
April 2017

A Herculean Task: Battling Fraud in an Increasingly Complex Comms World

The myths of the ancient Greeks continue to teach us valuable lessons.  Heroes such as Odysseus and Hercules were merely average men.  They had every human weakness and made plenty of dumb mistakes, yet their smarts and adaptability allowed them to conquer even the toughest of opponents.

Take the case of Hercules.  His mission was to kill Hydra, a multi-headed, serpent-like monster, but that wasn’t easy.  Every time you succeeded in chopping off one serpent head, the Hydra would quickly grow back two heads to replace the one it lost!

And isn’t that a fitting metaphor for the fraudsters?  As fraud control teams get better at cutting off one particular type of fraud, the fraudsters grow new fraud avenues and schemes to compensate for the loss.

Well, Michalis Mavis, consultant and former head of fraud control at OTE in Greece, is someone highly experienced at fighting fraud from multiple directions.

In my interview with Michalis, he walks us through some interesting cases, gives us his advice on FMS software, and offers four key lessons on the path to fraud management excellence.

Dan Baker, Editor, Black Swan Journal: Michalis, it would be great to hear about your career in fraud control, and I understand the Olympics had something to do with it.

Michalis Mavis: Yes, Dan, I got started in fraud management at OTE in the early 2000s.  At the time, OTE was Greece’s government-owned operator: they have since gone private and are owned in part by Deutsche Telekom.

And the Olympics did play a key role!  We launched our fraud management system just before the Olympic Games in 2004 which took place in Greece.  Now, since I was president of the Hellenic Fraud Forum (HFF), I was privy to the fact that Greek operators experienced heavy losses at that time.  In addition to OTE, we had Wind Greece, COSMOTE, Vodafone and other operators in the forum.

And since it was already reported in the newspapers, I can tell you that the fraud losses in Greece for that year were about 100 million Euros for all HFF member companies.

Fortunately I proposed to our CEO to start building a fraud control division and within a few months we bought the Hewlett-Packard FMS, a very good system.  Soon thereafter, we cut our fraud losses at OTE by 50% and they were very significant savings.

What kind of frauds did you experience there?

Many different types, but the most significant at that time were PBX related.  For example, Olympic Airways (previously owned by the well-known Greek millionaire Onassis) was hacked and the fraud cost them $5 million Euros in some weeks’ time.  Then the National Nuclear Research Center Democritus lost a half million Euros from frauds in only 3 weeks.  The National Bank of Greece, the British Council in Athens, the ACS Courier and many other companies faced PBX fraud and were quite unaware of the fraud threat.

Now some say, “Why alert the big enterprises?  When they get fraud, they have to pay the operator anyway.”

Well I think that strategy is bound to backfire.  Even for a large enterprise, when the losses get heavy, the enterprise will often say, "Sorry we cannot pay you." So the telecom often ends up eating the cost.

It happens on the consumer side too.  In one fraud case, young children at home were told to call a primary rate phone number advertised on television.  And many times the father of the house couldn’t pay the bill because it was 20 or 30 times the normal amount.

The tricky part of that fraud was it appeared on the books as bad debt — not fraud — so it was important to communicate internally to close that gap and our FMS did a good job of resolving the issue.

Criminal minds can be quite cunning.  Is there a particular fraud case that stands out as highly unusual?

One of the more memorable fraud problems we saw was on the island of Crete, south of Greece.  Crete is a big island and lots of tourists visit there each year.  Crete was home to many immigrants from Syria, and the Syrian mafia eventually started operating there too.

So a company in Crete calls us and says they need 20 telephone lines.  And as soon as they got those lines, they started making fraudulent international calls.  We sent the first bill in some weeks’ time but it was never paid.  Then they would close their shop, go to a new address, and start the same scheme again.  Unfortunately no FMS was monitoring their accounts so we lost major revenue at first.

But once we did zero in on the case, we discovered them in two or three days’ time and we had the police arrest the leaders of the criminal ring, putting them in a Crete jail for six months.

Only a few months later another company calls us saying, “We are setting up an internet café business, we need 3 ISDN lines.”  Soon thereafter we noticed high rate IRSF calls were being made from those ISDN lines.  And the calls were actually originating from the cardphone of the same jail in Crete where the criminal ring leaders were locked up.

