International Revenue Share Fraud

International Revenue Share Fraud (IRSF) is one of the telecom industry’s most enduring problems.  Yet many of us who are familiar with IRSF have only a foggy notion of how it works and how operators around the globe are coping with the issue.

Well, here to give us a first class briefing on IRSF is a true international expert on the issue, Colin Yates, who only a few months ago left his post as the head of Fraud Management at the Vodafone Group to start a consulting practice.  Our interview covers the bases: the origins of IRSF, typical fraud scenarios, efforts to get international cooperation on the issue, and the future outlook of IRSF.

Colin Yates Yes, Dan.  It started on the internet and has gradually migrated into mobile and fixed line networks

It was around 2005 or 2006 when IRSF fraud termination in the Pacific Islands really accelerated as a fraud issue.  New technology is what’s really opened up opportunities for fraudsters.

In particular, you can trace the rise in mobile fraud to the success of mobile marketing, particularly the ease of obtaining a Simcard for international roaming.  Most of the fraud methods in those early days involved getting access to SIM cards and using them while roaming to call international revenue share numbers, knowing it would take 24 to 36 hours for those call records to get back to the home network.

In that window of opportunity, the fraudsters could dial as many IRSF numbers as they could before the home network became aware of the traffic and terminated the simcard.

As mobile phone technology progressed, we gave them the smartphone with the ability to make 6 simultaneous calls by utilizing the conference call facility on the handset.  On your mobile handset, you can call a number, put it on hold, then call a second number, put it on hold, etc.  So if the bad guys make 6 calls at once off of one SIM card, at $5 a minute, that’s a pretty nice income.

There were other features as well.  International call forwarding was another boon to fraudsters.  You could call forward a fraudulent simcard to an IRSF number in Somalia for example, make a local call into the forwarded device and have that automatically transferred to an IRSF number in Somalia, which could be repeated after each call connected.

Over the last six or seven years, I would say IRSF has changed character, but the problem has not abated.

Back in 2005 or 2006 timeframes, it wasn’t unusual to hear about a fraudster armed with four SIM cards pulling in $100,000 of revenue over a weekend of calls.  The more organized groups with 40 to 50 hijacked SIM cards could pull down several million $ over a weekend.

Then, about four years ago the GSM association approved a project to implement Near Real-Time Roaming Data Exchange (NRTRDE), allowing operators to get their hands on their international roaming call data much faster.  That new process reduced that 24-36 hour time period between the fraud taking place and getting the roaming records at the home network.  So NRTRDE was key to reducing the IRSF window to only 4 hours, which helped to take away many of the big fraud hits.  However despite this initiative, if you have a Fraudster operating with a cluster of 30 or 40 cards with a number of ‘Mules’ making calls at the same time, you can still do plenty of damage — even in 4 hours, this level of activity can result in losses in the $50,000 to $100,000 range.

A lot of the calls were related to premium rate services around the world.  Once again, technology advancements made it easier for the fraudsters to inflate traffic into high value premium rate numbers.  There are now software based techniques to block international premium rate numbers from being completed, which helps operators reduce this risk.

Why Certain Countries are IRSF Destinations

To get around the issue of blocked international premium rate numbers, fraudsters have picked on countries that have high interconnect or termination rates.  If I made a call from the UK into AT&T for example, the international call rate might be 2 cents a minute.  That’s the charge AT&T will bill BT for terminating the call in the U.S.

But in countries such as Cook Island and many other small countries in the Pacific, their international termination rate is more like 60 cents a minute.  This high termination fee is a magnet to fraudsters.  It means the fraudster can make money in a much tighter window.

A common issue now being experienced by the industry is number misappropriation or number hijacking.  For example, a call from the UK to a Pacific Island country code may never get there.  It will be stopped somewhere in the call routing chain and rerouted to an information line, chat line, fortune telling, etc, or simply terminated onto a ringing or other tone

Fraud management teams around the world are closely monitoring the fraud calling destinations and as fraud numbers become known, may block these numbers at their switches Unfortunately , the precise numbers being exploited change on a daily basis and it’s a constant challenge to keep up with these new numbers.

I know the stop payment option on known fraudulent numbers seems like a good strategy and an obvious way to go.  Unfortunately, we tried doing that believing that if we could stop the money flow, we would disrupt the fraudster’s business case, but we failed.  The problem is, to do that, you need cooperation from every operator in the call transit chain.  The fraudulent calls may pass through 6 or 7 operators to get to their termination point and getting agreement from that many operators is very difficult.  Now you might be able to get 4 out of 5 operators to cooperate, but invariably there’s one operator who won’t give you the routing information you need to identify who they routed the call to.

Bound by International Agreements

In essence, carriers are bound by international agreements for roaming and interconnect payments.  And as you might expect, the terms of these agreements were made long before IRSF came into existence.  The basic GSMA roaming agreement for example, which is bilaterally agreed between two operators says that the originating operator must pay for all calls originating from his network — whether it is fraud or not.

