Friday, October 21, 2011

SEC asks companies to disclose cyber attacks - is Telecom Fraud next

According to an article in today's Reuters, SEC asks companies to disclose cyber attacks, the SEC set new guidelines on Thursday about cyber events that could lead to monetary losses.
U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. 
Senator John Rockefeller has asked the SEC to set guidelines related to losses due to security breaches.
"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.
"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," Rockefeller said in a statement.
Now that the SEC asks companies to disclose cyber attacks that affect their finances, here is a question to ponder: is telecom fraud next? It is almost entirely financial, and it has the potential to expose intellectual property and customer information while bypassing normal cyber security procedures.

Consider for a minute, with more than $80 billion worth of telecom fraud happening each year, how long will it be before companies are required to disclose this to stockholders or the SEC?

What is the fiscal responsibility of a company's management to protect against this risk and/or disclose it to stockholders?

What are you doing to protect your company?

Proactive monitoring and active security are a must to protect companies from this kind of loss.

For suggestions on how you can protect your company please see my guest blog Telecom Fraud Is Alive & Kickin’ or visit the Humbug Labs site to sign up for analytics and Fraud Detection.

Tuesday, October 18, 2011

Term Tuesdays - Subscription Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

Consumer-facing ITSPs are battling to optimize their user-acquisition costs versus lifetime value – and are constantly trying out new techniques for signing up users. Registration form fields are reduced, making it as simple as possible for newcomers to join the service, while leaving the ITSP with many questions on who the user is – which may be a challenge when tackling subscription fraud.

In many cases, a free call or free calling credit is offered before/after account creation, allowing the user to familiarize themselves with the system. The revenue-assurance decision tree from here can only get longer and wider, for example: if providing the user with a free call after signing up, what stops them from creating multiple accounts and making multiple free calls?

The low-hanging fruit would clearly be to place limits on the IP address and phone number the user is dialing from/to; however, this can get problematic if disposable phone numbers are brought into the equation, and even more so with hackers who have full number ranges in their war chest. There is no easy way to tackle this problem – but steps can be taken to greatly limit the financial exposure, such as limiting the total calls on a per-destination level, routing all free calls through cost-limited trunks, and carefully scrutinizing the daily cost, duration and call-volume user leader-boards to make sure they are consistent with your rule-set. Additionally, maintaining blacklists of numbers and registration domains (i.e. blocking sites such as from registering) increases the barriers for fake subscriptions while not affecting valued users.

Paying users, while the bread and butter of the ITSP, can also be a great concern in terms of subscription fraud. While pay-as-you-go programs do have a certain limit on the financial exposure per user, margins can easily diminish due to costs associated with credit card charge-back fees from accounts using stolen credit cards or hacked online payment accounts (PayPal, etc.). Scrutinizing paying users becomes even more critical with postpaid accounts, which may bypass initial checks as a seemingly legitimate business, after which the account is used for fraud with no intent to pay (NITP).

To minimize exposure to fraud from paying users, it's important that an 'activation process' take place, where payment details are matched against the user's registration data. Other vital indicators become relevant on a case-by-case basis, including review of the user's credentials, looking for similar registered accounts, similar billing details previously used on the system, etc.

While ITSPs don't currently have the sophistication level of traditional carrier subscription fraud prevention techniques, they do have the ability to leverage new sets of data unique to their environment in order to create new activation funnels. One proven technique is matching the password hash used during registration against a blacklist of known unwanted passwords as well as against previously flagged accounts. Creating more opportunities for unique data sets and matching against historical information is one method that can easily be deployed in an ITSP environment.

Relying completely on rule-based results can be ineffective, and it's important to have mechanisms in place which allow anomalies to be spotted. For example, a South American ITSP serving Brazil may find it an anomaly to receive a transaction from an account with a billing address in Congo. Different techniques work well at different operational scales and requirements, and it's up to the ITSP to find the balance between financial risk and the rules required to activate an account prior to manual checks.
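As an added worked example (not Humbug Labs code, and not taken from Boaz's white paper), the following Python sketch strings together the checks described above: per-IP and per-number account limits, number and registration-domain blacklists, the password-fingerprint match against flagged and existing accounts, the activation-time match of billing details against registration data, the billing-country anomaly for a Brazil-serving ITSP, and a per-destination cap on free calls. All blocklists, thresholds, accounts and call records are constructed, and FRAUD_HASH_KEY is a placeholder for a server-side secret; using a keyed fingerprint rather than the login hash itself is this example's design choice, not something the post specifies.

```python
"""Toy subscription-fraud screening for an ITSP sign-up / activation funnel.

Added illustration, not Humbug Labs code. All blocklists, thresholds, account
records and call records below are constructed for the example; FRAUD_HASH_KEY
stands in for a server-side secret.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Constructed blocklists: numbers and registration-email domains the operator
# refuses, plus password fingerprints taken from previously flagged accounts.
BLOCKED_NUMBERS = {"+15550001111"}
BLOCKED_EMAIL_DOMAINS = {"disposable.example"}
FLAGGED_PASSWORD_FPS: set = set()

# Placeholder secret. Assumption (not from the post): the fraud fingerprint is a
# keyed hash kept separately from the login credential hash, so matching across
# accounts works without storing unsalted password hashes.
FRAUD_HASH_KEY = b"replace-with-server-secret"

MAX_ACCOUNTS_PER_IP = 3            # constructed limits
MAX_ACCOUNTS_PER_NUMBER = 1
SERVED_BILLING_COUNTRIES = {"BR"}  # the Brazil-serving ITSP from the post
FREE_CALLS_PER_DESTINATION = 20    # cap on free calls per destination prefix per day


@dataclass
class Account:
    email: str
    phone: str
    source_ip: str
    password_fp: str
    billing_country: str = ""
    billing_name: str = ""
    registered_name: str = ""


def password_fingerprint(password: str) -> str:
    """Keyed fingerprint used only for cross-account matching, never for login."""
    return hmac.new(FRAUD_HASH_KEY, password.encode(), hashlib.sha256).hexdigest()


def screen_signup(new: Account, existing: list) -> list:
    """Rules applied at registration; returns the rule names the sign-up trips."""
    hits = []
    if sum(1 for a in existing if a.source_ip == new.source_ip) >= MAX_ACCOUNTS_PER_IP:
        hits.append("ip_limit")
    if sum(1 for a in existing if a.phone == new.phone) >= MAX_ACCOUNTS_PER_NUMBER:
        hits.append("number_limit")
    if new.phone in BLOCKED_NUMBERS:
        hits.append("blocked_number")
    if new.email.rsplit("@", 1)[-1].lower() in BLOCKED_EMAIL_DOMAINS:
        hits.append("blocked_domain")
    if new.password_fp in FLAGGED_PASSWORD_FPS or any(a.password_fp == new.password_fp for a in existing):
        hits.append("password_match")
    return hits


def screen_activation(acct: Account) -> list:
    """Rules applied when payment details arrive (the post's activation process)."""
    hits = []
    if acct.billing_name and acct.registered_name and acct.billing_name.lower() != acct.registered_name.lower():
        hits.append("billing_name_mismatch")
    if acct.billing_country and acct.billing_country not in SERVED_BILLING_COUNTRIES:
        hits.append("billing_country_anomaly")
    return hits


def destinations_over_cap(free_calls: list, cap: int = FREE_CALLS_PER_DESTINATION) -> dict:
    """free_calls: list of (account_email, dialled_number). Returns the destination
    prefixes (first 4 digits after '+') whose daily free-call count exceeds cap."""
    counts = Counter(num.lstrip("+")[:4] for _, num in free_calls)
    return {prefix: n for prefix, n in counts.items() if n > cap}


# Constructed sample: three accounts already on the system, one new sign-up.
EXISTING = [
    Account("a@mail.example", "+5511900000001", "203.0.113.7", password_fingerprint("hunter2")),
    Account("b@mail.example", "+5511900000002", "203.0.113.7", password_fingerprint("letmein")),
    Account("c@mail.example", "+5511900000003", "203.0.113.7", password_fingerprint("qwerty")),
]
NEW_SIGNUP = Account("d@disposable.example", "+5511900000004", "203.0.113.7",
                     password_fingerprint("hunter2"), billing_country="CG",
                     billing_name="J Doe", registered_name="Maria Silva")

if __name__ == "__main__":
    print("sign-up hits:", screen_signup(NEW_SIGNUP, EXISTING))
    print("activation hits:", screen_activation(NEW_SIGNUP))
```

Running the module prints the rules the constructed sign-up trips; an account with hits goes to manual review rather than being rejected outright, which matches the post's point that rules gate activation prior to manual checks. The keyed fingerprint matters because a properly salted login hash cannot be compared across accounts; computing a separate HMAC of the password for fraud matching keeps that comparison possible without weakening credential storage.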

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment

Monday, October 17, 2011

Term Tuesdays - Telecom Fraud Explained

Each Tuesday I will be attempting to explain a different Telecom Fraud related term or concept. 

Where possible, I will include real world examples. For some cases I may not be allowed to release the specific information about the customer and then will provide the cases in general terms.

Topics will include
  • Calls to Known Fraudulent Numbers or Destinations
  • Hacking
  • Internal Misconduct
  • Malware
  • Off Hour Call
  • PBX Dial-Through
  • Phishing
  • Proactive Monitoring
  • Service & Application Level Fraud
  • Subscription Fraud

As this is intended to be educational, I will try to include links to the original articles or sources where the information originated, where they exist. Many of these will be related to white papers I or my coworkers publish on the Humbug Telecom Labs site.

Where they are applicable to a specific market segment or product type, I will identify them.

Whenever possible I will give tips or suggestions on how to prevent this type of fraud.

Thursday, October 13, 2011

New Phishing Technique - Mobile Apps

Symantec has a nice blog post about a new type of phishing scam that has emerged in the mobile world.

Apparently the fragmentation of the Android operating system has opened a window of opportunity for people who wish to phish mobile users. As the Symantec blog explains:
The official app, which was initially released in the early part of the year, was only recently published to the Android Market with support for multiple devices. A gap in availability, combined with the large interest of users attempting to get the popular service running on their Android device, created the perfect cover for Android.Fakeneflic to exploit.

In the images below you can see the subtle differences between the real and fake versions.

Once a user has clicked on the “Sign in” button, they are presented with a screen indicating incompatibility with the current hardware and a recommendation to install another version of the app in order to resolve the issue. There is no attempt to automatically download the recommended solution. Upon hitting the “Cancel” button, the app attempts to uninstall itself. Any attempt to prevent the uninstall process results in the user being returned to the previous screen with the incompatibility message.
In spite of the list of permissions that is requested, it is unclear what Android.Fakeneflic will collect from your phone or what it can do. But if past experience with PC-based malware is any indication, it could be used to capture your passwords or credit card information, and could even be used to hijack your voice or data connection so that fraudulent calls are placed from your phone. Calls for which you would be required to pay.

To protect yourself, make sure you have a proper mobile security management product installed. There are several out there: Symantec, McAfee, Lookout, and Webroot all offer good products. In fact, PC Magazine recently named Webroot Editors' Choice.

Do your research and protect yourself.

Thursday, October 6, 2011

Steve Jobs explains his involvement in Telecom Fraud

Cross posting from Humbug Blog

We are all saddened by the death of Steve Jobs (1955 - 2011).
He didn't just create products, he created a new way of life.  But looking back we find that this great innovator started by phreaking AT&T with his own home built blue box.

In this video, Steve explains how he and Steve Wozniak built Blue Boxes to make illegal free long distance calls, and how there would be no Apple today if they hadn't been such hooligans.

Steve Jobs Interview about the Blue Box Story

Why isn't everyone hacked every day? VoIP security is not the same as on PC

Michael Kassner has a good interview on TechRepublic today called "Why isn't everyone hacked every day?" In this article he interviews Microsoft Principal Researcher Cormac Herley, along with Dinei Florencio, also a Microsoft Researcher, about their paper "Where Do All the Attacks Go?"

Now, both the article and the paper are quite informative, but the conclusions they reach are valid for personal and corporate computer networks and do not translate to VoIP security.

So let me explain why. First, the premise of the paper is that what we thought we knew about security is not correct:
"Internet security has a puzzling fact at its core. If security is only as strong as the weakest link; then all who choose weak passwords, reuse credentials across accounts, fail to heed security warnings or neglect patches and updates, should be hacked — regularly and repeatedly. Clearly this fails to happen."

Wednesday, October 5, 2011

VoIP not so safe says Ian Kilpatrick

Ian Kilpatrick has written a nice piece highlighting the problems with how people deal with VoIP security as they extend services. In his article VoIP not so safe he says that

Many companies have now adopted VoIP, and many more are considering adopting it. But they don't necessarily realise that, by moving to VoIP, they have also moved into converged (phone/data) systems and a potentially dangerous security environment.
As companies deal with both the advent of VoIP services and employees connecting their mobile devices to the company network, the risks to the company increase exponentially.

I have a new whitepaper, Benefits of Telecom Analytics and Fraud Detection for Enterprises, that shows some of the risks companies face and ways to deal with them.