Email a colleague    

November 2012

International Revenue Share Fraud: Are We Winning the Battle Against Telecom Pirates?

International Revenue Share Fraud: Are We Winning the Battle Against Telecom Pirates?

International Revenue Share Fraud (IRSF) is one of the telecom industry’s most enduring problems.  Yet many of us who are familiar with IRSF have only a foggy notion of how it works and how operators around the globe are coping with the issue.

Well, here to give us a first class briefing on IRSF is a true international expert on the issue, Colin Yates, who only a few months ago left his post as the head of Fraud Management at the Vodafone Group to start a consulting practice.  Our interview covers the bases: the origins of IRSF, typical fraud scenarios, efforts to get international cooperation on the issue, and the future outlook of IRSF.

Dan Baker: Colin, international revenue share fraud is a well-known issue today, but the practice is actually not very old.

Colin Yates Yes, Dan.  It started on the internet and has gradually migrated into mobile and fixed line networks

It was around 2005 or 2006 when IRSF fraud termination in the Pacific Islands really accelerated as a fraud issue.  New technology is what’s really opened up opportunities for fraudsters.

In particular, you can trace the rise in mobile fraud to the success of mobile marketing, particularly the ease of obtaining a Simcard for international roaming.  Most of the fraud methods in those early days involved getting access to SIM cards and using them while roaming to call international revenue share numbers, knowing it would take 24 to 36 hours for those call records to get back to the home network.

In that window of opportunity, the fraudsters could dial as many IRSF numbers as they could before the home network became aware of the traffic and terminated the simcard.

As mobile phone technology progressed, we gave them the smartphone with the ability to make 6 simultaneous calls by utilizing the conference call facility on the handset.  On your mobile handset, you can call a number, put it on hold, then call a second number, put it on hold, etc.  So if the bad guys make 6 calls at once off of one SIM card, at $5 a minute, that’s a pretty nice income.

There were other features as well.  International call forwarding was another boon to fraudsters.  You could call forward a fraudulent simcard to an IRSF number in Somalia for example, make a local call into the forwarded device and have that automatically transferred to an IRSF number in Somalia, which could be repeated after each call connected.

What are the trends in mobile generated IRSF?

Over the last six or seven years, I would say IRSF has changed character, but the problem has not abated.

Back in 2005 or 2006 timeframes, it wasn’t unusual to hear about a fraudster armed with four SIM cards pulling in $100,000 of revenue over a weekend of calls.  The more organized groups with 40 to 50 hijacked SIM cards could pull down several million $ over a weekend.

Then, about four years ago the GSM association approved a project to implement Near Real-Time Roaming Data Exchange (NRTRDE), allowing operators to get their hands on their international roaming call data much faster.  That new process reduced that 24-36 hour time period between the fraud taking place and getting the roaming records at the home network.  So NRTRDE was key to reducing the IRSF window to only 4 hours, which helped to take away many of the big fraud hits.  However despite this initiative, if you have a Fraudster operating with a cluster of 30 or 40 cards with a number of ‘Mules’ making calls at the same time, you can still do plenty of damage -- even in 4 hours, this level of activity can result in losses in the $50,000 to $100,000 range.

Who are the operators getting the traffic?

A lot of the calls were related to premium rate services around the world.  Once again, technology advancements made it easier for the fraudsters to inflate traffic into high value premium rate numbers.  There are now software based techniques to block international premium rate numbers from being completed, which helps operators reduce this risk.

Why Certain Countries are IRSF Destinations

To get around the issue of blocked international premium rate numbers, fraudsters have picked on countries that have high interconnect or termination rates.  If I made a call from the UK into AT&T for example, the international call rate might be 2 cents a minute.  That’s the charge AT&T will bill BT for terminating the call in the U.S.

But in countries such as Cook Island and many other small countries in the Pacific, their international termination rate is more like 60 cents a minute.  This high termination fee is a magnet to fraudsters.  It means the fraudster can make money in a much tighter window.

