Post on 26-Dec-2015
Cox Loss Prevention and Revenue ProtectionCox Loss Prevention and Revenue Protection
Presentation to:Presentation to:
2012 IURPA / SCRPA / SURPA Conference
Tom BrandonTom Brandon
CPP, CUSACPP, CUSASecurity and Risk Manager, Cox Communications CaliforniaSecurity and Risk Manager, Cox Communications California
Mark MatteoMark MatteoSecurity and Investigations Manager, Cox Communications North East Security and Investigations Manager, Cox Communications North East RegionRegion
June 14, 2012 New Orleans, LAJune 14, 2012 New Orleans, LA
ObjectivesHistory LessonOverview of Cox Communications
ThreatsTheft of Service
ObjectivesBest practicesYour crooks could be our crooks
Networking and resourcesShared Challenges
Cox CommunicationsCox Communications
Cox Enterprises—Atlanta GeorgiaPublishing, News Services,
Mannheim Auto AuctionsAtlanta Journal-Constitution,
AutoTraderCCI California—Mission Cable TV
Local EntrepreneursSan Diego Geography & Topography
Today…
Cox Communications CaliforniaNow 6 systems in US
1.6 Million revenue generating unitsHigh Speed Internet 55mbps/5mbps523 HD choices2008/2009 Best Place to Work
More about the Company…1962—12 channels1970s Orwellian Fears:Late 70s:
DeregulationExpansionTechnology explosion
90s: High Speed InternetTelephoneDigital Video—High Def
Theft of Service DeterrenceCalifornia Penal Code 593d
Cable theft law enacted in 1982Utilization of Citizen’s ArrestRestitutionAnalog CATVPiracy not a factor todayTechnology has hardened the systemTelephone and High Speed Internet
TodayCox BusinessDigital = Security…for now
What,____ __ _______?
On the Surface:
1 Not guilty 7 Enter Plea 10 Jury trial 70 Plead Guilty 80 TOS Arrests
Below the surfaceBelow the surface:
Deterrent affect keeps tens of thousands from stealing basic service.
Also, FCC Also, FCC •Requirements: CLIRequirements: CLI•Network QualityNetwork Quality
Average Annual Theft of Service (TOS) CasesAverage Annual Theft of Service (TOS) Cases
Basic Theft of Service Program
Field Audit
Field Employee
Anonymous Call
Customer
Investigator Develops Case
Makes contact, executes “Citizen’s
Arrest”
Calls Law Enforcement
Agency to Accompany
LEA Officer writes citation for PC593d
Case submitted to District Attorney’s
Office
Typical Field Audit Inspection71,00071,000 non-subscriber addresses were
audited by Network Inspectors in a recent 12 month period
5,0005,000 accounts were found active without billing
800800 of those accounts were possible theft of service
Unauthorized Active ConnectionsUnauthorized Active Connections
Percent of Poss ible Theft Locations Found Reactivated
94%
6%
Rechecks
Back On (Not all UAs are investigated)
Examples:•Non-Cox equipment•Resident admits theft•Blatant tampering•Neighbors' service affected…
Investigation of UA ActivityInvestigation of UA Activity
1%1% theft rate National average for CATV theft is about 2.1%2.1%
$23 Million in franchise fees to local governments annually—California alone…
Impact of TheftImpact of Theft
Challenges 2012…Reduced Restitution amountsA few cases “dropped”…The average request of the court by Cox
is $1,200 and includes investigation expenses.
The actual damages for a one month theft is about $40…not much of a deterrent.
PC593d allows for $5,000 or 3x actual damages.
Real impact is on network quality“Cumulative Leakage Index” CLIInterference from signal ingress
New ChallengesRetail Stores: Bill Payment
CentersRobbery Prevention
“Solutions Stores”: Retail CentersRobbery PreventionLoss PreventionShopliftingCommercial Burglary Fraud - Identity Theft
Investigation Process
Employee
Customer
Law Enforcement
Leader
OLTB/ Other Anonymous
Source
Quality Assurance
Security
HR
Community Relations
IT
Corp Legal/Security
Employee Leader
Investigationo Policy Violationso Civil Codeo Penal codeo Disclosureo Preserve
Evidenceo Chain of Custodyo Secure PC/Datao Office Spaceo Telephone
Records
Law Enforcement Agency(If Necessary)o Determine PC
violationo Advise on
investigationo Request evidenceLeadership/HRo Employee actionCommunity relations
Finance
More Challenges
“Copper theft”Law Enforcement LiaisonTerritoryEquipment Thefts
“Node”
Equipment theft cases
Partnering with other MSOsLaw Enforcement liaisonGPS technologyEducating field technicians
Other Security IssuesField Employees:
Irate Customers—threatsCrime avoidanceCrime accusations
Bill Payment CentersNetwork Abuse--FraudHR Meetings
Field EmployeesThreats
Emergency Notification Team Communication, stop any field visitsInvestigate, LEA, EvaluateContact: Sometimes term service.
Crime AvoidanceTraining: Avoid, Adult, Accompany,
AlertUrge law enforcement reportingEmployee privacy
HR MeetingsZero Tolerance PolicyTraining
Meeting conductPlanningVisual indicatorsSecurity Involvement
Interview Room—100% Telephone Interview, ship personal items, check
Visitor Procedures, Access ControlEAP
Business Continuity Planning
Fraud: Guarding Customer Information
Customer InformationPolicyTrainingQCForensic Resources
InvestigationsSecurity Role: Policy or Penal Code?Victim or …Law enforcement liaisonChain of custody, etc.
