Fighting Telesex Fraud in Brasil

clifford m jordanEmbratel – Fraud Control Manager

FIINA ConferenceBerlin, October 2003

Origins of Fraud Related to Telesex

• Consumer FraudTelephone clients fraud in order to access PRS services (Telesex) without intent to pay.– Clip-on– Subscription Fraud– PABX Fraud– Employee misuse of company telephones

• Vendor Fraud:Vendor of Telesex services frauds in order to increase his revenue– Subscription Fraud – Product Fraud – Artificial Traffic

We will discuss all these types of Fraud

• Two companies legally providing Intl service: Embratel and Intelig• PIC Code started in June 1999 which allows casual calling.

– Embratel – 021 (domestic)– Embratel – 0021 (international)– Intelig – 023 (domestic)– Intelig – 0023 (international)

• Embratel started billing customers in Jan 2000• High trends in bad debt were discovered in March 2000 and

executives decided that blocking of customers is necessary.• High numbers of complaints from customers not recognizing

international calls to telesex numbers on their phone bills.• International blocking capability put into production in July 2000

(blocking in the switch)• First blocks were for call sell operations and very large volume

telesex offenders – reason was for Suspicion of Fraud• Embratel´s first official Fraud Control department started in Sep

2000

Telecom Environment – before June 2000

Telesex Environment – before June 2000

• Telesex Advertisements on TV and Newspaper (2 – 3 pages daily filled with small ads) with phone numbers of the pattern –

0021-xxx-xxxx• Striptease Television Program airing nightly at midnight sponsored

entirely by Telesex calls. During the striptease performances, an International Telesex phone number would be shown with the pattern – 0021-xxx-xxxx

• Data from one day in July 2000 showed:– Moldova Telesex: 11704 calls = 50428 mins– Guiné Bissau Telesex: 18903 calls = 108688 mins– São Tome Principe Telesex: 30088 calls = 159299 mins– Total: 60695 calls = 318415 mins

• Estimated value of traffic: ~$500k per day• Phone sex was big business in Brasil

– Sao Tome and Principe (Carrier A) • Recordings (audiotext)

• Live conversations with girls in Copacabana

– Guinea Bissau (Carrier B)• Recordings

– Moldovia (Carrier C)• Recordings

Initial Hot Countries - June 2000

Client A Long Distance

ProviderInternational

CarrierService Bureau

Level 1Service Bureau

Level XContentProvider

Service BureauLevel 2

Flow of Money for Intl Telesex Service:• Client A uses International Telesex Service

• Client A pays Long Distance Provider for calls on invoice• Long Distance Provider pays International Carrier a

percentage for interconnect costs• International Carrier pays a percentage to Service Bureau (Level 1) • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2)• Service Bureau (Level 2) pays a percentage to Service Bureau (Level X)• Service Bureau (Level X) pays a percentage to Content Provider

How Telesex Calls were Routed

São Tome and Principe

Rio de Janeiro

Brazil

Carrier A

The subtle fraud:• The customer sees an advertisement on TV telling him to call: 0021-239-xxxx to speak with a Brazilian girl. • The customer speaks with a girl in Copacabana, Rio de Janeiro• The result:

Customer believes he made DOMESTIC long distance call

The result for Embratel:• The customer receives invoice with calls to São Tome and Principe and claims never to have called or spoken to anyone in São Tome and Principe. • The customer does not pay!

Moldova

Brazil

Carrier C

Audiotext Recording

How Telesex Calls were Routed

Client A Long Distance

ProviderInternational

CarrierService Bureau

Level 1Service Bureau

Level XContentProvider

Service BureauLevel 2

Provisioning of Telesex Service:

To access the content, the destination phone numbers must be provisioned. Who provisioned the phone numbers of pattern 0021-xxx-xxxx ???

• International Carrier• Service Bureau (Level 1)

Possible Suspects are:

Aug 2000 - Oct 2000

• Embratel began researching all callers of Telesex and started blocking the worst offenders for fraud.

• Result: The amount of daily traffic decreased to about 15000 calls per day = 75000 mins. This is a decrease of 75%.

• However, the losses in October 2000 still at about $125K per day.

Oct 2000• Executives made decision to stop Telesex

– Reasons:• High number of customer complaints due to:

– Clip-On, Subscription Fraud, PABX Fraud, Employee Misuse of Company Telephones...• Bad publicity and company image problems• Heavy Bad Debt losses (not measured at the time)

• Embratel Regulatory Dpt expressed fear of taking drastic actions to stop Telesex

– Reasons:• Embratel would not be fully compliant with Anatel rule that they provide service to all destinations

worldwide• Possible customer complaints about blocking telesex traffic. Good customers may demand their

rights to call telesex destinations.

• Compromise Struck– Re-route all traffic to Telesex dominated countries to the International Operators.– Have the International Operators record the Client Name, and CPF (social security number)– Inform the customer of the destination country and the high tariffs.– Allow the Operator to complete the call.– Send letter to Intl Carriers saying that Embratel would no longer pay for any International

traffic that was considered Telesex. • Procon in São Paulo was consulted and gave thumbs up.

