Thursday, 28 March 2013

Call selling


Continuing our series on different types of mobile fraud, Mark Yelland analyses the risks of call selling to mobile operators

Call selling is the practice of selling telephone service to customers at below-market rates while using another party's system and equipment, without their knowledge, to deliver that service.

The usual practice is to sell cheap international calls to an expat community.  The community may well not be aware that the service it is using is illegal; the demand is generally for cheaper calls back home.

The operator may have to make payments to his international partners, as they will have connected the calls.  He will also have a potentially irate customer experiencing bill shock, the option of writing off all or part of the bill, and the possibility of the customer churning.  There is no relationship between the fraudster and the calls being made.

In addition to the System Access Fraud described in the earlier post, there are other ways of getting access to the network, including:

1. Voicemail feed-through: someone has left their voicemail platform open, and one of its options is to "dial another number" without restricting that number to being internal to the organisation.

2. Stolen mobile phones: using three-way calling to set up numerous concurrent calls from the customers to the mobile, and then three-way calling on to the far end.

3. Seizing the circuit of a cordless phone from outside the premises.

4. A friendly switch engineer providing a circuit that does not generate a billing record.

5. Out-of-hours security staff accessing the PBX.

The fraudster makes money by selling the calls to his customers.  The key indicator is a customer's traffic pattern changing unexpectedly.

Although the network could legally require the customer to pay for the fraudulent traffic, a compromise agreement is usually reached.  Again, the weakness being exploited is the customer's failure to secure his equipment from external or internal threats by implementing a strong security policy.

Friday, 8 March 2013

System Access Fraud

Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection, looks at System Access Fraud:

Most PABX systems have a means for the maintainer to dial in to perform remote diagnostics and system maintenance, by dialling a number (often a freephone number) and entering a password.  This access is often referred to as the Direct Inward System Access (DISA) port.  The port gives total access to the system and allows outgoing calls to be made.

By chaining several of these hacked PABXs, and relying on the lack of co-operation across different telecommunications providers, the fraudster is able to hide.  Having access to an external line, the fraudster is then able to generate revenue by providing services at a cheaper rate than through the legitimate operators.

Traditionally these frauds have been initiated by fixed-line fraudsters, because calls to Freephone numbers from mobiles may be charged.  With the advent of web sites that publish the underlying translated number, however, these ports can now be accessed from mobiles with unlimited calls to fixed lines.

In addition, with the development of convergent services and the proliferation of IP-PBX systems, the fraudster first hacks the company website to gain access to the internal intranet.  He then uses this to reach the PBX and can initiate calls from it.  Potentially, with the growth of smartphones and LTE equipment, the attempt to hack the web address can be delivered from anywhere, and the service can be sold anywhere, simply breaking out in the local country.

From a mobile network operator’s perspective, the contract between the customer and the network usually specifies that the customer is liable for all calls originating from his equipment.  Theoretically, this means that the customer could be charged for all fraudulent traffic, but in practice there is usually an agreement reached whereby the network writes off part of the losses.

The key indicator for this type of fraud is traffic being generated outside normal parameters for this type of business, for example out-of-office calls, an excessive number of destinations called, and so on.

The weakness being exploited is the failure of the customer to secure his equipment from external or internal threats by implementing a strong security policy.
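Both this post and the call-selling post name the same key indicator: a customer's traffic moving outside its normal pattern, in particular out-of-office-hours calls and an unusual number of destinations. The following Python is an added example, not code from Mark Yelland's posts or from any operator's fraud system. It replays constructed call detail records (CDRs) for two PBX customers, builds a per-day profile for each, and raises an alert when a day's out-of-hours ratio or distinct-destination count exceeds a per-customer baseline. The CDR values, baselines, office hours and thresholds are all constructed for illustration; in practice the baselines would be learned from the customer's historic traffic.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed CDRs: (customer id, call start in ISO 8601, called number, duration in seconds).
# Weekday daytime calls to a handful of numbers are the normal pattern for "acme-pbx";
# the 2013-03-09 records (a Saturday, in the small hours) are the constructed suspicious burst.
SAMPLE_CDRS = [
    ("acme-pbx", "2013-03-04T09:15:00", "+442079460001", 120),
    ("acme-pbx", "2013-03-04T11:02:00", "+442079460002", 300),
    ("acme-pbx", "2013-03-05T14:30:00", "+442079460001", 60),
    ("acme-pbx", "2013-03-06T10:05:00", "+442079460003", 240),
    ("widgets-ltd", "2013-03-08T10:00:00", "+442079460009", 90),
    ("acme-pbx", "2013-03-09T01:12:00", "+2348012340001", 1800),
    ("acme-pbx", "2013-03-09T01:14:00", "+2348012340002", 1750),
    ("acme-pbx", "2013-03-09T01:15:00", "+9231234560001", 1900),
    ("acme-pbx", "2013-03-09T01:20:00", "+9231234560002", 1600),
    ("acme-pbx", "2013-03-09T02:40:00", "+8801712340001", 2100),
    ("acme-pbx", "2013-03-09T03:05:00", "+8801712340002", 2000),
    ("acme-pbx", "2013-03-09T03:30:00", "+2348012340003", 1700),
]

# Constructed per-customer baselines describing what "normal" looks like for the account.
BASELINE = {
    "acme-pbx": {"max_distinct_destinations_per_day": 3, "out_of_hours_ratio": 0.05},
    "widgets-ltd": {"max_distinct_destinations_per_day": 10, "out_of_hours_ratio": 0.30},
}

# Assumed office hours for the customer base (local time).
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)


def is_out_of_hours(start):
    """A call is out of hours if it falls on a weekend or outside 08:00-18:00 on a weekday."""
    if start.weekday() >= 5:
        return True
    return not (OFFICE_START <= start.time() < OFFICE_END)


def daily_profiles(cdrs):
    """Group records by (customer, day) and count the indicators the posts describe."""
    profiles = defaultdict(
        lambda: {"calls": 0, "out_of_hours": 0, "destinations": set(), "minutes": 0.0}
    )
    for customer, started, destination, seconds in cdrs:
        start = datetime.fromisoformat(started)
        profile = profiles[(customer, start.date().isoformat())]
        profile["calls"] += 1
        profile["minutes"] += seconds / 60
        profile["destinations"].add(destination)
        if is_out_of_hours(start):
            profile["out_of_hours"] += 1
    return dict(profiles)


def flag_anomalies(cdrs, baseline=BASELINE, ratio_margin=0.25, destination_factor=2):
    """Return (customer, day, detail) alerts for days that fall outside the customer's baseline."""
    alerts = []
    for (customer, day), profile in sorted(daily_profiles(cdrs).items()):
        base = baseline.get(customer)
        if base is None:
            continue  # no profile yet; a real system would fall back to a segment-wide default
        reasons = []
        ratio = profile["out_of_hours"] / profile["calls"]
        if ratio > base["out_of_hours_ratio"] + ratio_margin:
            reasons.append(f"out-of-hours ratio {ratio:.2f} (baseline {base['out_of_hours_ratio']:.2f})")
        limit = destination_factor * base["max_distinct_destinations_per_day"]
        if len(profile["destinations"]) > limit:
            reasons.append(f"{len(profile['destinations'])} distinct destinations (limit {limit})")
        if reasons:
            summary = f"{profile['calls']} calls, {profile['minutes']:.0f} min: " + "; ".join(reasons)
            alerts.append((customer, day, summary))
    return alerts


if __name__ == "__main__":
    for customer, day, detail in flag_anomalies(SAMPLE_CDRS):
        print(f"ALERT {customer} {day}: {detail}")
```

Run stand-alone, the script reports a single alert for acme-pbx on 2013-03-09; the weekday traffic of both customers passes. The two thresholds are deliberately separate: a handful of late calls to known numbers is ordinary, whereas many new international destinations inside a few night-time hours is the pattern both posts describe.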

Friday, 25 January 2013

Subscription fraud


Continuing our occasional series on the different kinds of fraud that take place on mobile networks, Mark Yelland, an international expert on mobile fraud and revenue protection, looks at the risks associated with subscription fraud:

Subscription fraud is usually described as using a service with no intention to pay.  The concept is straightforward: the fraudster signs up for a service, exploits that service and then defaults on the bill. 

For post-paid (or contract) customers, the fraudster uses a number of tricks to overcome the simple checks implemented by networks; for example, he builds up the picture of a user with small, regular usage who settles the bill on time.  At the appointed time the fraud is initiated: the fraudster then uses the phone to run up a significant bill and uses his social engineering skills and ‘good behaviour’ to keep the service going until the network terminates it.

A more recent trend is for genuine customers to have fraudsters’ phone numbers added to their accounts and settled by the customer, unwittingly or not.  This can be achieved through a number of different methods, from postal interception, refuse examination for account details and passing off, to simply contacting the relevant helpdesk to request the addition of another handset and bluffing.  The key indicator is the level of bad debt and whether it is in line with the industry average.

For pre-paid customers, the situation is slightly more complex.  The fraudster tops up the credit on the phone regularly using a number of stolen credit card numbers.  There is nothing in the payment process to alert the network to a potential issue, until the cards are actually cancelled and a chargeback is applied by the card issuer to the network.  For the network the losses are not simply the value of the traffic, but potentially any fines levied by the card issuers and as a last resort, the removal of the ability to take card payments directly or even indirectly through services such as PayPal.  Hence the key indicator is the level of card transactions being refused by the relevant card processor.

The weakness being exploited is the failure to confirm the identity of the person requesting service.  The first check needs to be that the request does not come from an originating country that has been blacklisted as a high-risk environment.  If it does, then additional verification steps should be implemented or the service declined.  The second check is that the Media Access Control (MAC) address is valid and not registered on a fraud database.  However, with the introduction of virtualisation software it is possible to spoof MAC addresses, and those should also be disallowed.  Having verified, as far as is practicable, that the originating address is valid, the next requirement is a two-stage sign-up process, whereby the person signing up has to activate the account by replying to an email.  This method is not foolproof, as there are a number of email services, such as GuerillaMail.org, that provide a disposable email account valid for a few hours, which gives the fraudster time to reply to the verification email.  In the case of passing off, the email should be sent to the account holder, not the individual making the request.

Recognising that these checks can always be beaten, the next step is to minimise the exposure.  This can mean limiting the number of SIMs that can be bought at any one time, or restricting the services available until certain behaviours have been observed, for example:
· disabling calls to Premium Rate Services or Roaming
· putting a limit on the number of different cards that can be used to top up a service on a single SIM
· putting a limit on the number of SIMs that can be topped up by a single card
· implementing the 3D Secure process appropriately, while recognising its limitations: for example, it cannot be used alongside an auto top-up process, but it should be invoked for any change to a service.
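The exposure limits in the list above can be enforced at the moment a top-up is attempted, before any credit is applied. The following Python is an added example, not code from the post or from any operator's payment system. It keeps a rolling 30-day history of accepted top-ups, rejects a top-up that would exceed a chosen number of distinct cards per SIM or distinct SIMs per card, and keeps Premium Rate and Roaming disabled until a SIM has a track record of accepted top-ups. The limits, window, sample events and card tokens are all constructed; a real deployment would key on the tokenised card reference returned by its payment processor rather than on card numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed top-up attempts: (timestamp in ISO 8601, SIM id, card token).
# The tokens stand in for a processor's card reference; no card numbers appear here.
SAMPLE_TOPUPS = [
    ("2013-01-02T10:00:00", "sim-A", "card-X"),
    ("2013-01-02T10:05:00", "sim-A", "card-Y"),
    ("2013-01-03T09:00:00", "sim-A", "card-Z"),  # third distinct card on sim-A: over the limit
    ("2013-01-03T09:10:00", "sim-A", "card-X"),  # a card already seen on this SIM is fine
    ("2013-01-04T12:00:00", "sim-B", "card-X"),
    ("2013-01-04T12:01:00", "sim-C", "card-X"),
    ("2013-01-04T12:02:00", "sim-D", "card-X"),  # fourth SIM on card-X: over the limit
    ("2013-02-15T08:00:00", "sim-A", "card-Z"),  # earlier top-ups have aged out of the window
]


class TopUpLimiter:
    """Per-SIM and per-card top-up limits over a rolling window (constructed defaults)."""

    def __init__(self, max_cards_per_sim=2, max_sims_per_card=3, window=timedelta(days=30)):
        self.max_cards_per_sim = max_cards_per_sim
        self.max_sims_per_card = max_sims_per_card
        self.window = window
        self.history = []  # accepted (timestamp, sim, card) triples

    def _recent(self, now):
        """Drop accepted top-ups older than the window and return what remains."""
        cutoff = now - self.window
        self.history = [entry for entry in self.history if entry[0] >= cutoff]
        return self.history

    def attempt(self, when, sim, card):
        """Decide one top-up; returns (accepted, reason) and records it only if accepted."""
        now = datetime.fromisoformat(when)
        recent = self._recent(now)
        cards_on_sim = {c for _, s, c in recent if s == sim} | {card}
        sims_on_card = {s for _, s, c in recent if c == card} | {sim}
        if len(cards_on_sim) > self.max_cards_per_sim:
            return False, f"{sim}: {len(cards_on_sim)} distinct cards in window (limit {self.max_cards_per_sim})"
        if len(sims_on_card) > self.max_sims_per_card:
            return False, f"{card}: {len(sims_on_card)} distinct SIMs in window (limit {self.max_sims_per_card})"
        self.history.append((now, sim, card))
        return True, "accepted"


def premium_services_allowed(accepted_times, now_iso, min_topups=3, min_age=timedelta(days=60)):
    """Premium Rate and Roaming stay off until the SIM has at least `min_topups` accepted
    top-ups and `min_age` has passed since the first of them (constructed thresholds)."""
    if len(accepted_times) < min_topups:
        return False
    return datetime.fromisoformat(now_iso) - min(accepted_times) >= min_age


def run_sample(events=SAMPLE_TOPUPS):
    """Replay the constructed events; return the decisions and accepted top-up times per SIM."""
    limiter = TopUpLimiter()
    decisions = []
    accepted = defaultdict(list)
    for when, sim, card in events:
        ok, reason = limiter.attempt(when, sim, card)
        decisions.append(ok)
        if ok:
            accepted[sim].append(datetime.fromisoformat(when))
        print(f"{when} {sim} {card}: {reason}")
    return decisions, dict(accepted)


if __name__ == "__main__":
    decisions, accepted = run_sample()
    for sim in sorted(accepted):
        allowed = premium_services_allowed(accepted[sim], "2013-03-10T00:00:00")
        print(f"{sim}: premium/roaming {'enabled' if allowed else 'still restricted'}")
```

Two of the eight constructed attempts are refused, one on each limit, and the final top-up on sim-A is accepted because the earlier cards have dropped out of the 30-day window. The limiter only records top-ups it accepts, so a rejected attempt does not itself consume the customer's allowance; a production system would also raise the rejections to the fraud team, since a refused top-up is the same signal the post identifies as the key indicator.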