About Cerebrus Solutions Limited. This Fraud Primer is prepared by Cerebrus Solutions

Issue 2.2 September 2001

Cerebrus RE is an advanced fraud detection system that places the fraud analyst at the heart of the fraud management operation. Uniquely, it combines neural network, rule and database technologies within a single system, providing consolidated, case-oriented fraud management capabilities. The advanced graphical user interface presents the system s findings about individual customers in a clear and easy to use fashion. The resultant synergies allow Cerebrus to deliver significant operational benefits, enabling proactive fraud management and a high, sustainable return on investment. About Cerebrus Solutions Limited This is prepared by Cerebrus Solutions Cerebrus Solutions Limited is the leading provider of fraud and revenue enhancement solutions based on leading edge neural network technology. This innovative approach includes analysis of each individual subscriber s behaviour, providing unrivalled visibility across all activity within the network. This key aspect of effective global revenue assurance is available to telecom operators for fixed and wireless networks supporting voice, data, mcommerce and the Wireless Internet. Cerebrus Solutions is committed to helping operators maximise profits by minimising exposure to telecoms fraud. Its flagship system, Cerebrus RE, is already helping many telecoms operators worldwide to protect billions of dollars of revenue. Cerebrus Solutions Limited was formed in 1997 and was previously a business unit of Nortel Networks plc. In 2001 it became an independent company with the support of Argo Global Capital LLC and Agilent Technologies. Headquartered in Harlow, in the UK, Cerebrus Solutions Limited employs over 50 people and operates globally with customers on four continents and pan-regional sales support in Europe, The Americas and Asia Pacific. Issue 2.2, September 2001 Page 2 of 2

Table Of Contents 1. TELECOMMUNICATIONS FRAUD 4 1.1. INTRODUCTION 4 1.2. OVERVIEW 4 2. HOW DO FRAUDSTERS BENEFIT FROM FRAUD? 6 2.1. BY USING A SERVICE WITHOUT PAYING 6 2.2. BY CALL SELLING TO OTHERS 6 2.3. BY DIRECTING CALLS TO THEIR OWN PREMIUM RATE NUMBERS 6 2.4. BY MAKING CALLS TO COMPETITION LINES 6 2.5. BY SELLING INFORMATION TO OTHERS 6 3. TYPES OF FRAUD FOUND IN ALL TYPES OF VOICE NETWORK 7 3.1. INSIDERS 7 3.2. SUBSCRIPTION FRAUDS 7 3.3. REVERSE CHARGE CALLS 7 3.4. CALLING CARDS 7 4. ADDITIONAL FRAUD TYPES IN FIXED NETWORKS 8 4.1. TEEING-IN 8 4.2. HACKING 8 5. ADDITIONAL FRAUD TYPES IN MOBILE NETWORKS 9 5.1. CLONING 9 5.2. ROAMING 9 5.3. THEFT 9 5.4. PRE-PAID CARDS 9 6. THE CASE FOR ACTION 10 6.1. FINANCIALLY 10 6.2. MARKETING 10 6.3. CUSTOMER RELATIONS 10 6.4. SHAREHOLDER PERCEPTIONS 10 7. RESPONSE 12 7.1. SOLUTIONS TO BUSINESS PROBLEMS 12 8. CASE STUDIES 13 8.1. CASE OVERVIEW A-OPERATION APOLLO, PREMIUM RATE SERVICE FRAUD 13 8.2. CASE OVERVIEW B-PRSFRAUD USING AUTODIALLING EQUIPMENT 14 8.3. CASE OVERVIEW C-CALL SELLING -MOBILE 15 8.4. CASE OVERVIEW D-CALL SELLING -FIXED 16 8.5. CASE OVERVIEW E-SUBSCRIPTION FRAUD REPEAT DEBT 17 8.6. CASE OVERVIEW F - PBX DISA FRAUD 18 8.7. CASE OVERVIEW G-SUBSCRIPTION FRAUD 19 Issue 2.2, September 2001 Page 3 of 3

