The prosperity of any organization depends on how well it communicates with its clients or how incessantly it caters to their needs or attends troubleshooting. As a catalyst to this process came the concept of PBX or PRIVATE BRANCH EXCHANGE. This allows one dialing number to be connected to several telephone units. In this way the calls of several callers on a single number can be attended.
Also another catalyst would be the VOIP or VOICE over INETRNET PROTOCOL. VOIP is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.
As much as these developments have brought in simplicity and ease to the process of client handling, they have also at times incurred huge losses to the organization in the light of the various malpractices or nefarious activities that have recently cropped up. One such practice happens to be that of INTERNATIONAL REVENUE SHARE FRAUD, that has come to the forefront and grabbed a lot of eyeballs for the sheer measure of currency that it has generated by this type of a scam.
There happens to be a very simple modus operandi involved with IRSF.
- Firstly the hacker involved in IRSF needs to find a PBX system to hack into. This can be easily done by going through a list of such numbers and tracking down to the most vulnerable ones.
- Secondly he has to choose IRS destination maybe in some foreign country where calls are charged with exorbitantly high prices.
- Join hands with such IPRN providers for increasing traffic and in turn share profits.
- Continue calls till the owner happens to be unaware of the entire scam that is continuing.
Global Top Fraud Methods
The idea behind this happens to be nothing but the abuse of carrier interconnect agreements. People committing such frauds often get involved with local carriers who charge high rates for call, and agree to share profits with the fraud for increasing traffic. The fraudster now hacks into the PBX server of any organization and gains illegal access to VOIP Service Providers Network. Following this, the fraudster pumps the traffic from this hacked number to a High Cost Destination against a percentage of profit from the local carrier. The owner of the organization happens to be unaware of this fraud until he happens to be charged an unnaturally high bill against his PBX. But till then the scam is already done and a lot of money has already been made. This leads to a variety of problems. They are as follows:-
- The user is harassed by an exorbitantly high bill against his number for calls that he has never made.
- Since the telephone service provider is under the obligation to make payments, they do it religiously but face a problem when they send bills to the customers but the customers refuse to have made any such calls.
- The goodwill and reputation of the Telephone Service Provider is jeopardized.
According to a survey by CFCA in the year 2015, barely International Revenue Service Fraud accounts to a whooping sum of $38.10 Billion (USD). Under the regulatory mechanism of Telecommunications Act of 1966, of the United States of America, wireless and long distance carriers pay access fees to local exchange carriers or LEC’s. This happens to be the loophole that is misused by the fraudsters. In fact in USA, the Court has asked the FEDRAL COMMUNICATIONS COMMISION to determine appropriate rates and look into the matter of traffic pumping. Another survey by the CFCA shows that India along with UK, Philippines and Cuba happen to be the top IRSF destination.
TELECOM REGULATORY AUTHORITY OF INDIA promises to all customers, quality and standard for telecommunication services. Explanatory Memorandum to the “Standards of Quality of Service of Basic Telephone Service (Wireline) and Cellular Mobile Telephone Service Regulations, 2009” (7 of 2009) dated the 20th March, 2009 clause 2.1, sub clause 8 states that, “TRAI’s first and foremost priority should be to ensure harmless and peaceful service to the consumers”.
There happen to be a variety of ways by which there can be a relief to such harassed users. Some of such way outs are mentioned below:-
- Firstly one finds that such frauds are done mostly at nights or during holidays so that the organization remains unaware of it for a long time. In this regard one may go in for the variety of solutions available in the market for Call Detail Record (CDR) in real time. It takes a %minute sample for any spike calls that are made and immediately intimates through e-mail or SMS.
- Secondly one may have a contract with the telecom company to intimate the organization if there happens to be any history of suspicious and lengthy conversations at premium rates.
- Organizations can subscribe for the numerous blacklists or databases that have a list of such fraudulent numbers and get them blocked. For ex: PRISM-IRSF TEST NUMBER DATABASE, which has almost 70,000 IRS Test numbers and their lists are updated in every four weeks.
- Lastly going in for the expensive but time tested Fraud Management System.
- The aggrieved consumer can file a suit in the Consumer Redressal Court against exorbitantly high bill charged against calls that were never actually made by them.
Following are the recommendations for protecting the internal telecom exchange servers, this will help to take defensive measures against your servers getting compromised:
- Security audit and vulnerability assessment ahead of the implementation. Remediate vulnerabilities prior to your VoIP implementation.
- Have your firewall administrator review the existing configuration, propose necessary changes for VoIP, and have the telephony vendor review for accuracy.
- Make sure your Firewall is compatible to inspect VoIP traffic. Configure IPS/IDS for raising alarms on exchange of unusual traffic.
- Plan on establishing VPN tunnels for any endpoint connectivity outside of the corporate office.
- Have your telephony vendor write up a recommended patching methodology and training program for IT staff. Make sure that handsets are included in the program
- Include your VoIP servers in the tape backup schedule. Without a backup, you would not be able to restore telephony in the event of a disaster.