From the Telephony Archives Additional resources on the Net
Telephone fraud: Can you outwit the enemy?
Observing a huge customer increase in early 1994, police expected Allman's Fashion Discount, a small Miami clothing shop, to be doing a brisk business. But few customers left with packages. Drugs sales were suspected, but the customer profile didn't fit. Customers were matrons, older men, children and families. That summer, 17 cell phones were found in the back of Allman's. Customers were paying the store's owners for calls to friends and family in Central and South America using stolen cellular phone numbers. Net profit: $200,000.
If you combine the amount of land-based and cellular phone time stolen, phone thieves are adding $60 a year to every phone line billed in the nation. This figure is based on recent estimates that domestic phone fraud steals $10 billion annually--or $320 per second.
Phone fraud is so pervasive it is jokingly known as "our fourth largest carrier." Until now, industry consensus held that there was no true solution. New scams appear regularly, recruits are anxious to learn a trade in an afternoon and law enforcement is seldom trained nor technically equipped to fight this so-called "victimless" crime.
Loss estimates from credible sources vary wildly.
INDUSTRY ESTIMATES OF FRAUD LOSSES
Bellcore $3 billion Telecom &
Network Security Review $4.0 billion
IXC Executives $1.4 billion to $7 billion
Beck Computer Systems $10.5 billion
Hewlett-Packard $12 billion
But higher estimates are undoubtedly more accurate, for many reasons:
Good fraud detection systems almost always find more fraud on the network than was suspected. Many carriers understate losses because it is embarrassing to admit security lapses and publicity attracts more criminals to their insecure system. When long-distance toll fraud hits a local exchange carrier, the LEC often collects from the long-distance company.
Scams, Rip-offs and Ruses
A Los Angeles LEC contacted a small business customer in early April 1994 to ask about a 2300-minute spike in calls to the Middle East. Crooks had gotten into the building's junction box and simply rerouted the line to their location.
Such "clip-on" fraud, so-called because of the use of alligator clips, is basic. Once lines are rerouted, "call-sell" operations can be set up in storefronts, often in areas where there are a large number of immigrants who want to call their friends and family back home.
Customers can call their home countries at a fraction of normal rates. One operation in Queens, N.Y., for example, charged a flat rate of $3 to $5 for a ten-minute call from a semi-private cubicle.
Another time-honored gambit is "shoulder surfing." The surfer, working primarily in crowded train stations, airports and bus terminals, loiters near a pay phone and watches a potential victim punch in a calling card number and personal identification number (PIN), or listens as the number is told to an operator.
More ambitious surfers direct video cameras at a bank of pay phones and then review the video later for PINs. One "surfer," an extremely attractive young woman, would graze past men as they dialed to getting a better look at their card number. As she puts it, "Guys don't mind a 'hot babe' brushing up against them." While long-distance carriers normally shoulder the cost of the fraud, the cardholder is legally responsible for up to $50 in unapproved calling card charges.
Perhaps the oldest phone scam is "subscription fraud." A classic example occurred in Chicago recently, where a telecrook's application for 12 lines was accepted by Ameritech, his local Baby Bell, after a small deposit and a routine credit check. In 30 days of service the new subscriber's call-sell operation racked up more than $400,000 in long-distance charges, taking in $280,000 profit. When MCI tried to collect, the crook had vanished, leaving MCI with enormous uncollectible debt that included $260,000 in destination fees to foreign telephone companies and $4500 due to Ameritech in access fees.
Spectacular expansion in the cellular phone industry has created ideal conditions for fraud. Stressing growth over security can abbreviate credit and background checks, leading to subscription fraud. "Cloning" uses an inexpensive device to scan and record cell phone frequencies and codes.
The trends are alarming: Cell phone fraud in 1995 was just over $400 million. It reached $650 million in 1996, a 60% jump. Recent digital challenge-response technologies based on random algorithms, however, offer promise of respite.