1. Telecommunications Fraud 1.1. Introduction Fraud is a multi-billion dollar world-wide industry, which affects every public telephone network. Fraudsters are motivated not only by money, but also by the need for anonymity to mask other crimes, or sometimes just the challenge of beating the system. This primer outlines some of the more common aspects of fraud, which apply to both fixed and mobile operators who support both direct and indirect connection to their network. The fraudster is ingenious and determined and will frequently find a way to misuse services and compromise security. There are many variations on each of the themes identified in this primer, consequently all of the various aspects of fraud are too numerous to mention. The sure thing is that the only qualifications required to become a victim is to operate a switch or use a service. Fraud is prevalent in both fixed and mobile networks of all technologies. Typically the more advanced the service more susceptible it is to fraud. As one vulnerability is closed another will be found. Fraud is insidious, the risk is not only from outside but it is frequently perpetrated by, or involves a telco s own employees. Fraud counter-measures need to be the subject of a definite corporate policy supported by a suitable implementation strategy. 1.2. Overview Fraud splits into two main categories, Revenue Fraud in which the motive is to make money and Non-Revenue Fraud, which is motivated by more personal objectives. Typically an operator s fraud may be expected to split approximately 50%-50% or between the two types. Non-Revenue Fraud motivations include providing a no-cost voice or data service to friends or compatriots or by the sheer thrill of outmanoeuvring the defences. In others cases criminals avoid surveillance and the threat of phone-tapping by gaining illegitimate use of the telephone network. However, in the majority of cases, the motives are less complex, financial gain. This achieved by Revenue Frauds of which their are two main kinds; Call Selling in which service is sold at a discount and the telco bills are not paid, and Premium Rate Service (PRS) frauds where calls are illicitly stimulated to a PRS line in order to generate revenue. There are several identified generic methods of fraud. Subscription: Surfing: Ghosting: Where the fraudster obtains a subscription to a service with the intent of perpetrating fraud. This occurs through the normal application processes and may often be achieved with false identity details. This is the use of another s service without having the necessary authority. This can generate phantom calls on a bill. It can be achieved through mechanisms such as cloning a mobile phone, obtaining calling card authorisation details, PBX hacking and other ways. This term refers to technical means of deceiving the network in order to obtaining free or cheap rate calls. The technology is constantly evolving but Issue 2.2, September 2001 Page 4 of 4

current examples include equipment, which suppresses the answer signal sent to the calling exchange. This allows charge-free calls for the duration of the ring tone, no answer period set in the calling exchange. Accounting: This is the exploitation of accounting and billing processes to reduce charges or obtain a cash refund. This method will usually involve insiders in some way. Information Abuse: This involves obtaining useful information or access codes and selling them on. This will also usually involve insiders. Issue 2.2, September 2001 Page 5 of 5

