Exploring fraud in telephony networks

Video thumbnail (Frame 0) Video thumbnail (Frame 1435) Video thumbnail (Frame 3165) Video thumbnail (Frame 4619) Video thumbnail (Frame 6620) Video thumbnail (Frame 8383) Video thumbnail (Frame 9768) Video thumbnail (Frame 11254) Video thumbnail (Frame 12760) Video thumbnail (Frame 14204) Video thumbnail (Frame 16103) Video thumbnail (Frame 17890) Video thumbnail (Frame 19527) Video thumbnail (Frame 20757) Video thumbnail (Frame 22029) Video thumbnail (Frame 23324) Video thumbnail (Frame 25604) Video thumbnail (Frame 30544) Video thumbnail (Frame 31787) Video thumbnail (Frame 33260) Video thumbnail (Frame 34617) Video thumbnail (Frame 36259) Video thumbnail (Frame 38549) Video thumbnail (Frame 40190) Video thumbnail (Frame 41577) Video thumbnail (Frame 42937) Video thumbnail (Frame 44691) Video thumbnail (Frame 47296) Video thumbnail (Frame 48629) Video thumbnail (Frame 49896) Video thumbnail (Frame 52179) Video thumbnail (Frame 53463) Video thumbnail (Frame 55117) Video thumbnail (Frame 56734) Video thumbnail (Frame 57966) Video thumbnail (Frame 60194) Video thumbnail (Frame 64883) Video thumbnail (Frame 66513) Video thumbnail (Frame 68541) Video thumbnail (Frame 70866) Video thumbnail (Frame 73186) Video thumbnail (Frame 74638) Video thumbnail (Frame 76291) Video thumbnail (Frame 77834) Video thumbnail (Frame 79355) Video thumbnail (Frame 81710) Video thumbnail (Frame 83613) Video thumbnail (Frame 86518) Video thumbnail (Frame 88328) Video thumbnail (Frame 90069) Video thumbnail (Frame 92307)
Video in TIB AV-Portal: Exploring fraud in telephony networks

Formal Metadata

Exploring fraud in telephony networks
Title of Series
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Telephone networks form the oldest large scale network that has grown to touch over 7 billion people. Telephony is now merging many complex technologies (PSTN, cellular and IP networks) and enabling numerous services that can be easily monetized. However, security challenges for telephony are often neither well understood, nor well addressed. As a result, telephone networks attract a lot of fraud. In this talk, we will systematically explore the fraud in telephone networks, focusing on voice telephony. We will present a taxonomy of fraud, and analyze two prevalent fraud schemes in more detail: looking into the ecosystem of International Revenue Share Fraud (IRSF), and discussing a new countermeasure to the well-known problem of voice spam.
Keywords Security

Related Material

Video is cited by the following resource
Computer network Bit Musical ensemble
Numbering scheme Source code Student's t-test Semiconductor memory Twitter Goodness of fit Network topology Personal digital assistant Personal digital assistant Touch typing Principle of relativity Right angle Information security Information security Physical system
Numbering scheme System call Multiplication sign Semiconductor memory System call Connected space Mechanism design Type theory Computer network Operator (mathematics) Computer network Information security Newton's law of universal gravitation
Group action Enterprise architecture System call Link (knot theory) Mobile Web Analogy Mass Different (Kate Ryan album) Computer network Operator (mathematics) Analogy Service (economics) Internettelefonie Operator (mathematics) Line (geometry) Cartesian coordinate system System call Connected space Mechanism design Order (biology) Computer network Hill differential equation Right angle Wireless LAN Volume Sinc function Session Initiation Protocol
Axiom of choice Group action Randomization Numbering scheme Enterprise architecture Mobile Web Analogy Bit rate Bit Graph coloring Neuroinformatik Term (mathematics) Operator (mathematics) Wireless LAN Physical system Pay television Simulation Numbering scheme Internettelefonie Operator (mathematics) Plastikkarte Bit Cartesian coordinate system System call Connected space Corporate Network Film editing Oval Personal digital assistant Computer network Right angle Conditional-access module Simulation Session Initiation Protocol
Pay television Simulation Enterprise architecture System call Numbering scheme Mobile Web Quadrilateral Analogy Operator (mathematics) Plastikkarte Bit Bit rate System call Corporate Network Finite element method Oval Personal digital assistant Computer network Computer network Computer network Cuboid Wireless LAN Session Initiation Protocol
Pay television Numbering scheme Service (economics) Observational study Numbering scheme Line (geometry) Mobile Web Archaeological field survey Operator (mathematics) Analogy Student's t-test Corporate Network Causality Insertion loss Term (mathematics) Computer network Right angle Resultant Wireless LAN Physical system
Authentication Numbering scheme Simulation Line (geometry) Authentication Archaeological field survey Operator (mathematics) Plastikkarte Database transaction Mereology Mereology Sound effect Numerical taxonomy Message passing Insertion loss Personal digital assistant Password Right angle Divisor Information Information security Simulation
Protein folding Numerical taxonomy Numbering scheme Root Root Numbering scheme Multiplication sign Bit Right angle Mereology Physical system Physical system
Service (economics) Pay television Numbering scheme System call Pay television Numbering scheme Multiplication sign Authentication Shared memory Bit Bit rate Prime number Disk read-and-write head System call Social engineering (security) Message passing Ring (mathematics) Bit rate Computer network Right angle Information security Physical system Numerical taxonomy Vulnerability (computing)
Empennage Group action System call MIDI Bit rate Disk read-and-write head Mereology Regular graph CNN Different (Kate Ryan album) Computer network Operator (mathematics) Communications protocol Social class Service (economics) Variety (linguistics) Numbering scheme Magneto-optical drive Euler angles System call Flow separation Information privacy Connected space Inclusion map Numerical taxonomy Well-formed formula System programming Normal (geometry) Figurate number Simulation
Group action Numbering scheme System call Service (economics) Pay television State of matter Decision theory Mobile Web Cellular automaton Bit rate Plastikkarte Mereology Perspective (visual) Field (computer science) Malware Regular graph Bit rate Different (Kate Ryan album) Operator (mathematics) Gastropod shell Physical system Mobile Web Pay television Multiplication Internet service provider Plastikkarte System call Radical (chemistry) Malware Personal digital assistant Internet service provider Hacker (term) Simulation Routing
Standard deviation State transition system Pay television Numbering scheme System call Pay television Spyware Numbering scheme Interface (computing) Web page Bit rate Spyware Instance (computer science) Flow separation System call Radical (chemistry) Bit rate Different (Kate Ryan album) Internet service provider Computer cluster Website Hill differential equation Software testing
Numbering scheme System call Mobile Web Real-time operating system Spyware Twitter Facebook Hypermedia Different (Kate Ryan album) Software testing Physical system Default (computer science) Pay television Spyware Numbering scheme Interface (computing) Web page Internet service provider System call Flow separation CAN bus Interface (computing) Website Software testing Session Initiation Protocol
Web portal Numbering scheme Web portal Numbering scheme Interface (computing) Range (statistics) Operator (mathematics) Internet service provider Similarity (geometry) Range (statistics) Total S.A. Mereology System call Flow separation Similarity (geometry) Software testing Software testing Row (database)
State observer Numbering scheme Statistics Numerical digit State of matter Multiplication sign Mobile Web Range (statistics) 1 (number) Mathematical analysis Different (Kate Ryan album) Average Operator (mathematics) Spacetime Integer Software testing Lipschitz-Stetigkeit Resource allocation Mobile Web Pay television Dot product Regulator gene Numbering scheme Decimal Digitizing Internet service provider Line (geometry) Cartesian coordinate system Type theory Internet service provider Software testing Spacetime
