Email a colleague    

March 2015

IRSF Protection: Software that Blocks Telecom Fraud at the Enterprise PBX

IRSF Protection: Software that Blocks Telecom Fraud at the Enterprise PBX

In archery we have something like the way of the
Higher Man.  When the archer misses the center
of the target, he turns round and seeks the cause
of failure in himself.
   Confucius, Will Durant, The Story of Civilization

International Revenue Share Fraud (IRSF) is one of those fraud prevention problems where the arrow of blame always seems to point to someone else in the call delivery and revenue protection chain.

But everybody: the PBX maker, retail operator, wholesaler, police — and customer — all share some responsibility for a problem that’s persisted for 15 years and has cost the telecom industry and its customers countless billions of dollars a year.

However, one company that’s delivering an effective and affordable fraud defense at the enterprise PBX point is The Callista Group, a tight band of PBX experts based in Auckland, New Zealand.

And joining us to talk about that innovation and provide a detailed explanation of PBX protection issues is Roger Ansin, Callista’s chairman.

Dan Baker: Roger, I’m curious how you first got involved building a product to block IRSF?

Roger Ansin: Well, Dan, we had been producing call account systems for 20 years or more.  Then around ten years ago someone in our UK office said a customer needed help creating alerts to detect large fraudulent call volumes coming through PBXs.

So that was our first knowledge of IRSF.  And we soon discovered this was a huge problem that was totally unmanaged.  That caused us to develop some software to protect enterprises from the threat.  So that’s the genesis of our Control Phreak product.

What’s the worst case you’ve seen of IRSF at the enterprise level?

Well, there was one customer doing thousands of calls a day, but they were losing 27,000 English pounds per weekend.  They just couldn‘t stop the attacks.  And they ended up taking down their voice mail system, the situation was so drastic.  But at a big company, you can’t do that.

When they installed our Control Phreak, it all ended.  We saw in the logs about 20 or 30 attempts to break in: they were all blocked, but we noted the fraudsters tried to break in again a few months later.

As is common in these cases, the damage was done over the weekend.  The carrier sends alerts after a pre-determined threshold, but if nobody at the enterprise picks up their email, nothing is done.  So when the manager came in Monday morning he found a stack of email alerts starting on Friday night.

And, of course, the PBX owner has to pay the bill because a fraudster is making a chunk of money on the other end.

Does the type of PBX you have make a difference?  Analog, digital, or SIP line?

To the phreaker, it really doesn‘t matter what kind of PBX you have.  The advantage they get with SIP lines is they can be used to pump out more premium rate calls per hour.

The phreakers are basically concerned with only two things: what type of phone system it is and how they can get the system to redirect calls.  By the sound and response they get from the PBX, they can figure out what sort of PBX it is.  And once they know the brand name of the PBX, they know the default password, maybe even the hidden factory-installed passwords in the system.

And, of course, VoIP has made it easier to hack into phone systems: the hacker targeting a U.S. business could just as easily be operating out the Philippines, for instance.

Don‘t the PBXs know when dozens of attempts are made to call into the phone system?

Surprisingly, most PBXs don‘t have that sort of control in them.  However there’s one European PBX brand I know that allows three attempts to log in with a successful password, then it locks out the caller for some time.

But hackers have found ways around that.  For instance, they would automate two phone calls to test passwords, then disconnect, then reconnect and try another two till they found the numbers.

Of course, it doesn‘t matter how many days or nights it takes to break in because it’s an automated process running on someone’s PC.  And a single PC can be running dozens of these processes at one time.

Can‘t the business take some simple security steps like changing passwords?

Dan, changing the passwords is one of the most common pieces of advice you hear, but it’s actually not effective.  Here’s why: the fraudster is not making the calls himself, he’s using a software program to break into your PBX.  So all the fraudster does is run an automated brute force attack.  If your password is 4 digits long, they just run through every possible combination till they break through.

In fact, a hacked PBX can be groomed to allow the passwords to be changed.  So for all you know, your PBX may already be compromised: you just don‘t know it.  Then, one day it will be turned on and away it goes.

Now PBX engineers will tell customers, “We can fix that.” And what do they do?  They get paid by the customer to come in and “secure” the phone system with some customizations.  But a few weeks — or a few months later — it gets compromised again.

One customer of ours was hacked three times on the same PBX before they actually put in our product.  In fact, 70% of our customers who run Control Phreak have been hacked before they buy it.

How do the hackers get paid for breaking into PBXs?

