Alarm bells should be going off at VoIP providers everywhere after the recent case in which a fraudulent VoIP aggregator routed as many as 10 million minutes of calls through other providers’ networks and pocketed an estimated $1 million in fees from its customers.
Two men were arrested earlier this month, one in Miami, one in Spokane, Washington. The Spokane resident had hacked into an unprotected corporate IP network and into the networks of several VoIP providers—including, reportedly, industry pioneer Net2Phone Inc. He routed traffic from the company’s customers through the corporate network to the VoIP providers, which terminated the calls. The providers were left with the interconnect charges—as much as $300,000 per victim.
Jason Lane-Sellers, director of consultancy services at Azure Solutions, a UK-based maker of fraud detection and prevention systems, isn’t surprised at all by the Miami case. Lane-Sellers, who will be speaking this week at the annual conference of the Communications Fraud Control Association (CFCA) in St. Louis, says too many VoIP providers are easy pickings for criminals.
“Like early wireless providers ten years ago, their focus is on building the network and getting customers on to it,” he says. “Security comes slightly further down the [list of priorities]. Those are the types of organizations criminals are looking for.”
Points of vulnerability
The victims in the Miami case apparently failed to take the most basic security precautions. VoIP providers’ networks are vulnerable to the same types of hacking attacks as any IP network. And network managers need to implement the same kinds of solutions—including properly configuring firewalls to ensure ports are protected. Leaving vulnerable ports open was almost certainly the problem in the Miami case, Lane-Sellers says.
He blames a hotly competitive VoIP market, especially in the U.S. where VoIP providers have proliferated and where keeping costs to a minimum is an imperative for most. “Security is often deemed to be a cost with no return,” Lane-Sellers says, “although that is obviously a misconception.”
Other factors may come into play as well. Ports may be opened during testing, for example, and then technicians forget to close them again. And they only need to be left open a short time for damage to be done. “Some of these scams only need a couple of days, they don’t need weeks or months,” he says.
There have also been cases in which employees were hoodwinked by hackers posing as company engineers into opening ports or creating other vulnerabilities. Employees taking money from criminals to sabotage security is another real threat, especially given that small VoIP providers may not be paying employees very much.
“Think about it from the criminal’s perspective,” Lane-Sellers says. “If I can do an attack that lasts, say, two weekends and nets $2 to $4 million—and that would be a very small operation—for me to give an employee a couple of hundred thousand dollars, it’s not too much of a cost to me.”
The vulnerabilities in VoIP networks may be the same as in other IP network operations, but the hackers’ objectives are usually different. While denial of service attacks or the threat of denial of service used as a lever for extortion is certainly one risk, most hackers targeting VoIP providers are looking to do exactly what the perpetrators in the Miami case did, and what telecom fraudsters have been doing for years—resell stolen network capacity.
Plugging the holes
The remedy? Ensuring that firewalls are properly configured and ports protected is just the first step. VoIP providers also need to actively monitor their networks so they know who’s accessing the network, with what kind of frequency, generating what kind of traffic. Are calls encrypted differently than calls generated within the network, for example? “That can be an indicator that they’re originating outside the network and are fraudulent,” Lane-Sellers says.
Too many VoIP providers implement simple call logging but then never actually look at the logs, he says. Azure takes it to the next level. It offers VoIP monitoring software that uses packet-level IP monitoring tools. The software also provides case management and intelligent analysis tools and an interface that makes monitoring a very labor-efficient process. Costs, says Lane-Sellers, run into the hundreds of thousands of dollars, “if that.”
“If you’ve spent a billion dollars on your network, or even $10 million, it’s not that high a percentage of your total costs,” he says. VoIP providers can also buy the Azure technology as a hosted service.
Some VoIP providers are monitoring traffic at a much lower cost, although also at a less detailed level. BinFone Telecom LLC, a Baltimore, Maryland-based provider of VoIP services to offshore call centers, pieced together its own monitoring system using open-source tools. The system monitors for obvious fraud patterns. If one of its customers normally sees 10,000 minutes of traffic a month and that suddenly jumps to 50,000 minutes, or if it goes from 1,000 to 15,000 minutes in a day, red flags go up.
BinFone also constrains customers’ call capacity so that if they are hit with fraudulent calling, both BinFone and the customer will notice it sooner rather than later and losses will be minimized. “If [a customer] is generally sending through 15 to 20 concurrent calls, they’re likely to be capped at 25 to 30 concurrent calls,” explains BinFone president Justin Newman.
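The two checks described above, a sudden jump in a customer's daily minutes and a ceiling on concurrent calls, can be run over call detail records. The following is an added example, not BinFone's system: the record layout, the 5x spike factor, the customer names and the sample data are all assumptions constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def cdr(customer, start_iso, seconds):
    """Build one call detail record (layout is an assumption of this example)."""
    return (customer, datetime.fromisoformat(start_iso), seconds)

# Constructed sample data, not real traffic.
SAMPLE = (
    # "acme" on a normal day: 20 calls of 50 min = 1,000 min, 20 concurrent
    [cdr("acme", "2024-06-05T09:00:00", 50 * 60) for _ in range(20)]
    # "acme" on a bad day: 30 calls of 500 min = 15,000 min, 30 concurrent
    + [cdr("acme", "2024-06-10T01:00:00", 500 * 60) for _ in range(30)]
    # "globex": four sequential 50-minute calls, never more than one at a time
    + [cdr("globex", f"2024-06-05T{h:02d}:00:00", 50 * 60) for h in (9, 10, 11, 12)]
)

def daily_minutes(cdrs):
    """Total minutes per (customer, date), attributed to the call's start date."""
    totals = defaultdict(float)
    for customer, start, seconds in cdrs:
        totals[(customer, start.date())] += seconds / 60
    return dict(totals)

def peak_concurrency(cdrs):
    """Highest number of simultaneous calls per customer (sweep over events)."""
    events = defaultdict(list)
    for customer, start, seconds in cdrs:
        events[customer].append((start, 1))
        events[customer].append((start + timedelta(seconds=seconds), -1))
    peaks = {}
    for customer, evs in events.items():
        live = peak = 0
        # Tuples sort by time, then delta, so a call ending at the same
        # instant another starts is released first and not double counted.
        for _, delta in sorted(evs):
            live += delta
            peak = max(peak, live)
        peaks[customer] = peak
    return peaks

def flag(cdrs, baseline_daily_min, call_cap, spike_factor=5):
    """Return alerts for daily-minute spikes and for exceeding the call cap."""
    alerts = []
    for (customer, day), minutes in sorted(daily_minutes(cdrs).items()):
        if minutes >= spike_factor * baseline_daily_min[customer]:
            alerts.append((customer, "daily-minutes-spike", str(day)))
    for customer, peak in sorted(peak_concurrency(cdrs).items()):
        if peak > call_cap[customer]:
            alerts.append((customer, "over-concurrent-cap", peak))
    return alerts
```

Calling `flag(SAMPLE, {"acme": 1000, "globex": 200}, {"acme": 25, "globex": 5})` reports both alerts for the constructed "acme" bad day and nothing for the normal traffic.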
BinFone did have one experience with hackers gaining access to its systems while it was still in research and development and before it began offering commercial service, but Newman speculates that the perpetrators didn’t actually realize they had hacked into a VoIP network and were not able to steal service.
“We’ve learned a lot since those days,” Newman says. “We definitely monitor customers’ usage now for patterns that might be indicative of a compromise, and to this point, we have had no successful attacks that we’re aware of.”
Newman is more concerned about fraud that doesn’t actually involve hacking, in particular credit card fraud. His company uses a service bureau that for $10 a month and a few cents per transaction analyzes Web-based account applications and scores them for the likelihood that they are fraudulent. For example, how likely is it that a person from the applicant’s region would have a credit card issued by that institution? Or how close to the applicant’s claimed address is his IP address registered?
If applicants score more than 0 or 1 on a scale that goes up to 10, the application is bumped out and handled manually, with BinFone typically calling the bank or credit card holder. Newman can tell within seconds if it’s a scam, because the legitimate card holders he talks to often don’t even know what VoIP is. About 30 percent of all account requests are kicked out for manual processing, he says, and 50 percent to 75 percent of those turn out to be fraudulent.
Selling other people’s calls
Many “call sell” scams require no hacking, Lane-Sellers says. In one of the most common, criminals open an account with a VoIP provider in the U.S., usually using a stolen credit card or identity. Next, they establish themselves as a long distance service provider in a third world country where rates from the incumbent phone provider for calls to the U.S. are staggeringly high. The fraudsters undercut incumbent prices but still charge many times what the U.S. VoIP provider charges for calls going in the other direction.
They place calls for their customers by initiating a connection in the U.S. using their account with the VoIP provider. There are several methods for completing calls between the third world country and a specific U.S. number. Most involve keeping the line from the U.S. open for long periods. The simplest is for a confederate in the U.S. to use call conferencing on the VoIP line to patch the call through to the stateside recipient.
A completely different kind of scam involves establishing a premium-priced phone line in a foreign country, similar to a 900 line in the U.S. The fraudsters use stolen or compromised credit cards to open accounts in the U.S. with VoIP providers. The VoIP provider doesn’t recognize the foreign premium-priced number and completes calls as it would for any other number—and later gets hit with charges from the foreign telco.
In the meantime, the fraudsters pocket their share of the revenue, which is paid out by the telco. Because half the fraud is happening in a foreign country, it’s hard to prove and harder to prosecute, Lane-Sellers says. The beauty of it from the criminal’s point of view is that the revenue looks legitimate—no money laundering required.
Telecommunications fraud and call selling in particular are nothing new. Criminals have been perpetrating this kind of fraud for a couple of decades at least. “IP technology just makes a lot of things to do with fraud that much simpler,” says Lane-Sellers. And it’s often the smallest, newest VoIP providers—with the fewest resources—that are most vulnerable.
The moral of the story: you can’t afford to ignore security. Yes, it’s a cost, but the potential losses from fraud and hacking, as the Miami case amply demonstrates, can be enough to sink a small VoIP provider.