State observer Numbering scheme System call Numerical digit View (database) Range (statistics) Source code Complete metric space Mass Perspective (visual) Data model Telecommunication Operator (mathematics) Source code Information Numbering scheme Internet service provider Operator (mathematics) Client (computing) Volume (thermodynamics) System call Perspective (visual) Internet service provider Telecommunication Data logger Volume Physical system Row (database)
Source code Numbering scheme Call centre System call Trail Numbering scheme Source code Operator (mathematics) Client (computing) Real-time operating system Client (computing) System call Perspective (visual) Data model Fraunhofer-Institut für Physikalische Meßtechnik Causality Telecommunication Different (Kate Ryan album) Operator (mathematics) Internet service provider Software testing Volume Physical system
Source code Numbering scheme Statistics System call Trail Numbering scheme Multiplication sign Source code Instance (computer science) Login Distance System call Likelihood function 2 (number) Different (Kate Ryan album) Normal (geometry) Software testing Information Position operator Row (database)
Random number Randomization Numbering scheme System call Algorithm Numerical digit Multiplication sign Set (mathematics) Bit rate Plastikkarte Performance appraisal Different (Kate Ryan album) Operator (mathematics) Forest Personal digital assistant Software testing Position operator Physical system Source code Simulation Algorithm Numbering scheme Operator (mathematics) Plastikkarte Total S.A. Semiconductor memory System call Forest Sign (mathematics) Personal digital assistant Computer network Simulation Resultant
Dataflow Service (economics) Proxy server Observational study MIDI Maxima and minima Discrete element method Computer icon Force Arithmetic mean Operator (mathematics) Core dump Proxy server Game theory Mathematical optimization Form (programming) Physical system Service (economics) Multiplication Numbering scheme Operator (mathematics) Coma Berenices Mereology Euler angles Semiconductor memory Cartesian coordinate system Telecommunication Computer network Convex hull Right angle Quicksort Game theory Simulation Routing
Service (economics) Numbering scheme Group action System call Service (economics) Proxy server Code Shared memory Operator (mathematics) System call Neuroinformatik Personal digital assistant Operator (mathematics) Smartphone Proxy server Game theory
Numbering scheme Group action System call Service (economics) Pay television Proxy server Cloud computing Mereology Graph coloring 2 (number) Operator (mathematics) Core dump Traffic reporting Pay television Service (economics) Simulation Interface (computing) Shared memory Operator (mathematics) Plastikkarte Cartesian coordinate system System call Vector potential Internet service provider Telecommunication Computer network Normal (geometry) Right angle Routing
Numbering scheme System call Proxy server Numbering scheme Plastikkarte Measurement Blog Operator (mathematics) Software testing Proxy server Simulation Multiplication Spyware Android (robot) Operator (mathematics) Plastikkarte Numbering scheme System call Measurement Personal digital assistant Commodore VIC-20 Computer network Computing platform Software testing Right angle Simulation
Numbering scheme Group action System call Proxy server Multiplication sign Mobile Web Bit rate Counting Mereology Proper map Revision control Radical (chemistry) Insertion loss Computer network Core dump Cuboid Proxy server Simulation Numbering scheme Operator (mathematics) Plastikkarte Term (mathematics) Cartesian coordinate system System call Radical (chemistry) Personal digital assistant Computer network Right angle
System call Proxy server Insertion loss Computer network Operator (mathematics) Core dump Insertion loss
Type theory System call Exterior algebra Permanent Bit Electronic mailing list Cartesian coordinate system System call Flow separation Sinc function
Chatterbot Type theory System call Multiplication sign Electronic mailing list Quicksort Musical ensemble Window
Web page Type theory Different (Kate Ryan album) Chatterbot Flow separation System call YouTube Row (database)
Point (geometry) Pattern recognition Scripting language Artificial neural network Server (computing) Robot Interactive television Heat transfer Artificial intelligence Set (mathematics) Audio file format Heat transfer Graph coloring System call Speech synthesis Row (database)
Area Pay television System call Service (economics) Regulator gene Correspondence (mathematics) System call Type theory Type theory Different (Kate Ryan album) Personal digital assistant Linearization Office suite Information security Category of being Physical system YouTube Row (database)
Point (geometry) Type theory Building Bit rate Flow separation System call 10 (number)
Word System call Average Bit rate Limit (category theory) Average System call
Numbering scheme System call Causality Average Multiplication sign Limit (category theory) Data conversion Average System call YouTube Row (database)
Dataflow Context awareness System call Line (geometry) Chatterbot Artificial intelligence Control flow Mathematical analysis Limit (category theory) Bit rate Shape (magazine) Average Plastikkarte Graph coloring Subset 2 (number) Natural number Different (Kate Ryan album) Term (mathematics) Query language Data conversion Dependent and independent variables Closed set Mathematical analysis Planning Plastikkarte Line (geometry) Group action Control flow System call Flow separation Type theory Latent heat Arithmetic mean Query language Linearization Speech synthesis Formal verification Natural language Resultant
Authentication Context awareness Context awareness System call Different (Kate Ryan album) Set (mathematics) Cuboid Data conversion Semiconductor memory Graph coloring System call Vulnerability (computing)
Regulator gene Spyware Multiplication sign Operator (mathematics) Right angle Communications protocol Plastikkarte Communications protocol Information security Resultant Diameter Vulnerability (computing)
Musical ensemble Line (geometry)
Mobile app Numbering scheme Source code Set (mathematics) Open set Disk read-and-write head Mereology Bit rate Forest Determinant Proxy server Mobile Web Default (computer science) Simulation Regulator gene Interface (computing) Moment (mathematics) Plastikkarte Line (geometry) Semiconductor memory Cartesian coordinate system System call Radical (chemistry) Network topology Computer network Right angle
Mobile app Numbering scheme Statistics Pay television Internet service provider Semiconductor memory Mereology Prime number System call
Simulation Numbering scheme Observational study Plastikkarte Semiconductor memory Cartesian coordinate system System call Film editing Bit rate Causality Operator (mathematics) Cuboid Software testing Proxy server Identity management
Numbering scheme Email Physical law Data storage device Planning Plastikkarte Mereology Software bug Type theory Operator (mathematics) Computer network Right angle Table (information)
Category of being Goodness of fit Service (economics) Moment of inertia Chatterbot Robot Mathematical analysis Data conversion Semiconductor memory System call
Point (geometry) Numbering scheme Service (economics) Robot Source code Replication (computing) Term (mathematics) Operator (mathematics) Computer network Data conversion Booting Simulation Plastikkarte Bit Semiconductor memory Cartesian coordinate system System call Radical (chemistry) Personal digital assistant Internet service provider Telecommunication Computer network Self-organization Pattern language Pole (complex analysis)
Group action Numbering scheme Operator (mathematics) Computer network Electronic mailing list Charge carrier 1 (number) Software testing Mountain pass Semiconductor memory System call Routing
Numbering scheme Statistics Forcing (mathematics) Prisoner's dilemma Mountain pass Semiconductor memory System call Maize Different (Kate Ryan album) Term (mathematics) Internet service provider Operator (mathematics) Software testing Routing
Optical disc drive Server (computing) Simulation Process (computing) Term (mathematics) Code Multiplication sign Operator (mathematics) Telecommunication Cuboid Open set Semiconductor memory
Cartesian closed category Musical ensemble Semiconductor memory Social class
[Music] welcome everyone to the first talk in the morning we are here to learn something new about exploring the fraud and telephony networks the speakers today are all very often CEO and Navi Shahin and they will give you a little bit of an understanding of the telephony fraud ecosystem so that you can learn a bit about what telephones can do so give a warm hand of applause to over here over you and maybe