There’s quite an organization supporting this crime.  Groups of phreakers sell the PBX numbers they’ve hacked into on the open market.  Then the fraudsters lease a group of IRSF numbers and start pumping calls through those PBX lines.

Some of hacker web sites even offer the free download of a call generator, so they are very efficient and clever.

Of course, premium rate numbers look like any other phone number.  Consultant Colin Yates has a list of 72,000 phone numbers he’s identified as fraud numbers, but that’s a horrendous list to keep up to date.

How much of IRSF fraud is coming through the PBX do you figure?  What are the smartphone as an IRSF launch pad?

So far at least, the IRSF threat via smartphones is much lower because there are active limits and controls on making calls.  We figure the PBX is still the primary gateway to IRSF.

And the PBX is useful to the criminals because it helps cover their tracks.  A few years ago, AT&T broke up a big crime syndicate based in Spain and Italy.  The fraud cost AT&T and its customers quite a few million dollars.  The criminals were eventually found by tracking back calls through hacked PBXs.

Likewise, I’ve seen a number of investigations where a chain of five PBXs were used to make calls.  When you do that, it becomes hard to determine where the originating call are coming from.

There was a case in New Zealand where calls were coming in from a PBX in Italy through Auckland and then finally out through Algeria.  As you can imagine, the police authorities are hampered because so much of the problem is out of their jurisdiction.

So how does your PBX fraud blocker work?

Our Control Phreak sits on a PC and monitors everything that goes in inside the PBX.  So if you pick up the handset of your office phone, it knows that.  When you start to dial, it detects that.  When a call comes in, it knows that, too.  So it’s tracking in real-time everything that happening on the PBX.

Basically our system operates using three sets of rules:

  1. Incoming Call Rules allow you to block callers.  For instance, if an ex-boyfriend is harassing one of your staff, you can block the numbers.  Same goes for nuisance phone calls;
  2. Outgoing Call Rules control who calls who and at what time.  PBXs do have this ability, but in a limited way.  In our product, it’s more flexible: you can set exactly the rules you want; and,
  3. Divergent Call Rules is where we block the calls used for fraud.  Our system can distinguish calls that you legitimately want to pass through to an internal extension versus those coming in from a fraudster.

Now the trick is to control the PBX without taking away the great convenience features that people expect from a modern phone system.  Certain security solutions that the PBX manufacturers supply actually lock down phones, and that’s frustrating to customers because they can‘t make phone calls out and use the features they paid for.

But we’ve solved this issue so the PBX is both fully protected and its full complement of features is available.  A video on our website explains how it works.

Dashboard for PBX Fraud Blocking

And what does it cost for an enterprise to be protected?

Dan, generally a company has one PBX per office.  So the protection we sell is software for one PBX at a time and the cost is less than $500 U.S.  The solution is installed on a local PC that our specialists remotely load for the customer from here in New Zealand.

The PC at the company communicates with the PBX, but it doesn‘t need to be a dedicated PC, just one that’s running all the time and is reliable.

Wow, $500 for a life-time of protection sounds very reasonable.  So what’s the catch?  Why isn‘t Callista a famous software brand already?

Well, unfortunately, our solution doesn‘t work for all PBXs.  We need the cooperation of the PBX companies to actually build the interface.  Now manufacturer such as Panasonic and Alcatel-Lucent do work with us and we are fully certified with Panasonic.

But other PBX makers aren‘t as willing to publicly admit there’s an issue: they’re not eager to advertise that their PBXs can be hacked.  And that’s unfortunate because when you buy a PC, it well known that you better have virus and malware protection.

Now most of our sales are to PBX manufacturers and individual enterprises.  But sometimes we get orders from carriers who buy a solution for their customer.  To make a customer problem go away, Control Phreak is useful.

Thanks, Roger, for this fine education on protecting the PBX.  Nice to know there a class act in New Zealand to complement Hayley Westenra.

