
January 2015

False Answer Supervision Fraud: Applying Advanced Statistics to Find Needles in the CDR Haystack


Looking back at the history of fraud management systems, there’s been a steady march of progress over the last few years.

The earliest systems required a great deal of manual intervention.  But since then, innovation has brought us:

  • Software that automates the setting of thresholds;
  • Hardware that can affordably manage big data; and
  • DPI techniques that can detect fraud and abuse using information from the data packets themselves.

But now Steve Heap, independent consultant and the former CTO of Arbinet, is here to tell us more about a new wave in telecom fraud management innovation: autonomic technology that relies on advanced statistics.  Here, Steve represents IPsoft, a cross-industry pioneer in this new software arena.

Dan Baker: Steve, Arbinet was a legend of the wholesale business.  Can you refresh us on their business model and how you’re now associated with IPsoft?

Steve Heap: Sure, Dan.  Arbinet’s business was to connect operators to an electronic exchange — a combination of voice switching, web-based trading, and rating/settlement environment.  So we facilitated the trading of voice traffic and in our peak year of 2009, we traded a wholesale traffic volume of around $450 million.

As you can imagine, with 500 companies — some of them small and new to the industry — connected to Arbinet, fraud was a big concern.  After trying to develop internal systems to identify it, I found the IPsoft solution and was impressed by the way it learned our traffic patterns and gave us actionable alerts of issues.  Since leaving Arbinet in 2010 I’ve worked to help spread the word about IPsoft’s telecom fraud solutions around the industry.

Now IPsoft (a 1,200 employee firm across New York and India), is not a well-known name in wholesale or even in telecom.  Their main focus has been in large enterprise IT where they build expert systems that manage internal networks, systems and help-desks by looking over the shoulder of technicians, learning what they do, and then reproducing that learning in an automated fashion.

Interesting.  Now I understand the telecom fraud area that IPsoft initially focused on is something called False Answer Supervision.  What’s that about?

False Answer Supervision (FAS) refers to the signalling that happens when a voice call is set up.  When the called person picks up the phone, an answer signal is returned.  That answer signal establishes the length of the call for each and every carrier in the traffic/billing chain.

But fraudsters can spoof the answer signal.  So, rather than waiting for the end user to actually pick up the phone, they artificially return the answer signal back up the chain.  And everyone assumes the call started at such and such a time, and they are going to bill on that basis.

Meanwhile the fraudster charges a higher amount because they’ve artificially answered the phone faster.  It might turn out to be 15, 20, or 25 seconds worth of extra billing.  And if the call was never answered because the person wasn’t there, they are billing, say, for 30 seconds of a phone conversation that never occurred.

Why isn’t FAS fraud detected by operators in the downstream billing chain?

Well, it’s really a function of how telecom works.  No one can do an end-to-end validation.  It is always relationship by relationship billing.  So apart from the one doing the fraud, everyone agrees to the signalling “facts”.

The terminating carrier — and each subsequent carrier in the chain — bills the carrier who sent it the traffic, in serial fashion.  And FAS fraud is very hard to detect without statistical analysis.

We don’t really hear much about FAS fraud.  Why is that?  Has the threat become more significant in recent years?

FAS fraud was made a lot easier by the growth in voice over IP traffic.  When people had big Nortel switches, it was less prevalent because the switches were sort of hard-wired, but in a VoIP switch you can manipulate things easier.

And years ago, carriers didn’t worry as much about FAS fraud: it was only considered a revenue threat on a few well-known destinations.  But now that voice margins are tight, some of the larger carriers have started to take action on FAS and remove the offending carriers from their routing lists.  One of the more aggressive is Tata, who, of course, is also the biggest international wholesaler around, so this is a key move forward for the industry.

How does the IPsoft solution detect fraud?

The starting point for the IPsoft system is a picture of what normal calling and traffic behaviour looks like.  It tracks number groups, destinations, the rate of successful voice connections, the duration of calls, and answer delays.

It then builds a statistical model to find anomalies, say, when the traffic is being sent to a small subset of numbers as opposed to the wide range of numbers you’d expect.  And since the delay it takes for a human to answer a phone is random, if the delay is regular, that suggests a machine is answering it.  So these kinds of observations are fed into the fraud analysis.

And rather than using signatures or thresholds stored in a database, the system relies on continuous learning on the fly.  So it is not pre-focused on certain number ranges, but can detect FAS or premium rate fraud in a zero-day fashion.

Billions of CDRs a month flow through the system to update the statistical model.  But interestingly, you cannot afford to store these CDRs because the data storage needs would be enormous.  Instead, the system stores only the statistical history of the traffic patterns detected in the CDRs.  Those patterns become the basis of later analysis.

What’s wrong with using thresholding to detect this fraud?  After all, thresholds these days are self-configured and updated to fit current traffic patterns.

Thresholding generally works on averages over a certain period of time.  The averages could be recomputed once a day, or if you’re lucky, it averages over an eight-hour period or less.

Trouble is, the fraudsters are clever: they vary their times and destinations.  They commit the FAS fraud on one destination for one hour, then shift to another destination for the next hour.

When that’s done, averaging thresholds can’t spot the fraud because the period of fraud activity is shorter than the period of threshold averaging.

Now telecom engineers and fraud experts know what statistics and standard deviations are about.  However, there’s a deeper level of statistical analysis that is rarely understood.  For instance, in the case of FAS, examining the data’s distribution curve becomes a better indicator of fraud than calculating averages or percentages.

And in this respect, I’m like a lot of technical people out there: I could never imagine specifying a system like this because my understanding of statistics kind of stops at a certain level.  However, the IPsoft solution is developed by data scientists and hence is successful in identifying FAS where normal thresholding-based systems are not.  And there are many operators out there who are proving this kind of statistical magic actually works in the real world.

Thanks for this interesting briefing, Steve.  It sounds like autonomic technology may find profitable use in other areas of telecom fraud — or even in marketing analytics.
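The two detection ideas raised in the interview, answer delays that are too regular and traffic concentrated on a few numbers, can be sketched over per-hour windows that keep only running statistics rather than the CDRs. This is an added example, not IPsoft's method or code from the interview; the CDR fields, the route name `R1`, the phone numbers and the thresholds (`cv_floor`, `spread_floor`, `min_calls`) are all assumptions. It also shows the same one-hour burst going unnoticed when the statistics are taken over the whole day.

```python
from collections import defaultdict
from math import sqrt

# Constructed sample delays (seconds from call setup to answer signal).
HUMAN = [3, 7, 12, 5, 18, 9, 4, 14, 6, 10]                     # irregular pickup
MACHINE = [2.0, 2.1, 2.0, 1.9, 2.0, 2.1, 2.0, 2.0, 1.9, 2.0]   # near-constant

def sample_cdrs():
    """Eight hours on hypothetical route R1; hour 3 carries the burst."""
    cdrs = []
    for hour in range(8):
        fraud = hour == 3
        for i, delay in enumerate(MACHINE if fraud else HUMAN):
            number = f"9990{i % 2}" if fraud else f"555{hour}{i}"
            cdrs.append((hour, "R1", number, delay))
    return cdrs

class Window:
    """Running aggregates only; the CDR itself is not retained."""
    def __init__(self):
        self.n, self.s, self.ss, self.numbers = 0, 0.0, 0.0, set()
    def add(self, number, delay):
        self.n += 1
        self.s += delay
        self.ss += delay * delay
        self.numbers.add(number)
    def delay_cv(self):            # coefficient of variation of answer delay
        mean = self.s / self.n
        var = max(self.ss / self.n - mean * mean, 0.0)
        return sqrt(var) / mean if mean else 0.0
    def number_spread(self):       # distinct called numbers per call
        return len(self.numbers) / self.n

def aggregate(cdrs, key):
    windows = defaultdict(Window)
    for hour, route, number, delay in cdrs:
        windows[key(hour, route)].add(number, delay)
    return windows

def flag(windows, min_calls=10, cv_floor=0.15, spread_floor=0.5):
    # Assumed thresholds: delays too regular, or too few distinct numbers.
    return sorted(k for k, w in windows.items() if w.n >= min_calls
                  and (w.delay_cv() < cv_floor or w.number_spread() < spread_floor))

def hourly_alerts(cdrs):
    return flag(aggregate(cdrs, lambda hour, route: (route, hour)))

def daily_alerts(cdrs):
    return flag(aggregate(cdrs, lambda hour, route: (route, "day")))
```

On the constructed data the hourly windows flag only hour 3, while the single day-long window flags nothing because the regular delays are diluted by the surrounding normal traffic.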

Copyright 2015 Telexchange Journal

 

About the Expert

Steve Heap


Steve Heap has many years of experience in international companies ranging from small start-ups to major multinational corporations.  His responsibilities have been across strategy, planning, engineering, and operations.  As the CTO of Arbinet he came face to face with many fraud issues and tackled some of the more severe ones in partnership with IPsoft.  Now as a Senior Technical Consultant with the company, he focuses on extending IPsoft’s broad portfolio of autonomic analytic systems to the carrier environment.   Contact Steve via