thank you good morning everyone happy to see so many people working out for the first talk of the day happy to open the session today so calling this talk is to give you first a broad overview of telephony fraud right what is telephony fraud what is important how does it work and then we dive into a few topics going into more detail there'll be some new curtains some things we project before but the goal is ready to give an overview I want to dive into some of the difficulties there some of the things on how you can analyze how you can detect on especially where we care about understanding who does it work so small token of myself so my name is already off Rocio molestin por fin you
reckon was more engineering school in source of friends on the French Riviera next to Nick's my specialty is walking on number that system security has worked in telephony fraud right now you can throw me on Twitter or her sake and I'm tree hiring students PhD students engineers feel free to get in touch in case of needs my name is Myron I have been working the
last almost five years with Oregon on telephony fraud first ice type of the PhD and then I did one year of postdoc and starting from next year actually I will be I will join in the SI p security research good so telephony fraud what's
really interesting about telephony fraud
is that telephony is like the oldest network we have today it's still running right so it telephony started in 1870s the beginning of other connections of phones right and since then since 150 years we kind of have backward compatibility right so it's kind of a big legacy another thing interesting for fraud is that everything is billed so are almost every phone call you make even if you have something that plans or sound there is some bidding behind they check how much time you call which number which destinations all this is very complicated on since the beginning people try to make some free calls so for example to fraud some telephone operators write on social engineering on against them and then today so it's
getting quite complicated there are multiple technologies which get converged you have voice over IP since like 20 years but no tones of applications on those are interacting with the telephone ecosystem right so this is this is getting complicated with many different actors involved before you had these state-owned operators like 100 French orders Telecom in Germany but since 20 years it's getting like lots of operators lots of interconnection and so
on on telephone ephod telephone is not touching like seven billion people right so it's really huge on this generates a massive amount of data and finding the fraud in there is not always easy so let's look at the ecosystem right so at the beginning you have a phone right so it may be a long line phone old analog
line it could be analog line in a company with a PBX or it most likely today if you're in the Companions approach network is an IP phone with an IP PBX fine so those phones gets connected through different connection links to your operator and of course you also have mobile phones which as well gets connected through Wireless to your parrot or network so we don't care so much about technical details of hoe is at action walk but Moho the calls are routed across apparatus right because if you have a call from the same Alberto to the same Alberto it stays on
the network but extremely often you go over another vocal at all because you call someone that's in another country or in another opera at all so you have to get some at a connection between two operators and then again extremely often you have to go through so through some transit operators because you are across multiple countries or they just don't have a direct link or for some random reason price or someone they still go through a transit very often you have multiple choices on sometimes it go through some other transit and that's getting complicated sometimes you have ten transit operators between the two colors so of course as we mentioned your mobile phones there there are computers on your terms of applications voice over IP and what this court ET will come back to it on these are all to interconnect with the telephony legacy telephony system that adds some complexity and in the end if you call a mobile phone from a mobile phone you may go through all this right all this complicated network on toss it or you may also go directly between the two phones over the IP network that's extremely frequent today so in all this ecosystem now we have
some fraud a bit everywhere so for example you may have your operator who's overcharging you something this happens this happens on then you may have other cases where your phone gets stolen your SIM card is abused to generate some calls to some cam numbers right and then you get extremely high charge at the end of the month and sometimes it's even within a few hours before your phone - cuts we'll talk about that in a bit
in some cases I don't know if it occurs to you and you may have someone calling you from one country on you received a call and when you see the caller ID which is changed so your friends calling you from let's say Russia and then you get a UK caller ID and that's a kind of a quad typically this is done with steam boxes which get somewhere into the network to abuse some SIM cards on this be Kelly changed the cord ID we will see some examples of that as
another thing that's extremely important today is the unwanted course voice spans the hobo course basically that they have all boats that would just Pam you a lot on everyone receives on spam course before and we'll talk a bit about this too so in the end there is fraud a bit
everywhere in this networks right and we need to kind of understand this because
these faults have some consequences right these consequences are important
right so in terms of money there is not good study about it there is one study by CFC which states that that do it annually but overall is food they claim that telephone if what costs like something like four billion dollars a year that's significant right but these numbers are not extremely variable but if you just look at the complaints from users so it's about half a million users which complain to the FTC in u.s. about receiving some spam cause fine half a million per month half a million complaints per month the results all
telephony dinner of service which basically Mac happens to make emergency phone numbers unavailable that can have life-threatening consequences so we rely on this system for a student to work on another thing as well is that more and
more we rely on the telephone for using it as a trusted party as a secure system a secure mechanism so that we can use for some part two-factor authentication but we have seen recently some cases were two-factor authentication is abused so you receive a text message on your phone to login to your bank or confirm a bank transaction or access your Bitcoin wallet there have been cases with becoming worried stolen because people just went to the shop or bribe some employees and they get the phone number attached to a new SIM card with their own and then they can get the reset password message and confirmation text message on the phone right so all these actually abused in the white so because all this gets quite
complicated on in fact very often when some people talk how you check online you find people talking about fraud on the name it to do technically say PBX fraud there is no such thing as a PA big sport fine PBX can be abused compromised on they can be used to make a lot of different falls so we actually came up with a definition
right because we're scientists so we have to come up with definitions trying
to help us to understand this in the proper way so at the beginning we said that a fraud scheme is a way to obtain an illegitimate benefit on by using a technique right it's important because as I mentioned techniques can be used from multiple in multiple folds in the end these techniques they are possible because the witness is internet walks in the systems on these witnesses are presence because there are some root causes which have been there for a long time and are hard to fix so to get a bit