Drug dealers and organized crime favor cloned phone numbers because they are cheap, mobile and impossible to trace. Combining cell phone fraud with call-sell, one fraud ring was literally a moving target, driving its regular route around New York City in a van with built-in phone cubicles for customer privacy.
Probably the fastest-growing target of telecrooks is the corporate and institutional PBX. Their remote access feature allows employees to call the system using an 800 number, then enter an access code to get an outside line, thus eliminating calling cards.
Unfortunately, the codes are sometimes easy to crack and frequently not kept secure. In one memorable example, the U.S. Drug Enforcement Agency was bilked for $2 million. Using a local number given to Houston's DEA field staff, hackers accessed the branch PBX and, through trial and error, figured out its access codes. For 18 months, they placed long-distance calls on the DEA nickel before a phone company investigation dropped the dime on that scam.
Remote maintenance ports, designed to cut PBX support costs, are vulnerable. Default codes are common knowledge to the hacker community--sometimes posted on the Internet. Nonstandard codes, if simple, are easy to crack. Once a hacker is in the system, it is easy to obtain outside lines for call-sell purposes.
Automated attendant and voice mail systems are similarly compromised. In one notorious example, hackers took control of 2500 unused voice mailboxes at a mid-sized California company. One weekend, they changed all mailbox greetings to impersonate live people. The recordings would say hello, pause, accept third-party charges and politely hang up.
Almost immediately, a huge volume of toll calls were billed to the company from telephones all over the country. Though a regional phone company caught this crime fairly early, criminals had already profited hugely at the customer's expense.
A difficulty compounding fraud detection is that most penetrations occur after hours or on weekends. Worse, the company is legally liable for toll charges that are generated in this way. In 1996, PBX fraud alone accounted for losses of $1.5 million--all due and payable.
"Social engineering" is a term that describes manipulating others into divulging a credit or calling card number, or getting an outside line. A persuasive con man, for example, calls a hospital and asks for Dr. Smith, one of the doctors who practices there. After being connected, he explains that he must have reached a wrong number and asks for a transfer back to the operator. He then claims to be Dr. Smith and asks for an outside line. Since the call is apparently coming from Dr. Smith's extension, the operator complies. The resultant "looped line" can then call anywhere in the world.
Conventional Detection/Prevention
Despite successes in some quarters, traditional detection and prevention programs are losing ground. The anonymous nature of the crime and meager resources of police departments make it difficult for law enforcement to capture phreaks and hackers. The lack of well-defined laws hampers convictions.
Police are so technically ill-equipped that Gail Thackeray, the former Assistant Attorney General of Arizona says, "Those guys move in nanoseconds and I'm on the Pony Express." By default, the burden of self-protection falls on the private sector.
Today, PBXs, voice mail systems and carriers exploring new and unfamiliar phone services are favorite targets. The Telecommunications Act of 1996 took down the fences.
In response to the fraud onslaught, the telephone industry has adopted a "computer virus" model for detection and prevention. Detection schemes rely on knowing the type of fraud, plotting one or more of its characteristics, then searching for the known characteristics. In short, you must detect the fraud before you can actually detect it! If this approach were effective, fraud would be shrinking or vanquished.
Instead, new scams continuously evolve. Before they are characterized well enough to be even partially detected, they wreak financial havoc to service providers, customers and business relationships.
A new solution would have to work faster in real time than the "virus" approach. It would have to be work better in calendar time than America's legal system. The emerging answer: Starve the crooks.
Finding a Solution
Usage signature (or usage fingerprint) technology is proving it can combat fraud. It does not rely upon learning and detecting indicators of fraud. Instead, it detects fraudulent activity itself--which makes the species of scam irrelevant.
Critical specifications of every call detail report (CDR) on the network or switch are captured and put in a database. These specs include originating number, terminating number, call duration, answered/busy/no answer, date, time of day, even routing data.
From these bits of information, complex software mathematically models the unique calling "signature" on every individual line, even individual authorization code users. Every type of fraud distorts someone's previous usage signature.