It’s a big controversy and I personally feel that the originating carrier has the right to know how his call was routed.

When it comes to payment time, each operator just pays the operator he passed the calls off to, with no knowledge who is next in that payment chain.

The Body of European Regulators (BEREC) are beginning to appreciate this issue more, and are currently talking about how to make it easier for operators to extract the details of exact routing of every call that may have been made fraudulently.  That would be a very big help indeed.  It will help operators ultimately to stop the money, which will reduce the problem, but the fraudsters will simply move onto something else.

More and more business customers are now moving to IP-PBXs and this can actually make it easier for technology savvy fraudsters to penetrate and use this access for IRSF.  However the vulnerabilities of some traditional PBX’s, which have allowed fraudsters easy access to networks for the past 10 years or so, are still cropping up on a weekly basis.

And the people involved are more sophisticated now: it’s organized crime, people who can afford to hire those with the knowledge to penetrate any controls put in place.

As the industry works on LTE and next generation networks and making sure we have effective security controls around that, we can guarantee that groups of fraudsters are also working hard to break those defenses.

I have no doubt that fraudsters will find ways around every obstacle we put in front of them.  They always do.  This is not their hobby, it is their business.

Going back six or seven years, most of the IRS fraud was called through fraudulent SIMs that were roaming.  But now we’re seeing a lot more through PBXs.  For instance, there are some groups based in the Philippines who are continually dialing out to nations of the world looking for a PBX that they can hack.  This could be through an insecure DISA line, a maintenance port or any other vulnerable entry point where they can gain access to an outgoing trunk.  They then contact their organized crime associates who pay them for that information and then use the access it provides to make IRSF calls.

Today, many in the industry believe that the PBX has become more common as an IRSF enabler than the mobile phone with fraudulent SIMs.

Yes, various industry groups maintain a database of the latest fraudulent numbers.  A lot of information sharing goes on between operators who accept that fraud management is a non-competitive area of the business.  If a range of fraudulent numbers is found in say, a small African country, these will get reported through industry forums such as the GSM Association or the Communications Fraud Control Association, and a hot list is generated.

This is one area where Xintec offers a viable solution to keep the hot lists updated.  That helps you identify the known numbers being used for fraud and these are being updated on a daily basis.  Unfortunately someone has to have a fraud hit to find out what these new numbers being used are.

Well, the Pacific Island operators are very concerned at the impact this number hijacking is having on their customers, their communities and their reputation with other international operators.  This is something which is out of their control and really, they are also victims of this fraud.  Some of these islands only have a customer base of 2,000 or so people and some operators around the world are blocking the whole range in an Island from receiving calls because of a perceived fraud risk.  So if an islands number range is hijacked, it may take a couple of days before the routing returns to normal.

Typically we know the country codes where revenue share fraud is taking place, so Fraud Detection System thresholds on calls to those countries will to try to identify them early.

I’ve been recently working with the Pacific Island Telecom Association.  Because most islands have such high termination rates, they are very popular for revenue share.  The majority of Pacific Islands won’t entertain relationships with any of the number aggregators offering the numbers.

The fraudsters will likely have a relationship with a dishonest or unscrupulous operator which could be a traditional or Voice over IP operator who will terminate the traffic destined for those islands outside that country.  We call it short-stopping.  They will stop the call before it gets to the correct country, so it can be terminated into another country onto a voice mail system, information line or recorded message.  That’s instead of forwarding the call through the approved routing for termination in the correct country.  Because it’s a Pacific country code, it’s still billed at around 60 cents a minute instead of a few cents if the real termination rate for the country where it actually terminates was used..

Dan, IRSF scenarios can be very confusing and the fraudsters have an interest in keeping it that way to cover their tracks.  The following diagram and explanation shows a typical IRSF scenario using mobile roaming.

International Revenue Share Fraud Mobile Roaming Scenario

The flow of the IRSF case above is as follows:

  • Fraudster obtains Simcards (fraudulently) from the HPMN (Home Network) and takes these across an international border to a VPMN (Visited Network) and calls IRS numbers
  • HPMN receives no payment for these calls but must pay the VPMN for their origination
  • VPMN must then pay Carrier 1 to whom he passed the call.  In turn, Carrier 1 must pay Carrier 2, and so on, until the payment reaches the IPRN (International Premium Rate Network) provider.  The IPRN will, in turn pay Content Provider for supplying its content and keeping the call minutes as long as possible to increase the billing charge.
  • Content Provider will have a relationship with Fraudster who shares the proceeds.  Often the IPRN provider and the content provider are the same person.
  • In this case the IPRN provider will have leased or purchased number ranges from the Number Range Holder

How Fraudsters Advertise Themselves

Frankly, IRSF is a fairly easy business to get into.  Do a Google search on international premium numbers and you’ll see how many International Number Aggregators are advertising for business.  It’s all there: a sign up form and a registration page detailing how much they pay you for generating traffic to their numbers, which in some cases may be hijacked ranges.  What they are looking for is companies and individuals who are willing to drive or inflate traffic to those phone numbers.  And the numbers are often provided, and payments settled on a 15 to 30 day basis.