A common issue now being experienced by the industry is number misappropriation or number hijacking.  For example, a call from the UK to a Pacific Island country code may never get there.  It will be stopped somewhere in the call routing chain and rerouted to an information line, chat line, fortune telling, etc, or simply terminated onto a ringing or other tone

Fraud management teams around the world are closely monitoring the fraud calling destinations and as fraud numbers become known, may block these numbers at their switches Unfortunately , the precise numbers being exploited change on a daily basis and it’s a constant challenge to keep up with these new numbers.

Colin, why can’t the operator being socked with the huge fraud bill refuse payment?

I know the stop payment option on known fraudulent numbers seems like a good strategy and an obvious way to go.  Unfortunately, we tried doing that believing that if we could stop the money flow, we would disrupt the fraudster’s business case, but we failed.  The problem is, to do that, you need cooperation from every operator in the call transit chain.  The fraudulent calls may pass through 6 or 7 operators to get to their termination point and getting agreement from that many operators is very difficult.  Now you might be able to get 4 out of 5 operators to cooperate, but invariably there’s one operator who won’t give you the routing information you need to identify who they routed the call to.

Bound by International Agreements

In essence, carriers are bound by international agreements for roaming and interconnect payments.  And as you might expect, the terms of these agreements were made long before IRSF came into existence.  The basic GSMA roaming agreement for example, which is bilaterally agreed between two operators says that the originating operator must pay for all calls originating from his network — whether it is fraud or not.

It’s a big controversy and I personally feel that the originating carrier has the right to know how his call was routed.

When it comes to payment time, each operator just pays the operator he passed the calls off to, with no knowledge who is next in that payment chain.

The Body of European Regulators (BEREC) are beginning to appreciate this issue more, and are currently talking about how to make it easier for operators to extract the details of exact routing of every call that may have been made fraudulently.  That would be a very big help indeed.  It will help operators ultimately to stop the money, which will reduce the problem, but the fraudsters will simply move onto something else.

What’s the impact of IRSF on all-IP networks and LTE?

More and more business customers are now moving to IP-PBXs and this can actually make it easier for technology savvy fraudsters to penetrate and use this access for IRSF.  However the vulnerabilities of some traditional PBX’s, which have allowed fraudsters easy access to networks for the past 10 years or so, are still cropping up on a weekly basis.

And the people involved are more sophisticated now: it’s organized crime, people who can afford to hire those with the knowledge to penetrate any controls put in place.

As the industry works on LTE and next generation networks and making sure we have effective security controls around that, we can guarantee that groups of fraudsters are also working hard to break those defenses.

I have no doubt that fraudsters will find ways around every obstacle we put in front of them.  They always do.  This is not their hobby, it is their business.

Going back six or seven years, most of the IRS fraud was called through fraudulent SIMs that were roaming.  But now we’re seeing a lot more through PBXs.  For instance, there are some groups based in the Philippines who are continually dialing out to nations of the world looking for a PBX that they can hack.  This could be through an insecure DISA line, a maintenance port or any other vulnerable entry point where they can gain access to an outgoing trunk.  They then contact their organized crime associates who pay them for that information and then use the access it provides to make IRSF calls.

Today, many in the industry believe that the PBX has become more common as an IRSF enabler than the mobile phone with fraudulent SIMs.

Are we making any headway as far as industry cooperation in IRSF?

Yes, various industry groups maintain a database of the latest fraudulent numbers.  A lot of information sharing goes on between operators who accept that fraud management is a non-competitive area of the business.  If a range of fraudulent numbers is found in say, a small African country, these will get reported through industry forums such as the GSM Association or the Communications Fraud Control Association, and a hot list is generated.

This is one area where Xintec offers a viable solution to keep the hot lists updated.  That helps you identify the known numbers being used for fraud and these are being updated on a daily basis.  Unfortunately someone has to have a fraud hit to find out what these new numbers being used are.

What’s being done to alleviate the issues in the Pacific Islands?

Well, the Pacific Island operators are very concerned at the impact this number hijacking is having on their customers, their communities and their reputation with other international operators.  This is something which is out of their control and really, they are also victims of this fraud.  Some of these islands only have a customer base of 2,000 or so people and some operators around the world are blocking the whole range in an Island from receiving calls because of a perceived fraud risk.  So if an islands number range is hijacked, it may take a couple of days before the routing returns to normal.