Copyright 2015 Black Swan Telecom Journal

Roger Ansin

Roger Ansin

Roger Ansin is chairman of the Callista Group, the privately held call accounting software firm he co-founded in 1988.  Callista is the developer of Control Phreak active voice security system designed to protect the enterprise PBX.  The firm also develops call management and hospitality management systems out of offices in three countriesl, including a global 24-hour installation and support service.   Contact Roger via

Black Swan Solution Guides & Papers

cSwans of a Feather

Related Articles

  • Black Swan Guide: Araxxe’s Revenue Assurance Consulting, Testing, and High Definition Billing Analysis Service by Dan Baker — How Araxxe’s end-to-end revenue assurance complements switch-to-bill RA  through telescope RA (external and partner data) and microscope RA (high-definition analysis of complex services like bundling and digital services).
  • Subex’s IDcentral Monetizes Telco & Enterprise Data to Deliver Digital ID & Risk Metric Services for Financing, KYC & More interview with Shankar Roddam — A new digital intelligence service that monetizes the idle data of telecoms and enterprises while also earning a good return for the owner of the data.
  • Opportunities & Obstacles: Consultant Luke Taylor Muses on the State of the Telecom Risk Assurance Business interview with Luke Taylor — A rambling discussion on the state of the risk assurance business with Luke Taylor, independent consultant in telecom revenue/fraud assurance and solution requirements and marketing.
  • LATRO’s Tips for Launching a Successful Revenue & Fraud Assurance Program for Mobile Money Operations in Developing Countries interview with Don Reinhart — A company building mobile money RA/FM tools and  managed services gives a concise, but detailed tutorial on how the Mobile Money Ecosystem works.  Revenue assurance pros will get tips on  what to look for in analytics/assurance tools, controls, and professional services.
  • A WeDo Conference Talk: Consulting & Analytics: Improving your Business Today, Enhancing it Tomorrow interview with Carla Cardoso & Bernado Lucas & Thomas Steagall — Leading risk management consultants explain their mission and walk-through RA, subscription fraud, and collections cases.  They also explain how analytics and machine learning can supplement process optimization.
  • PrologMobile’s Simple and Brilliant Plan to Save US MNOs Billions a Year in Recovered Phones & Retained Customers interview with Seth Heine — An expert in the mobile phone reverse supply chain explains how MNOs — via a neutral third party information exchange — can recover their original phones on the used market and save huge sums in multi-year customer retention.
  • WeDo Explores the IoT Ecosystem in Search of Tomorrow’s Pivotal Fraud & Business Assurance Solutions interview with Carlos Marques — A veteran product manager scans the IoT terrain, discusses key fraud and assurance challenges, and explains the preparatory steps WeDo is taking to become a key player in this emerging market.
  • New Report: Telecom Fraud & Business Assurance Solutions, Services & Strategies by Dan Baker & Luke Taylor & Colin Yates — TRI publishes a new market research report, Telecom Fraud & Business Assurance Solutions, Services & Strategies.  Free executive summary available.
  • Subex Juggles a Wide Variety of Business Assurance and Big Data Analytics Use Cases interview with Rohit Maheshwari — A expert in business assurance solutions explains top use cases such as: IoT security, big data analytics/AI, network asset optimization, multi-player gaming assurance, onboarding mobile subs, and AI customer analytics.
  • MTN Agility: Mastering Exponential Technologies in Revenue/Fraud Assurance and Beyond interview with Danie Maritz & Tony Sani & Luke Taylor — An in-depth look at RAFM operations and innovation at the MTN Group.  Topics discussed include RA/fraud control challenges, strategies, and MTN’s journey to exploit exponential tech (AI, robotics, and ML) in its RAFM program and support of internal non-telco businesses.
  • From Byzantine Software Contracts to Simple & Flexible RA Managed Services interview with Philippe Orsini — Is the way B2B/enterprise software is sold and delivered today progressive — or is it Byzantine in the age of cloud?  An expert lays out the case for managed services in RA and billing verification.
  • Premiere Experts Set to Speak at Summer RAG Conference in London, July 7th and 8th by Dan Baker — The Risk and Assurance Group (RAG) has announced that its 2016 summer conference will expand into a two-day event and feature many premiere experts. 
  • WeDo Hosts Revenue Assurance & Fraud Management Conference in Washington DC by Dan Baker — Black Swan is pleased to announce what looks to be a first class revenue assurance and fraud management conference being put on by WeDo Technologies, on October 1st and 2nd in beautiful Washington DC.
  • Test Call Generators: An Essential Test & Debugging Tool in Mobile Billing Assurance interview with Steffen Öftring — An “active” test call generator (TCG) can see problems that a “passive” revenue assurance system is blind to.  Here’s a discussion on the test call RA  process, over-the-air calls versus core call injection, and test call networks in global roaming RA.
  • The Revenue Assurance Game: How the Rules Change in the Era of IoT & Mobile Broadband interview with Rene Felber & Gadi Solotorevsky — Revenue assurance is perhaps the hardest of telecom functions to define because the term is used in so many different senses.  This discussion on the evolving role of revenue assurance was catalyzed by a survey of experts in the profession.
  • Day in the Life of a Revenue Assurance Analyst interview with Michael Lazarou — Revenue assurance is much more than a software category.  It’s individual analysts struggling to help their larger organizations get a handle on system errors and coordination problems.  In this interview, an analyst reveals the many challenges of getting the revenue assurance job done at a small GSM operator in Europe.
  • Revenue Assurance: History and New Beginnings in RA Maturity interview with Daniela Giacomantonio & Gadi Solotorevsky — The Roman Forum was the center of commercial life in ancient Rome.  Now, two millennia later, the Forum lives on in the exchange of ideas across countless professions and  media.  In this interview, two Revenue Assurance experts discuss both the new RA Maturity initiative of the TM Forum and the value of telco/solution vendor collaboration.
  • Migrating systems or launching LTE next year?  Don‘t forget transformation assurance & optimisation by Efrat Nissimov — System transformations and network migrations are major  revenue impacting events and they should raise a big red flag.  Why?  Because data integrity issues are bound to crop up as CSPs move vital data from a legacy system to something new.  It’s time for transformation assurance.
  • How can Cable/DSL Internet Providers Meet the Usage-Based Billing Mandate? interview with Ryan Guthrie — The popularity of YouTube, Netflix, and Hulu other video outlets has turned the tables on service profitability for cable/DSL service providers.  Many are moving to usage-based billing, but that largely unprepared for the revenue assurance aspects of this move.  This interview explains the technical challenge and points to solutions in billing, speed caps, and traffic revenue monitoring.
  • CABS Revenue Assurance: How Rural LECs can Recover $284 Million in Revenue Shortfalls interview with Kelly Cannon & Darrell Merschak — Independent rural LECs in the U.S. still rely on the AMA/EMI billing formats for CABS billing, even as that format has proven to be highly inaccurate as a source of inter-carrier records.  This interview includes an analysis and discussion of revenue recovery techniques ILECs can use by leveraging SS7 probes.  Also discussed are billing strategies, traffic dumping threats, and the possible fallout from the FCC’s bill-and-keep mandate.
  • Make Business Assurance Progress Every Day: How to Set Goals, Automate, and Energize Your Team interview with Kathleen Romano — Business assurance (BA) skills have wide applicability outside the revenue assurance and fraud mangement domains.  In this article, a telecom executive explains how she’s applying her BA skills in the Payments area.  In addition to discussing the key operational challenges in Payments, the interview also provides keen insights on setting goals in business assurance, leading a team, and making critical decisions.
  • LTE Rollout: Make it a Smashing Success with Risk Assessment, Controls, and Marketing Offer Analytics by Gadi Solotorevsky — LTE brings splendid new capabilities to mobile users.  But like 2G and 3G deployments before, operators can only make money if they successfuly plan, coordinate, deploy fast, and pay attention to pricing plans and the customer experience.  This article lays out a 3-phase tactical guide on  how revenue analytics professionals can add value in LTE service risk assessment, controls, and marketing offer analytics.
  • RA Prevention: How to Manage Revenue Risks and Communicate RA’s Value to Senior Execs by Shaul Moav — The era of revenue assurance prevention and risk assessment is here.  Several of the mature operators of the world have developed their own methodologies and tools.  Using firefighting and fire prevention as a metaphor, the article details a new commercial software approach explaining the goals, method of risk evaluation, and senior executive dashboards developed for the process.
  • Precision Clockworks: How Revenue Assurance Synchronizes with the Business at Swisscom interview with Marco Pollinger — An expert revenue assurance department is one whose work dovetails well with the lines of businesses it supports.  In this interview you’ll learn how Swisscom manages its revenue assurance function for maximum effect.  The article discusses: the operator’s innovative RA organization, the screening and RA approval of new services, its pre-production bill audits, and its coordination with corporate risk management.
  • Versatile, Portable & Corrections-Savvy: Quest for the Swiss Army Knife of Revenue Assurance Software by Mark Yelland — Revenue assurance maturity models are not cast in stone.  Since  best practices will change over time, it’s healthy to explore moving maturity models forward.  For example, great gains have been made in leakage detection, but RA corrections has been harder to master.  The author dreams about seven functions that should ideally come together in a single all-purpose revenue assurance software tool.