The same guys were behind the fraud.  They figured out how to connect special equipment to the ISDN lines and were making the international calls on one of the ISDN channels, by calling from inside the prison cardphones, selling international calls to other prisoners, and using fraudulent telecards.

Syrian Prisoner Fraud Case

The trick the Syrian Mafia used in Greece was what the police called “playing the Joker” calling card.  Those telecards were used in public phones that are found in the streets.  The calling cards would decrement the charge for each call, but as soon as the card reached zero balance, it would be fraudulently reloaded with a new 30 Euro balance.  So these cards would never expire.

These were very interesting cases.  What about the fraud of one operator against another?

Well, the fraud done by criminal rings gets most of the attention, but quite a bit of fraud also occurs between telecom operators.

For example, mobile operators can manipulate the signaling information to avoid paying.

If I make a telephone call from Greece to the United States and the call cost is 10 Euros; 5 Euros is taken by the Greek telecom and the rest goes to the US operator.  But if an operator in the interconnect chain manipulates the SS7 information for an SMS, let’s say, then the originating point of that SMS is not known and there is no cost to be shared.

FMS tools: what’s your experience with them?

Actually, the FMS is an excellent tool, but it’s critical to program it properly.  If the filters are good, then you can locate and target a wide variety of frauds.

Profiling and categorizing subscribers for their individual usage is very valuable.  If you never speak more than 30 minutes with someone or you don’t work on Christmas, Easter, or weekends, that’s valuable fraud prevention intelligence.

One of the first significant problems we found with our new FMS was not fraud at all, but revenue assurance problems with our digital exchanges.  We found many mistakes in the CDR processing chain, CDRs lost, not correctly rated and many other issues there.  So FMS can be a key tool for testing things, even though other systems exist today covering revenue assurance needs.  Whenever a new version of the digital exchange is installed, new problems arise and the rating of calls has to be examined.  The fraud management system is also of great assistance in solving these problems, especially in the first steps following the installation of the new system.

Networks these days are actually computers: the nodes of mobile networks, the home and visiting location register databases, the rater and the billing systems are all based on computer systems that can be manipulated and/or attacked.  For this reason, security measures used in computer networks should be in place to guard against various threats.

Another important issue related to privacy is traffic analysis, which provides information on who is talking to whom and when.  For example, if you know that I am talking to the US President, even though you don’t know what we are talking about, it is still significant intelligence.  So it’s critical that CDRs be kept confidential and secured.  That way, if someone hacks the mobile node, CDRs can be deleted, so traffic is not billed or stolen (allowing traffic analysis).  In fact, a Denial of Service (DoS) attack can bring the whole mobile infrastructure down.

This is why the security of network equipment and hardware in the mobile system is very, very critical.

What fraud control challenges do you see going forward?

I think FMS systems need to step up and support both traditional circuit, VoIP services and new network platforms (IMS).  There’s a need to combine CDRs with IP CDRs in one FMS.  Modern systems are delivering many advances in this area.

We also need systems that take feeds from security modules: input from firewalls, IDS/IPS and security systems are most important now.

Television and video services from IP players like Netflix are expanding.  And in those cases, people are paying for specific packages and there are intellectual property rights and QoS issues too.

So quality of service (QoS) issues have risen in importance.  If I’m paying for a gold quality IP service, then I need to guarantee that traffic’s quality and ensure it’s being routed properly.  And another big issue to monitor is Telco-OTT (Over-The-Top) fraud and the internet of things (IoT) and that will be everywhere, including your refrigerator and wearable gadgets.

Privacy violations are another big area where operators can run into trouble.  We must build secure systems that protect CDRs and other sensitive data so it’s not disclosed to unauthorized people.  And we also know that law enforcement needs access to certain information for lawful intercept reasons, such as identifying terrorist rings.

When you consult with clients, what are the problems you see?

Mainly I provide training courses in different countries, but as a follow-up to my training course, if they need some specific advice, I am happy to go in and fix them.

To generalize, I would say the problems are mixed.  In some countries, you find people who have an inadequate fraud management system, built on very low value IT systems processing CDRs.

In other countries, the operator is equipped with an FMS, but those systems are not properly tuned.  They are getting so many alarms that the really significant problems are not detected in time.  This is a common problem where the fraud control division is under-staffed.  If you have ten people looking at one thousand alerts per day, it’s hard to keep track of that volume.