more concrete here is an example with a call back scam so you all receive this
text messages this course very short calls which make your phone ring say up there is no message maybe you call back right so the border of the fraudsters - they will call lots of people and they will generate lots of one ring on many phones and they expect or some people call back and they will call back but one calling back they will call back a premium rate number on this primal head number will generate some cash for the holster so this we can actually analyze in this taxonomy so we can define the fraud scheme as a call bask in the benefit of the fraud is to obtain some new share from these premium numbers then the technique would be multiple techniques can be used but first we seen that some caller ID spoofing can be used there will be some weaknesses in the system so burski you can do karate spoofing because there is no caller ID or altercation in these systems in the telephony there are some things on going to fix this but it's still going to take a lot of time before it's completely there and in the end all these are possible because you have legacy networks and so on right so we came up with this classification layers and then we can make this bit
more complicated and we can just categorize the different classes of frauds and put it in their classes of false classes of techniques on witnesses and so on and way to obtain benefits and
then we can get this to a lot more detail I don't expect you to look in detail at this figure we have a pepper where we discuss all this but we're going to use this as as a as a head of the talk on we're going to talk about some specific parts of it Mary is going to start talking about adoption or of new chef hood or RSF so
before explaining how this IRS efforts
first I need to explain you how in normal international phone call works so let's say there is a colder in country a he wants to call the collie in country B so for this coat the collar will pay
some amount of money to his operator let's say he pays 1 so it's most likely that there is no direct connection between these two operators so the cold needs to go through several transit operators and what happens is that each operator like year operator a he will have a red sheet showing that for this destination he can use several different
transit operators to route the call and each of them probably have different qualities and different prices of course if he chooses a cheaper transit operator it will keep more money for himself but usually this decision is very complicated so let's say operator a choose t3 as the transit operator again t3 will have multiple of shells let's say it shows T 4 and finally t 4 actually paid the international call termination field to the destination operator and that the call is terminated on the state's destination so what happens in case of international revenue fraud is basically there's the fraudster who is generating calls on behalf of someone else he can use stolen SIM cards it can compromise the telephone system he can use mobile malware etc and basically at some part of the Colorado there is a transit operator that is the kind of shady fraudulent operator and instead of sending this call to the
legitimate destination this operator can make a deal with that service provider and actually hijack the call and reroute the call to this provider and of course in this case they don't have to pay any money to the operator B instead they can keep this money for themselves and shared between each other and the finally Alfred will also get some part of the revenue for each minute of the call that he generates so we analyze this fraud scheme basically from the perspective of this the premium rate service providers so actually if you go online make a
Google search with the keyword international premium rate numbers you will see many many websites that are
advertising those numbers so they tell you that you can get a phone number for free you start generating calls to this phone number and then you receive payments we had several different payment methods and they also give you a lot of support whatever you need this is an example of the money paybacks
for instance if you start if you generate call to this phone number in Belarus you will be getting 10 cents for one minute of cold so one interesting
thing was that those are Karin providers they actually also have some test interfaces and this is necessary because before you start the actual fraud you need to make sure that the hijack works
so you first go to the the test interface you make some real tests you check if your call is the hijacking in this route and if you will be able to receive pay back or not and actually those systems are faces they advertise on social media in facebook twitter they with the user accounts test user accounts and so on so once you go to one of those interfaces you will see several phone numbers from many different countries you can pick one of those numbers you make your test call and if the test call is successful basically you will see in the website in real time if you're called the high-tech was
successful and if you will be able to get some money back from this call or not so basically what we did was to to
cross those the test portals for about three years actually in total we have
been collecting more than 1.3 million test numbers than 150 k tests follow records so the first interesting thing that we observed was that actually all the countries and territories in the world are affected by this fraud scheme but some parts some continents and countries are affected more like African countries Russia some islands in South America and so on one important
thing that to note is that the test numbers that we collect they are not actually they are not used for the actual fraud scheme so first the Roadster goes to the test interface make several tests to several destinations and if the test is successful actually he will obtain another number that is that will be dedicated to himself but this number is probably will be in a similar number range with the test call that he made and actually so the fraud actually will occur on similar numbers to the test numbers so example as an example if this is a test number that you see on the test interface most probably this number is hijacked in the range of 100 or 10,000 numbers but we don't actually know the actual range of high-tech so in this picture okay it's a
bit complicated so here we see the whole number space of two countries Latvia and Cuba so in the y-axis you see the first four digits all possible four-digit numbers and in the x-axis you see the last four digits so if you actually move
over the x axis these are the consecutive phone numbers and if you move over the y axis you can see number of allocations in the country by the type firstness the blue denotes the mobile number range so in Latvia for example mobile ranges start with 2 while in Cuba mobile ranges start with 5 so the first thing we observe here is that the spread knows of IP eras are different in each country in Latvia the test numbers are more concentrated on fifth number ranges but in Cuba they are much more spread and much more random looking the second observation we can make is that the dots that you see the red dots they are actually come from the number ranges that are not allocated by the regulator of this country so actually normally those numbers that should not be used and can should not be called by anyone but they are still being abused for this world and the last observation we make is that you are seeing some vertical lines in the graphic and this is because the test numbers are most of the time selected from the beginning of this four digit number ranges so once they hijack a range probably they advertise the beginning some numbers from the beginning of the range as the test number and maybe they use the rest for the actual fraud okay so another thing that we analyzed was the behavior of different providers if state behave the same way or they are different so these these are some statistics from most six of the providers you can see the first two of them are the most active ones they change numbers very frequently so an average advertisement duration for a single number is only for five days and every new day they advertise almost 2,000 new phone numbers probably they do this because after some time these phone numbers start getting blocked by operators so by changing the numbers frequently they make the test calls more successful but the rest of the providers they basically are more static they advertise phone numbers for really long durations and actually advertise new few new numbers per day so another thing we looked at was to check if two different if one phone number is shared between multiple providers or not and it turns out that among the more than 1 million numbers only 70,000 of them are observed in more than one provider but actually if you ignore the last four digits and