Nov 2000• Plan put into production – All traffic to Hot Telesex Countries re-routed to the Intl

Operators.– Problem:

• The demand outweighed the Operator Center´s ability to handle it. • TMA for these calls was between 5-10 minutes• Abandonment rate was between 30 and 80%• Of those customers that spoke to operator, only 3-4% provided the information and wanted to complete

the call. Of the total amount this was about 2%.

– Solution:• Do Nothing, wait for the complaints to come in.

  1-nov-00 1-nov-00 1-nov-00

Intercepted Calls to Telesex 18986 16781 16202

Calls Attended by Operator 10719 11231 12069

Abandoned Calls (difference) 8267 5550 4133

Calls Completed by Operator 348 390 392

Completion Rate 1,83% 2,32% 2,42%

Dec 2000 – July 2001• Dec 2000:

– Investigated ECTEL FraudView System – Primarily to fight call-sell fraud which was our number one priority now that Telesex was under “control”.

• Jan 2001: – Contracted Alcatel to develop STP Infusion which would:

• provide realtime blacklisting capability for up to 11 million terminals.• query the blacklist and route the call within 5 tenths of a second.

• May 2001:– Signed contract to purchase FraudView system with probes on 100% of all

International Voice Links• Unique Ability of FraudView: Allows us to induce a disconnect of the call by the automatic

insertion of silence on the line in realtime.

• July 2001: – Installation of FraudView complete and system is put into production.– July 30, 2001 – Decided to take a stronger stance agains Telesex and thus D-Day

declared internaly on Telesex! No one opposed!– All Telesex re-directs were undone and FraudView was used exclusively to fight this

fraud via insertion of silence.

Aug 2001• A new twist in the fight:

– Despite the insertion of silence long duration calls were occuring to these international telesex destinations.

– What sort of traffic was this? Who is interested in generating and enduring an hour or more of pure telesex silence???

– Answer: Someone who is not interested in communicating. But rather someone who is simply interested in the duration of the call. Hence the discovery of Artificial Traffic in Brasil

– The fraudsters receive their money based on the number of minutes of total calling duration and not on what was communicated. Therefore it was in their interest to insure that as many minutes of traffic are logged to these destination.

• How we fought Artificial Traffic: – We re-redirected all the calls to these Telesex hot countries to the operators and

instructed the operators to not complete any calls where they hear silence on the line.

– If the operators were to hear anything in the beginning of the call that was indicative of Telesex, they were instructed to report the destination number to Fraud Control who then would perform an investigation and then would blacklist the destination in FraudView

0

5000

10000

15000

20000

25000

30000

03/0

4/2

001

10/0

4/2

001

17/0

4/2

001

24/0

4/2

001

01/0

5/2

001

08/0

5/2

001

15/0

5/2

001

22/0

5/2

001

29/0

5/2

001

05/0

6/2

001

12/0

6/2

001

19/0

6/2

001

26/0

6/2

001

03/0

7/2

001

10/0

7/2

001

17/0

7/2

001

24/0

7/2

001

31/0

7/2

001

07/0

8/2

001

14/0

8/2

001

21/0

8/2

001

28/0

8/2

001

04/0

9/2

001

11/0

9/2

001

18/0

9/2

001

25/0

9/2

001

02/1

0/2

001

min

ute

s

Artificial Traffic to Telesex Countries

Re-Directs toOperators Lifted

Re-Directs toOperators Returned

2 weeks of Insertion ofSilence Only

Call Sell Traffic to Arabic Countries

0

0,5

1

1,5

2

2,5

03/0

4/20

01

10/0

4/20

01

17/0

4/20

01

24/0

4/20

01

01/0

5/20

01

08/0

5/20

01

15/0

5/20

01

22/0

5/20

01

29/0

5/20

01

05/0

6/20

01

12/0

6/20

01

19/0

6/20

01

26/0

6/20

01

03/0

7/20

01

10/0

7/20

01

17/0

7/20

01

24/0

7/20

01

31/0

7/20

01

07/0

8/20

01

14/0

8/20

01

21/0

8/20

01

28/0

8/20

01

04/0

9/20

01

11/0

9/20

01

18/0

9/20

01

25/0

9/20

01

02/1

0/20

01

min

ute

s x

fact

or

Effectiveness of Silence Insertion

On Call-Sell!

Dec 2001

• New 800 Pre-paid phone card telesex service.... • Complaints of kids purchasing phone cards. Prompted legal actions

against service.• Public advertisements were considered by many as too risque

which prompted community action.• Service very likely to have suffered from fraud attempts boosting

800 charges.• Service dies a quick death within a month.

Dec 2001

Jan 2002 – Mar 2002• Detected Telesex calls to Guiana (592)• Television program advertising calls in the late hours. It was seen by

someone in Embratel who communicated the occurance to us.• Inserted silence on all the calls, but long duration calls persisted,

giving evidence to Artificial Traffic.• Re-routed all calls to certain prefixes in Guiana through the Embratel

Intl Operators to filter in the same way we were doing for all other telesex calls.

