IRSF Detection and Protection with “PRISM”

IRSF Protection with PRISM

  • Upload
    xintec


DESCRIPTION

Equipped with PRISM, a live database of over 40,000 International Revenue Share test numbers, XINTEC is your perfect ally in the fight against International Revenue Share Fraud (IRSF) attacks. International Revenue Share test numbers are numbers provided by a reseller to test that a revenue share destination and number range can be connected from a calling location. These test numbers are extremely valuable if used in a “hot list” to alert CSPs of a possible or pending IRSF attack. Please browse through the slideshow for more information.

Page 1: IRSF Protection with PRISM

IRSF Detection and Protection with “PRISM”

Contents

• Introduction to IRSF
• Recent case studies
• Law Enforcement action re IRSF
• Introduction to IRSF – 5 Stages
• IPR Number Resellers
• Number Misappropriation (Hijacking)
• Industry initiatives to reduce IRSF losses
• Industry’s contributing factors to IRSF
• Risk mitigation & recommendations

Introduction to IRSF

There are a number of definitions available to describe IRSF. A simple description would be:

Using fraudulent access to an Operator’s network to artificially inflate traffic to numbers obtained from an International Premium Rate Number Provider, for which payment will be received by the Fraudster (on a revenue share basis with the number provider) for every minute of traffic generated into those numbers.

What is our view of the fraudster?

• Personality crosses all known profiles of a Fraudster – primarily greed

• Varies from an inexperienced fraudster to an organised crime boss to a fringe extremist group wishing to fund terrorism

• Many of those making the calls are ‘Moles’ employed for this purpose

• The experienced IRS Fraudsters will have teams dedicated to research, strategy and gathering intelligence on future targets

• All have one goal, and that is to deprive operators of as much revenue as possible

Recent Case Studies: USA & Barcelona

Case Study No. 1 USA

• Small USA network operator providing service to SMEs
  o 2 PBXs hacked with IRSF losses of $US160,000 suffered in 30 hours
  o Their carrier discovered the fraud and served immediate notice that they required full payment within 2 days
• Carrier unable to pay and only option was to close down
• Asked for assistance and was able to provide sufficient information to get debt reduced with time to pay
• Confirmation that IRSF will impact any operator, irrespective of size, location or services offered, and losses could have been significantly reduced by effective Risk Management

Case Study No. 2 Barcelona - Handset Theft

• Major issue impacting many operators who have customers roaming in Spain
  o Barcelona well known as the ‘Pickpocket’ capital
  o Since Jan 2013, an average of 260 mobiles per month have been stolen and the SIM cards used for IRSF
  o All 4 major Spanish networks being used, losses per SIM card can be as high as €10,000 per hour

• Fraudsters using combination of International Call Forward, multi party calling, and associated PBX Fraud

• Also discovered that some roamers are selling their mobiles for €500 and then reporting them stolen later!


Law Enforcement action for IRSF

• We cannot rely on Law Enforcement to investigate IRSF, prosecute fraudsters and seek reparation for operators

• Investigating IRSF is complex, typically
  • Extending across 3 or 4 international borders
  • Simply determining jurisdiction will be a challenge
  • A recent USA IRSF investigation took almost 3 years to complete by an operator and Federal agency task force
    o Principals were arrested in Asia for IRSF involving tens of millions of dollars
    o Before extradition could be arranged, fraudsters were bailed and fled to Pakistan.

The 5 Basic steps to IRSF

1 Access a Network
2 Obtain IRSF Nos.
3 Generate the calls
4 Receive payment
5 Determine loss

Access to a Network

• Fraudster must obtain the means to make these calls
• To maximise income, preferably at no cost to Fraudster
• Common ‘Primary Frauds’ to gain access are:
  o Subscription Fraud
  o SIM Cloning
  o Theft of handsets or SIM cards
  o PBX Hacking
  o Wangiri Fraud
  o Arbitrage (Requires the exploitation of a bundled or discounted tariff offering calls at less cost than any IRS pay-out offered)


Obtain IRSF Numbers

• Fraudster may have existing relationship with IPRN Provider; if not, will search Internet to find one

• Obtains a ‘Test Number’ from Reseller website
• Will choose a destination with good pay-out (Latvia €0.17c)
• Calls Test Number to confirm a call will connect
• Once confirmed, will request numbers from IPRN Provider
• Request will include an estimate of minutes to be generated
• Will include his bank account details so that funds based on minutes generated can be credited every 7 to 30 days


Generate traffic

• Once IRS numbers issued, Fraudster starts generating calls
• To maximise revenues, Fraudster will utilise network services to generate overlapping, simultaneous calls
• Such services will include International Call Forwarding, Multi-Party calling, combining PBX with CFW mobile SIM
• Fraudster will continue this activity until originating number range owner becomes aware of fraud and blocks access
• Typically the Fraudster will then move to another fraudulent access and continue calling additional numbers provided by the IPR Number Provider


Receive payment

• In most circumstances the originating number range holder is required to make payment for this fraudulent traffic
  o Existing Roaming or Interconnect agreement requirement
• Initial payment made to roaming or interconnect partner
• Payment continues down value chain to reach the terminating number range owner
• Terminating operator retains his share and pays IPRN Provider
• IPRN Provider shares this balance by paying the Fraudster (e.g. €0.17c per minute for calls to Latvia) and retaining the balance


Determining loss

• Originating Number range holder has made full payment
• In case of Subscription or other SIM based fraud, little or no chance of recovering this from the fraudster.
• In case of PBX Fraud, typically the network provider will attempt to recover cost of fraud from the PBX user
• In many cases this will result in a dispute, unwanted publicity and customer churn unless network provider accepts all or part of this loss

• PBX user will typically argue that their network provider should have discovered such a huge increase in calling activity

• All other transit operators, IRS Number owner, number reseller and fraudster have benefited from this fraud


IPR Number Resellers

• Number of Resellers continues to increase:
  o 17 in 2009
  o 47 in 2012
  o 85 in October 2013
• 400% increase in 4 years
• Most of this increase results from those wanting to exploit IRSF revenues
• Many now acting as Number Wholesalers

Number Misappropriation (Hijacking)

• Usually involves Country numbers with high termination rates – e.g. Small Island nation at $US0.65c
• Fraudsters will act in collusion with a dishonest carrier
• Advertise ‘below cost’ rates into country to attract operators looking for Least Cost Routing (LCR)
• Calls will be routed in a certain direction to ensure that they hit the ‘dishonest operator’s’ network
• Once there, they will be filtered out and ‘short-stopped’ outside the Country to which the CC applies
• Payment follows the same value chain as the call routing

Industry initiatives to reduce IRSF losses?

• Very little industry progress to stop IRSF/Hijacking
• ITU misuse reporting is not currently being supported
• I3 Forum has published guidelines, but again, these are not being supported by all of their membership
• BEREC have issued guidelines re with-holding payment however these apply only to European operators and are complex
• Continued lack of cooperation within the operator community
• Regretfully, the Fraudsters appear to be better organised to take full advantage of industry weaknesses

Industry’s ability to implement initiatives for steps 1 – 5 of IRSF

1 Access a Network
2 Obtain IRSF Nos.
3 Generate the calls
4 Receive payment
5 Determine loss

Access to a network

• Subscription Fraud and its variations can be reduced with effective Fraud Management Systems
• SIM cloning can be eliminated by upgrading algorithm
• PBX Fraud can be reduced by implementing fraud awareness programs and audits for business customers
• Arbitrage can be avoided by ensuring that risk reviews are completed on all new products, services and tariffs
• Invest in a fraud management solution

However, controls must be relative to preventing fraud while minimising customer impact.


Obtaining IPR Numbers

• IPR Number Resellers have increased by 400% since 2009
• 85+ are now competing to attract fraudsters to them
• Up to 75% of fraudsters embarking on an IRS Fraud will call a Test Number, provided by the Reseller first.
• Most of these Test Numbers are now available in a database as an IRSF detection tool

Implement a cost effective Fraud Management System which uses a Test Number Database as a hotlist. This alerts a CSP to a potential IRSF incident and has already shown benefits


Generate traffic

• Reduce the opportunity for fraudsters to maximise revenues by:
  o Removing International Call Forwarding and Multi Party calling from roaming customer SIMs
  o Ensure that automated systems are in place to analyse NRTRDE records 24x7 and refer alerts to analysts
  o Ensure automated systems are in place to notify analysts 24x7 of calls to known IRSF destinations

Up to 87% of all reported IRSF occurs between 8.00pm Friday and 8.00am Monday. If the fraud function does not operate during this period, alternatives must be identified.


Receive Payment

• Early identification of IRSF does provide opportunities to negotiate payment withholding by partners

• Position is strengthened if impacted operator is able to confirm that IRSF losses relate to a hijacked number range

The earlier an incident is identified, the less the fraud loss will be, so early detection is critical.


Determining Loss

• In most situations, it will be the originating number owner who will suffer the loss for IRSF, and it is their responsibility to ensure that they have systems and processes in place to minimise these losses.

• Accurate reporting with supporting information is essential to identify true losses, identify control weaknesses and enable future detection/prevention to be improved

Fraud management solutions have good reporting capabilities and will support the creation of future intelligence in the fight against IRSF


PRISM

IRS Test Number Database


PRISM

• YFCL are monitoring the IPR Number Reseller websites and developed an IRS Test Number Database (PRISM)
• This database currently contains over 40,000 test numbers
  o PRISM has been made available on a subscription basis to operators since the 21 August 2013
  o It is used as a ‘hot-list’ within an FMS to alert operators when a Test Number has been called
  o It has proved to be very effective at identifying IRSF
  o Test Numbers are updated every 6-8 weeks to ensure that they remain current

Example of IRSF Test Numbers

Date        Time      A Number     B Number     Call Duration
30/03/2013  05:17:33  XXX977860XX  23221104397  7
30/03/2013  05:32:14  XXX977860XX  23221104397  5
30/03/2013  05:57:22  XXX977860XX  23221104397  5
30/03/2013  06:03:41  XXX977860XX  23221300284  19
30/03/2013  06:13:55  XXX977860XX  23221300284  601
30/03/2013  06:13:57  XXX977860XX  23221300284  581
30/03/2013  06:13:58  XXX977860XX  23221300284  538
30/03/2013  06:13:58  XXX977860XX  23221300284  551
30/03/2013  06:14:01  XXX977860XX  23221300284  576
30/03/2013  06:14:01  XXX977860XX  23221300284  592
30/03/2013  06:14:02  XXX977860XX  23221300284  543
30/03/2013  06:14:03  XXX977860XX  23221300284  575
30/03/2013  06:14:05  XXX977860XX  23221300284  530
30/03/2013  06:14:06  XXX977860XX  23221300284  593
30/03/2013  06:14:07  XXX977860XX  23221300284  498
30/03/2013  06:14:07  XXX977860XX  23221300284  588
30/03/2013  06:14:08  XXX977860XX  23221300284  545

Calls to a Test Number in Sierra Leone. 3 Calls all short duration. (Duration in seconds).

IRSF commences 46 minutes after calls to Test Number. This fraud continued for 4 hours with a loss to the carrier of over $US 52,000. Could this have been avoided or reduced if an alert had been generated once the Test Number was called?

Sierra Leone Test Numbers available on number reseller’s website in March 2013.

Sierra Leone  23221341844  https://www.reaxxxxxxxxts.com/
Sierra Leone  23221104397  https://www.reaxxxxxxxxts.com/
Sierra Leone  23221201721  https://www.reaxxxxxxxxts.com/

Sierra Leone Test Numbers from the same website in July 2013. Note changes.

Sierra Leone  23221341838  https://www.reaxxxxxxxxts.com/
Sierra Leone  23221104344  https://www.reaxxxxxxxxts.com/
Sierra Leone  23221201740  https://www.reaxxxxxxxxts.com/
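The hot-list check this slide argues for, run over the slide's own call records, as an added example that is not part of the original presentation or of PRISM. The function names are hypothetical, and the hot list is assumed to hold only the three March 2013 test numbers shown above.

```python
from datetime import datetime, timedelta

# Hot list: the three March 2013 Sierra Leone test numbers listed on the slide.
HOTLIST = {"23221341844", "23221104397", "23221201721"}
A_NUMBER = "XXX977860XX"  # masked on the slide; kept as-is
# (start time, B number, duration in seconds) copied from the slide's table.
CDRS = [
    ("05:17:33", "23221104397", 7), ("05:32:14", "23221104397", 5),
    ("05:57:22", "23221104397", 5), ("06:03:41", "23221300284", 19),
    ("06:13:55", "23221300284", 601), ("06:13:57", "23221300284", 581),
    ("06:13:58", "23221300284", 538), ("06:13:58", "23221300284", 551),
    ("06:14:01", "23221300284", 576), ("06:14:01", "23221300284", 592),
    ("06:14:02", "23221300284", 543), ("06:14:03", "23221300284", 575),
    ("06:14:05", "23221300284", 530), ("06:14:06", "23221300284", 593),
    ("06:14:07", "23221300284", 498), ("06:14:07", "23221300284", 588),
    ("06:14:08", "23221300284", 545),
]

def parse(rows, day="30/03/2013"):
    """Build call records with start/end datetimes, sorted by start time."""
    calls = []
    for clock, b_number, seconds in rows:
        start = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M:%S")
        calls.append({"a": A_NUMBER, "b": b_number, "start": start,
                      "end": start + timedelta(seconds=seconds)})
    return sorted(calls, key=lambda c: c["start"])

def hotlist_hits(calls, hotlist):
    """Calls to a known test number: the early-warning signal."""
    return [c for c in calls if c["b"] in hotlist]

def lead_time(calls, hotlist):
    """Gap between the first hot-list hit and the first later call to any other number."""
    hits = hotlist_hits(calls, hotlist)
    if not hits:
        return None
    later = [c["start"] for c in calls
             if c["b"] not in hotlist and c["start"] > hits[0]["start"]]
    return min(later) - hits[0]["start"] if later else None

def peak_concurrency(calls):
    """Highest number of overlapping calls, the sign of forwarded or multi-party traffic."""
    events = sorted([(c["start"], 1) for c in calls] + [(c["end"], -1) for c in calls])
    peak = current = 0
    for _, step in events:
        current += step
        peak = max(peak, current)
    return peak

if __name__ == "__main__":
    calls = parse(CDRS)
    print(len(hotlist_hits(calls, HOTLIST)), lead_time(calls, HOTLIST), peak_concurrency(calls))
```

An alert on the first hot-list hit would have fired before any of the long-duration calls started, which is the response window the slide asks about.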


Risk Mitigation and Recommendations

Risk Mitigation and recommendations

Considerations

• IRSF and associated fraud will be around for the foreseeable future

• The lack of Industry progress means operators must implement strong prevention and detection controls

• Law Enforcement action is no deterrent
• Operators who have experienced IRSF are strengthening their controls, fraudsters are constantly searching for soft targets.

• What you spend now to implement controls will be significantly less than you will lose in an IRSF attack

• IRS Fraudsters do not differentiate between Prepaid or Post-paid, both are at risk.

Risk Mitigation and recommendations

Advice

• Question whether you have strong or sufficient controls in place to prevent or detect an IRSF attack?

• Remove International Call Forwarding and multi-party calling capability from roaming SIM cards

• Encourage mobile users to implement SIM pin-lock

• Ensure all Business customers have been advised to check their PBX security – change default Passwords, remove DISA facility if not required etc

Risk Mitigation and recommendations

Tools

• Early detection of likely IRSF activity is essential; losses are likely to increase at €10,000 per hour
• Install an automated Fraud Management System capable of providing you with 24x7 monitoring and correlation to a Test Number database.
• Consider expansion in FM coverage to look at the primary frauds
  • Subscription Fraud
  • SIM Cloning
  • Theft of handsets or SIM cards
  • PBX Hacking
  • Wangiri Fraud

For more information please contact: [email protected]

XINTEC | Whelan House | South County Business Park | Leopardstown | Dublin 18 | Ireland