[VoiceOps] Toll Fraud

Fri Oct 23 15:08:21 EDT 2009

I haven't had much trouble with Nigeria and Romania as destinations, but
special services numbers in the UK, Germany, Netherlands  etc have all
been a magnet for IRSF. I think your dollar notification is on the right
path though since ultimately that is what matters, with the destination
being a moving target.

Some tips I can offer:

Collect CDR's in as near to real-time as possible. If possible use
radius from your SBC or a live feed from the softswitch. 

Get actual CDR's that show start and stop events for calls, not just
billing records that are cut at the completion of a call. It is useless
to be told after the fact that you just got burned on a series of 6 hour
calls.

Limit calls per Customer/IP/AOR to something reasonable. This prevents
one exploited customer from nailing up 300 calls to high dollar
destinations. You will need to feel this out in your own business
model. 

Limit call length, and do it somewhere that it cannot be circumvented.
This will prevent the guy that does manage to nail up a few dozen calls
on an exploited account to Liberia from keeping them up for 12+ hours
while you snooze away blissfully ignorant of your bank account emptying.
I typically go for 3-4 hour limits but your customer base will make this
determination. 

Finally, monitor your CDR's, constantly. Even a script that crawls your
radius logs every few minutes looking for open calls to high dollar
destinations and takes preventative measures (notification etc) when the
potential cost of the call breaches a limit can save you tons of
heartache. Obviously you will need to determine for yourself what is
normal and what is not. 

There are of course dozens of other places to implement preventative
measures, and the best approach is a multi-tiered one where you guard at
the access side to your network (IPsec, locked down devices etc etc),
core (methods described above), and even at the ordering process (filter
as many fishy customers out before they are customers). All measures
taken in the switch should be considered "last resort" since the
fraudulent calls only get there if everything else fails, and once they
do there is no way they wont cost you money. 

Though at this point it would be worth discussing we collectively
maintain a list of confirmed toll-fraud destinations. I have some ranges
I have just black-holed since the offenders were quite persistent, and I
am certain you all do too and a place where we could all share that
information would be great. 

On Fri, 2009-10-23 at 14:29 -0400, Peter Beckman wrote:

> On Fri, 23 Oct 2009, Nick Vermeer wrote:
> 
> > I'd like tap the collective knowledge here for some fraud prevention and detection resources.
> >
> > Anyone have any information they can share on common fraudulent calls (i.e. Countries and associated digit strings)
> > What metrics have worked best to match to detect fraud before it becomes a significant cost?
> > What platforms have people used to analyze the raw data?
> >
> > Links or RTFM pointers appreciated :).
> 
>   Nigeria and Romania are the biggest (+232 and +40).  Any time a call is
>   made to either of those destinations we are notified.
> 
>   We also get notified when people spend more than $10 our cost in
>   termination, anywhere, in a period of time.
> 
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
> _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20091023/1b3a3f42/attachment.html>