if you look for the number ranges almost 8 percent of the number ranges have been shared across all all the providers so
after making some observations on these numbers of course we want to focus on solution so from the perspective of an telecom operator an operator only sees the cold data records that are recorded in his own infrastructure so this records include to date the source number destination of birth duration some signaling information etc so it actually turns out to be very challenging to detect RSF because operators have limited like the local view of the call and they actually process a massive volume of traffic and
phone numbers every day and sometimes are normally detection techniques does not actually work because the number of phone calls can outnumber the legitimate cause for some of the source numbers also operator has many different uses with different behavior for example an outbound call center that is making
calls to many remote clients will not behave the same as some home users so of course first name of approach to detect a aggressive would be just to look for
those test numbers and the number ranges that we collected but this is not a good solution because this is incomplete we cannot select all the from IPM providers in real time all the
time and also this is likely to bring some false positives because not all calls to suspicious numbers will be fro doomed
so our approach our idea was using these
tests numbers in a different way for instance we could we complete some IRA safe likelihood for the destination number depending on the distance of this number to the norm test numbers or we can compute some again likelihood score for the destination country that relates to the ratio of IP errands advertised from this country and the test call logs observed to this country and finally we combine this with some statistics from the cold records like how many seconds of test since the last call from the same source number or how frequently the source number calls this particular destination numbers so fever likely to obtain some call records from
an small European operator and we were able to evaluate this approach actually so the data set we obtained includes four different IRS net cases three of them are compromised telephone systems used for NSF and one of them is a stolen SIM card again used for ILS s so in total we have 3,000 fraudulent calls in this data set and 150k legitimate calls and what we did was actually by using the features that I described before we trained the random forest algorithm to classify the calls as fraudulent or
benign and actually of course these are preliminary results but it turns out that this approach works better than
just the time the native approach of just looking for test numbers so we actually achieved much better accuracy and much less false positives but currently we are working on them much bigger data sets to be able to evaluate this approach better ok so the next
frauds that we will talk about is called interconnect bypass actually it will be one for most interconnect bypass world
one form of article so it's necessary
attack on it bypass is some flow technique where you will hoot course in an optimal way right you will get the course over some wood which is not the normal or the most likely route or the most quality wood and you will do this
to obtain some benefits so this is a general way that multiple techniques we'll talk in particular about over-the-top bypass and some study we
did a few years ago so basically what is called over the top so you probably heard this a lot before over the top is in a way the way that telecom operators core services which run on top of the network on which compete with the network services like telephony or messaging right so there are tons of applications you recognize probably most of the icons there on these are basically competing with traditional telecom services and providing some other services to it's huge today rights like it was sort of like billions of users and the thing is these services they in general need to make some revenue to write so they're very cheap or free but they still have to make some revenue so typical ways of making a revenue is at the ties menteur you sending some stickers or games on cetera on one way that is used more and more is to actually provide some attraction with telephony systems in particular we can
think of Skype in or Skype out which is very popular has been there for years was cut in by ska??i allows you to buy a
phone number and get people to call this phone number that would reach your Skype account and would ring on your computer or anything you want on skype out is from your Skype account you can call some international numbers if we were in the world so I'm sure many of you are reduce these services and these are perfectly fine but however there is what is called oddity bypass which will describe in more detail which is not so fine I'll show you why so it's not
steady an OCD bypass code is occurring
over on at a national court so before you see you have a caller Cody another team apart awesome transit operator on some terminating operate off on there is some of a new share along the way so you pay something to your genetic operator for him to put your call to the destination in ott bypass case it could be a code generated from a mobile or online it does not really matter but the code the number you call is basically a smartphone that has this
OTT application that has a SIM card with a phone number attached so basically what happens here is that this transit operator is going to make an agreement with the provider of this service of this OTT application on they will route the calls over the IP network on the call that you generate to those this mobile phone numbers +36 in France for example right it is not going to ring on the normal phone interface but it's going to ring on these oddity applications so maybe this hooker to you are ready before on this occurs engine are over intl communications so the big advantage of this is that the transit operator doesn't pay anything anymore to the terminating operator but it pays a lot less to the OTT provider which makes some revenue and then is keeping a lot more a bigger share of the revenue so
it's increasing its revenue on basically that runs the part on the OTT operate over happy about it this has some four seconds is for the color which is going to have some potential quality problems you pay for something for some coati of service as an operator but you get something else you may pay for premium routing and get something that's similar to avoid quality right for the quarry it's the same sometimes you have quality problems the core don't reach you don't have the voicemail or the call forwarding which are walking because the voicemail on the call forwarding are actually 100 by the Ottoman a team operator your mobile operator and there are some other report the main column of course is for the terminating operator because is losing a lot of money all the terminate all the international course a big part of the international calls don't go through his Network anymore and is not paid anymore
for those schools so to study this we actually made a small experiment we actually took eight front phones with some SIM cards that we put in eight
European countries so those phones were actually called hold over SSH CC altered on headphones and we get them to some friends in eight countries and then we generate calls to some phones which are in France which include SIM cards from this operator on the home country opera toys actually giving us the call data across that correspond to the course we generated those numbers so in the end we generated like 15,000 calls on this small test network we built and then we do some measurements so the first
