350 likes | 521 Views
Fighting Telesex Fraud in Brasil. clifford m jordan Embratel – Fraud Control Manager FIINA Conference Berlin, October 2003. Origins of Fraud Related to Telesex. Consumer Fraud Telephone clients fraud in order to access PRS services (Telesex) without intent to pay. Clip-on
E N D
Fighting Telesex Fraud in Brasil clifford m jordan Embratel – Fraud Control Manager FIINA Conference Berlin, October 2003
Origins of Fraud Related to Telesex • Consumer Fraud Telephone clients fraud in order to access PRS services (Telesex) without intent to pay. • Clip-on • Subscription Fraud • PABX Fraud • Employee misuse of company telephones • Vendor Fraud: Vendor of Telesex services frauds in order to increase his revenue • Subscription Fraud • Product Fraud • Artificial Traffic We will discuss all these types of Fraud
Telecom Environment – before June 2000 • Two companies legally providing Intl service: Embratel and Intelig • PIC Code started in June 1999 which allows casual calling. • Embratel – 021 (domestic) • Embratel – 0021 (international) • Intelig – 023 (domestic) • Intelig – 0023 (international) • Embratel started billing customers in Jan 2000 • High trends in bad debt were discovered in March 2000 and executives decided that blocking of customers is necessary. • High numbers of complaints from customers not recognizing international calls to telesex numbers on their phone bills. • International blocking capability put into production in July 2000 (blocking in the switch) • First blocks were for call sell operations and very large volume telesex offenders – reason was for Suspicion of Fraud • Embratel´s first official Fraud Control department started in Sep 2000
Telesex Environment – before June 2000 • Telesex Advertisements on TV and Newspaper (2 – 3 pages daily filled with small ads) with phone numbers of the pattern – 0021-xxx-xxxx • Striptease Television Program airing nightly at midnight sponsored entirely by Telesex calls. During the striptease performances, an International Telesex phone number would be shown with the pattern – 0021-xxx-xxxx • Data from one day in July 2000 showed: • Moldova Telesex: 11704 calls = 50428 mins • Guiné Bissau Telesex: 18903 calls = 108688 mins • São Tome Principe Telesex: 30088 calls = 159299 mins • Total: 60695 calls = 318415 mins • Estimated value of traffic: ~$500k per day • Phone sex was big business in Brasil
Initial Hot Countries - June 2000 • Sao Tome and Principe (Carrier A) • Recordings (audiotext) • Live conversations with girls in Copacabana • Guinea Bissau (Carrier B) • Recordings • Moldovia (Carrier C) • Recordings
Flow of Money for Intl Telesex Service: • Client A uses International Telesex Service • Client A pays Long Distance Provider for calls on invoice • Long Distance Provider pays International Carrier a percentage for interconnect costs • International Carrier pays a percentage to Service Bureau (Level 1) • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2) • Service Bureau (Level 2) pays a percentage to Service Bureau (Level X) • Service Bureau (Level X) pays a percentage to Content Provider Client A Long Distance Provider International Carrier Service Bureau Level 1 Service Bureau Level 2 Service Bureau Level X Content Provider
How Telesex Calls were Routed • The subtle fraud: • The customer sees an advertisement on TV telling him to call: 0021-239-xxxx to speak with a Brazilian girl. • The customer speaks with a girl in Copacabana, Rio de Janeiro • The result: • Customer believes he made DOMESTIC long distance call Carrier A São Tome and Principe • The result for Embratel: • The customer receives invoice with calls to São Tome and Principe and claims never to have called or spoken to anyone in São Tome and Principe. • The customer does not pay! Brazil Rio de Janeiro
How Telesex Calls were Routed Moldova Audiotext Recording Carrier C Brazil
Provisioning of Telesex Service: To access the content, the destination phone numbers must be provisioned. Who provisioned the phone numbers of pattern 0021-xxx-xxxx ??? Possible Suspects are: • International Carrier • Service Bureau (Level 1) Client A Long Distance Provider International Carrier Service Bureau Level 1 Service Bureau Level 2 Service Bureau Level X Content Provider
Aug 2000 - Oct 2000 • Embratel began researching all callers of Telesex and started blocking the worst offenders for fraud. • Result: The amount of daily traffic decreased to about 15000 calls per day = 75000 mins. This is a decrease of 75%. • However, the losses in October 2000 still at about $125K per day.
