International Revenue Share
Fraud Webinar
Colin Yates
Yates Fraud Consulting Ltd.
Roaming and IRSF Webinar – 3 December 2013
Webinar Agenda
• Introduction to IRSF
• Recent case studies
• Law Enforcement action re IRSF
• Introduction to IRSF – 5 Stages
• IPR Number Resellers
• Number Misappropriation (Hijacking)
• Industry initiatives to reduce IRSF losses
• Industry’s contributing factors to IRSF
• Risk mitigation & recommendations
• Q & A
Introduction to IRSF
• There are a number of definitions available to describe IRSF. A
simple description would be:
‘Using fraudulent access to an Operators
network to artificially inflate traffic to
numbers obtained from an International
Premium Rate Number Provider, for which
payment will be received by the Fraudster (on
a revenue share basis with the number
provider) for every minute of traffic generated
into those numbers.’
IRSF
What is our view of the fraudster?
Recent Case Studies
USA & Barcelona
Case Study No. 1
USA
• Small USA network operator providing service to SMEs
– 2 PBXs hacked with IRSF losses of $US160,000 suffered over a 30-hour
period
– Their carrier discovered fraud and served immediate notice that they
required full payment within 48 hours
• Carrier unable to pay and only option was to close down
• Asked for my assistance and was able to provide sufficient
information to get debt reduced with time to pay
• Confirmation that IRSF will impact any operator, irrespective
of size, location or services offered, and losses could have
been significantly reduced by effective Risk Mgt
Case Study No. 2
Handset Theft - Barcelona
• Major issue impacting many operators who have customers
roaming in Spain
– Barcelona well known as the ‘Pickpocket’ capital
– Since Jan 2013, an average of 260 mobiles per month have been stolen
and the Simcards used for IRSF
– All 4 Spanish networks being used, losses per Simcard are averaging
€10,000 per hour
• Fraudsters using combination of International Call Forward,
multi party calling, and associated PBX Fraud
• Also discovered that some roamers are selling their mobiles
for €500 and then reporting them stolen later!
Law Enforcement action for IRSF
• We cannot rely on Law Enforcement to
investigate IRSF, prosecute fraudsters
and seek reparation for operators
• Investigating IRSF is complex, typically
extending across 3 or 4 international
borders
• Simply determining jurisdiction will be
a challenge
• A recent USA IRSF investigation took
almost 3 years to complete by an
operator and federal agency task force
• Principals were arrested in Malaysia for
IRSF involving tens of millions of dollars
• Before extradition could be
arranged, fraudsters were bailed and fled
to Pakistan.
The 5 Basic steps to IRSF
1. Access a network
2. Obtain IRSF numbers
3. Generate the calls
4. Receive payment
5. Determine loss
1. Access to a Network
• Fraudster must obtain the means to make these calls
• To maximise income, preferably at no cost to Fraudster
• Common ‘Primary Frauds’ to gain access are:
– Subscription Fraud
– SIM Cloning
– Theft of handsets or SIM cards
– PBX Hacking
– Wangiri Fraud
– Arbitrage (Requires the exploitation of a bundled or discounted tariff
offering calls at less cost than any IRS pay-out offered)
2. Obtain IRSF Numbers
• Fraudster may have existing relationship with IPRN Provider
• If not, will search Internet to find one
• Obtains a ‘Test Number’ from Reseller website
• Will choose a destination with good pay-out (Latvia €0.17c)
• Calls Test Number to confirm a call will connect
• Once confirmed, will request numbers from IPRN Provider
• Request will include an estimate of minutes to be
generated
• Will include his bank account details so that funds based on
minutes generated can be credited every 7 to 30 days
3. Generate traffic
• Once IRS numbers issued, Fraudster starts generating calls
• To maximise revenues, Fraudster will utilise network
services to generate overlapping, simultaneous calls
• Such services will include International Call Forwarding,
Multi-Party calling, combining PBX with C/Fwd mobile Sim
• Fraudster will continue this activity until originating
number range owner becomes aware of fraud and blocks
access
• Typically the Fraudster will then move to another
fraudulent access and continue calling additional numbers
provided by the IPR Number Provider
4. Receive payment
• In most circumstances the originating number range holder is
required to make payment for this fraudulent traffic
– Existing Roaming or Interconnect agreement requirement
• Initial payment made to roaming or interconnect partner
• Payment continues down value chain to reach the terminating
number range owner
• Terminating operator retains his share and pays IPRN Provider
• IPRN Provider shares this balance by paying the Fraudster
(e.g. €0.17c per minute for calls to Latvia) and retaining the
balance.
5. Determining loss
• Originating Number range holder has made full payment
• In case of Subscription or other SIM based fraud, little or no
chance of recovering this from the fraudster.
• In case of PBX Fraud, typically the network provider will
attempt to recover cost of fraud from the PBX user
• In many cases this will result in a dispute, unwanted
publicity and customer churn unless network provider
accepts all or part of this loss
• PBX user will typically argue that their network provider
should have discovered such a huge increase in calling
activity
• All other transit operators, IRS Number owner, number
reseller and fraudster have benefited from this fraud
IPR Number Resellers
• Number of Resellers continues to increase:
– 17 in 2009
– 47 in 2012
– 85 in October 2013
• 400% increase in 4 years
• Most of this increase results from those wanting
to exploit IRSF revenues
• Many now acting as Number Wholesalers
Number Misappropriation (Hijacking)
• Usually involves
Country numbers with
high termination rates
– e.g. small island
nation at $US0.65c
• Fraudsters will act in
collusion with a
dishonest carrier
• Advertise ‘below cost’
rates into country to
attract operators
looking for Least Cost
Routing (LCR)
• Calls will be routed in a
certain direction to
ensure that they hit
the ‘dishonest
operators’ network
• Once there, they will
be filtered out and
‘short-stopped’ outside
the
• Payment follows the
same value chain as
the call routing
Industry initiatives to reduce IRSF
losses
• Very little industry progress
to stop IRSF/Hijacking
• ITU misuse reporting is not
being supported
• I3 Forum has published
guidelines, but again, these
are not being supported by
all of their membership
• BEREC have issued
guidelines re with-holding
payment however these
apply only to European
operators and are complex
• Continued lack of
cooperation within the
operator community
• Regretfully, the Fraudsters
appear to be better
organised to take full
advantage of industry
weaknesses
Industry’s ability to implement initiatives
for steps 1 – 5 of IRSF
1. Access a network
2. Obtain IRSF numbers
3. Generate the calls
4. Receive payment
5. Determine loss
1 – Access to a network
• Subscription Fraud and its variations can be reduced with
effective Fraud Management Systems
• SIM cloning can be eliminated by upgrading algorithm
• PBX Fraud can be reduced by implementing fraud awareness
programs and audits for business customers
• Arbitrage can be avoided by ensuring that risk reviews are
completed on all new products, services and tariffs
• Invest in a fraud management solution
However controls must be relative to preventing
fraud while minimising customer impact.
2 – Obtaining IPR Numbers
• IPR Number Resellers have increased by 400% since 2009
• 85+ are now competing to attract fraudsters to them
• Up to 75% of fraudsters embarking on an IRS Fraud will call a
Test Number, provided by the Reseller first.
• Most of these Test Numbers are now available in a database
as an IRSF detection tool
Implement a cost effective Fraud Management System
which uses a Test Number Database as a hotlist. This
alerts a CSP to a potential IRSF incident and has already
shown benefits.
3 – Generate traffic
• Reduce the opportunity for fraudsters to maximise revenues
by:
– Removing International Call Forwarding and Multi Party calling from
roaming customer SIMs
– Ensure that automated systems are in place to analyse NRTRDE
records 24x7 and refer alerts to analysts
– Ensure automated systems are in place to notify analysts 24x7 of calls
to known IRSF destinations
Up to 87% of all reported IRSF occurs between 8.00pm
Friday and 8.00am Monday. If the fraud function does
not operate during this period, alternatives must be
identified.
4 – Receive Payment
• Early identification of IRSF does provide opportunities to
negotiate payment withholding by partners
• Position is strengthened if impacted operator is able to
confirm that IRSF losses relate to a hijacked number range
The earlier an incident is identified, the less the fraud
loss will be, so early detection is critical.
5 – Determining Loss
• In most situations, it will be the originating number owner
who will suffer the loss for IRSF, and it is their responsibility to
ensure that they have systems and processes in place to
minimise these losses.
• Accurate reporting with evidential information is essential to
identifying true losses, enabling future accurate
detection/prevention through knowledge transfer.
Fraud management solutions have good reporting capabilities
and will support the creation of future intelligence in the fight
against IRSF.
IRS Test Number Database (PRISM)
• YFCL are monitoring the IPR Number Reseller websites and
developed an IRS Test Number Database (PRISM)
• This database currently contains over 25,500 test numbers
– PRISM has been made available on a subscription basis to operators
since the 21 August 2013
– It is used as a ‘hot-list’ within an FMS to alert operators when a Test
Number has been called
– It has proved to be very effective at identifying IRSF
• Xintec are the only FMS Provider licenced to offer PRISM free
as a hot list within their FMSevolution product.
Example of IRSF Test Numbers
Date Time A Number B Number Call Duration
30/03/2013 05:17:33 XXX977860XX 23221104397 7
30/03/2013 05:32:14 XXX977860XX 23221104397 5
30/03/2013 05:57:22 XXX977860XX 23221104397 5
30/03/2013 06:03:41 XXX977860XX 23221300284 19
30/03/2013 06:13:55 XXX977860XX 23221300284 601
30/03/2013 06:13:57 XXX977860XX 23221300284 581
30/03/2013 06:13:58 XXX977860XX 23221300284 538
30/03/2013 06:13:58 XXX977860XX 23221300284 551
30/03/2013 06:14:01 XXX977860XX 23221300284 576
30/03/2013 06:14:01 XXX977860XX 23221300284 592
30/03/2013 06:14:02 XXX977860XX 23221300284 543
30/03/2013 06:14:03 XXX977860XX 23221300284 575
30/03/2013 06:14:05 XXX977860XX 23221300284 530
30/03/2013 06:14:06 XXX977860XX 23221300284 593
30/03/2013 06:14:07 XXX977860XX 23221300284 498
30/03/2013 06:14:07 XXX977860XX 23221300284 588
30/03/2013 06:14:08 XXX977860XX 23221300284 545
Sierra Leone 23221341844 https://www.reaxxxxxxxxts.com/
Sierra Leone 23221104397 https://www.reaxxxxxxxxts.com/
Sierra Leone 23221201721 https://www.reaxxxxxxxxts.com/
Sierra Leone 23221341838 https://www.reaxxxxxxxxts.com/
Sierra Leone 23221104344 https://www.reaxxxxxxxxts.com/
Sierra Leone 23221201740 https://www.reaxxxxxxxxts.com/
Calls to a Test Number in Sierra Leone. 3 calls, all short duration. (Duration in seconds).
IRSF commences 46 minutes after calls to Test Number.
This fraud continued for 4 hours with a loss to the carrier of over $US 52,000.
Could this have been avoided or reduced if an alert had been generated once the Test Number was called?
Sierra Leone Test Numbers available on number reseller’s website in March 2013.
Sierra Leone Test Numbers from the same website in July 2013. Note changes.
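The hot-list check described on the PRISM slides, run over the call records shown above, as an added example (not code from the presentation or from any FMS product). The function names and the concurrency threshold are assumptions; the hotlist holds the six test numbers listed on the slide.

```python
from datetime import datetime, timedelta

# Test numbers as listed on the slide (reseller listing for Sierra Leone).
TEST_NUMBER_HOTLIST = {
    "23221341844", "23221104397", "23221201721",
    "23221341838", "23221104344", "23221201740",
}

# Call records copied from the slide:
# date, time, A number (redacted on the slide), B number, duration in seconds.
CDR_TEXT = """\
30/03/2013 05:17:33 XXX977860XX 23221104397 7
30/03/2013 05:32:14 XXX977860XX 23221104397 5
30/03/2013 05:57:22 XXX977860XX 23221104397 5
30/03/2013 06:03:41 XXX977860XX 23221300284 19
30/03/2013 06:13:55 XXX977860XX 23221300284 601
30/03/2013 06:13:57 XXX977860XX 23221300284 581
30/03/2013 06:13:58 XXX977860XX 23221300284 538
30/03/2013 06:13:58 XXX977860XX 23221300284 551
30/03/2013 06:14:01 XXX977860XX 23221300284 576
30/03/2013 06:14:01 XXX977860XX 23221300284 592
30/03/2013 06:14:02 XXX977860XX 23221300284 543
30/03/2013 06:14:03 XXX977860XX 23221300284 575
30/03/2013 06:14:05 XXX977860XX 23221300284 530
30/03/2013 06:14:06 XXX977860XX 23221300284 593
30/03/2013 06:14:07 XXX977860XX 23221300284 498
30/03/2013 06:14:07 XXX977860XX 23221300284 588
30/03/2013 06:14:08 XXX977860XX 23221300284 545
"""

MAX_CONCURRENT = 3  # assumed alert threshold: simultaneous calls per A number


def parse_cdrs(text):
    """Parse whitespace-separated CDR rows into dicts sorted by start time."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed rows
        date, clock, a_number, b_number, seconds = fields
        start = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M:%S")
        records.append({
            "start": start,
            "end": start + timedelta(seconds=int(seconds)),
            "a": a_number,
            "b": b_number,
        })
    return sorted(records, key=lambda r: r["start"])


def detect(records, hotlist=TEST_NUMBER_HOTLIST, max_concurrent=MAX_CONCURRENT):
    """Return (rule, a_number, time) alerts, one per rule per A number.

    TEST_NUMBER_CALLED: first call from an A number to a hotlisted B number.
    OVERLAPPING_CALLS:  more than max_concurrent calls in progress at once
                        from the same A number (call forward / multi-party).
    """
    alerts = []
    hotlist_seen = set()   # A numbers already alerted for a hotlist hit
    burst_seen = set()     # A numbers already alerted for overlapping calls
    in_progress = {}       # A number -> end times of calls still running
    for rec in records:
        a = rec["a"]
        if rec["b"] in hotlist and a not in hotlist_seen:
            hotlist_seen.add(a)
            alerts.append(("TEST_NUMBER_CALLED", a, rec["start"]))
        # Drop calls that finished before this one started, then add this one.
        live = [end for end in in_progress.get(a, []) if end > rec["start"]]
        live.append(rec["end"])
        in_progress[a] = live
        if len(live) > max_concurrent and a not in burst_seen:
            burst_seen.add(a)
            alerts.append(("OVERLAPPING_CALLS", a, rec["start"]))
    return alerts


def lead_time_seconds(alerts):
    """Seconds between the hotlist alert and the overlapping-calls alert."""
    times = {rule: when for rule, _, when in alerts}
    delta = times["OVERLAPPING_CALLS"] - times["TEST_NUMBER_CALLED"]
    return delta.total_seconds()


if __name__ == "__main__":
    found = detect(parse_cdrs(CDR_TEXT))
    for rule, a_number, when in found:
        print(f"{when:%d/%m/%Y %H:%M:%S}  {rule:<20} A={a_number}")
    print(f"hotlist lead time: {lead_time_seconds(found) / 60:.0f} minutes")
```

On these records the hotlist rule fires on the first test call at 05:17:33, about 56 minutes before the concurrency rule first trips at 06:13:58.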
Risk Mitigation and
Recommendations
Risk Mitigation and recommendations
Considerations
• IRSF and associated fraud will be around
for the foreseeable future
• The lack of Industry progress means
operators need to implement strong prevention
and detection
• Law Enforcement action is no deterrent
• Operators who have experienced IRSF are
strengthening their controls, fraudsters are
constantly searching for soft targets.
• What you spend now to implement
controls will be significantly less than you
will lose in an IRSF attack
• IRS Fraudsters do not differentiate
between Prepaid or Post-paid, both are at
risk.
Risk Mitigation and recommendations
Advice
• Question whether you have strong or
sufficient controls in place to prevent or
detect an IRSF attack?
• Remove International Call Forwarding
and multi-party calling capability from
roaming SIM cards
• Encourage mobile users to implement
SIM pin-lock
• Ensure all Business customers have
been advised to check their PBX
security – change default Passwords,
remove DISA facility if not required etc
Risk Mitigation and recommendations
Tools
• Early detection of likely IRSF activity is essential;
losses are likely to increase at €10,000 per hour
• Install an automated Fraud Management
System capable of providing you with 24x7
monitoring and correlation to a Test Number
database.
• Consider expansion in FM coverage to look at
the primary frauds
• Subscription Fraud
• SIM Cloning
• Theft of handsets or SIM cards
• PBX Hacking
• Wangiri Fraud
COLIN YATES
FRAUD RISK CONSULTANT
EMAIL: COLIN@YATESFRAUDCONSULTING.COM
PHONE: +64-21 1084447 (NZ) OR +44-7920 870852 (UK)
WWW.YATESFRAUDCONSULTING.COM
Thank You!

 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

International Revenue Share Fraud webinar

  • 1. International Revenue Share Fraud Webinar Colin Yates Yates Fraud Consulting Ltd. Roaming and IRSF Webinar – 3 December 2013
  • 2. Webinar Agenda • Introduction to IRSF • Recent case studies • Law Enforcement action re IRSF • Introduction to IRSF – 5 Stages • IPR Number Resellers • Number Misappropriation (Hijacking) • Industry initiatives to reduce IRSF losses • Industry’s contributing factors to IRSF • Risk mitigation & recommendations • Q & A
  • 3. Introduction to IRSF • There are a number of definitions available to describe IRSF. A simple description would be: ‘Using fraudulent access to an Operator’s network to artificially inflate traffic to numbers obtained from an International Premium Rate Number Provider, for which payment will be received by the Fraudster (on a revenue share basis with the number provider) for every minute of traffic generated into those numbers.’
  • 4. IRSF What is our view of the fraudster?
  • 6. Case Study No. 1 USA • Small USA network operator providing service to SMEs – 2 PBXs hacked with IRSF losses of $US160,000 suffered over a 30-hour period – Their carrier discovered fraud and served immediate notice that they required full payment within 48 hours • Carrier unable to pay and only option was to close down • Asked for my assistance and was able to provide sufficient information to get debt reduced with time to pay • Confirmation that IRSF will impact any operator, irrespective of size, location or services offered, and losses could have been significantly reduced by effective Risk Mgt
  • 7. Case Study No. 2 Handset Theft - Barcelona • Major issue impacting many operators who have customers roaming in Spain – Barcelona well known as the ‘Pickpocket’ capital – Since Jan 2013, an average of 260 mobiles per month have been stolen and the Simcards used for IRSF – All 4 Spanish networks being used, losses per Simcard are averaging €10,000 per hour • Fraudsters using combination of International Call Forward, multi party calling, and associated PBX Fraud • Also discovered that some roamers are selling their mobiles for €500 and then reporting them stolen later!
  • 8. Law Enforcement action for IRSF • We cannot rely on Law Enforcement to investigate IRSF, prosecute fraudsters and seek reparation for operators • Investigating IRSF is complex, typically extending across 3 or 4 international borders • Simply determining jurisdiction will be a challenge • A recent USA IRSF investigation took almost 3 years to complete by an operator and federal agency task force • Principals were arrested in Malaysia for IRSF involving tens of millions of dollars • Before extradition could be arranged, fraudsters were bailed and fled to Pakistan.
  • 9. The 5 Basic steps to IRSF 1 Access a Network 2 Obtain IRSF numbers 3 Generate the calls 4 Receive payment 5 Determine loss
  • 10. 1. Access to a Network • Fraudster must obtain the means to make these calls • To maximise income, preferably at no cost to Fraudster • Common ‘Primary Frauds’ to gain access are: – Subscription Fraud – SIM Cloning – Theft of handsets or SIM cards – PBX Hacking – Wangiri Fraud – Arbitrage (Requires the exploitation of a bundled or discounted tariff offering calls at less cost than any IRS pay-out offered)
  • 11. 2. Obtain IRSF Numbers • Fraudster may have existing relationship with IPRN Provider • If not, will search Internet to find one • Obtains a ‘Test Number’ from Reseller website • Will choose a destination with good pay-out (Latvia €0.17c) • Calls Test Number to confirm a call will connect • Once confirmed, will request numbers from IPRN Provider • Request will include an estimate of minutes to be generated • Will include his bank account details so that funds based on minutes generated can be credited every 7 to 30 days
  • 12. 3. Generate traffic • Once IRS numbers issued, Fraudster starts generating calls • To maximise revenues, Fraudster will utilise network services to generate overlapping, simultaneous calls • Such services will include International Call Forwarding, Multi-Party calling, combining PBX with C/Fwd mobile Sim • Fraudster will continue this activity until originating number range owner becomes aware of fraud and blocks access • Typically the Fraudster will then move to another fraudulent access and continue calling additional numbers provided by the IPR Number Provider
  • 13. 4. Receive payment • In most circumstances the originating number range holder is required to make payment for this fraudulent traffic – Existing Roaming or Interconnect agreement requirement • Initial payment made to roaming or interconnect partner • Payment continues down value chain to reach the terminating number range owner • Terminating operator retains his share and pays IPRN Provider • IPRN Provider shares this balance by paying the Fraudster (e.g. €0.17c per minute for calls to Latvia) and retaining the balance.
  • 14. 5. Determining loss • Originating Number range holder has made full payment • In case of Subscription or other SIM based fraud, little or no chance of recovering this from the fraudster. • In case of PBX Fraud, typically the network provider will attempt to recover cost of fraud from the PBX user • In many cases this will result in a dispute, unwanted publicity and customer churn unless network provider accepts all or part of this loss • PBX user will typically argue that their network provider should have discovered such a huge increase in calling activity • All other transit operators, IRS Number owner, number reseller and fraudster have benefited from this fraud
  • 15. IPR Number Resellers • Number of Resellers continues to increase: – 17 in 2009 – 47 in 2012 – 85 in October 2013 • 400% increase in 4 years • Most of this increase results from those wanting to exploit IRSF revenues • Many now acting as Number Wholesalers
  • 16. Number Misappropriation (Hijacking) • Usually involves Country numbers with high termination rates – e.g Small Island nation at $US0.65c • Fraudsters will act in collusion with a dishonest carrier • Advertise ‘below cost’ rates into country to attract operators looking for Least Cost Routing (LCR) • Calls will be routed in a certain direction to ensure that they hit the ‘dishonest operators’ network • Once there, they will be filtered out and ‘short-stopped’ outside the • Payment follows the same value chain as the call routing
  • 17. Industry initiatives to reduce IRSF losses • Very little industry progress to stop IRSF/Hijacking • ITU misuse reporting is not being supported • I3 Forum has published guidelines, but again, these are not being supported by all of their membership • BEREC have issued guidelines re withholding payment, however these apply only to European operators and are complex • Continued lack of cooperation within the operator community • Regretfully, the Fraudsters appear to be better organised to take full advantage of industry weaknesses
  • 18. Industry’s ability to implement initiatives for steps 1 – 5 of IRSF 1 Access a Network 2 Obtain IRSF numbers 3 Generate the calls 4 Receive payment 5 Determine loss
  • 19. 1 – Access to a network • Subscription Fraud and its variations can be reduced with effective Fraud Management Systems • SIM cloning can be eliminated by upgrading the algorithm • PBX Fraud can be reduced by implementing fraud awareness programs and audits for business customers • Arbitrage can be avoided by ensuring that risk reviews are completed on all new products, services and tariffs • Invest in a fraud management solution. However, controls must be relative to preventing fraud while minimising customer impact.
  • 20. 2 – Obtaining IPR Numbers • IPR Number Resellers have increased by 400% since 2009 • 85+ are now competing to attract fraudsters to them • Up to 75% of fraudsters embarking on an IRS Fraud will first call a Test Number provided by the Reseller. • Most of these Test Numbers are now available in a database as an IRSF detection tool. Implement a cost effective Fraud Management System which uses a Test Number Database as a hotlist. This alerts a CSP to a potential IRSF incident and has already shown benefits.
  • 21. 3 – Generate traffic • Reduce the opportunity for fraudsters to maximise revenues by: – Removing International Call Forwarding and Multi Party calling from roaming customer SIMs – Ensure that automated systems are in place to analyse NRTRDE records 24x7 and refer alerts to analysts – Ensure automated systems are in place to notify analysts 24x7 of calls to known IRSF destinations. Up to 87% of all reported IRSF occurs between 8.00pm Friday and 8.00am Monday. If the fraud function does not operate during this period, alternatives must be identified.
  • 22. 4 – Receive Payment • Early identification of IRSF does provide opportunities to negotiate payment withholding by partners • Position is strengthened if impacted operator is able to confirm that IRSF losses relate to a hijacked number range. The earlier an incident is identified, the less the fraud loss will be, so early detection is critical.
  • 23. 5 – Determining Loss • In most situations, it will be the originating number owner who will suffer the loss for IRSF, and it is their responsibility to ensure that they have systems and processes in place to minimise these losses. • Accurate reporting with evidential information is essential to identifying true losses, enabling future accurate detection/prevention through knowledge transfer. Fraud management solutions have good reporting capabilities and will support the creation of future intelligence in the fight against IRSF.
  • 24. IRS Test Number Database (PRISM)
  • 25. IRS Test Number Database (PRISM) • YFCL are monitoring the IPR Number Reseller websites and have developed an IRS Test Number Database (PRISM) • This database currently contains over 25,500 test numbers – PRISM has been made available on a subscription basis to operators since 21 August 2013 – It is used as a ‘hot-list’ within an FMS to alert operators when a Test Number has been called – It has proved to be very effective at identifying IRSF • Xintec are the only FMS Provider licensed to offer PRISM free as a hot list within their FMSevolution product.
  • 26. Example of IRSF Test Numbers

      Date        Time      A Number     B Number     Call Duration
      30/03/2013  05:17:33  XXX977860XX  23221104397  7
      30/03/2013  05:32:14  XXX977860XX  23221104397  5
      30/03/2013  05:57:22  XXX977860XX  23221104397  5
      30/03/2013  06:03:41  XXX977860XX  23221300284  19
      30/03/2013  06:13:55  XXX977860XX  23221300284  601
      30/03/2013  06:13:57  XXX977860XX  23221300284  581
      30/03/2013  06:13:58  XXX977860XX  23221300284  538
      30/03/2013  06:13:58  XXX977860XX  23221300284  551
      30/03/2013  06:14:01  XXX977860XX  23221300284  576
      30/03/2013  06:14:01  XXX977860XX  23221300284  592
      30/03/2013  06:14:02  XXX977860XX  23221300284  543
      30/03/2013  06:14:03  XXX977860XX  23221300284  575
      30/03/2013  06:14:05  XXX977860XX  23221300284  530
      30/03/2013  06:14:06  XXX977860XX  23221300284  593
      30/03/2013  06:14:07  XXX977860XX  23221300284  498
      30/03/2013  06:14:07  XXX977860XX  23221300284  588
      30/03/2013  06:14:08  XXX977860XX  23221300284  545

      Sierra Leone  23221341844  https://www.reaxxxxxxxxts.com/
      Sierra Leone  23221104397  https://www.reaxxxxxxxxts.com/
      Sierra Leone  23221201721  https://www.reaxxxxxxxxts.com/
      Sierra Leone  23221341838  https://www.reaxxxxxxxxts.com/
      Sierra Leone  23221104344  https://www.reaxxxxxxxxts.com/
      Sierra Leone  23221201740  https://www.reaxxxxxxxxts.com/

      Calls to a Test Number in Sierra Leone. 3 Calls all short duration. (Duration in seconds).
      IRSF commences 46 minutes after calls to Test Number. This fraud continued for 4 hours with a loss to the carrier of over $US 52,000.
      Could this have been avoided or reduced if an alert had been generated once the Test Number was called?
      Sierra Leone Test Numbers available on number reseller’s website in March 2013.
      Sierra Leone Test Numbers from the same website in July 2013. Note changes.
  • 28. Risk Mitigation and recommendations Considerations • IRSF and associated fraud will be around for foreseeable future • The lack of Industry progress means operators need to implement strong prevention and detection • Law Enforcement action is no deterrent • Operators who have experienced IRSF are strengthening their controls; fraudsters are constantly searching for soft targets. • What you spend now to implement controls will be significantly less than you will lose in an IRSF attack • IRS Fraudsters do not differentiate between Prepaid or Post-paid, both are at risk.
  • 29. Risk Mitigation and recommendations Advice • Question whether you have strong or sufficient controls in place to prevent or detect an IRSF attack? • Remove International Call Forwarding and multi-party calling capability from roaming SIM cards • Encourage mobile users to implement SIM pin-lock • Ensure all Business customers have been advised to check their PBX security – change default Passwords, remove DISA facility if not required etc
  • 30. Risk Mitigation and recommendations Tools • Early detection of likely IRSF activity is essential; losses are likely to increase at €10,000 per hour • Install an automated Fraud Management System capable of providing you with 24x7 monitoring and correlation to a Test Number database. • Consider expansion in FM coverage to look at the primary frauds • Subscription Fraud • SIM Cloning • Theft of handsets or SIM cards • PBX Hacking • Wangiri Fraud
  • 32. COLIN YATES FRAUD RISK CONSULTANT EMAIL: COLIN@YATESFRAUDCONSULTING.COM PHONE: +64-21 1084447 (NZ) OR +44-7920 870852 (UK) WWW.YATESFRAUDCONSULTING.COM Thank You!
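Slides 20, 25 and 26 describe using test numbers as a hotlist inside an FMS, and slides 12 and 21 describe overlapping simultaneous calls. The following is an added example, not code from the webinar or from any FMS product, that runs both checks over the slide 26 call records; the function names and record layout are assumptions, and the six Sierra Leone numbers from slide 26 stand in for a test number database.

```python
from datetime import datetime, timedelta
# Call records from slide 26: date, time, A number, B number, duration (s).
CDRS = """\
30/03/2013 05:17:33 XXX977860XX 23221104397 7
30/03/2013 05:32:14 XXX977860XX 23221104397 5
30/03/2013 05:57:22 XXX977860XX 23221104397 5
30/03/2013 06:03:41 XXX977860XX 23221300284 19
30/03/2013 06:13:55 XXX977860XX 23221300284 601
30/03/2013 06:13:57 XXX977860XX 23221300284 581
30/03/2013 06:13:58 XXX977860XX 23221300284 538
30/03/2013 06:13:58 XXX977860XX 23221300284 551
30/03/2013 06:14:01 XXX977860XX 23221300284 576
30/03/2013 06:14:01 XXX977860XX 23221300284 592
30/03/2013 06:14:02 XXX977860XX 23221300284 543
30/03/2013 06:14:03 XXX977860XX 23221300284 575
30/03/2013 06:14:05 XXX977860XX 23221300284 530
30/03/2013 06:14:06 XXX977860XX 23221300284 593
30/03/2013 06:14:07 XXX977860XX 23221300284 498
30/03/2013 06:14:07 XXX977860XX 23221300284 588
30/03/2013 06:14:08 XXX977860XX 23221300284 545
"""
# Stand-in hotlist (assumption): the six test numbers listed on slide 26.
HOTLIST = {"23221341844", "23221104397", "23221201721",
           "23221341838", "23221104344", "23221201740"}

def parse_cdrs(text):
    """Turn whitespace-separated CDR lines into dicts with a parsed start time."""
    rows = []
    for line in text.strip().splitlines():
        date, time, a, b, dur = line.split()
        start = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")
        rows.append({"start": start, "a": a, "b": b, "dur": int(dur)})
    return rows

def hotlist_alerts(cdrs, hotlist):
    """Every call whose dialled (B) number is a known test number."""
    return [c for c in cdrs if c["b"] in hotlist]

def lead_time(cdrs, hotlist):
    """Seconds from the first hotlist hit to that caller's first non-hotlist call."""
    alerts = hotlist_alerts(cdrs, hotlist)
    if not alerts:
        return None
    first = min(alerts, key=lambda c: c["start"])
    later = [c["start"] for c in cdrs if c["a"] == first["a"]
             and c["b"] not in hotlist and c["start"] > first["start"]]
    return int((min(later) - first["start"]).total_seconds()) if later else None

def peak_concurrency(cdrs, a_number):
    """Highest number of simultaneous calls from one A number (sweep over start/end)."""
    events = []
    for c in cdrs:
        if c["a"] == a_number:
            events.append((c["start"], 1))
            events.append((c["start"] + timedelta(seconds=c["dur"]), -1))
    live = peak = 0
    for _, delta in sorted(events):  # at equal times, ends (-1) sort before starts
        live += delta
        peak = max(peak, live)
    return peak

if __name__ == "__main__":
    cdrs = parse_cdrs(CDRS)
    print(len(hotlist_alerts(cdrs, HOTLIST)), lead_time(cdrs, HOTLIST),
          peak_concurrency(cdrs, "XXX977860XX"))
```

On these records the hotlist fires on the first call at 05:17:33, which is the 46-minute window slide 26 points to before the revenue-generating calls begin.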