Typically we know the country codes where revenue share fraud is taking place, so Fraud Detection System thresholds on calls to those countries will to try to identify them early.

I’ve been recently working with the Pacific Island Telecom Association.  Because most islands have such high termination rates, they are very popular for revenue share.  The majority of Pacific Islands won’t entertain relationships with any of the number aggregators offering the numbers.

The fraudsters will likely have a relationship with a dishonest or unscrupulous operator which could be a traditional or Voice over IP operator who will terminate the traffic destined for those islands outside that country.  We call it short-stopping.  They will stop the call before it gets to the correct country, so it can be terminated into another country onto a voice mail system, information line or recorded message.  That’s instead of forwarding the call through the approved routing for termination in the correct country.  Because it’s a Pacific country code, it’s still billed at around 60 cents a minute instead of a few cents if the real termination rate for the country where it actually terminates was used..

This is highly interesting stuff, Colin.  But I’m still confused about how IRSF is pulled off.  What’s the role of the various parities in the IRSF transaction?  And how do some of these fraudsters get into the business in the first place.

Dan, IRSF scenarios can be very confusing and the fraudsters have an interest in keeping it that way to cover their tracks.  The following diagram and explanation shows a typical IRSF scenario using mobile roaming.

International Revenue Share Fraud
Mobile Roaming Scenario

IRSF Scenario

The flow of the IRSF case above is as follows:

  • Fraudster obtains Simcards (fraudulently) from the HPMN (Home Network) and takes these across an international border to a VPMN (Visited Network) and calls IRS numbers
  • HPMN receives no payment for these calls but must pay the VPMN for their origination
  • VPMN must then pay Carrier 1 to whom he passed the call.  In turn, Carrier 1 must pay Carrier 2, and so on, until the payment reaches the IPRN (International Premium Rate Network) provider.  The IPRN will, in turn pay Content Provider for supplying its content and keeping the call minutes as long as possible to increase the billing charge.
  • Content Provider will have a relationship with Fraudster who shares the proceeds.  Often the IPRN provider and the content provider are the same person.
  • In this case the IPRN provider will have leased or purchased number ranges from the Number Range Holder

How Fraudsters Advertise Themselves

Frankly, IRSF is a fairly easy business to get into.  Do a Google search on international premium numbers and you’ll see how many International Number Aggregators are advertising for business.  It’s all there: a sign up form and a registration page detailing how much they pay you for generating traffic to their numbers, which in some cases may be hijacked ranges.  What they are looking for is companies and individuals who are willing to drive or inflate traffic to those phone numbers.  And the numbers are often provided, and payments settled on a 15 to 30 day basis.

Between 2009 and 2012, the number of sites has increased 140%.  So there are more fraud groups who are realizing the monetary benefits of this fraud.  In short, the number of fraudsters is increasing.

It is important to emphasize that not all revenue share number aggregators are fraudsters.  There are legitimate operations out there who are offering genuine terminations into the correct country for various information services, voting lines etc.  However my own analysis of the huge increase in the number of sites offering these numbers would indicate that many of these sites are either advertising numbers without the authority or knowledge of the number range holder, terminating the numbers against ITU recommendations, or not performing any due diligence on those they are supplying the numbers to.

The fraudsters live and operate all around the world.  There are many in Europe, the Middle East and Africa and South America.

The IRSF Number Providers

The number aggregators involved in this are generally not licensed telecom operators at all.  I guess the closest description would be to call them international revenue share number providers.  They are not really premium rate number providers as most of the numbers they are terminating calls on are not classified as premium rate under the ITU definitions, but simply assigned or unassigned numbers into a country which attracts a high termination rate.  But they are not licensed by any government or agency nor do they report to any regulatory authority.

They are offering numbers in countries where they have no relationship, particularly some in the Pacific Islands.  The operators in those countries have no idea that their numbers are being compromised until they are advised by another operator, or receive complaints from their customers.

There are however many telecom operators around the world who are prepared to offer their numbers to these number aggregators either on a lease or revenue share basis.