Threat MitigationTheir problems become
our riskEmployees personal
issues Trespass Vandalism Hacking attempts Active Shooters Weapons on Site
(pepper spray) Business disruptions Performance issues
MitigationRelationships
Employees Leadership HR
Awareness Reporting process
Social Engineering
Social EngineeringSnead Ring
Victimized 50 + individualsUsed call forwarding scam to confirm bank
transfers and new credit cardsServing 11 years… Plea agreement 32 counts
of identity theft, credit card fraud, and access device fraud “if imposed consecutively, the maximum penalties for all offenses to which Defendant is pleading guilty are 298 years imprisonment; a fine of $ 8,000,000; and a term of supervised release of 88 years.”
Fraudulently Obtaining Customer DataPrep work
ResearchEx-EmployeesSocial MediaProbingPhishing / Vishing
AttackPosing as Home Office (Corporate)Knowing the “Lingo” and Tools“Test Account”Confirmation
Tools & TechniquesCaller ID SpoofingModem Cloning IP and MAC Spoofing
Caller ID Spoofing
Modem Cloning
IP and MAC Spoofing
Subscriber Fraud
CASE 1ST CLAIRE INC / UNITY RADIO (2 DUMMY
CORPORATIONS)INTERNATIONAL CALLINGCALLING CARDSOVER $80,000 IN LOSSES
CASE 2Michael Grimes 2003 – Present ACCOUNTS SET UP UNDER STOLEN IDENTITIES. FOR $150.00 GUARANTEED HIS “CUSTOMERS”
MINIMUM 4 MONTHS OF SERVICE (NAMES AND SS#s PASS CREDIT CHECK) 200 + FRAUDULENT ACCOUNTS
OVER $150,000 IN LOSSES VOICE, VIDEO, DATA, EQUIPMENT
100+ DIGI / DVR / HD SET TOPS ($250 - $500 PER)Used same stolen identities and process to set up
accounts with power, gas, and telephone Utilities.
Michael Grimes
ID Defendant Name or Alias Birth Year Case Number Case Name Case Status
132710 CARTER 1966 62-2003-11173 MICHAEL GRIMES Disposed
132710 CARTER 1966 P2-2010-2157A MICHAEL GRIMES Disposed
132710 CARTER 1966 62-2007-07440 MICHAEL GRIMES Pending
132710 CARTER 1966 N2-1997-0213A MICHAEL GRIMES Disposed
132710 CARTER 1966 P2-2007-1799A MICHAEL GRIMES Disposed
132710 CARTER 1966 P1-1986-0833A MICHAEL GRIMES Disposed
132710 CARTER 1966 62-2005-20541 MICHAEL GRIMES Disposed
132710 CARTER 1966 P2-2006-2445A MICHAEL GRIMES Disposed
132710 CARTER 1966 62-2007-09900 MICHAEL GRIMES Disposed
132710 CARTER 1966 62-2007-07439 MICHAEL GRIMES Pending
132710 CARTER 1966 21-2001-00078 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL 1966 62-2007-09900 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 N2-1997-0213A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 P1-1986-0833A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 P2-2006-2445A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 P2-2007-1799A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 P2-2010-2157A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 62-2007-09900 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL 1966 62-2007-07440 MICHAEL GRIMES Pending
132710 GRIMES, MICHAEL 1966 62-2007-07439 MICHAEL GRIMES Pending
132710 GRIMES, MICHAEL 1966 62-2005-20541 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL 1966 62-2003-11173 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL 1966 21-2001-00078 MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL 1966 P2-2010-2157A MICHAEL GRIMES Disposed
132710 GRIMES, MICHAEL A 1966 21-2001-00078 MICHAEL GRIMES Disposed
EASY TARGETCUSTOMER FRIENDLY BUSINESSDRIVEN BY SALESLIMITED IDENTIFICATION (WHO’S REALLY
ON THE OTHER END OF THE PHONE / KEYBOARD)
NAME AND SS# MATCH / CLEAN CREDIT CHECK???
DEPARTMENTS EFFECTEDCOLLECTIONSCUSTOMER CARE WAREHOUSE / INVENTORY FIELD (RESOURCES DEDICATED TO INSTALL /
SERVICE FRAUDULENT ACCOUNTS INSTEAD OF PAYING CUSTOMERS)
SALES / MARKETINGACCOUNTING / FINANCESECURITY / LOSS PREVENTIONLEGAL
RED FLAGSMULTIPLE ACCOUNTS UNDER THE SAME NAME AND
SS#VARIED SPELLINGS OF NAMESVARIED SS#sHIGH CHURN RESIDENCES WITH RECURRING NON-
PAYSHIGH LONG DISTANCE / INTERNATIONAL CALL
VOLUME WITHIN FIRST MONTH OF SERVICECOMMON BILL TO ADDRESSESMISMATCHED SERVICES (IE MULTIPLE PHONE LINES
IN A 1 BED ROOM APARTMENT)
OTHER RISKSLAW ENFORCEMENT
UNTRACEABLE / UNIDENTIFIABLE SUBSCRIBERS
INACCURATE INFORMATION ON WARRANTS AND SUBPOENAS
IDENTITY THEFT VICTIM
CREDIT HISTORYWRONG PERSON
(WARRANT)
CHANGE IN PROCESSDEVELOP DETECTION METHODS BASED ON
COMMON CHARACTERISTICS OF SUBSCRIBER FRAUD.
MONITOR DATABASE FOR SIGNS OF FRAUDEMPLOYEE EDUCATION & TRAINING (SIGNS OF
FRAUD)FRONT END Q/A OF SALES AND CUSTOMER CARE /
PROCEDURES IN PLACE FOR LIMITING VULNERABILITY
ACCOUNTABILITY
Questions?