terminating phone numbers, or, depending on the scale of the ITSP, limitations on the first 6-7 digits of the number in order to secure against banks of number ranges being used.
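The rules described above (per-account call count and total minutes to a free destination per day, a per-call duration cap, and a limit on how many distinct accounts may hit one 7-digit number range) can be run as a batch check over call detail records. The following is an added example, not code from the original post or from Humbug Labs; the CDR tuples, the limit values and the choice of the NANP prefix "1" as the "free destination" bucket are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample CDRs (not from the post): account, caller number,
# called number, call start time (ISO 8601) and duration in seconds.
CDRS = [
    ("acct1", "12125550100", "14165550111", "2011-11-05T10:00:00", 600),
    ("acct1", "12125550100", "14165550112", "2011-11-05T10:15:00", 900),
    ("acct1", "12125550100", "14165550113", "2011-11-05T11:00:00", 2400),
    ("acct1", "12125550100", "14165550114", "2011-11-05T12:00:00", 300),
    ("acct2", "12125550101", "14165550115", "2011-11-05T12:30:00", 120),
    ("acct3", "12125550102", "14165550116", "2011-11-05T13:00:00", 60),
    ("acct4", "12125550103", "442075550100", "2011-11-05T13:00:00", 60),
]

FREE_PREFIX = "1"  # assumed: US/Canada (NANP) offered as an uncharged destination
LIMITS = {          # assumed threshold values for the example
    "calls_per_day": 3,       # calls per account to the free destination per day
    "minutes_per_day": 60,    # total minutes per account to it per day
    "call_seconds": 1800,     # maximum duration of any single call
    "accounts_per_range": 2,  # distinct accounts allowed on one 7-digit range per day
}

def check_cdrs(cdrs, limits=LIMITS):
    """Return a sorted list of rule violations found in a batch of CDRs."""
    alerts = set()
    per_day = defaultdict(lambda: [0, 0])  # (account, day) -> [calls, seconds]
    ranges = defaultdict(set)               # (7-digit range, day) -> accounts seen
    for acct, _caller, callee, start, secs in cdrs:
        if secs > limits["call_seconds"]:   # per-call duration cap applies everywhere
            alerts.add(f"{acct}: call to {callee} exceeded per-call limit")
        if not callee.startswith(FREE_PREFIX):
            continue                        # only the uncharged destination is rate-limited here
        day = start[:10]
        bucket = per_day[(acct, day)]
        bucket[0] += 1
        bucket[1] += secs
        if bucket[0] > limits["calls_per_day"]:
            alerts.add(f"{acct}: too many free-destination calls on {day}")
        if bucket[1] > limits["minutes_per_day"] * 60:
            alerts.add(f"{acct}: free-destination minutes exceeded on {day}")
        # Subscription-fraud check: many accounts calling into one number range
        key = (callee[:7], day)
        ranges[key].add(acct)
        if len(ranges[key]) > limits["accounts_per_range"]:
            alerts.add(f"range {callee[:7]}xxxx: {len(ranges[key])} accounts on {day}")
    return sorted(alerts)

if __name__ == "__main__":
    for alert in check_cdrs(CDRS):
        print(alert)
```

In production the same counters would be kept in a store keyed by account and day and evaluated on each new CDR, so that the account can be blocked before the day's exposure accumulates.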

Although internet based, ITSPs also provide a wide spectrum of traditional telephony services, including IVRs, dial-in services such as DISA/calling cards, and voicemail capabilities. Each application, capability and feature can potentially become a source of fraud, and should be included in all revenue-assurance considerations. For example, if an attacker can find or guess a user's voicemail password (typically 4 digits, e.g. 1111), they can call in to the voicemail system to remotely check the user's messages. While not a revenue assurance problem at first, this can quickly turn into a costly attack if the voicemail system has the capability to "call back the user who left this message". Essentially this lets the attacker use the voicemail system to place calls to a premium number under their control, gaining them revenue for each minute they hold the line.

Traditionally ITSPs take a network-security approach to preventing telecom fraud (e.g. IP blacklists, firewalls, etc.), when in fact this should be considered the last line of defense. Once breached, the internal network of the ITSP is compromised, and the aftermath can be catastrophic, leading to hundreds of thousands of dollars in financial exposure over the course of mere hours. Without the luxury of traffic monitoring by a dedicated network operations center (NOC), weekends and holidays can become a particular soft spot for hacking and fraud attempts.

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment