Email a colleague    

December 2018

Oculeus Launches IRSF Fraud Defense-in-Depth for Enterprises; Cloud Service Screens & Blocks Calls at PBX

Oculeus Launches IRSF Fraud Defense-in-Depth for Enterprises; Cloud Service Screens & Blocks Calls at PBX

defense-in-depth   ( noun )

an assurance strategy where multiple layers of security controls (defense) protect a system.  It provides redundancy in the event a security control fails or a vulnerability is exploited.

It’s the burden — and privilege — of an industry analyst/journalist to report on technical advances and innovations that affect a professional domain.

In telecom fraud control, technical advances include the gradual adoption of big data, AI, and Machine Learning technologies.  Innovations are often process improvements that enable fraud control at a lower cost, a higher detection accuracy, or a greater convenience for the fraud analyst.

Bur rarely have I seen real “game changers” — radically new approaches to fraud control that promise to deliver a big impact as opposed to mere incremental gains.

The Oculeus-Protect service, formally launched last week, is one of those game changers.

The service brings enterprises fully into fraud prevention — at a cost of only $5 a month.  It’s a promising new weapon in the fraud control fight, one that provides a new layer of fraud protection: true defense-in-depth.

Now while Oculeus is a small company, it’s an agile, well-connected innovator, particularly in its specialty, wholesale billing, where it serves over 100 telco customers, including a few of the world’s largest Tier 1 operators.

I spoke with Arnd Baranowski, Oculeus’ CEO, who analyzes global fraud trends for us and provides an in-depth view of the solution including: its SIP signaling tech, global on-line registration, security features, and plans to have carriers offer the service to their enterprise customers.

Dan Baker, Editor, Black Swan Journal: Arnd, congratulations on the launch of this service.  Can you give us a basic overview of it?  How does it work?

Arnd Baranowski: Dan, this is a telecoms fraud protection service designed to stop fraud at the enterprise PBX, which is the biggest enabler of IRSF fraud.  It’s a cloud-based service that passively collects SIP IP signaling data for all calls passing through a PBX.  It also continuously monitors and blocks calls at the PBX via signaling.

The service is simple to set up: the enterprise registers for the service by going to our homepage where they can order fraud protection service billed at $5 a month for each company office.

Behind the scenes we have a global system that manages registration.  This central system hooks into protection systems hosted in Cloud environments on each continent.  The central system consists of an anti-fraud call controller for telecom rating/evaluation of fraud, intelligent behavior analytics, a prevention system, and enterprise customer management.

We launched a few days ago in Europe and the Americas.  Early next year we will launch in Asia and Africa.

What’s the system look like to the user?  How is the system set up?

The only enterprise person who needs to get involved is the administrator who runs the PBX system on its site.  When a company registers on the service homepage, it get an activation code to enter into its PBX.  Then, on the first call, the system will verify the activation code once more.  After that, the company is fully protected.

We have actually had the solution up and running for three months now, supporting our interconnect clients.  The enterprise who orders the service can see on the screen its ongoing calls and has the ability to review the calling destinations.  Staff can also manage the company’s profile on-line by choosing to limit calls by time of day, country, etc.  Regardless of whether or not the administrator chooses to customize, the service fully automates fraud detection and blocking.

The PBX remains totally secure.  Oculeus doesn’t access any of the private data inside the PBX because all that’s transmitted to the Anti-Fraud Controller is the signaling data, not the voice call content.

We not only check to ensure a call is being made to a good number, we also monitor the call in progress and can drop the call, for instance, if the duration reaches a threshold or other issue.  In other words, exchange of SIP signaling data is active throughout each call.

Anti-Fraud Protection System for PBX

Now your system diagram shows plumbers, car dealers, and banks as typical enterprise customers.  Is a small business going to need such a solution?

It depends.  I’ll grant you that a one-person plumbing shop is an exception.  But in a typical office, a small PBX supports wireline phones for several employees with off-hour forwarding of calls to their mobile phones.  And a company like that is highly vulnerable.

And I wouldn’t be surprised to see the use of sophisticated IP-PBX communication greatly expand in the years ahead.  Here in Germany, for instance, some of the car dealers are extremely big.  A car dealer in a city like Frankfurt area can have as big a PBX system as a city bank.