surprise is that about 80 percent of the course in some cases up to 80 percent of the cost bow over dota 2 Network right now this is huge right 80 percent being hijacked in some cases is pretty important there are six of the eight countries where there was some hijack but there was some bypass on the most surprising thing in fact was that there is multiple fraud schemes which curried and this is quite funny so for example
we see sim boxing on oddity bypass to Khalid we tried to call from UK from some phone number and UK and then we have so we first would say first we we expect the Duke or to terminate on the SIM card on the phone here to go over some transit and then we expect the the mobile termination with the same number as we called time so we expect to see this number to ring in fact we see sometimes that the numbers they go over sim box and then they don't show up as we received a call we generate but we don't receive it with a caller ID which is from you cable from Russia right so both leaders in box in the middle with a Russian SIM card which could be maybe a stolen SIM card holder on sim card on we see about 16% of sim box bypass but then we also see some plain OTT bypass like before like a motion before so there we see just the best what we observe is that the phone is not the phone is not ringing on the mobile network but we see the OTT application to ring right and then we see the proper phone number no problem but we have 36 persons of this worker and then the most funny part of it is that we also see the some cores which go first over the sim box and then they go over da TT bypass so in this case it means you see your phone ringing on the OTT application with the version number right and it's like who's calling me and that's that's kind of weird so in the end we reach this 80% fraud and with like all possibilities and that can get quite confusing for the user so in the end so
we have a paper where we describe a lot more details on experiments we complete connected we don't really have time today but in the end these frauds can
lead to quite severe financial loss for the operators there are some core establishment problems which we measure on basically you can get your phone to ring I mean the colour here your phone ringing for one minute before your phone actually rings and this is problematic because maybe after one need to just drop the course so you never actually on swear you don't have a chance to answer and then there are some quality problems but in fact if you look at this there is the whole benefit for the user right so that's I think that's the main problem someone's making some benefit you have some quality problems but no benefit for the user some things for me okay so with this I'm going to let me talk about some interesting topics on
telephony voice spam on ohms comes I
think is spam is a bit more particular compared to the previous stuff we talked about because this is something that I think everyone in this room experienced at least once in their lives so what is
voiced pan we can define actually a span called as any type of unwanted or abusive phone calls so this has been a
problem since several years and there are many solutions around like caller ID be like this applications whitelist do not list etc but none of them are actually working well we are still receiving a lot of spam calls so some people come up with alternative solutions for example they say that the permanent solution would be to present to be there for a
child or there are people who actually try to
troll bait the skimmers and they spend for example this guy spent two tours talking with a Windows technical support scammers so of course these are also some type of some sort of solutions but they are not very efficient because if
you spend two hours with the scammer you are also spending your own time so you waste the telemarketers time or spare much time but you don't you shouldn't waste your own time okay so this is N
[Music] [Music] [Music] so I you have seen Laney already so linear the guy that you all just heard is such a is a kind of a defensive jet boat that is created to to defend
against the voice members so the creator of Lenny is anonymous but it is actually working surprisingly while it is working very well in dealing with various type of spammers and it is growing popularity online you can find the YouTube page there is a public deployment of this chat bot basically that people are for building their calls and you can find the many different call recordings lynnie of laning dealing with several type of spammers so how this check both works so let's say there is a spammer
calling a user what the user does is basically either on his mobile phone or on his landline phone he transfers this
call to the to a telephone is over it is hosting Lenny he can either create a conference call or call transfer or make just make a set up call forwarding and basically here the user will leave from leave the color just mute himself and after this point Lenny will be interacting with the spammers this chat bot is actually made up of just the set
of pure recorded voice audio files and the secret that is running those recordings once the color stops speaking so as you see there is no speech recognition no artificial intelligence nothing advanced but this check post is working very very well and we think that the reason that it works so well is because of the the conversational quality of those recordings and the nice thing about this is that it actually acts as a high interaction tiny pots for voiced fun so as I said the
river YouTube channel playlist that you can find many recordings of linear online so what we did was actually we chose 200 of those recordings randomly and we made them transcribed with a commercial transcription service its corresponds to almost 2,000 minutes of phone calls then basically of course we
analyzed those transcriptions in detail so the first thing we saw was that in these 200 phone calls that you can find almost 222 different type of spans some of these are more on the legitimate side I mean according to the regulations of the corresponding country which is United States in this case these calls are legitimate like political or fundraising calls some of them are more like in the gray area because for example the telemarketing calls you are never sure if they actually get the user consent in a proper way and some of the calls are complete chemicals like the
tech support you just heard there are several vacation scams Nigerian scams and so on but the nice thing is that building is effective against all type of such spans so of course we went over in detail to those transcriptions and we analyzed how different spammers interact
with cleaning so there was several interesting things here so first of all I should say that laney never terminates the call so he never says bye he always keeps talking but it's some point the caller needs to of course stop like a terminate the call in some way so some of them actually try to do it this in a proper way try to say bye but some of
them are not polite they are rude and they just hang up so if we for example look at the ratio of people who hangs up you can see that the scammers are much less polite compared to for example the donation calls you can also see that the skimmers the average call duration for scam calls is much shorter than the rest of the coast because once the skimmer understands that he won't get any money he just hangs up the call he doesn't want to waste too much money and finally we found that the skimmers use bad words curse words much more than the rest of the spammers okay so I have been
saying that Laney is very effective why
I'm saying this because basically okay so in this the 200 phone calls that we analyzed the average call duration was 10 minutes actually in over all the playlists that all the recordings available on YouTube the average call duration was 10 minutes which is quite high and during this 10 minutes actually there are 58 in number is 58 conversation turns between Laney and the spammers and actually the spammer here's the recordings almost two times so he actually here's the the repeated recordings but they somehow do not realize that they are listening the same
thing over again and one other interesting thing was that only 5% of the only in 5% of the cause Blaney was explicitly recognized as a bot or as a recording so what we did was