• STP Infusion put into production allowing us to:– block any A number from making domestic or international calls or

receiving collect calls. – Block any B number from receiving calls.

• Quickly input all Telesex destinations into blacklist thus preventing the completion of any calls.

April 6 2002• New Supreme Court Decision in Brasil regarding Telesex calls:

– Case: Angela Maria da Cruz versus TELERJ (Telecomunicações do Rio de Janeiro)

– June and July of 1996, International Telesex phone calls were made from Angela´s phone and she was invoiced by TELRJ to the tune of R$15000.

– For not paying, her name was registered with Serasa (register of Bad Debtors).– Angela sued TELERJ, won the case, got her name removed from Serasa, and

won R$6000 in punitive damages.– Because of this case, the STJ (Superior Tribunal de Justiça) stated that Telesex

calls are NOT Typical of Normal use of the Telephone and therefore require the prior agreement of the owner of the line in order to bill for the calls.

April 6 2002

Aug 2002 – Dialers!!!• Started getting complaints of unrecognized calls to Liechtenstein.• Investigated and found that the destinations were modems and not

voice. • Customer Service was able to identify from the customer complaints

that these calls were from Internet Dialers.• We started investigating this but found that nobody, including the

local telcos understood what they were or how they worked. • For fear of having our network infected with trojans and viruses, we

did not actively search the Internet for them. • We hard blocked all calls to these numbers in Liechtenstein.• We developed filters in FraudView that would look for B-numbers in

smaller countries with many calls. If we found that the origens of the calls was spread throughout Brasil, it was a strong indication of a dialer and further investigation was done.

• We also began to discuss the issue with other Telcos in Brasil actively sharing dialer destinations that were found.

Jan 2003• Attended Audiotext Conference in Las Vegas to learn more about

Audiotext Telesex and Dialers.

Internext Conference, Jan 6, 2003

Client A Long Distance

ProviderInternational

CarrierService Bureau

Level 1Service Bureau

Level XContentProvider

Service BureauLevel 2

Flow of Money for Intl Dialer Usage:• Client A uses International Dialer Service

• Client A pays Long Distance Provider for calls on invoice• Long Distance Provider pays International Carrier a

percentage for interconnect costs• International Carrier pays a percentage to Service Bureau (Level 1) • Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2)• Service Bureau (Level 2) pays a percentage to Service Bureau (Level X)• Service Bureau (Level X) pays a percentage to Content Provider

Example of Level 1 Service Bureau:

Internext Conference, Jan 6, 2003

Jan 2003

Another Example of Level 1 Service Bureau:

Internext Conference, Jan 6, 2003

Jan 2003

May 2003• Added PC´s to Embratel Fraud Laboratory dedicated to downloading

and executing dialers to determine the destinations.

• Found some examples of “Good Dialers”– Explain to user about modem disconnect/reconnect in language of client– Do not silence the modem– Ask client of the age– Give price per minute of call

• Found some examples of “Bad Dialers”– Lacking in one of the items above– Malicious in nature – loading trojans and viruses on machine

Example of “Good Dialer”

Choose yourOriginating

Countryso dialer knowshow to dial out.

Page 1

Example of “Good Dialer”

Choose type of Access.

“MODEM/ISDN” will give you a

Dialer

“CABLE-DSL/LAN-WEBTV”

will give you an intl phone number to

call.

Page 2

Example of “Good Dialer”

Download and Open Dialer.

Page 3

Example of “Good Dialer”

Executing the Dialer.

Page 4

Notice the option of “Silent Dialing”

In some “Bad Dialers” this is the

default

Example of “Good Dialer”

Executing the Dialer...

Page 5

Logging into the site.

Observation:To prevent unauthorized

access from direct connect, an IP address is auotmatically assigned to client on Login,

and website will only work for that IP range

Example of “Bad Dialer”• Look up in Google key words:• Hobby Hacker Carding• Go to sites and download dialer and execute• Dialer will silence modem tones and will not give any information of

what it is doing.• In addition to being connected to an international destination, your

machine will be infected with various trojans and viruses inabling your machine and requiring re-loading of the operating system.

Please do not try this on a machine with:• A LAN connection• Important or Sensitive Information• A Critical Function

Summary of Telesex Fraud• If you choose to allow Telesex traffic, to fight fraud you will need to insure

you take preventative actions for:– Subscription Fraud– Clip-On– Card Fraud– PABX Attacks– Employee Misuse of Telephone– Watch for Artificial Traffic

• If you choose NOT to allow Telesex traffic you will need to:– Block International Telesex Destination Numbers– Networking to learn of new numbers and number ranges– See FIINA list of PRS Destinations– Maintain close contact with Customer Service– Look for International Destinations with wide dispersion of origens and with

many long duration calls (case of dialers)

clifford m jordanmanager fraud control and prevention

Embratel55-21-2121-2112 – office

55-21-2121-3267 – faxcliff@embratel.com.brcliff.jordan@mci.com

Contact Information: