The State of Prepaid Technology: A New Kind of Phone Fraud
What Prepaid Providers Should Know
By Ken Osowski
Normally, we focus on exciting new opportunities, technologies and markets for prepaid service providers. But, there is a new kind of fraud that’s emerging, and it is important that you understand what you can do to insulate and protect your business and customers.
As with most crimes, there’s a perpetrator and a window of opportunity that is either specifically created or unintentionally left open. In this case, the perpetrators are a new sub-species of hackers that we’ll refer to as Looters Of Unsuspecting Service Executives (or louses) who have access to enhanced TDM or IP platforms. These louses are exploiting doors left open by a few less-than-secure, or perhaps less-than-honorable, network operators.
In essence, louses with access to enhanced platforms are spoofing ANIs (the Automatic Number Identification that identifies the calling subscriber’s phone number) and throwing calls at prepaid service provider networks to see which ANIs stick; in other words, which ANIs have prepaid cards and values associated with them.
When the louse tries ANIs that happen to be associated with an account, they get a response that in effect says “Hello, where do you want to call?” The louse then either takes the value immediately (a onesie-twosie approach), or adds that number to their list for a larger scale plundering at some point in the near future.
And if you’re not aware of what’s going on, the first time you learn about it is when your subscribers start calling in large numbers to dispute their charges.
Now, these carriers that are hosting the louses should know which ANIs are in their network, and shouldn’t allow originations out of their network if the ANI is spoofed. But you can’t control the business practices of low-cost network operators, especially if they are two carriers removed from the carriers you directly connect to. And the real problem actually begins with the louses.
Up to now, the prepaid market has been populated with savvy professionals who have fairly leveraged the market’s opportunities, while legitimately delivering needed services. But in all viable markets, success sooner or later tends to attract an unscrupulous few, and the prepaid industry is no exception. As more and more carriers have come into existence and the market has grown more competitive, it’s likely that these louses and the network operators that enable them are really just a very few bad apples. But if it’s your business that’s hit, it doesn’t matter how few their numbers are, does it?
What’s being done to close the open door? Tom Regan, Manager of Sales Engineering here at Pactolus, explains:
“In the newer standards, the network engineers have developed a means of exchanging the ANI in a trusted fashion. In SIP, call setup messages have a new header, P-Asserted-Identity (preferred asserted identity, or ‘PAI’ for short). The PAI header is intended to allow two networks to hand off a call with trust, with the originator ‘vouching’ for the ANI contained in the PAI header. The originator vouches for these calls either because the call originated in their network, or they received the call from a network that they trust. In other words, if you trust the carrier, then you accept the ANI contained in the PAI header. And if you don’t trust the network, you can set up your border elements to block the PAI header, allowing you to differentiate treatment of calls from trusted networks and networks that are not trusted.”
Tom also reminded us that buying inexpensive access network services from an unknown network provider represents a risk. He said that, among the others using that network, there could be louses looking for their next attack target.
“Once they get positive responses, they come back for more, like ants to sugar,” he added.
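As an added illustration of the border-element policy Tom describes (example code written for this page, not Pactolus's or the article's own), here is a small Python policy that accepts the P-Asserted-Identity only from peers on a trusted list, strips it otherwise, and marks the resulting ANI as unverified so it is never used on its own to unlock a prepaid account. The peer addresses, the INVITE and the number pattern are constructed assumptions.

```python
import re

# Constructed trust list for this example: border peers inside our trust domain.
TRUSTED_PEERS = {"198.51.100.10"}

NUMBER_RE = re.compile(r"(?:sip|tel):\+?(\d{7,15})")

# Constructed INVITE arriving at the border element; not a real capture.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:18005550100@prepaid.example.net SIP/2.0",
    "From: <sip:15551234567@carrier.example.com>;tag=abc",
    "To: <sip:18005550100@prepaid.example.net>",
    "P-Asserted-Identity: <tel:+15551234567>",
    "Call-ID: constructed-1",
    "", "",
])


def parse_headers(invite):
    """Lower-cased header name -> value map for the request's header section."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def identify_caller(invite, peer_ip):
    """Accept P-Asserted-Identity only from a trusted peer (RFC 3325 trust domain).
    Anything else is an unverified ANI: the prepaid IVR must still ask for a PIN."""
    h = parse_headers(invite)
    pai = h.get("p-asserted-identity")
    if pai and peer_ip in TRUSTED_PEERS:
        m = NUMBER_RE.search(pai)
        if m:
            return {"ani": m.group(1), "verified": True}
    m = NUMBER_RE.search(h.get("from", ""))
    return {"ani": m.group(1) if m else None, "verified": False}


def forward_headers(invite, peer_ip):
    """Strip PAI that came from an untrusted peer so nothing downstream
    mistakes it for a vouched-for identity; trusted peers pass through."""
    if peer_ip in TRUSTED_PEERS:
        return invite
    head, sep, body = invite.partition("\r\n\r\n")
    kept = [l for l in head.split("\r\n")
            if not l.lower().startswith("p-asserted-identity:")]
    return "\r\n".join(kept) + sep + body
```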
Most fraud systems are built around the presumption that the attacker’s ANI will be presented reliably and correctly. But the proliferation of TDM and IP enhanced services platforms weakens this assumption. These louses may need a better quality ‘black hat’ to mount their attack, but that doesn’t change their impact on a prepaid provider’s profitability.
In addition to searching for accounts tied to the spoofed ANI, the louses can also use ANI spoofing to bypass traditional, ANI-based fraud detection. They can mount larger brute force PIN guessing attacks.
And it doesn’t stop there. In their search for better revenues and margins, service providers are signing up customers with credit cards tied to their account, configured to recharge the account when it drops below a pre-set balance. It’s the proverbial pot of gold for the louse. A thought that definitely does not encourage restful sleep.
Adding Insult to Injury:
In addition to seriously hitting your revenues, another big problem is that this type of attack can really drive up your network operating costs. Because these calls are answered by an IVR session, you’re actually paying to be attacked. That can be particularly bad if the attack is initiated through an 800-type number. It’s a little like being the manager of a bank that has just been robbed, and then having your own wallet taken to pay for the thief’s cab fare.
Steps You Can Take to Protect Yourself & Your Customers:
There are several ways you can protect your network, business and customers:
1) Disable ANI authentication on high-cost access numbers (800 numbers); a customer who has associated their ANI with an account can probably use a local access number instead.
2) Know your network partners; weigh your risks versus your margin gains. The reduced risk of connecting to higher quality networks needs to be balanced against the increased costs.
3) Check your CDRs for unusual calling patterns, such as a spike or increase in the number of incoming calls that don’t result in subscriber authentication. It’s a symptom, not a cause, but it indicates that you want to keep a close eye on things.
4) Ensure your dispute resolution processes are in place. Also, if you return the customer’s dollars, will you only be putting money back into a safe that the hackers have the combination to? You can’t ask a customer to change their number, but you might want to think about alternatives for refunding.
5) Think of adding a 4-digit DTMF PIN, a sort of ancillary, supplemental DTMF shortcode, and think of it as a customer service benefit, not a drawback. In the last year, the news has been filled with identity theft stories. As your customers become more security aware, let them know that you’re offering this service because you care and want to protect them. You might even think about adding an option that changes the conditions of the dispute resolution process, based on whether a customer has accepted this optional PIN.
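For step 3, an added example (not from the article) of the CDR check in Python: it buckets constructed CDR records by hour, flags hours in which calls that never authenticate dominate, and lists access numbers being hit by many distinct unauthenticated ANIs, which is the “which ANIs stick” sweep described earlier. The CDR layout, field names and thresholds are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed CDR extract (not real data). Fields: hour bucket, calling ANI,
# dialled access number (DNIS), and whether a prepaid account authenticated.
SAMPLE_CDRS = """time,ani,dnis,authenticated
2008-03-01T09,15551230001,18005550100,Y
2008-03-01T09,15551230002,18005550100,Y
2008-03-01T09,15551230003,18005550100,N
2008-03-01T10,15552000001,18005550100,N
2008-03-01T10,15552000002,18005550100,N
2008-03-01T10,15552000003,18005550100,N
2008-03-01T10,15552000004,18005550100,N
2008-03-01T10,15552000005,18005550100,Y
2008-03-01T10,15552000006,18005550100,N
2008-03-01T10,15552000007,18005550100,N
2008-03-01T10,15551230001,15551234567,Y
"""


def load_cdrs(text):
    return list(csv.DictReader(StringIO(text)))


def unauth_by_hour(cdrs):
    """Per hour bucket: [incoming calls, calls that never authenticated]."""
    stats = defaultdict(lambda: [0, 0])
    for r in cdrs:
        stats[r["time"]][0] += 1
        if r["authenticated"] != "Y":
            stats[r["time"]][1] += 1
    return dict(stats)


def flag_hours(cdrs, min_calls=5, max_unauth_ratio=0.5):
    """Hours where unauthenticated calls dominate: the spike the article says
    to watch for. Thresholds are assumptions; tune them to your own baseline."""
    return [hour for hour, (total, unauth) in sorted(unauth_by_hour(cdrs).items())
            if total >= min_calls and unauth / total > max_unauth_ratio]


def probed_access_numbers(cdrs, min_distinct=5):
    """Access numbers hit by many distinct ANIs that each failed to authenticate:
    the ANI sweep pattern, and on an 800 number the calls you are paying for."""
    anis = defaultdict(set)
    for r in cdrs:
        if r["authenticated"] != "Y":
            anis[r["dnis"]].add(r["ani"])
    return {d: len(a) for d, a in anis.items() if len(a) >= min_distinct}
```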
We invite you to write in with your thoughts, ideas and questions. In the meantime, there’s no one fail-proof answer. Steps like the PAI are approaches to forming a web of trust, not a panacea against the worst of human nature.
In any marketplace, you sooner or later have to watch your wallet. In this one, you can lean on reliable partners and your voice service vendors to help protect your business.
Ken Osowski is the VP of Marketing & Product Management at Pactolus Communications Software. He can be reached at Keno@pactolus.com.