Oct 2000 • Executives made decision to stop Telesex • Reasons: • High number of customer complaints due to: • Clip-On, Subscription Fraud, PABX Fraud, Employee Misuse of Company Telephones... • Bad publicity and company image problems • Heavy Bad Debt losses (not measured at the time) • Embratel Regulatory Dpt expressed fear of taking drastic actions to stop Telesex • Reasons: • Embratel would not be fully compliant with Anatel rule that they provide service to all destinations worldwide • Possible customer complaints about blocking telesex traffic. Good customers may demand their rights to call telesex destinations. • Compromise Struck • Re-route all traffic to Telesex dominated countries to the International Operators. • Have the International Operators record the Client Name, and CPF (social security number) • Inform the customer of the destination country and the high tariffs. • Allow the Operator to complete the call. • Send letter to Intl Carriers saying that Embratel would no longer pay for any International traffic that was considered Telesex. • Procon in São Paulo was consulted and gave thumbs up.
Nov 2000 • Plan put into production – All traffic to Hot Telesex Countries re-routed to the Intl Operators. • Problem: • The demand outweighed the Operator Center´s ability to handle it. • TMA for these calls was between 5-10 minutes • Abandonment rate was between 30 and 80% • Of those customers that spoke to operator, only 3-4% provided the information and wanted to complete the call. Of the total amount this was about 2%. • Solution: • Do Nothing, wait for the complaints to come in.
Dec 2000 – July 2001 • Dec 2000: • Investigated ECTEL FraudView System – Primarily to fight call-sell fraud which was our number one priority now that Telesex was under “control”. • Jan 2001: • Contracted Alcatel to develop STP Infusion which would: • provide realtime blacklisting capability for up to 11 million terminals. • query the blacklist and route the call within 5 tenths of a second. • May 2001: • Signed contract to purchase FraudView system with probes on 100% of all International Voice Links • Unique Ability of FraudView: Allows us to induce a disconnect of the call by the automatic insertion of silence on the line in realtime. • July 2001: • Installation of FraudView complete and system is put into production. • July 30, 2001 – Decided to take a stronger stance agains Telesex and thus D-Day declared internaly on Telesex! No one opposed! • All Telesex re-directs were undone and FraudView was used exclusively to fight this fraud via insertion of silence.
Aug 2001 • A new twist in the fight: • Despite the insertion of silence long duration calls were occuring to these international telesex destinations. • What sort of traffic was this? Who is interested in generating and enduring an hour or more of pure telesex silence??? • Answer: Someone who is not interested in communicating. But rather someone who is simply interested in the duration of the call. Hence the discovery of Artificial Traffic in Brasil • The fraudsters receive their money based on the number of minutes of total calling duration and not on what was communicated. Therefore it was in their interest to insure that as many minutes of traffic are logged to these destination. • How we fought Artificial Traffic: • We re-redirected all the calls to these Telesex hot countries to the operators and instructed the operators to not complete any calls where they hear silence on the line. • If the operators were to hear anything in the beginning of the call that was indicative of Telesex, they were instructed to report the destination number to Fraud Control who then would perform an investigation and then would blacklist the destination in FraudView
Artificial Traffic to Telesex Countries 2 weeks of Insertion of Silence Only Re-Directs to Operators Lifted Re-Directs to Operators Returned
Call Sell Traffic to Arabic Countries Effectiveness of Silence Insertion On Call-Sell!
Dec 2001 • New 800 Pre-paid phone card telesex service.... • Complaints of kids purchasing phone cards. Prompted legal actions against service. • Public advertisements were considered by many as too risque which prompted community action. • Service very likely to have suffered from fraud attempts boosting 800 charges. • Service dies a quick death within a month.
Jan 2002 – Mar 2002 • Detected Telesex calls to Guiana (592) • Television program advertising calls in the late hours. It was seen by someone in Embratel who communicated the occurance to us. • Inserted silence on all the calls, but long duration calls persisted, giving evidence to Artificial Traffic. • Re-routed all calls to certain prefixes in Guiana through the Embratel Intl Operators to filter in the same way we were doing for all other telesex calls. • STP Infusion put into production allowing us to: • block any A number from making domestic or international calls or receiving collect calls. • Block any B number from receiving calls. • Quickly input all Telesex destinations into blacklist thus preventing the completion of any calls.
