Innovative Fraud Monitoring Identifying and combatting fraud in real time

January 2014

Technology and Shrinking Margins Easier to commit fraud – more incentive to do it

International Call Termination

Caller Called Customer

Carrier

VoIP Gateway

International PTT

Originating Service Provider

Wholesalers

Answer Signal triggers billing in all switches

Normal Scenario

Call Attempt triggers distant ringing

$$$ $$ $$ $$ $

Payments for call termination

Local Carrier

Note: The technical name for the answer signal is Answer Supervision

3

False Answer Supervision (FAS) Methods

Caller Called Customer

VoIP Gateway

International PTT

Originating Service Provider

Wholesalers

Early Answer Signal triggers billing in previous switches

FAS - Early Answer

Call Attempt triggers distant ringing

$$$$ $$$ $$$ $$ $ Payments for call termination

Local Carrier

Caller

VoIP Gateway

Originating Service Provider

Wholesalers

Answer Signal triggers billing in all switches

FAS - Recording Scenario

Recording simulating ringing or artificial answer

$$$$ $$$ $$$ Payments for call termination

Carrier

Carrier

4

Premium Rate Fraud

Caller Called Recording

International PTT

Originating Service Provider

Wholesalers

$$$$$$ $$$$$ $$$$$ $$$$ $$$$ Payments for Premium Service

Local Carrier

Premium Rate Recording

Carrier

5

$$ Payments for Call Generation

Two main methods of detection

Test Call Sending (FAS Detection) Depends on the availability of probes in the distant destination Probes are focused on mobile networks – problematic to install in OLO networks in each country Test calls costs money and the chance of hitting intermittent FAS is not high FAS carriers can watch for source or destination details of test calls and route those to a high quality network

Statistical Analysis and Comparison of Call Detail Records

All destinations and countries can be investigated Identifies fraud based on patterns and “finger prints” Complex to identify intermittent fraud and to avoid false positives of normal customer behavior Focus of the rest of this talk

6

The Challenges of Detecting FAS

An individual CDR can tell you nothing about the validity of the call Valid customer behavior – all calls to voicemail – can mimic the “tell-tale” signs of FAS FAS is no longer destination specific – eg Cuba. Any destination worth more than a few cents is a cost effective target

26% of 1000 destinations had some FAS in a typical month FAS is no longer long term in nature – a few hours on one destination, then a few hours on a totally different one will be invisible to most detection systems “Carriers” can get into business for a few thousand dollars – or can lease switching capacity. They can also form multiple entities to muddy the trail

Finally, our Sales colleagues do not want to lose valid (reasonably valid?) supply

7

What do we know about an FAS call?

Call connect rate is usually higher than normal Average length of call is lower Time to answer is more uniform

OK – so look for lower average duration and higher ASR….

8

ACD – 6.2 mins

Average hides a lot of details

Distribution of Answer Delay

9

0

10

20

30

40

50

60

0 3 6 9 12 15 18 21 24 27 30 33 36 39 42

Normal Distribution Answer Delay

Number of calls

0

50

100

150

200

250

300

350

0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44

FAS Distribution of Answer Delay

Number of calls

Average Delay: 10 seconds

Average Delay: 8.5 seconds

Average is not sufficient:

Move to Second Order Moments to describe the

shape of the data

Higher Order Statistical Moments

10

Standard Deviation: Measures the width of a set of data points to assess the distribution of values Variance: How far are the values separated from each other Co-Variance: Measure of the relationship between two variables Entropy: Level of uncertainty in the set of values, which can indicate if there is a high correlation around a particular call set up time that is invisible in the average measurement

That is probably enough statistics – but this is the analysis you really need to spot intermittent FAS without False Positives

How about Premium Rate Fraud?

11

Two broad approaches: Use intelligence gathering – likely destinations, likely numbers – and then look for changing traffic patterns to those destinations Identify the underlying patterns that indicate fraud

What are those patterns?

Calls start from a small range of originating numbers and terminate to a small range of destination numbers Low level of volume to test access and connections Step change in volume as multiple parallel calls are made

Deep statistical analysis of all call detail records can similarly identify these subtle changes in calling behavior

Summary

Fraud is a growing industry problem – the migration to VoIP equipment

has made it worse

The traditional approaches – compare average durations, average

connection rates, average connection time between carriers – can easily

be beaten by skilled fraud operators

Fraud has certain “finger prints” that can be identified and tracked using

“Big Data” statistical approaches

Continued evolution of statistical systems can identify Fraud with a high

degree of confidence

12

HOT TELECOM