Why It’s Hard to Detect and Reconstruct IRSF Cases

It’s often difficult to get law enforcement involved in investigating IRSF because generally it’s so complex as it crosses so many international boundaries.  A typical example could be where you have a SIM card from the UK being obtained by a fraudster using a stolen identity and shipped to another fraudster in Spain to make calls to revenue share numbers in Somalia, with the fraudulent proceeds being transferred to a criminal gang in Pakistan.  So in that case you’ve got three international boundaries to sort out with fraudsters operating in 3 or 4 different jurisdictions.  So the police often throw up their hands citing the jurisdictional issues and uncertainty of where the actual fraud occurred. .

You need two sides to make it work.  At the terminating end, the idea is to keep the person on the line as long as possible to drive up the fraudulent revenue.  It may be just a voice recording asking you to hold.  Or they might say, “You’ve just won a prize.  Please wait for more details”.  Other fraudsters will just have a reoccurring message to keep the caller on the line.  They might keep a call open for close to 60 minutes.

Of course, the person calling is usually a fraudster as well.  In some cases, they will terminate the call at say 55 to 57 minutes knowing a number of fraud management systems are programmed to alert for calls that are an hour or longer to a high risk destination.

So there are two scenarios.  You have some calls that are automatically generated.  And then consumers are calling the numbers.  And there are cases where consumers are looking for an opportunity to make some money.  In the end someone has to pay to terminate these calls, but if there is no customer to bill because the connection is fraudulent then the originating operator has to pay and carry that loss.

Colin, in your new fraud management consulting firm you struck up a relationship with Xintec.

Yes, when I left my job as Group Head of Fraud Management at Vodafone in July 2012, Xintec offered me the opportunity to become their consultant.  When I was first getting into the fraud management business, I started talking about the need for the industry to have a lower cost entry level into fraud management systems for smaller operators.

Their solutions have become very successful for tier 2 or 3 operators.  With Xintec, operators have the opportunity to do 80% of their fraud detection without spending a million dollars.  It’s a good business model.

At Vodafone, couldn’t you use the group purchased fraud solution for the many small operators that Vodafone has in its group?

Actually, Vodafone was moving towards that model — a shared service centre environment with one or two centralized fraud management systems that collect core records from other countries.

But privacy issues were just one roadblock.  It’s hard to get the authority for local operators to send their call records to another country.  In the end, this is why we started implementing Xintec solutions into some of our smaller operators.  It ended up being a lot more cost effective as an interim approach until the day when they can establish a centrally managed system.

I think there’s huge potential for group operators to move to a shared fraud management model, and the trend towards cloud-based solutions will probably speed that along.  As I’ve said, political and data sharing issues are blocking the move right now and these may take a long time to resolve.

Colin, thanks much for this detailed and highly interesting briefing on IRSF.  What’s your crystal ball tell you about the future?

Thanks, Dan.  IRSF is a huge problem that the industry finds difficult to manage.  Unless we start getting some localized legislation in countries to stop the money flow, it will continue to be difficult to manage.  Stop the money and you stop the problem.

In my view, the operator shouldn’t be paying money when they know that at the end of the payment chain, a percentage of this is going to get into the hands of fraudsters.  In my view, this money is the proceeds of crime and payment could constitute money laundering.  It is not possible to just pay the legitimate carriers involved in transiting these calls, as in the absence of any transparency in the call routing, it is not possible to identify where in that call routing the call is being terminated.

Copyright 2012 Black Swan Telecom Journal

 

About the Expert

Colin Yates

Colin Yates

Colin Yates has been working in the Telecom Fraud, Security and Investigation areas for 24 years and for the past 6 has held the position of Vodafone’s Group Head of Fraud Management and Investigations, based at the Newbury, UK Vodafone Headquaters, with responsibilities across the Vodafone footprint.

Prior the joining Vodafone, Colin spent 11 years in a similar role with Telecom New Zealand, which he joined after a 19 year career in the New Zealand Police.

Colin left Vodafone in July 2012 to start his own fraud consultancy, Yates Fraud Consulting.  In this capacity he has been appointed as Fraud Consultant to Xintec and is also Fraud Advisor to the Pacific Islands Telecommunications Association (PITA).   Contact Colin via

Related Stories

  • Recruiting Smartphone Users as Partners in Telecom Fraud & Security Control by Tal Eisner — Premium Rate Service (PRS) fraud and spyware on a mobile phone can ruin an operator’s relationship with a  subscriber.  The attacker uses malware to automatically generate phone calls, SMSs and data sessions to high cost (premium) phone numbers.  This article discusses a new crowd sourcing mobile app that addresses the problem and helps operators better manage the threat.
  • Roaming — if Managed Correctly --  Can Be a Spark to Revenues by Brian Silvestri — Major analyst firms are predicting that roaming revenues will almost double in five years.  What’s more, roaming remains at the pivot point of Wireless Carrier strategy.  Drawing lessons from the incredible rise of AT&T’s Digital One Rate Plan, this article points to future challengtes and raises key  questions about how mobile operators will ultimately come to terms with smartphone market profitability, service quality, and data roaming.
  • International Revenue Share Fraud: Are We Winning the Battle Against Telecom Pirates? interview with Colin Yates — International Revenue Share Fraud (IRSF) is one of the telecom industry’s most enduring problems.  Yet many of us have only a foggy notion of how IRSF works and how operators around the globe are coping with the issue. This interview covers the bases: the origins of IRSF, typical fraud scenarios, efforts to get international cooperation on the issue, and the future outlook of IRSF.
  • Roaming Fraud: The Importance of Real-Time Data Exchange and Analysis interview with James Stewart — The Near Real Time Roaming Data Exchange (NRTRDE) is a GSM standard allowing operators to gain fast access to the roaming records of service providers half way around the world.  The article explains how 65 carriers are using this data to combat fraud through a service bureau.  Learn about the dangers of international roaming fraud and the value a roaming service bureau brings to the table.