If Ann's regular calls to Austin, for example, suddenly appear on Joe's phone bill, Joe's usage signature is distended and a polite call from his long-distance carrier checks the authorship of those calls. If two cell phone users simply switch phones, both usage signatures are changed and both would get authentication calls from their wireless carrier - often within minutes.
Contrary to scams above that were stopped only after hundreds of minutes and thousands of dollars were stolen, one long-distance carrier shut down 310 call-sell operations after they averaged 11 minutes on the air. Fast clamp time averted a potentially relationship-ending dispute between a large business and its carrier.
A long-distance reseller with usage signature technology detected fraud on its wholesaler's network and reported it, pinpointing exactly where the fraud originated. Even using these clues, the wholesaler's system couldn't verify the fraud. The reseller's report was ignored. Months later, that wholesaler quietly wrote off tens of millions of dollars of internal fraud from the area reported.
A usage signature system can provide data and information to help trace honest errors in the call accounting/billing process by checking for dropped, overwritten, duplicate or corrupted CDRs. One long-distance carrier's system detected and corrected a 3.76% error rate in billing data. Reclaimed revenue was $7.5 million annually.
Fraud, among other things, depletes service capacity, ties up lines, accelerates capital expenditures, hastens rate hikes, drives off honest customers, and requires extra staff and consultants.
Carriers have now built these unnecessary costs into their budgets as a "cost of doing business." As an effective fraud system terminates fraud, though, such expenses taper off. In the beginning, this "unspent money" pays for the the fraud detection system. Thereafter, it becomes new revenue for the carrier.
Ironically, the length of this payback curve (weeks or months) is a direct function of the clamp-time (seconds or minutes) of the fraud system itself. The carrier that displays crippling knockdown power finds fraud rapidly fleeing its circuits in search of easier marks.
Discretionary cash reappears in several departments. The fraud manager at one long-distance reseller said his usage signature system "paid for itself and my entire department's annual expenses in the first month."
Realistically, some fraud will always sneak through, no matter how sophisticated the fraud detection systems become. Effective revenue reclamation, however, depends upon the ability to stop a very high percentage of fraud.
One usage signature customer was surprised to find $830,000 a month in fraud cut down to $2700 a month. That 99.99% plummet produced an incredibly fast payback time for the fraud detection system and a quick addition of discretionary revenues.
Hobbyist fraudsters will always be entertained by "beating the system" and tormenting service providers. Service providers that can rapidly snatch away the profit incentive keeps these amateurs from turning pro and diverts the pros to other, more vulnerable targets.
Link to Website:
http://www.internettelephony.com/archive/featurearchive/9_1_97.html
Visit the Beck Computer Systems Website at www.beckcomputers.com
From the Telephony Archives
Beating the bugs by Dan O'Shea, Technology Editor No single solution will bring about the end of fraud. But the problem can be managed through a proactive strategy
Fighting the telecom fraud war by Robert L. Fike
Wireless manhunt by Wayne Carter, Associate Editor-News New technologies have criminals on the run
Taking a bite out of cellular crime by Todd Petty Service providers, cellular equipment manufacturers and law enforcement agencies are a triple threat to cellular criminals
Outwitting cloners by Renee Saunders Fraud prevention takes the spotlight as cellular carriers compete with less vulnerable PCS networks
Additional resources on the Net
Cellular Phorum A collection of newspaper articles on fraud
Outfox Phone Fraud A cute page from Bell Atlantic on how to beat phone fraud
Some links to fraud information A page of information from Roseanna DeMaria, the Vice President of Business Security for AT&T Wireless Services, Inc.
Michigan Public Service Commission Some useful information on fraud from the Michigan PSC
CTIA's wireless fraud FAQ
How to stop telephone thievery
Telephone Toll Fraud and Your Business Some information from the FCC
Cellular Telephone Fraud by Kimberly A. Stewart, Virginia Tech's Bradley Department of Electrical Engineering
Portrait of a Con Artist Have you seen this man? Benjamin Hans Tenenbaum is wanted for telephone fraud in California.