2. How do fraudsters benefit from fraud? The main ways in which fraudsters benefit financially from fraud are: 2.1. By using a service without paying The simplest case. For those unwilling to pay for the service, fraud is the answer. Losses in this case are usually hundreds or thousands of dollars per case - one operator gave an average figure of $600. However, there are usually many such people on any given network making total losses significant. Losses in this category are difficult to distinguish from bad debt, and may be described as such. 2.2. By Call Selling to others This is where criminals sell high-value calls at a substantial discount to other people. This is commonly organised on an industrial scale, is well organised and is of an international scope. Typically it costs the telephone company the order of $15,000 per line per day. Call diversion facilities mean that many simultaneous calls can be billed to the same line, to maximise the return before the line is disconnected. One operator lost $100,000 in a weekend in this way, when a four line operation was set up in a part of town with a high foreign population. Losses are typically tens or hundreds of thousands of dollars. 2.3. By directing calls to their own premium rate numbers By setting up high tariff premium rate services (PRS) in other countries, criminals can generate legitimate revenues at the expense of the telco that originates the call. The owners of the premium rate service (who of course deny any connection with the fraudsters) are still entitled to receive their fees even if the originating telco does not. One UK business customer lost over $750,000 to hackers who placed calls to PRS lines in Israel during one month in 1996. Office cleaners have been known to do this and randomly pick office phones from which to dial the service, leaving them connected overnight. In the morning the office workers think that the phone has just been knocked off-hook. Other more devious and sophisticated methods have been deployed. One down loaded software from a web site which modified the subscriber s PC software so that the next time that site was accessed it was dialled via a PRS line rated ate around $8 per minute almost $500 an hour. What is more it kept the line open even when the web browser had been shut down. If this remained active overnight a single call would cost almost $5,000. As few as one thousand victims could generate $5,000,000. The biggest, publicly acknowledged PRS fraud netted the fraudster an estimated $60,000,000. 2.4. By making calls to competition lines In recent case two PTT engineers ran up charges of several hundred thousand pounds by calling premium rate competition lines that offered cash prizes for correctly answering quiz questions. The engineers were using test lines for which bills are not usually generated. 2.5. By selling information to others Information obtained (usually by insiders) can be of great value to criminals. Insiders can more safely exploit certain information by selling it to others rather than acting upon the information themselves. It is reported that two US operators suffered losses of $55 million through the activities of two employees in 1995. One - a network engineer - used a protocol analyser to strip calling card details as they were being submitted for processing. The other was a calling Issue 2.2, September 2001 Page 6 of 6

card operator with access to transaction details. Both sold on the information to a professional network of criminals, which then resold it world-wide to calling card counterfeiters. 3. Types of fraud found in all types of voice network 3.1. Insiders Between them, employees know everything about the network... how to add subscribers, how to set up a test line that does not generate a bill, how to add features for a friend. Disgruntled ex-employees are dangerous too, and may possess copies of keys to cabinets or junction boxes in public places. In one recent case, an engineer installed auto diallers in a business customer s premises that made short duration calls to PRS lines set up by an accomplice. The duration was set low to avoid showing up on analysis reports. When the fraud first came to light several months later, the telco blamed the customer, arguing that the fraud originated on the customer s network. Only later did it become apparent that the telco s own engineer was to blame for the losses, which exceeded $400,000. 3.2. Subscription frauds There are many specific types of Subscription Fraud. One significant variety is known as NITP, No Intention To Pay. This type of fraud typically involves misrepresenting one s identity in order to avoid payment. At first sight, these incidents look like classical bad debt; the difference is that the intent to defraud was there at the outset rather than being an inability to pay caused by changed circumstances. Sometimes the account is run for an extended period during which time the bills are settled promptly before a heavy usage period for which the bill remains unpaid. In many cases the fraudsters renew subscriptions with variants of their details thus defeating checks when they subscribe. They again fail to pay and repeat the process, this cycle can carry on for many months undetected. 3.3. Reverse charge calls International reverse charge calls can be routed by other carriers who may not submit their accounting details until several months later. This leaves a loophole for fraudsters to accept a large number of calls in a short period without exceeding any credit thresholds set for their account. Only later, when the fraudster has disappeared, are the charges apparent. One UK company reports losing $12,000 in a single incident of this type. 3.4. Calling cards Calling cards themselves are usually just a way of remembering the card and account identity. There are many ways in which this information may be stolen including: Shoulder surfing, use of high-powered binoculars or cameras to watch the user entering the codes. Recording devices have also been used to eavesdrop on numbers spoken to the operator. Simple theft of the card itself. Hacking, where the fraudster uses repeated attempts to deduce or guess code combinations. Once the fraudster has the codes, the illicit use of them can often be carried out from a remote location to minimise the chances of being caught. Issue 2.2, September 2001 Page 7 of 7