actually we collaborated with the social scientists who is a specialized on conversation analysis topic and we get a subset of these transcriptions that we get we make them like we analyze them them further with some conversation analysis technique so now I will make you listen actually the first four terms of Lenny in isolation just to look at it in more detail this is Lenny come on sorry I barely hear you there yes yes yes oh yes yes yes so existed they they are very simple very beautiful Ines but they still are designed that is possible speech terms they are they have some details that are specific to nature and speech like there are hesitations versus repetitions and some of the tours in shape in erection for example in the second turn linear size I can barely hear you that which makes the color actually repeat he's a professor and but some of the terms are responsive for example the the fourth one would be SSS can depending on the context it can mean acceptance like approvals so depending on the context it can mean several different types of responses so this is an example to show you how these vary this is the simple lines work when they are how well they fit in one conversation so he in this is the type of an example of a credit card scam call so as you see the colored immediately answered the call the reason of the call he directly says why he is calling and then he finishes his touring with a question this looks like a question but actually the preferred answer here is a yes so he expects the the collie to say yes but actually linear breaks this flow by asking saying that he is not able to hear and as a result the color as you see just partially repeats his first query and that makes like asks the question again and by chance because plane is designed so well actually the next answer of Lainey's yes so the conversation continues very well like nothing happened basically soul in
either as I said the very simple-looking the chatbot with the cleric ordered six turns but actually it is really sophisticated due to the flexibility of the turns the clothes its closeness to nature speech the coherency of the character and the terms and so because this guy is an old guy of course he will have some hearing issues so it sounds very coherent to the color and also it has a very good ability to control the
conversation somehow sometimes leading the color to adjust to himself so in conclusion of course is a very specialized set but it's working it is
working very well in this narrow context of scam calls but of course it wouldn't work in different context probably but we think that use of such check box can be an effective way to at least to slow down the voiced Pam campaigns just
saying that overall the funny food is likely to remain a significant problem the weaknesses that are here on they're difficult to fix right so emotion for example voice caller ID authentication there are some items to fix it
with protocols like steer on the ITF protocols but it's going to take some time on every time we are the new layer
of technology is going to bring new vulnerabilities foster are quite smart and they have strong incentives basically emotion in the beginning that telephony the result of things which are built on there is because there is money there is a lots of ways to gain some benefit from its own gain some more news of it so we hear out about surveillance in a hijack of course etc so there are many like security problem with diameter or things like this or 2g security and so on but these can also be abused for for extracting some revenue from this by a fraudster right so so these these people have from incentives and they move very fast on the typically hidden in some different countries in the world with like flexible regulations Indiana's are interesting to understand that fighting for can be costly so telecom operator will not fight fraud if that's more getting more expensive
than actually lost or perceived lost right on in the end sometimes it's good to be as good than the competition right so if you are worse than competition that you need to do something but if you are the same as competition maybe you are fine okay so with this I thank you and I will take questions [Applause] [Music]
we have questions from the audience please llama line up at the mics I see a hand at microphone to please I wanted to
ask the calls that get routed through the apps the damage to the end user might be very minor acceptable nearly net positive but what I don't understand is it's very transparent to the end user he actually realizes which app he's being called on so there is a way to track this back and it should be very evident I thought when you were putting up the numbers I was expecting dot eight percent two percent like hiding it in the trees that's the forest it looks like why don't they massively intervene intervene and stop it so so your question is one so you expected it not to be 80 but 0.8
percent yeah so I think if it depends how you look at it right if you look at the course from this source to this destination if you have the phone with the application installed on your harvested on the IP network then you may have very high levels but overall in the world traffic it may be very low right it may be as well very high for some termination so if you have a SIM card for a country where you have 40 cents termination rates not like friends or Germany where you have like maybe Tucson termination rate was even the European regulation was very little but if you have very high dimensional heads there in these countries you may have a lot more of this bypass right and the other thing is yes of course the user will notice it because it's not going to ring on the normal say on droid the other interface but it's going to ring on this application so you may not notice it if you maybe expect this person to call you on this application or if you don't check it back to recall from the application or from the moment mobile it's going to look awkward if it's like your grandmother calling from the lawn line and that's ringing on this new phone see application you have but that is going to be obvious yes so yes it is obvious easy to detect for the own user actually it's something you can deactivate if you go search very far in the settings which are checked in by default but the thing as well is that for the opener tour is very hard because your part doesn't see Duke or determination of para todos don't see the call at all anymore that's the difficulty for the Opera tour itself okay all right thank you for the talk
do you have any stats on what apps are used for OGG so yes but although yours doesn't want us to rush on it but if you go girl online you will find it easily so no it's just Google for it here you will know okay thank you the signal angel yes deterrent what's to know with the callback spam weather out is hijacked who's paying for that is it the provider or the end user so who's paid if you have the callbacks camp so you get a call you call back so you as a user you call this premium number and then this prime number would be supposedly registered by the holster so you pay for the callback and then the part of a part of this cost of the call
that you pay would it be given back to the to the holster if that may be a good enhance we're okay Marty from one
application did you use in your own study to get those rates would we be able to find somewhere to generate the calls you mean the test cause you did a study on the OTG bypass those percentage rates of like eighty percent in Spain what what application was that and okay recent winners to generate the course ourselves for the test course I think he is asking for the application that is doing the bypass yes that's what Simmons were before although you're doesn't want us to mention it if you google it you would find it both applications so multiple applications so we know of one of them so we did all these experiments on one
application only but we are not sure if there are more of doing the same thing basically okay mark phone five please regarding the same box fraud where are those sim card coming from sorry the echo is bad where are sim cards coming from and how do the fraudsters avoid paying for the calls because I would assume calling from a sim card would not be cheaper than routing to college it definitely so there are those some cuts coming from basically there are multiple ways they can use stolen SIM cards but this is I think I would say it less likely there are some countries actually that that you can obtain SIM cards without like giving your identity this kind of things so in those countries it is much easier to obtain a large number of SIM cards and mostly that you abuse the SIM cards like let's say there is an operator that is making em like a promotion he says okay calling from