April 6 2002 • New Supreme Court Decision in Brasil regarding Telesex calls: • Case: Angela Maria da Cruz versus TELERJ (Telecomunicações do Rio de Janeiro) • June and July of 1996, International Telesex phone calls were made from Angela´s phone and she was invoiced by TELRJ to the tune of R$15000. • For not paying, her name was registered with Serasa (register of Bad Debtors). • Angela sued TELERJ, won the case, got her name removed from Serasa, and won R$6000 in punitive damages. • Because of this case, the STJ (Superior Tribunal de Justiça) stated that Telesex calls are NOT Typical of Normal use of the Telephone and therefore require the prior agreement of the owner of the line in order to bill for the calls.
April 6 2002 Intl Audiotext
Aug 2002 – Dialers!!! • Started getting complaints of unrecognized calls to Liechtenstein. • Investigated and found that the destinations were modems and not voice. • Customer Service was able to identify from the customer complaints that these calls were from Internet Dialers. • We started investigating this but found that nobody, including the local telcos understood what they were or how they worked. • For fear of having our network infected with trojans and viruses, we did not actively search the Internet for them. • We hard blocked all calls to these numbers in Liechtenstein. • We developed filters in FraudView that would look for B-numbers in smaller countries with many calls. If we found that the origens of the calls was spread throughout Brasil, it was a strong indication of a dialer and further investigation was done. • We also began to discuss the issue with other Telcos in Brasil actively sharing dialer destinations that were found.
Jan 2003 • Attended Audiotext Conference in Las Vegas to learn more about Audiotext Telesex and Dialers. Internext Conference, Jan 6, 2003
Flow of Money for Intl Dialer Usage: • Client A uses International Dialer Service • Client A pays Long Distance Provider for calls on invoice • Long Distance Provider pays International Carrier a percentage for interconnect costs • International Carrier pays a percentage to Service Bureau (Level 1) • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2) • Service Bureau (Level 2) pays a percentage to Service Bureau (Level X) • Service Bureau (Level X) pays a percentage to Content Provider Client A Long Distance Provider International Carrier Service Bureau Level 1 Service Bureau Level 2 Service Bureau Level X Content Provider
Jan 2003 Example of Level 1 Service Bureau: Internext Conference, Jan 6, 2003
Jan 2003 Another Example of Level 1 Service Bureau: Internext Conference, Jan 6, 2003
May 2003 • Added PC´s to Embratel Fraud Laboratory dedicated to downloading and executing dialers to determine the destinations. • Found some examples of “Good Dialers” • Explain to user about modem disconnect/reconnect in language of client • Do not silence the modem • Ask client of the age • Give price per minute of call • Found some examples of “Bad Dialers” • Lacking in one of the items above • Malicious in nature – loading trojans and viruses on machine
Example of “Good Dialer” Choose your Originating Country so dialer knows how to dial out. Page 1
Example of “Good Dialer” Choose type of Access. “MODEM/ISDN” will give you a Dialer “CABLE-DSL/LAN-WEBTV” will give you an intl phone number to call. Page 2
Example of “Good Dialer” Download and Open Dialer. Page 3
Example of “Good Dialer” Executing the Dialer. Notice the option of “Silent Dialing” In some “Bad Dialers” this is the default Page 4
Example of “Good Dialer” Executing the Dialer... Logging into the site. Observation: To prevent unauthorized access from direct connect, an IP address is auotmatically assigned to client on Login, and website will only work for that IP range Page 5
Example of “Bad Dialer” • Look up in Google key words: • Hobby Hacker Carding • Go to sites and download dialer and execute • Dialer will silence modem tones and will not give any information of what it is doing. • In addition to being connected to an international destination, your machine will be infected with various trojans and viruses inabling your machine and requiring re-loading of the operating system. ! ! • Please do not try this on a machine with: • A LAN connection • Important or Sensitive Information • A Critical Function
Summary of Telesex Fraud • If you choose to allow Telesex traffic, to fight fraud you will need to insure you take preventative actions for: • Subscription Fraud • Clip-On • Card Fraud • PABX Attacks • Employee Misuse of Telephone • Watch for Artificial Traffic • If you choose NOT to allow Telesex traffic you will need to: • Block International Telesex Destination Numbers • Networking to learn of new numbers and number ranges • See FIINA list of PRS Destinations • Maintain close contact with Customer Service • Look for International Destinations with wide dispersion of origens and with many long duration calls (case of dialers)
Contact Information: clifford m jordan manager fraud control and prevention Embratel 55-21-2121-2112 – office 55-21-2121-3267 – fax cliff@embratel.com.br cliff.jordan@mci.com