4. Additional fraud types in fixed networks 4.1. Teeing-in This means physically connecting in to someone else s line. This can be difficult to detect, especially in multiple occupancy buildings. By choosing a high usage line to tee-in to, fraudsters can operate for a substantial period before anyone is alerted. If the connection is removed after a short period, there is often no proof that the calls were not made by the protesting customer ( But we never call PRS lines in Nigeria! ). 4.2. Hacking Many parts of the network are vulnerable to those armed with the right equipment and willing to experiment. PBXs and switches often have maintenance ports, where passwords are sometimes left as the manufacturer s default or remain unchanged for years. Access to these gives the power to reconfigure the network at the fraudster s convenience. A variant of this is where corrupt members of staff or contractors divert an extension (in the evening, over a weekend or during a public holiday) to a high cost destination. Voicemail and DISA (Direct Inward System Access) services which allow external access to the PBX facilities are also vulnerable to hacking where they allow out-dialling and especially when the PBX supports free phone lines. Voicemail and DISA usually rely on PIN codes, which can be stolen, guessed, or found by a process of elimination. In one recent case, a free phone DISA service was successfully hacked, providing no charge world-wide access to whoever knew the access details. These details were published on a web site, and the resultant weekend s activity led to losses of over $500,000. Frequently, DISA may be activated in a PBX without the operator knowing and passwords are thus frequently left at the default. Voicemail systems can also be set up with naive passwords and, like DISA, to allow dial-thru access to other lines. Finding a vulnerable PBX is a relatively trivial matter and they become easy targets for the fraudster. Issue 2.2, September 2001 Page 8 of 8

5. Additional fraud types in mobile networks Operators of mobile networks face additional threats, exacerbated by the fact that concealment and evasion are simpler when the equipment is mobile. Furthermore, mobile services frequently offer advanced services (such as call forwarding, or 3 way calling), which can open the door to high-yield fraud. Types of fraud particularly associated with mobile networks include: 5.1. Cloning Cloning is the best-known type of telephone fraud, afflicting analogue networks in particular. Cloning is the practice of programming the identity of a legitimate phone into another phone. The details of its identity are usually obtained either by eavesdropping on its interaction with the base station or by stealing it. Calls are then billed to the owner of the legitimate phone. Cases of multiple clones of the legitimate phone have been reported. This clearly multiplies the resultant financial exposure. At some point, the legitimate owner protests and is issued with a new identity, with the previous one being barred. To counter this, criminals have a variant on cloning called tumbling, whereby a phone is programmed with the identities of many other phones (99 in one case). Each time a call is made, the phone rotates between its identities, lessening the chance of detection and ensuring that the phone will work until all the accounts are barred. Cloned phones are often sold with a guarantee that they will work for a given number of months - if the clone is detected and the account is barred the supplier will replace it free of charge in the guarantee period. In the US, 75,000 phones are cloned each month and the problem is found wherever analogue mobile networks are present. 5.2. Roaming To be truly useful, mobile phones should allow roaming between networks and across countries. However, fraudsters can exploit the time lag in sharing account activation and billing data between these operators. For example, a user can evade billing limits set by his home network by making high value calls whilst roaming across other networks. It is even possible to close the account in the home country, but still use the phone abroad for a certain period. Faster data transfer between operators - preferably by EDI - is the most effective solution to this problem. 5.3. Theft Despite an often-subsidised selling price, the handsets are valuable in themselves as well as in the network access, which they provide. They are thus an attractive target for theft. In the window of time before the theft is reported and the account barred, many high value calls can be placed, particularly using call-forwarding features to stack up multiple simultaneous calls. Alternatively, the phone may be cloned. 5.4. Pre-Paid Cards Pre-paid subscription cards have been designed to allow a subscriber to pay for a certain value of calls in advance. This is an attractive proposition in that the subscriber has little opportunity Issue 2.2, September 2001 Page 9 of 9