Russia let's I did to this country from my network it will be very cheap for the next few months let's say so then they are more likely to abuse this type of like law of tariffs and promotions from the operators there are sometimes some bugs in the numbering plans so do pay at all
may actually they have to have for every destination or cost right and sometimes they have some mistakes so if they have a mistake in the numbering plan and they
will charge you if say to call Zimbabwe you will make all the same as Germany because they made a mistake in the in this table where they put the phone number destination on the price so if a full store find this on finds that you would pay like say five cent instead of paying thirty five is going to buy these SIM cards by twenty of them but that means inbox is going to sell this traffic for cheaper than the normal height I think there was a second part
of the question as well but maybe the omitted okay Google has Google has developed a very sophisticated chat bot for phone calls would that be a suitable Lenny 2.0 yes so I think the thing with the Google's chat bot is that they have to say that it I mean they have to say that it is a check well okay there are so so property could be used for this as
well but I think they have been designed for something else so I think there is already from Google there there is a service that lets actually answers or spam calls I don't have much knowledge about it but there is also the check pot that makes for example makes reservations for you definitely it is that much complicated and better artificial intelligence I think it will work well if it is also combined with some conversation analysis Thanks I think as well is that so far there are lots of these let's see Alex yeah Google home etc when you talk to them you know you are talking to about if they have a voice that's kind of synthetic it's fine because you know you're talking to a bot if you think of Lenny he has a human voice it's a good actor who's actually speaking this it's hard to recognize this voice aspect because it's a real one fine just the conversation is fixed on it's done but as the denis is just on
swearing terms is not driving the conversation to anything smart it's working quite well so maybe if the these bots would become a lot better in voice quality in like this conversational organization of the discussion then maybe that could be used as well similar whereas as leaning but so far it's not yet there exactly I think question about the OTT how do they know that the application the OTT application is actually installed on the kaali's device how do they know that and also does this stem require the OTT II application to actually be actively participating in the scam and to be kind of complicit in it or are they just like a unknowing by standard so the way it's walking is the OTT service provider is actually advertising call termination on the two operators right then when they
agree on a deal you will have the open at all who's going to basically say oh I receive on my networks on my incoming traffic for calling this termination say no source Africa China South Africa and then you look at your hedges and you say okay I have I have going through - taken that much per minute I'm going to ohon all that much and so on and then you have many many maybe you have 20 different possible boots on you will say okay I have also this OTT operator on the thing is you would be only able to carry over the call to dissipate your cat or if on the other hand we have the phone which is having this application activated and if it's running on if you want IP network for this biscotti the thing is that on many OTT of replications today you Hajus there on the OTT application with your phone number so first the same phone number for the actual sim card on for the application so on the the oddity of our tour is kind of having a hurt bit things we know the phone is active on the applications active on can read comics at this point the the telecom operator is going to try to watch the call if this is already checked let's say the operator is going to try to put the call over the OTT Network if it's working it's ringing it's fine on sometimes it's not going to succeed so it's going to fall back to another network right so it's going to hold the pole on the OTT application only because they have a PI or deal with it for it and it's going to be only if the applications active and then it's going to ring maybe and if it doesn't if it doesn't work it doesn't connect then they would fall back to another another hood that's at least we understanding how it should work there's also patterns if you want to read patentees in the first scan case
how do the fraudulent operators make sure they get the call and not somebody else and how other lists or efforts to keep lists of fraudulent operators so they actually there is no way to make sure that you will get the call and that's why the actually there are there are there is those test interfaces that they the first make several calls to several destinations to see one that is working so most of the time if though if
the operators used like transit operators which are large ones like orange for example it has very big orange international carriers are very huge so and it is very very less likely to to have rode in that Network but some if some small or fraudulent transit operator is on the the Col route then you are more likely to end up in fraudulent Road route yeah so I mean they never make sure that they will get the call they just hope that they the cold will call them basically and if it doesn't work just a test another number
in another country another destination they would test until they see the number to appear on this test on that face so they say okay no I know this number are going to be hijacked so they I can make some cash out of it and then you just use this you get a new number that you will generate cash on this provider we know that when they see this
number it's you generated the course and actually the Col routing is very dynamic so maze maybe today there is a high-tech
purse and tomorrow maybe it won't work because the operator started to use a different route hey do you have any statistics on the same all kinds of scam being done like and who's done do you have any idea about the people behind those scams because I know for a fact that in some countries there is quite popular scam from prison like prisoners calling and saying like your daughter got in traffic accident you have to pay this and this yes so in terms of scams I don't have much idea I mean for telemarketing forces there are many call
centers running the telemarketing campaigns all the time but in terms of scams I am not really sure who will be behind if you grow body on telephone your odds
so you can refer to the CFCs doji which is not maybe perfectly accurate but that it gives an idea on they classified a big frauds by how much the costs or how much in fact open at all scam the cost to them so that's why it's not perfectly good hundred percent accurate nothing would be perfectly accurate but you see IRS f as a very big one
you see a sim box as quite big as well on things like this so I think you can't get very detail about it then who are the people doing this I think it depends a lot so you have in fact operators folding each other a lot apparently you have people who just like run the small fake companies on purchasing boxes somewhere I'm just advertise so you have one person companies a lot of telecom operators are in fact one person company doing on a side job having a server and telephony server in the place where you have you have no tax for example on that just running under to get some mixing some legitimate traffic with some fraud traffic and then they just make some few some benefit their code they would on these kind of things so it's it's a fairly complex ecosystem and I wouldn't be able to just point one kind of people for this questions so let's give a big
hand of a class for us because [Applause] [Music] [Applause] [Music] [Music]