Innovative Fraud Monitoring Identifying and combatting fraud in real time January 2014
Technology and Shrinking Margins Easier to commit fraud more incentive to do it
International Call Termination Originating Service Provider Wholesalers International PTT Local Carrier Caller Carrier VoIP Gateway Called Customer Normal Scenario Call Attempt triggers distant ringing Answer Signal triggers billing in all switches $$$ $$ $$ $$ $ Payments for call termination Note: The technical name for the answer signal is Answer Supervision 3
False Answer Supervision (FAS) Methods Originating Service Provider Wholesalers International PTT Local Carrier Caller Carrier VoIP Gateway Call Attempt triggers distant ringing Called Customer FAS - Early Answer Early Answer Signal triggers billing in previous switches $$$$ $$$ $$$ $$ $ Payments for call termination Caller Originating Service Provider Carrier Wholesalers VoIP Gateway Recording simulating ringing or artificial answer FAS - Recording Scenario Answer Signal triggers billing in all switches $$$$ $$$ $$$ Payments for call termination 4
Premium Rate Fraud Originating Service Provider Wholesalers International PTT Local Carrier Premium Rate Recording Caller Carrier Called Recording $$$$$$ $$$$$ $$$$$ $$$$ $$$$ Payments for Premium Service $$ Payments for Call Generation 5
Two main methods of detection Test Call Sending (FAS Detection) Depends on the availability of probes in the distant destination Probes are focused on mobile networks problematic to install in OLO networks in each country Test calls costs money and the chance of hitting intermittent FAS is not high FAS carriers can watch for source or destination details of test calls and route those to a high quality network Statistical Analysis and Comparison of Call Detail Records All destinations and countries can be investigated Identifies fraud based on patterns and finger prints Complex to identify intermittent fraud and to avoid false positives of normal customer behavior Focus of the rest of this talk 6
The Challenges of Detecting FAS An individual CDR can tell you nothing about the validity of the call Valid customer behavior all calls to voicemail can mimic the tell-tale signs of FAS FAS is no longer destination specific eg Cuba. Any destination worth more than a few cents is a cost effective target 26% of 1000 destinations had some FAS in a typical month FAS is no longer long term in nature a few hours on one destination, then a few hours on a totally different one will be invisible to most detection systems Carriers can get into business for a few thousand dollars or can lease switching capacity. They can also form multiple entities to muddy the trail Finally, our Sales colleagues do not want to lose valid (reasonably valid?) supply 7
What do we know about an FAS call? Call connect rate is usually higher than normal Average length of call is lower Time to answer is more uniform OK so look for lower average duration and higher ASR. ACD 6.2 mins Average hides a lot of details 8
Distribution of Answer Delay 60 Normal Distribution Answer Delay Number of calls 50 40 30 Average Delay: 10 seconds 20 10 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Average is not sufficient: Move to Second Order Moments to describe the shape of the data 350 300 250 200 150 100 50 0 FAS Distribution of Answer Delay Number of calls Average Delay: 8.5 seconds 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 9
Higher Order Statistical Moments Standard Deviation: Measures the width of a set of data points to assess the distribution of values Variance: How far are the values separated from each other Co-Variance: Measure of the relationship between two variables Entropy: Level of uncertainty in the set of values, which can indicate if there is a high correlation around a particular call set up time that is invisible in the average measurement That is probably enough statistics but this is the analysis you really need to spot intermittent FAS without False Positives 10
How about Premium Rate Fraud? Two broad approaches: Use intelligence gathering likely destinations, likely numbers and then look for changing traffic patterns to those destinations Identify the underlying patterns that indicate fraud What are those patterns? Calls start from a small range of originating numbers and terminate to a small range of destination numbers Low level of volume to test access and connections Step change in volume as multiple parallel calls are made Deep statistical analysis of all call detail records can similarly identify these subtle changes in calling behavior 11
Summary Fraud is a growing industry problem the migration to VoIP equipment has made it worse The traditional approaches compare average durations, average connection rates, average connection time between carriers can easily be beaten by skilled fraud operators Fraud has certain finger prints that can be identified and tracked using Big Data statistical approaches Continued evolution of statistical systems can identify Fraud with a high degree of confidence 12
HOT TELECOM