to avoid payment. However, fraud has been reported with this approach. Security around the production of the pre-paid cards needs to be good; in one case a printer prepared a duplicate set of cards, which he reportedly sold for in excess of $1,000,000. Needless to say, when the legitimate purchaser tried to use them the pre-paid systems had already recorded use to the full value of the cards and they had become useless. Another reported incident is of fraudsters finding a way to recharge the cards from their handset without the need to purchase a new prepaid card. 6. The case for action Fraud negatively impacts a phone company in four ways: 6.1. Financially The financial losses can be unpredictably large. According to generally accepted industry estimates, a fixed network provider can experience loses of up to 3% of annual net revenues to fraud depending upon the level of protection in place. For mobile networks, this figure can be higher, 5% of revenues. Where international or off-net calls are involved, as will inevitably be the case with the significant revenue frauds then there will also be a substantial cash-flow out of the company as interconnect charges are paid. There will be no revenue taken to cover these costs. This can have a significant and unpredictable effect on the operating margins and crucially the earnings of the company. The impact on earnings can be as great as 20% to 30%. Factors that affect the magnitude of financial exposure include geographic location, maturity of the operator - new operators tend to be viewed as easy targets, comprehensiveness of any counter-measures and offered service portfolio. 6.2. Marketing Vulnerability to fraud may constrain a carrier from offering the optimum spread of advanced services that their network may be technically able to support. For example, many hesitate to offer voice or fax services that permit out-dialling (e.g. forwarding faxes or voicemail messages to user-specified numbers) even though this could give competitive advantage. Protection from fraud can also be a positive selling point to business customers, particularly when selling against an incumbent carrier. 6.3. Customer relations Fraud is a customer relations issue. Fraud often impacts end customer bills and leads to disputes, perhaps litigation. Customer perception is adversely affected if the service is seen to be poorly protected or unreactive to fraud. Perversely, this holds true even if the fraud originated in the customer s premises. The net result is a loss of competitive advantage and increased churn. 6.4. Shareholder perceptions Shareholder confidence may be shaken, should the company become a victim of a major fraud. Prosecution of the fraudsters - if they are caught - invariably generates publicity, which can be negative or positive depending upon how quickly and effectively they were detected. Additionally fraud affects the company s financial performance through increased costs for which no revenue is taken as well as increasing the percentage of bad debt. This directly impacts the bottom line, reducing earnings. For new operators this threatens to delay Issue 2.2, September 2001 Page 10 of 10

achievement of a cash positive situation, while for more mature companies it depresses their Earnings Per Share. Both impacts will be of significant concern to investors. Issue 2.2, September 2001 Page 11 of 11

7. Response Fraud is a real and significant threat to the commercial well being of every operator. It reduces their competitive advantage through a direct and adverse effect on service quality and financial performance. It demands to be taken seriously. The establishment of a fraud management strategy is imperative. This will allow an operator to determine its policy and strategy to fraud and hence to establish effective counter-measures. Cerebrus Solutions is able to help operators establish such a response to this real and significant threat. 7.1. Solutions to business problems Supported by Argo Global Capital, Cerebrus Solutions' commitment is to the strategic development of its product portfolio, employing the most appropriate technologies. Continuous product enhancement is a core philosophy targeted at combating the changing nature of fraud. Cerebrus Solutions state-of-the-art portfolio targets fraud prevention, customer segmentation and churn detection. It will continue to evolve, focused on the analysis of network and subscriber associated information for the business benefit of the operator. Traditionally fraud detection has solely relied upon assessing calls against predetermined rules and thresholds. The fraud analyst then reviews the data for each suspect subscriber and assesses whether or not fraudulent behaviour is present. At the heart of the Cerebrus fraud detection solution is a unique and advanced application of neural network technology. This mimics the way in which humans match patterns and profiles in order to detect fraudulent activity. Unlike a human, however, the technology systematically and reliably examines tens of millions of subscriber profiles each day enabling a rapid response to suspected fraudsters. Complemented by conventional detection and database approaches Cerebrus combines the power of multiple technologies effectively. Its real time feature set constantly monitors subscriber activity, rapidly highlighting fraudster activity while powerful analytical and learning capabilities continuously enhance the fraud analyst s effectiveness. Through the application of Cerebrus solutions telecommunications operators are able to reduce their exposure to fraud; protect high value services; enhance overall customer profitability and cost effectively reduce financial losses for the business. Issue 2.2, September 2001 Page 12 of 12