Between 2009 and 2012, the number of sites has increased 140%.  So there are more fraud groups who are realizing the monetary benefits of this fraud.  In short, the number of fraudsters is increasing.

It is important to emphasize that not all revenue share number aggregators are fraudsters.  There are legitimate operations out there who are offering genuine terminations into the correct country for various information services, voting lines etc.  However my own analysis of the huge increase in the number of sites offering these numbers would indicate that many of these sites are either advertising numbers without the authority or knowledge of the number range holder, terminating the numbers against ITU recommendations, or not performing any due diligence on those they are supplying the numbers to.

The fraudsters live and operate all around the world.  There are many in Europe, the Middle East and Africa and South America.

The IRSF Number Providers

The number aggregators involved in this are generally not licensed telecom operators at all.  I guess the closest description would be to call them international revenue share number providers.  They are not really premium rate number providers as most of the numbers they are terminating calls on are not classified as premium rate under the ITU definitions, but simply assigned or unassigned numbers into a country which attracts a high termination rate.  But they are not licensed by any government or agency nor do they report to any regulatory authority.

They are offering numbers in countries where they have no relationship, particularly some in the Pacific Islands.  The operators in those countries have no idea that their numbers are being compromised until they are advised by another operator, or receive complaints from their customers.

There are however many telecom operators around the world who are prepared to offer their numbers to these number aggregators either on a lease or revenue share basis.

Why It’s Hard to Detect and Reconstruct IRSF Cases

It’s often difficult to get law enforcement involved in investigating IRSF because generally it’s so complex as it crosses so many international boundaries.  A typical example could be where you have a SIM card from the UK being obtained by a fraudster using a stolen identity and shipped to another fraudster in Spain to make calls to revenue share numbers in Somalia, with the fraudulent proceeds being transferred to a criminal gang in Pakistan.  So in that case you’ve got three international boundaries to sort out with fraudsters operating in 3 or 4 different jurisdictions.  So the police often throw up their hands citing the jurisdictional issues and uncertainty of where the actual fraud occurred. .

You need two sides to make it work.  At the terminating end, the idea is to keep the person on the line as long as possible to drive up the fraudulent revenue.  It may be just a voice recording asking you to hold.  Or they might say, “You’ve just won a prize.  Please wait for more details”.  Other fraudsters will just have a reoccurring message to keep the caller on the line.  They might keep a call open for close to 60 minutes.

Of course, the person calling is usually a fraudster as well.  In some cases, they will terminate the call at say 55 to 57 minutes knowing a number of fraud management systems are programmed to alert for calls that are an hour or longer to a high risk destination.

So there are two scenarios.  You have some calls that are automatically generated.  And then consumers are calling the numbers.  And there are cases where consumers are looking for an opportunity to make some money.  In the end someone has to pay to terminate these calls, but if there is no customer to bill because the connection is fraudulent then the originating operator has to pay and carry that loss.

Yes, when I left my job as Group Head of Fraud Management at Vodafone in July 2012, Xintec offered me the opportunity to become their consultant.  When I was first getting into the fraud management business, I started talking about the need for the industry to have a lower cost entry level into fraud management systems for smaller operators.

Their solutions have become very successful for tier 2 or 3 operators.  With Xintec, operators have the opportunity to do 80% of their fraud detection without spending a million dollars.  It’s a good business model.

Actually, Vodafone was moving towards that model — a shared service centre environment with one or two centralized fraud management systems that collect core records from other countries.

But privacy issues were just one roadblock.  It’s hard to get the authority for local operators to send their call records to another country.  In the end, this is why we started implementing Xintec solutions into some of our smaller operators.  It ended up being a lot more cost effective as an interim approach until the day when they can establish a centrally managed system.

I think there’s huge potential for group operators to move to a shared fraud management model, and the trend towards cloud-based solutions will probably speed that along.  As I’ve said, political and data sharing issues are blocking the move right now and these may take a long time to resolve.

Thanks, Dan.  IRSF is a huge problem that the industry finds difficult to manage.  Unless we start getting some localized legislation in countries to stop the money flow, it will continue to be difficult to manage.  Stop the money and you stop the problem.

In my view, the operator shouldn’t be paying money when they know that at the end of the payment chain, a percentage of this is going to get into the hands of fraudsters.  In my view, this money is the proceeds of crime and payment could constitute money laundering.  It is not possible to just pay the legitimate carriers involved in transiting these calls, as in the absence of any transparency in the call routing, it is not possible to identify where in that call routing the call is being terminated.

Leave a Reply

Your email address will not be published. Required fields are marked *