Related Articles

  • The Grey Market in Prepaid: Tactics to Combat International Bypass via the SIM Box interview with Ahmad Nadeem Syed — SIM box fraud is one of the toughest revenue threats that telecoms face.  It is the redirection of international calls via the internet to drop illegal VoIP traffic onto mobile networks.  This interview with an expert RA and fraud manager provides a detailed overview of the threat scenario, current SIM box tactics, and some creative ideas for bringing this problem under control.
  • Why Deep Packet Inspection Analysis is Essential for Detecting IP Fraud by Dror Eshet — The IP and mobile broadband revolution is in full swing: time for fraud managers to totally rethink their existing controls and areas of exposure.  In this article, a fraud expert discusses the power of DPI technology and the key impact its analysis is having in an FM world where knowing what’s inside the packets is as important as figuring out where those IP packages are going.
  • Flexibility & Fraud Management Systems: 8 Questions for Luke Taylor of Neural Technologies interview with Luke Taylor — Meeting today’s fraud threats is not just about technology, but also the speed of threat detection, the scanning of data outliers, and being enormously flexible.  A leading fraud management vendor takes a bead on current FM issues and points to where software is headed.
  • Recruiting Smartphone Users as Partners in Telecom Fraud & Security Control by Tal Eisner — Premium Rate Service (PRS) fraud and spyware on a mobile phone can ruin an operator’s relationship with a  subscriber.  The attacker uses malware to automatically generate phone calls, SMSs and data sessions to high cost (premium) phone numbers.  This article discusses a new crowd sourcing mobile app that addresses the problem and helps operators better manage the threat.
  • Roaming — if Managed Correctly --  Can Be a Spark to Revenues by Brian Silvestri — Major analyst firms are predicting that roaming revenues will almost double in five years.  What’s more, roaming remains at the pivot point of Wireless Carrier strategy.  Drawing lessons from the incredible rise of AT&T’s Digital One Rate Plan, this article points to future challengtes and raises key  questions about how mobile operators will ultimately come to terms with smartphone market profitability, service quality, and data roaming.
  • What Makes Good Fraud Management Software?  9 Questions for Tal Eisner of cVidya interview with Tal Eisner — How do you know if the fraud management software you own or are considering is a good one?  That’s the starting point of a conversation Black Swan had with a product strategist of a leading FMS vendor.  The article discusses everything from maturity and customer collaboration... to PBX hacking and enabling the FMS to actually enhance the relationship a telco has with its enterprise customers.
  • International Revenue Share Fraud: Are We Winning the Battle Against Telecom Pirates? interview with Colin Yates — International Revenue Share Fraud (IRSF) is one of the telecom industry’s most enduring problems.  Yet many of us have only a foggy notion of how IRSF works and how operators around the globe are coping with the issue. This interview covers the bases: the origins of IRSF, typical fraud scenarios, efforts to get international cooperation on the issue, and the future outlook of IRSF.
  • Fraud Management at Kyivstar in Ukraine interview with Anton Pivala — Kyivstar from Ukraine is a leading mobile operator in both  voice service quality and consumer value.  This case study gives details on Kyivstar’s fraud control program, reveals some of the unique operator challenges faced in Eastern Europe, and explains how Kyivstar is successfully winning the battle against  IRSF and SIMbox fraud.
  • Converging Criminal and Technical Intelligence: Secret to Combating the Explosion in Telecom Fraud and Security Threats interview with Mark Johnson — A fraud and security expert gives a big picture talk on why industry convergence is driving the need for a broader “revenue risk intelligence.”  His prescription?  Yes, telecoms surely need to excel in technical  infrastructure such as traffic usage data, IP intrusion appliances, and physical barriers.  But just as important is the need to pair that knowledge with the real-life lessons of fighting criminals in general.
  • Gratifying Ghana: Why Listening to Operators Trumps Vendor Technology and Size interview with Ludvig Lindqvist — The value of technically excellent software is negated if the solution is not implemented right.  This article makes a strong case that vendors need to focus on first things first — get in full synch with a service provider’s business, capabilities and unique needs before you recommend or implement any software.  Topics discussed include: the benefits of retaining in-house expertise, implementation challenges in Africa, and the meaning of “thorough engagement” with the client.
  • Roaming Fraud: The Importance of Real-Time Data Exchange and Analysis interview with James Stewart — The Near Real Time Roaming Data Exchange (NRTRDE) is a GSM standard allowing operators to gain fast access to the roaming records of service providers half way around the world.  The article explains how 65 carriers are using this data to combat fraud through a service bureau.  Learn about the dangers of international roaming fraud and the value a roaming service bureau brings to the table.
  • Is the M2M Device in Your Refrigerator a Telecom Fraud Threat? interview with Simon Collins — Machine to machine (M2M) technology is being applied in hundreds of monitoring apps, such as smart metering and health diagnosis.  It’s even being used to monitor driving patterns tied to auto insurance rates.  But this article shows the serious M2M fraud and security threat that stem from the theft of the SIM/USIM device used in every M2M device.  The article discusses the RA and fraud strategies operators need to employ to manage the risks that will come from wider M2M deployments.
  • “Fraud Is a Wind that Always Blows” and Other Wisdom From a 28-Year Old Software Firm interview with Gary Beck — Here’s the amazing story of how Beck Computers was pulled out of a Tier 1 account only to be brought back in a few months later.  The article explores software vendor service and support challenges, real-time computing requirements, advanced fraud management functions, and ways to educate management on the value an FMS investment.
  • Insider Fraud: Detecting Criminal Activity in the Telecom Sales Process interview with Tal Eisner — One of the biggest problems telecoms now face is fraud done inside their offices, dealer stores and firewalls.  This type of fraud is especially dangerous because it’s performed by people fully authorized to transact for the company.  The story dicusses the major causes of insider fraud, presents a case study, and explains basic techniques that software uses to detect insider fraud.
  • Fraud & Credit Risk Software: Setting the Client Free to Innovate interview with Luke Taylor — Not every operator wants the freedom to configure its own fraud management solution, but certain providers wouldn‘t live without such a “framework” approach .  This article discusses: the reasons why operator choose this strategy as it covers many other fraud and credit software implementation issues.
  • Why Selling to Business Customers Makes You a High Risk Target for Fraud by David West — There’s a saying in the fraud business: “It’s not a question of whether you’ll be hit by fraud — only when, how bad, and from which direction.“  Citing four recent cases where operators were hit by fraud, this article explains why investing in a fraud soluiont — and keeping up-to-date — are so critical.  The article gives several examples of vulnerability points that fraudsters commonly exploit.