8. Case Studies 8.1. Case Overview A - Operation Apollo, Premium Rate Service fraud 8.1.1. Summary Motive: To make money Means: Premium Rate Services (Revenue Fraud) Mode: Surfing and Subscription Method: Fraudulent application, payphones, cloning (analogue mobiles), security guards (customer lines) and telecoms engineers (test and spare lines) Losses: Estimated to exceed 1m over the period of the fraud (approximately18 months). 8.1.2. Overview The enquiry, which began in 1991, was jointly conducted by BT s Investigation Department and West Yorkshire Police, with the assistance of Regional Crime Squads. The case concluded with about 25 prosecutions up to 1995. In total, almost 100 people were arrested in connection with the alleged fraud. At the centre of the fraud was a chat-line PRS based in Manchester, UK. The PRS provider employed a number of people on a commission basis where earnings were related to the total call minutes for each employee. This commission structure generated lower level frauds within the PRS where chat-line operators themselves would seek to increase their own remuneration. Operation Apollo was one of the most significant PRS fraud cases encountered in recent years for a number of reasons. Not only was it one of the most costly in terms of lost revenue, but it was also one of the most complex to investigate leading to limited success in prosecution of those charged. In particular, the courts ruled to dismiss charges against the alleged organiser, the PRS provider, primarily based on the defence s insistence that the jury be allowed to listen to all of the callers recorded conversations with the chat-line employees for the previous six months. As it would have taken over one year to listen to all the tapes it was deemed not to be in the public interest to pursue the case. Charges against the PRS provider have therefore never been proven. The fraud methods employed were diverse. Payphone mechanisms were tampered with to leave calls open for long periods. Fraudulent applications for service were made and long duration calls were placed, often with lines simply being left open and unattended. Cloned mobiles were used to make frequent PRS calls. Security guards, entrusted with their client s premises and armed with a phone line, would call the PRS in return for money or favours. BT exchange engineers were also involved, using spare and test lines to call the service. 8.1.3. Fraud management considerations With the wide range of fraud methods employed, the only way to defend against this type of attack would be to undertake a comprehensive fraud management improvement programme. Examples of application that may be considered in the context of this example are: customer risk assessment to include fraud rather than simply credit risk assessment Issue 2.2, September 2001 Page 13 of 13

security input to the design of hardware and software for payphones to reduce fraud opportunity tailored fraud monitoring services for major business customers supported by specific security guidance in defining their telecommunications security policy control on access privileges and availability of test and spare lines. 8.2. Case Overview B - PRS fraud using autodialing equipment 8.2.1. Summary Motive: To make money Means: Premium Rate Services (Revenue Fraud) Mode: Surfing Method: Auto dialler set to make calls below threshold set for monitoring purposes Losses: Estimated to exceed 300K over the period of the fraud 8.2.2. Overview A telecommunications company used billing system reports to monitor for high usage accounts. Reports were based on calls that were itemised for billing purposes. The default itemisation threshold was ten call units (the duration of a unit varied by time of day and charge band) and so calls of nine units or less would not be itemised. As a result, calls of less than ten units would not be included in the processing for the high usage reports. The fraudsters took advantage of the vulnerability in high usage reporting by manufacturing simple auto dialler devices programmed to make nine unit calls to their PRS number. The devices were combined with telephone line-jack units and included a timing function so that calls would only be made at night. The line-jack units were fitted into a number of unsuspecting business customer premises by a telecoms engineer who was involved in the fraud. The scam only came to light several weeks later when the affected companies received excessive bills. 8.2.3. Fraud management considerations Inside knowledge was used to great effect in this example. A fraud monitoring system that is based on billing data will generally result in detection delays. Near real-time monitoring of all can traffic is essential to avoid similar experiences. Thresholds set for any monitoring device may be evaded if they remain constant. Fraudsters will test systems and attempt to spread usage to avoid detection. Issue 2.2, September 2001 Page 14 of 14