  • Bringing Strategic Planning & Value Engineering to Revenue Assurance interview with Maged Fawzy — Engineering and architectural techniques have a role in revenue assurance.  This interview with a top Egyptian RA consultant explains how continuous risk assessment and long range — yet flexible — RA planning can sharpen a carrier’s RA program and lead to better use of revenue assurance software and integration services.
  • Forensic Fossils: Is Your Revenue Assurance Shop Fit for Display at a Natural History Museum? interview with Jim Marsh — Without the continuous guiding light of seasoned revenue assurance leaders, even the best teams of RA professionals, technology, and business processes can fossilize and lose their vitality.
  • Revenue Assurance: The Magical Market Cap Multiplier by Van Howard & Curtis Mills — Many operators today consider revenue assurance yesterday’s opportunity.  But this article shows why significant revenue and cost leakage can still go undetected, even in companies with dedicated RA departments.  Also discussed are the benefits of a broader or more “forensic” approach to revenue assurance, an approach that boosts the bottom line regardless of the automated tools already in place.
  • From Risk to Robust: Turning the Big Picture Into a Real Agenda for Change in Telecoms by Eric Priezkalns — Inspired by a Financial Times article written by Nassim Taleb, author of “The Black Swan”, here is an insightful and entertaining primer on telecom risk management.  The article takes ten risk management lessons from Taleb and applies them specifically to the communications industry.  You’ll learn about the value of small scale trials, organization accountability, cures for a blame culture, incentives that work, the power of simplicity, and more.
  • Synthesizing the Telecom Business Assurance Practice With the Analytics World by Dan Baker — Business assurance is a wrapper term that allows you to draw a circle around various telecom assurance, control, and optimization activities.  This article maps business assurance as a subset of telecom analytics, constrasting it with marketing analytics while a diagram shows where biz assurance fits in the larger B/OSS world.
  • CABS Revenue Assurance Disputes: May the Carrier With the Best Data Win by Cheryl Smith Rardin & David West — Revenue assurance innovation is far easier when partners cooperate to make it happen.  This articles shows how a U.S. operator, software vendor, and consultant teamed to develop a breakthrough in Carrier Access Billing (CABS) assurance.  Learn about: the dispute resolution data gap that needed to be filled, the partnering strategy, the implementation challenges, and payback results.
  • Revenue Assurance vs.  Business Assurance: Who’s the Rightful King of Controls Software? interview with Sergio Luis Silvestre — Business controls software, originally developed for RA, is finding application in other areas of the business such as internal audit, collections, security and risk management.  This article argues that “business assurance” is the best term to describe this broader set of  controls software that can find a home in numerous departments or functions of a CSP’s business.
  • PwC on the Business of Revenue Assurance Consulting & Mentoring interview with Tim Banks & Dan Stevens — Revenue assurance consulting firms offer a broad range of services to clients these days.  The article explains the practice of mentoring RA mangers and providing a CFO with visibility on the status of an operator’s business controls.  Perspective is also offered on the value of RA software and the opportunity to broaden the RA practice scope.
  • Robots for Hire: Verifying Accuracy In the Age of Complex Mobile Billing/Charging interview with Xavier Lesage — As real-time charging and complex lifestyle calling plans gain credence across the globe in wireless, billing quality issues will rise in importance.  This article discusses a unique managed services approach to invoice testing and roaming fraud protection that checks results against advertised or published source data for the utmost accuracy.
  • Ericsson: Revenue Assurance Consulting With an NGN Flavor interview with Thomas Steagall — Helping operators detect billing and provisioning problem is merely table stakes in the RA services business these days.  The article discuss why operators need to ramp up their RA function with service experience and group-wide financial health monitoring.  Advise is also offered on: key RA maturity questions, risk-and-reward contracts, and how to extract greater value from software investments.
  • Do-It-Yourself RA for Small Operators and MVNOs interview with Mark Yelland — Budget-minded small operators and MVNOs are no longer hamstrung in RA capability anymore.  This article offers high-leverage strategies for operators who cannot afford expensive RA software tools.  With  data access, brains, and a DIY philosophy, any small operator can map a  path to greater RA savings, maturity, and program growth.
  • Revenue Assurance Maturity: Report From the Arena interview with Eric Nelson — Revenue assurance maturity can‘t be easily computed.  How do you  compare the KPIs of Comcast billing with that of mobile money RA in Western Africa?  Even still, this article offers some universal RA wisdom from a straight-shooting veteran of carriers large and small.  Topics discussed include: dashboard or process, COTS vs. inhouse solutions, and tips on gaining internal support for the RA practice.