In a world where enterprises are equipped with sophisticated phone systems, it makes you wonder: how can voice fraud be managed in an increasingly threat-rich digital world?

Dan, we need to rethink the paradigm of how fraudsters gain entry.  People talk about the “hacking of PBXs”, but that’s a bit misleading.  A fraudster rarely gains full administrative access to a PBX: he doesn’t need that.  All he needs is access to one line of the PBX.  That’s enough to do a lot of financial damage.

And hacking is only one method of gaining access.  You can also skim the credentials off a connected mobile device.  The widespread use of mobile devices has greatly expanded the fraud perimeter that need to be protected.

The other major threat is the tremendous capabilities of the SIP IP protocol, which opens up a Pandora’s box of goodies for fraudsters.  With SIP IP, as soon as you have the access credentials and a valid address, you can inject fraudulent traffic.

Here in Europe, for example, we recently had a case where 20,000 end customers with SIP IP based end devices were affected by fraud.  Someone had hacked into these devices and calls were generated via these 20,000 systems, injected in this case.

So we are coming to the point where anti-fraud software for your PBX should be treated like anti-virus software for your PC.

That anti-virus analogy is a powerful one.  Consumers are well-trained to pay for an annual anti-virus license.  So if greater voice fraud responsibility shifts to the enterprise, that’s a very welcome trend for telecoms.

Dan, most enterprises are not fully aware of the fraud threats they face.  In countries like the US, of course, the enterprise is legally responsible for fraud hits.  And helping to lower the risk is the practice of famous brand carriers to settle fraud damages quietly with enterprises.

But financial loss is not the only motivator.  The IT manager could lose her job over the issue and it’s a hassle to hire lawyers to fight against the carrier.  Who wants to waste time and money bickering over a fraud loss?

So enterprises are looking to exercise more control.  They want to ensure their phones are protected in the best possible way.  Paying $5 a month to avoid a future hassle is well worth the price.

I agree.  Enterprises will pay for higher quality.  Mobile carriers these days will not spend the money to help a company boost the wireless signal inside its large corporate buildings. 

So what happens?  The enterprise pays a premium for a systems integrator to bring in an in-building wireless booster system that the enterprise then controls.

By the way, where do telecom operators fit into your Anti-Fraud solution?

Well, as I said, our interconnect/wholesale carriers are already using the system and are pleased so far.  We will work with any operator who wants to protect their enterprise customers.  In fact, they can even charge the enterprise a monthly fee for the service.

The carrier can run the system within its own network or Cloud environment, leaving registration and customer setup to be managed via the central registration system.  However, any changes to the fraud identification scenarios will be done only by Oculeus — we don’t want our system compromised by external parties.

And nothing needs to be installed by the operator; no confidential third-party database is involved either.  The delays we are experiencing are in the range of 10 milliseconds mostly, with a maximum of around 100 milliseconds.  Customers won’t notice a difference.

What about the older generation hard PBXs that communicate via SS7.  Can you protect those?

Well, since it’s not SIP IP based communication, we would have to integrate with the switch of an operator to make that happen.  However, we are able to do that integration if a company is interested in pursuing it.

SIP IP has been around for quite some time, and all operators are moving to this as it’s now taken the lead.

Arnd, what can I say?  It’s truly an ingenious approach.  Good luck in the rollout.

Thanks, Dan.  I think the aspect of this that’s game-changing is we don’t need to install something at the enterprise.  We are completely transparent to the use of the PBX.

Using only signaling as our input, we have a globally deployed system that customizes the fraud protection for the individual PBX at a company office.  And being completely in the cloud, it can employ behavioral analytics, artificial intelligence and e-learning to the maximum extent possible.

Copyright 2018 Black Swan Telecom Journal

 
Arnd Baranowski

Arnd Baranowski

Arnd Baranowski founded Oculeus in 2004 and has been the sole managing director ever since.  With his background in aerospace technology, Arnd brings over 20 years of experience in software engineering and development of innovative solutions.

Under the premise that every problem has a solution, Arnd and his team continue to develop effective system solutions for managing telecommunications and quickly responding to the ever-changing needs of the global market.   Contact Arnd via

Black Swan Solution Guides & Papers

Recent Stories