Long Distance Fraud Again – Really?

I’ve been helping clients get into and stay in the long distance business since the 80’s when long distance was a new line of business for many telcos. I remember when the industry was new that it was a challenge. If you were a rural LEC you had to convince the RBOC who owned the regional tandem switch to help you set up a trunk group to get to a long distance company. And they were reluctant and slow to respond. So a company had to fight to get into the long distance business.

But over time it got easier and fairly routine and most rural telephone companies added long distance as a product line. It worked pretty well until the time in the early 90’s when calling cards became the rage and customers all wanted them. With a calling card a customer could make a long distance call from any other phone and bill it to their own home phone number.

So companies in the long distance business started giving out calling cards, and eventually they gave a calling card to every customer. This generated a lot of new traffic, and since this was back in the day when it still was not unusual to pay 10¢ to 15¢ per minute for long distance it also drove a lot of new revenue. But within a few years after calling cards were introduced calling card fraud followed. Calling card fraud was pretty straight forward. There were people who would try to find a valid calling card number that they would then send to places like the Middle East where street vendors would hawk cheap minutes. And dozens or even hundreds of people would use the calling card until somebody figured out that fraud was going on and cut off the card.

When the fraud first started the losses got huge because nobody was looking for it. But over time the carriers that sold the long distance began monitoring for unusual usage and policies were established such as making the cards only good for domestic calling, and over time the big calling card fraud got under control, but never quite stopped.

Over the years since then I have run across cases of fraud, but it has been a random thing here and there and not widespread like the calling card fraud had once been. The companies that sold wholesale long distance got more sophisticated and monitored usage closely and for the most part the industry stopped worrying about fraud.

But recently I have seen cases of significant fraud happening again to my clients. Within recent months I have had two clients hit for over $25,000 in fraud in a single month, which in both cases was as much as they had been paying for wholesale long distance for most of a year. So for these companies this was a really big deal and it effectively doubled their cost of buying long distance for the year.

And both of these companies were buying long distance from ‘big name’ carriers and not from some small VoIP provider. I must tell you that I was surprised. Not surprised that fraud could still happen, but surprised that the big company selling the long distance did not have a fraud monitoring process in place to stop it. It’s not that hard to monitor for fraud at the large carrier level. If they process the long distance in real-time it is not hard to set some flags to look for unusual usage. When my clients decided to buy wholesale long distance from these vendors they were assured that those carriers had fraud monitoring. It turns out to not to be true.

The fraud in both of these cases was allowed due to faulty connections between my clients and their customer. In one case if was my client’s own connection that was not secure. They had installed an IAD (Integrated Access Device) at a business customer in order to supply voice and data from their fiber connection. The IAD was not properly configured and had very weak passwords and was not configured to only accept commands from my client.

The second case was similar in that another client had a connection to a customer PBX. And of course, being a full service provider, they made the connection for the customer to his PBX. As it turns out there was a backdoor connection available into the PBX into the internet, which means that the PBX could have a connection from somewhere other than my client.

Neither of those problems automatically leads to fraud, but there is a new set of bad guys in the world. They use computer worms to test against millions of phone numbers looking for phone numbers connected to PBXs or IADs. Once they find such a device they use normal hacking techniques like cracking easy passwords to gain access to the device. They then sell calling in the same way as was done in the old days of calling card fraud. In one of these cases the calling went to the Middle East and in the other went to INTELSAT calling to satellite phones – both very expensive calling. My suspicion is that these bad guys are not selling these minutes on the street like in the past, but instead hawking cheap minutes to International VoIP minute sellers who have no idea where these minutes come from.

Certainly my clients had some liability in their loss since they contributed to the customer connection being made in an insecure manner. But they also ought to be able to rely on their underlying long distance provider to protect them against a flurry of suspicious calls. The biggest worry about this new kind of fraud is that it pumps a large volume of calling to expensive places in a short period of time. So it can cost a telco a large amount of money in a hurry.

So my caution to companies that sell long distance is to beware. It has been a while since fraud was of this level of concern, but it’s back again. There are two steps you can take to protect yourself. First, make absolutely certain that the company you are buying long distance from has good fraud detection and policies. You want a carrier who will not only find the fraud but who will cut off the calling before they even contact you. But second, the responsibility rests with you to use good network practices to make sure it is hard for somebody to hack the connections to your customers. If you want to know more about how to protect yourself contact Derrel Duplechin of CCG at (337) 654-7490.