Dan, let me walk you through four key initiatives I’m passionate about.  If you can do these four things right, I think you’re well on the road to fraud control excellence:

  1. Staff and Train your Company on Fraud

    Training the larger company is part of the mission of a well-organized anti-crime and fraud team.  In particular, you need to give seminars to the senior executive team and CEO if possible.  Otherwise, they will never know about the risks they face.

    The training should also reach your internal teams, such as product management, technical folks and sales people.

    Educate them on what happens globally, and emphasize proactive controls.  For example, when launching a new product — a mobile service, a new bundle, whatever — examine the security and fraud issues in advance.  If fraud issues are not baked into the design of a service, fraudsters may exploit those weaknesses — and you can lose a lot of money before you fully understand what’s happening.

  2. Participate in International and National Forums

    There are several good international forums on fraud: the GSM fraud forum, FIINA (Forum for International Irregular Network Access), the CFCA, the Risk Assurance Group (RAG) and others.  There’s even a European Union working group focused on fraud.  And I always urge my colleagues to get involved in these groups.

    Don’t think this is a waste of time.  As frauds jump from one operator to another, you are prepared because you’re sitting next to a person who will share threat information with you.  Often these forums deliver cutting edge information you can take back to your team.

    National fraud forums are also valuable.  There’s one in Germany (DFF) and the UK (TUFF).  In Greece I was the first chairman of the Hellenic Fraud Forum (HFF) formed back in 2000.

  3. Conduct Technical and Procedure Audits

    Auditing is another priority: you need to regularly assess your vulnerabilities.  Also, your technical auditors should be audited for all the procedures of maintaining the mobile nodes.

    The mobile infrastructure is nothing more than a mashup of computers.  The HLR, VLR, mediation and billing systems, the rating engines — all of these blocks must be regularly audited.

    Consider this: a mobile phone is either prepaid or post paid, and only one computer bit — a setting of 1 or 0 — determines how you treat a particular phone.  And if that one bit is in error, then a postpaid mobile phone will never issue a bill.

    So this illustrates my point.  Even if the bill is correct, there may still be problems with specific network equipment or devices.

  4. Be on the Lookout for Insider Fraud

    Insider fraud is one of the biggest challenges today, yet people in many countries lack the knowledge to deal with it.

    At an operator in Armenia, we were checking to see if the agreements with international carriers were being followed, or if people were bypassing traffic through other operators to get more money.

    And at one point, we discovered an agreement from inside the company around the PBX service that made international and PRS (Premium Rate Service) expensive calls.  They were making the calls by creating PBX phantom numbers.  If a PBX has 500 extensions, it’s hard to figure out when new extensions are created without authorization.  Then the new, unauthorized phantom numbers are used for IRSF fraud.

    We were able to stop this big business of internal fraud.  Inside fraud is very critical and it may represent very high losses.

    And when you discover internal fraud, you should be very careful because the steps you should follow are different from what you follow whenever there is an outside fraud: it is very sensitive.

IRSF Phantom PBX Numbers Fraud Case

Thanks for this great tactical advice, Michalis.  I’m sure there are many operators out there who could use your help slaying the fraud monsters causing them pain.

Copyright 2017 Black Swan Telecom Journal

Michalis Mavis

Michalis Mavis was the founder and first Chairman of the Hellenic Fraud Forum (HFF) that was established in the year 2000 (4 years before the Olympic Games in Greece) by the Hellenic Telecom Operators to fight telecom fraud.

Michalis studied Physics and got two Masters degrees in Telecommunications and Computer automation from the University of Athens.

He was head of the telecom fraud division of OTE (Hellenic Telco).  He worked as a crypto engineer for NATO Communications and Information Systems Agency (in Brussels) and as Project Supervisor at EURESCOM (European Institute for Research and Strategic Studies in Telecom) in Heidelberg-Germany.

He also became chairman of the ETNO (European Telecom Operators) WG on Information Security.  He cooperates with EUROJUST (in the Haag-NL) and the Hellenic Police on electronic crime prevention.  He also provides training and consultancy on fraud & security topics for telecom companies in Europe, Africa and Asia.   Contact Michalis via
