Understanding IRSF fraud (English)


Transcript of Understanding IRSF fraud (English)

[email protected] - +33616370912


What is IRSF Fraud (International Revenue Share Fraud)

A compilation of various information on the subject


International Revenue Share

What is the International Revenue Share

For each call (voice, data) sent from country A to country B, several operators are involved in routing the communication, so the revenue has to be shared:

• HPMN (Home Public Mobile Network), the home network of the subscriber who makes the call
• VPMN (Visited Public Mobile Network), the network visited when the subscriber is roaming in another country
• One or many carriers
• An IPRN (International Premium Rate Number) provider
• A content provider
• Others…


Each party involved in delivering the communication invoices its transport costs to the upstream party according to a bilateral agreement.

Use case 1) Roaming. A subscriber of an operator in country A (HPMN) is traveling in country B and uses the services of an operator in the visited country (VPMN) to receive and make communications.

• A "Data Clearing House" accumulates monthly, on behalf of the HPMN, all calls (incoming and outgoing) of the roaming subscriber in country B
• The HPMN bills its client (the subscriber) for the roaming communications according to the tariff plan defined at subscription (post-paid or pre-paid)
• So there is revenue sharing (paid by the subscriber) between HPMN and VPMN


[Diagram: HPMN in country A and VPMN in country B, with bill and payment flows through the Data Clearing House.]

The amount paid by the subscriber is shared between HPMN and VPMN


Each party involved in delivering the communication invoices its transport costs to the upstream party under a bilateral contract.

Use case 2) Calls to an IPRN (International Premium Rate Number). A subscriber of an operator in country A (HPMN) calls an International Premium Rate Number (IPRN) located in country B.

• In this case the HPMN sends the call to a carrier, which routes it to the operator in country B that is a premium rate number provider (IPRN provider). The content provider bills the IPRN provider (operator)
• The IPRN provider pays the content provider
• If different, the IPRN provider bills the local operator
• The local operator bills the carrier
• The carrier bills the HPMN


[Diagram: Country A (HPMN) and Country B (local operator, IPRN provider, content provider), linked through a carrier, with arrows labelled calls, invoices and payments.]

The amount paid by the subscriber is shared between all the parties involved


What is International Revenue Share Fraud

Definition
– IRSF is the use of fraudulent access to an operator's network in order to artificially inflate traffic to premium rate numbers obtained from an international supplier of premium numbers (International Premium Rate Number Provider), for which the fraudster receives payment (on a revenue-sharing basis with the supplier) for each minute of traffic generated to these numbers.

Assessment
– An activity which affects over 250 countries
– There are thousands of numbers and destinations chosen by fraudsters
– Fraudsters do not distinguish between large and small operators, or between good and bad service providers
– They use methods that are more and more sophisticated and difficult to detect


International Revenue Share Fraud

The steps of IRSF fraud

The first step for a fraudster is to gain access to a network; he must then obtain revenue-generating numbers from a premium rate number provider (IPRNP). He then generates calls, usually with a call generator. The operator that has a payback agreement with the premium rate number provider pays the provider part of the call charge, which is shared with the fraudster. That operator charges the upstream carrier or operator for the cost of call termination, and so on up the chain to the "client", the calling number, which often does not exist.


How the fraudster can access a network
– Subscription fraud: the fraudster uses false identities, false bank accounts, etc.
– SIM cloning: the process of copying the SIM card information. Several hardware and software tools exist on the market to copy a SIM card and find the Ki key
– Theft of mobile phones or SIM cards
– PBX hacking: there are several ways to hack a PBX. These attacks succeed because the premises are not monitored, passwords are left unchanged, etc.
– Access to a subscriber's voicemail


Some types of IRSF fraud (1)
• Call without leaving a message, fake recorded message, or international call forwarding
– Fraudsters use call generators to call a large number of mobile or fixed phone numbers. The call usually rings once. The number displayed on the recipient's phone is a high-cost international number, usually located in the Caribbean. The recipient calls back the number displayed and is greeted by a message designed to keep them on the line as long as possible. The longer the caller stays on the line, the more revenue the scammers generate.
– Example for the USA: the area codes used for the falsified numbers are those of Anguilla, Antigua, Barbados, the British Virgin Islands, Dominica, Grenada, Montserrat, and the Turks and Caicos Islands (West Indies). The numbers of these countries are part of the North American Numbering Plan, so callers do not need to dial 011 as for other international calls.


Some types of IRSF fraud (2)
• Acquisition / illegal use of SIM cards
– Fraudsters illegally acquire SIM cards, divert the SIM cards of unsuspecting customers, use the SIM cards of stolen phones, or obtain SIM cards through fraudulent subscriptions
• PBX hacking / call forwarding
– Use of maintenance access codes to generate large volumes of calls to international premium rate numbers, or hacking of the web interfaces of PBXs or other equipment
1. The fraudster accesses the PBX web interface and configures call forwarding
2. The fraudster calls the hacked number
3. The hacked PBX routes the call to the service provider switch
4. The switch sends the call to the IRSF number


Some types of IRSF fraud (3)
• PBX hacking / "blind" call transfers
– Blind call transfers are a sophisticated technique that doubles the international revenue share fraud while making the fraud more difficult to detect
1. The fraudster hacks the PBX to make IRSF calls
2. The PBX sends the SIP INVITE to the supplier's softswitch
3. The softswitch routes the call to the IRSF destination
4. The fraudster programs the PBX to blind-transfer the call to another IRSF number
5. The fraudster hangs up, but communication between the two destinations continues.


Some types of IRSF fraud (4)
• Using the "call back" functionality of voicemail
– Some voicemail systems have default passwords that are simple or easy to guess (0000 or 1234), and users do not change them.
– The criminal calls the phone number, then leaves a message asking to call back the IRSF number.
– He then connects to the account, finds the missed call, and initiates the call back to the IRSF number.
– Once the call is connected, the criminal may try to keep it connected as long as possible, often for hours or days.


Companies: how to limit the risks of hacking your PABX

• Replace the default password with a much more complex one that only you know.
• Change your passwords regularly, using strong passwords (uppercase, lowercase, symbols and numbers combined).
• Prohibit calls to countries where you do not do business.
• Perform regular updates of your telephone equipment.
• Audit your telephone equipment to verify its configuration and security level.
• Make your employees aware (training, information) of telephony risks and precautions as part of the IT security policy.
• Set thresholds for maximum call duration. If you approach this threshold, you will be alerted.
• Install a firewall in front of the switch to filter incoming IP addresses.
• Enable only the services you need for your business activities.
• Lock your telephone when you are away from the office.
• Take out insurance against financial loss caused by telephone fraud.
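
Two of the controls above, prohibiting destinations where you do not do business and alerting on call duration, can be checked against the PABX call detail records. The sketch below is an added example, not part of the original slides; it also treats the Caribbean area codes named earlier as international even though they are dialled like +1 numbers. The `Cdr` record, the 80 % warning ratio and the sample numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# NANP area codes of the territories named in the deck: dialled like domestic
# +1 numbers (no 011) but billed as international. Other NANP countries are
# not listed here and fall through to "US/CA".
NANP_OFFSHORE = {"264": "AI", "268": "AG", "246": "BB", "284": "VG",
                 "767": "DM", "473": "GD", "664": "MS", "649": "TC"}
# Constructed subset of country calling codes, enough for the sample data.
COUNTRY_CODES = {"33": "FR", "44": "GB", "371": "LV"}

@dataclass
class Cdr:                      # hypothetical, simplified call detail record
    extension: str
    dialed: str                 # E.164 format
    seconds: int

def destination(dialed: str) -> str:
    """Map an E.164 number to a country tag, longest prefix first."""
    digits = dialed.lstrip("+")
    if digits.startswith("1"):
        return NANP_OFFSHORE.get(digits[1:4], "US/CA")
    for n in (3, 2, 1):
        if digits[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:n]]
    return "UNKNOWN"

def review(cdrs, allowed, max_seconds, warn_ratio=0.8):
    """Return (extension, dialed, reason) alerts for the two PABX controls."""
    alerts = []
    for c in cdrs:
        dest = destination(c.dialed)
        if dest not in allowed:
            alerts.append((c.extension, c.dialed, f"blocked destination {dest}"))
        if c.seconds >= max_seconds:
            alerts.append((c.extension, c.dialed, "max duration exceeded"))
        elif c.seconds >= warn_ratio * max_seconds:
            alerts.append((c.extension, c.dialed, "approaching max duration"))
    return alerts

# Constructed sample records (not real traffic).
SAMPLE = [
    Cdr("201", "+33199000000", 180),     # normal business call
    Cdr("202", "+12685550100", 40),      # looks domestic, is Antigua
    Cdr("203", "+37160000000", 3100),    # unlisted country, long call
    Cdr("204", "+442079460000", 3700),   # allowed country, over the cap
]

if __name__ == "__main__":
    for alert in review(SAMPLE, allowed={"FR", "GB", "US/CA"}, max_seconds=3600):
        print(alert)
```

A check that only looks for an international dialling prefix would pass extension 202's call; the area-code lookup is what catches it.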


Some references
• Les fraudes sur les systèmes téléphoniques d'entreprise, by Valérie Ramarozatovo – http://pro.orange.fr/digital-et-vous/conseils-pros/les-fraudes-sur-les-systemes-telephoniques-d-entreprise.html
• International Revenue Share Fraud: Are We Winning the Battle Against Telecom Pirates? Interview with Colin Yates – http://bswan.org/revenue_share_fraud.asp
• XINTEC: IRSF Detection and Protection with "PRISM" – http://fr.slideshare.net/XINTEC/irsf-protection-with-prism