[VoiceOps] fraud protection
Ryan Delgrosso
ryandelgrosso at gmail.com
Thu May 17 12:01:41 EDT 2012
I know I'm a little late to the party on this topic but it is
unfortunately something I have a lot of experience with.

I would never rely on upstream carriers to do your fraud detection for
you. The rationale here is that their definition of fraud is likely
dramatically different from yours, and they may have customers that
exclusively do 10M minutes of traffic to Belarus or Somalia, and so
might not consider that as fraud for the first few days, but you know
your customers and you know your traffic, so you are best equipped to
make that determination. They will almost always inform you, but it will
be when a threshold they consider scary has been breached, which may be
orders of magnitude worse than what you can metabolize.

I am not sure what your business model is, if you use exclusively
managed devices, or just sell straight SIP trunks to anyone with a
credit card, or if you screen customers by locality, and if you normally
deal in heavy international, but most switch vendors will tell you to
lock down the number of concurrent calls per subscriber and perform
numerous other highly restrictive actions that will chafe you and your
customers and possibly hurt your service delivery model. My experience
has been to simply plot customer spending trends (you bill them with the
same data so this is easy) and then raise an alarm whenever their
calling patterns deviate significantly from the norm (obviously
calculating customer spend more than once a day is important here). What
you do with those alarms is up to you. We have an automated system with
a sliding scale that immediately terminates the active suspect calls,
and removes the ability to dial internationally and flags the account
for review all the way up to suspending the account with extreme
prejudice which is based on a lot of logic we have developed over the
years. I have seen some companies just fire off alarm emails to their
NOC to have a human put eyes on it which works just as well, and can
certainly lend intelligence to the process but also may introduce a
human element of failure.

Don't rely on anyone else to watch your customers, since they don't
understand what is normal like you will, and in the end you always get
stuck with the check.

-Ryan

On 05/14/2012 09:33 AM, Mark Kent wrote:
> Hello,
>
> We just had an unfortunate compromise and racked up a large amount of
> calls in a 12 hour period. The attack seems to be for financial gain
> in that the most frequent destination is a conference call service in
> Poland, that possibly keeps calls open waiting for a PIN to be entered.
>
> Is there any basis for expecting that the upstream carrier should have
> some protections that would limit our liability?
>
> Thanks,
> -mark
>
> P.S. For those people who feel compelled to point out that we should
> have (better) protection on our end: Yes, Thank you, message received!
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
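
The per-customer spend-deviation alarm described in the reply above, as an added example that is not part of the original thread or of any system its author describes. The hourly interval, the median/MAD scoring, the thresholds, the action names and the sample figures are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed sliding scale: (minimum deviation score, response). Illustrative values.
SCALE = [
    (50.0, "suspend_account"),
    (15.0, "drop_calls_block_international_flag"),
    (6.0, "alert_noc"),
]

def robust_z(history, current):
    """How far `current` sits from this customer's own norm, in MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread so a flat or tiny history cannot produce a near-zero divisor.
    spread = max(1.4826 * mad, 0.05 * med, 0.50)
    return (current - med) / spread

def evaluate(history, current, min_intervals=24, new_account_cap=25.0):
    """Return (action, score) for a customer's latest rated-spend interval."""
    if len(history) < min_intervals:
        # No baseline yet: fall back to a flat cap and a human review.
        return ("alert_noc" if current > new_account_cap else "none", None)
    z = robust_z(history, current)
    for floor, action in SCALE:
        if z >= floor:
            return action, round(z, 1)
    return "none", round(z, 1)

# Constructed sample data: (past hourly spend in USD, spend in the latest hour).
SAMPLE = {
    "small-office": ([1.8, 2.1, 2.4, 1.9, 2.0, 2.2] * 8, 190.0),
    "clinic": ([10.0, 12.0, 11.0, 9.0, 10.0, 11.0] * 8, 40.0),
    "intl-reseller": ([395.0, 410.0, 402.0, 388.0, 405.0, 399.0] * 8, 431.0),
    "new-signup": ([0.0, 0.4, 0.0], 60.0),
}

def run(sample=SAMPLE):
    """Score every customer against its own history, never a global threshold."""
    return {cust: evaluate(hist, cur) for cust, (hist, cur) in sample.items()}

if __name__ == "__main__":
    for cust, (action, score) in run().items():
        print(f"{cust:14s} {action:36s} score={score}")
```

In the constructed data the reseller's 431 USD hour passes untouched while the small office's 190 USD hour reaches the top of the scale, because each is judged only against its own baseline.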