8.3. Case Overview C - Call Selling - Mobile 8.3.1. Summary Motive: To make money Means: Call Selling (Revenue Fraud) Mode: Surfing and subscription Method: Cloned analogue mobiles physically linked to provide 3-way calling with remote activation via a PC/modem interface Losses: Estimated to exceed 300K over the period of the fraud (several months) 8.3.2. Overview A mobile communications service provider did not allow 3-way calling features on their phones in an attempt to limit fraudulent use. In addition, international call barring was in place. A wellorganised call sell operation used a number of cloned mobile phones, fixed to a backboard, that were each hard-wired to a second mobile. The wiring created permitted 3-way calling by using each of the paired phones for a leg of the call (the technique is known as cheeseboxing ). When the cloned handsets were detected and terminated, they would simply be reprogrammed with ESNs and MINs. The configuration produced the hub of a truly mobile call sell operation that could be moved at a moment s notice. To get around the international call barring, one of the mobiles would call a fixed line at a separate location, which would in turn be diverted to the required international destination. The fixed line divert facility could be activated remotely to reduce the risk of capture. Remote control was achieved in this case by having a PC connected to the fixed line, dialling in through a modem from the mobile call centre and programming the divert for each customer call. Similar set-ups have been seen elsewhere and one such operation used a PC in line with the mobiles to track usage and generate bills on account for their call sell customers. Simple spreadsheets acted as a billing system. 8.3.3. Fraud management considerations Service providers often offer a comprehensive range of features to their customer base. In many companies, fraud friendly features are a standard offering (e.g. call diversion/conference calling). Care should be taken in packaging products to consider the risks presented - many customers do not use the many features available. Customer perception of the company offering service may be tainted if they perceive other service providers to be feature rich, despite them not really needing or using additional features. It is therefore necessary in many cases to present the features to market in a way that demonstrates their availability but in a more controlled manner. For example, it may be prudent to include a risk assessment weighting factor where unknown customers request fraud friendly features. Additional controls may also be employed on the network. For example, where call diversion is used, it may be barred from use to international destinations and the number of simultaneous diverted calls may be limited. Such changes to network software are often difficult to implement although some vendors are now providing the means to improve controls. Issue 2.2, September 2001 Page 15 of 15

8.4. Case Overview D - Call Selling - Fixed 8.4.1. Summary Motive: To make money Means: Call Selling (Revenue Fraud) Mode: Subscription Method: Fraudulent application for service with the use of call diversion features to stack calls Losses: More than 100K 8.4.2. Overview A fixed network operator provided two lines to a residential address. A call sell operation operated from the address, which was rented for a short period. One of the lines was used as an admin line to receive daily customer lists via a fax and then contact customers to obtain the numbers that they wished to be connected to. As the call sell operators were contacting customers on the admin line, the call sell line could be programmed with a new international divert in real-time. Once the divert had been set up, the call sell customer would then dial the second line and be routed to their required destination, only paying local call rates. The call stacking vulnerability of many switches allows many simultaneous diverted calls to be in progress for an account. Losses in excess of 10K per line per day are not uncommon. In this particular example, the fraud went undetected for several days and had exceeded 100K losses when controlling action was finally taken. 8.4.3. Fraud management considerations Control of feature use is a significant problem only recently being tackled by some switch manufacturers. Issue 2.2, September 2001 Page 16 of 16

