Guest post by Boaz Bechar, VP Business Development at Humbug Labs
ITSPs are constantly innovating in the telephony marketplace, releasing new services and applications on various platforms, and it can be challenging to keep maintaining, administering and implementing new revenue assurance techniques. From online and mobile applications to calling cards and dial-in services, ITSPs have many gates to watch, and to add to the complexity of the matter, each service may have its own set of security rules. For example, a web-based calling application may want to limit the number of simultaneous calls an account may place, while this limit might need to be increased for a multi-line office using SIP connectivity.
Marketing efforts often require complex and dynamic pricing schemes and bundled packages to be offered to users, with direct implications for the accounting and billing systems. Revenue assurance should play a central role in creating and shaping the available offers, which, if left unmanaged, can create fraud and abuse vulnerabilities. For example, calls to low-cost termination points such as Canada are often offered as free destinations, and as such require additional sets of rules in order to avoid exploitation. Limits on the total duration and number of calls an account can place per destination and per time period, as well as duration limits on a per-call basis, are all basic steps which can help avoid abuse. Additionally, subscription fraud can fuel exploitation of calling plans, with a user taking out multiple subscriptions to maximize usage to uncharged destinations. Avoiding this is in most cases straightforward, by placing time-based limitations on originating/terminating phone numbers, or, depending on the scale of the ITSP, limitations on the first 6-7 digits of the number in order to secure against banks of number ranges being used.
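The limits described above can be checked directly against call detail records. The following is an added example, not code from the original post: the CDR field names, the limit values and the sample records are assumptions, and the phone numbers are fictional 555-01xx numbers.

```python
from collections import defaultdict

DAY = 86400
# Hypothetical limits for a free-destination plan (assumed values, not from the post).
POLICY = {
    "max_call_secs": 3600,               # per-call duration cap
    "max_calls_per_day": 20,             # per account and destination
    "max_secs_per_day": 4 * 3600,        # per account and destination
    "range_digits": 7,                   # number range = first 7 digits of the callee
    "max_range_secs_per_day": 6 * 3600,  # per terminating range, all accounts combined
}

def check_cdrs(cdrs, policy=POLICY):
    """Return sorted (rule, subject) findings for an iterable of CDR dicts."""
    calls, secs, range_secs = defaultdict(int), defaultdict(int), defaultdict(int)
    findings = set()
    for c in cdrs:
        day = c["start"] // DAY
        acct = (c["account"], c["dest"], day)
        rng = (c["callee"][:policy["range_digits"]], day)
        calls[acct] += 1
        secs[acct] += c["secs"]
        range_secs[rng] += c["secs"]
        if c["secs"] > policy["max_call_secs"]:
            findings.add(("per_call_duration", c["account"]))
        if calls[acct] > policy["max_calls_per_day"]:
            findings.add(("daily_call_count", c["account"]))
        if secs[acct] > policy["max_secs_per_day"]:
            findings.add(("daily_duration", c["account"]))
        if range_secs[rng] > policy["max_range_secs_per_day"]:
            findings.add(("number_range_duration", rng[0]))
    return sorted(findings)

def sample_cdrs():
    """Constructed CDRs for illustration only."""
    cdrs = [{"account": "A", "dest": "CA", "callee": "14165550101", "start": 100, "secs": 4000}]
    # B: 21 short calls in one day to one destination.
    cdrs += [{"account": "B", "dest": "CA", "callee": "14165550199", "start": 200 + i, "secs": 60}
             for i in range(21)]
    # S1..S3: separate subscriptions, each under its own limits, calling one number range.
    for n, acct in enumerate(["S1", "S2", "S3"]):
        cdrs += [{"account": acct, "dest": "CA", "callee": f"1604555012{n}",
                  "start": DAY + 3600 * h, "secs": 3000} for h in range(3)]
    return cdrs

if __name__ == "__main__":
    for rule, subject in check_cdrs(sample_cdrs()):
        print(rule, subject)
```

Accounts S1 to S3 never exceed a per-account limit; only the number-range counter, which aggregates across accounts, flags them.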
Although internet-based, ITSPs also provide a wide spectrum of traditional telephony services, including IVRs, dial-in services such as DISA/calling cards, and voicemail capabilities. Each application, capability and feature can potentially become a source of fraud, and should be included in all revenue assurance considerations. For example, given that a hacker can find or break a user's voicemail password (typically 4 digits, e.g. 1111), they can call in to a voicemail system to remotely check the user's messages. While not a revenue assurance problem at first, this can quickly turn into a costly attack if the voicemail system has the capability to “call back the user who left this message”. Essentially, this lets the attacker use the voicemail system to place calls to a premium number under their control, gaining them revenue for each minute they hold the line.
Traditionally, ITSPs take a network-security approach to preventing telecom fraud (e.g. IP blacklists, firewalls, etc.), when in fact this should be considered the last line of defense. Once breached, the internal network of the ITSP is compromised, and the aftermath can be catastrophic, leading to hundreds of thousands of dollars in financial exposure over the course of mere hours. Without the luxury of traffic monitoring by a dedicated network-operation-center (NOC), weekends and holidays can become a particular soft spot for hacking and fraud attempts.