8.5. Case Overview E - Subscription fraud repeat debt 8.5.1. Summary Motive: To save money Means: Non-revenue Mode: Subscription Method: Fraudulent application and Payment evasion Losses: Higher than average bad debts, typically in the range 500 to 1500 8.5.2. Overview Customers who fall to bad debt may wish to retain service and so may re-apply for service using false details. Often, the same address is used but a new identity is assumed. Repeat debtors incur additional account management costs and continue to leave uncollected debts. This type of fraud is often more serious than many companies believe. In one analysis, about 47% of the value of a telco s fraud problems related to non-revenue frauds. As usage is often similar to a normal account, it can be difficult to distinguish a fraud. However, although the identity of the customer may change they will usually maintain the same circle of family and friends whom they call - a calling fingerprint may therefore be established (e.g. top five called numbers for each debt account). This fingerprint can then be used to trace the individuals who owe money and prevent further debts accruing. The validity of this process is enhanced if commonly called telephone numbers are excluded from the fingerprint (e.g. operator services or local amenities). In trials, the automated application of the fingerprinting technique achieved the following results: Repeat debt fraud accounts were detected in a matter of days of the new service being provided rather than weeks after bill despatch. Savings of up to 94% were possible on fraud (repeat debtor) customer accounts (figure based on a monthly average, individual customer peak was higher than this). The average saving in cases actioned in the trial period was 87% against previous debts. Savings of around 6% of total bad debt for the company were indicated to be possible. Cash collected against outstanding debts was significant. Many customers caught by the system converted their accounts back to their real names after paying outstanding debts. Some said they were relieved not to have to continue the deceit that was initiated in times of financial hardship but did not know how to come clean. 8.5.3. Fraud management considerations The customer risk assessment process may be capable of improvement to help detect repeat debtors in advance of service provision. For example, comparison of customer contact numbers or application profiles may identify higher risks. Customer details such as postcode and credit rating could be used to provide more information on which to make a decision. Issue 2.2, September 2001 Page 17 of 17

8.6. Case Overview F - PBX DISA fraud 8.6.1. Summary Motive: To make and save money Means: Revenue and Non-revenue Mode: Surfing Method: PBX dial-through Losses: 300K in one weekend plus unquantified business disruption costs 8.6.2. Overview A major business customer s PBX was successfully compromised. The dial-up number for DISA service was toll-free (free phone) and a hacker managed to reconfigure the PBX set-up to achieve free access to anywhere in the world. Once the PBX was hacked, the details were fed through websites and a large amount of PBX activity ensued over a weekend. The intensity of fraud traffic, combines with continued tampering with the system configuration, led to PBX failure and several days loss of service. This fraud led to many further business problems including a wealth of complaints from people attempting to contact the affected customer. 8.6.3. Fraud management considerations Business customers will often neglect the security of their own switches. Telco s can help in offering appropriate guidance on switch security. The fraud management system may also be used to identify fraud on behalf of the customer - an excellent marketing tool for the telco. Issue 2.2, September 2001 Page 18 of 18

8.7. Case Overview G - Subscription fraud 8.7.1. Summary Motive: To make money and to save money Means: Revenue and Non-revenue Mode: Subscription Method: Fraudulent application, Payment evasion Losses: 3m per month 8.7.2. Overview A medium-sized telecommunications company relied on simple reports from the billing system to detect fraud. Detected frauds were allowed to run for some time to facilitate prosecution. Losses climbed rapidly peaking at more than 3 million per month and threatening the viability of the organisation. A fraud system and management procedures were implemented and over the following 3 months fraud losses were brought under control dropping to approximately 50k per month. 8.7.3. Fraud management considerations This case demonstrates what happens when the fraud management focus is entirely upon investigation. Although there was a considerable amount of resource deployed it was focused in the wrong direction and was not addressing the issues that would have reduced the problem to manageable proportions. Issue 2.2, September 2001 Page 19 of 19

More Information For more information on telecommunications fraud and counter-measures please contact Agilent Technologies: Russell McCormack Business Development Manager Agilent Technologies Tel: +44 131 331 6782 Fax: +44 131 331 7108 Mobile: +44 7765 897061 Issue 2.2, September 2001 Page 20 of 20

Email : Web Site: russell_mccormack@agilent.com www.agilent.com/cm/oss.shtml All figures, data and other material contained in this publication are typical and must be specifically confirmed in writing by Cerebrus Solutions before they become applicable to any tender, order or contract. Cerebrus Solutions takes every precaution to ensure that all information contained in this publication is factually correct but accepts no liability for any error or omission. No freedom to use patents or other property rights is implied by this publication. CEREBRUS SOLUTIONS LIMITED 2001 Agilent Technologies September 2002 5988-7753EN Issue 2.2, September 2001 Page 21 of 21