Voice over internet protocol (VoIP) services transmit telephone calls over high-speed internet connections rather than over traditional land-based telephone lines. They do not usually travel directly from a caller to a recipient’s computer but rather through computers belonging to several layers of intermediary VoIP service providers, or wholesalers.
VoIP is about convergence, saving money and resources. However, these types of systems also create more inroads for attack. As VoIP has become more accessible and popular, security threats have grown as well. The most prevalent threats to today’s VoIP deployments are rooted in traditional data networking and PSTN attacks. Today, VoIP devices are the primary tools used by fraudsters. In the first half of 2012, 46% of fraudulent calls were made from VoIP phones.
What constitutes VoIP fraud?
For the purposes of this article, we will consider VoIP fraud to be the use of a VoIP telecommunications network with the intention of avoiding payment. In that sense, the payment may be incorrect, entirely lacking, or the attempt to force another party to pay. We will consider both illegal activities and those activities which, though technically legal, may still hurt telecommunications companies by taking advantage of systems and vulnerabilities.
Who does VoIP fraud affect?
VoIP fraud can affect any organisation which uses or sells VoIP services. In most cases, the fraud target is an enterprise. Most enterprises never realise that they have been hacked, refuse to pay the fraudulent charges and threaten to switch to a different service provider. The SIP service provider has little leverage over its international long distance vendors and is left to cover the bill.
However, in some cases, service providers will demand the enterprise pay for fraudulent charges. This was the case in a 2009 when Michael Smith, a small business owner in Massachusetts, found that someone had hacked into his private branch exchange (PBX) to make $900,000 worth of calls to Somalia.
AT&T attempted to sue Smith for $1,15-million to recoup the cost of the calls and interest. Though AT&T eventually dropped the charges, a spokeswoman for the company maintained that they had been entitled by law to collect the amounts owed, and that Smith should have put more safeguards in place to protect his phone system.
VoIP fraud can and does occur in any industry. Certain industries, such as banking, tend to attract more fraud than others. A recent study from Pindrop Security found that nine out of the top ten banks, and 34 of the top 50 banks had been victims of call fraud.
Where does VoIP fraud come from?
VoIP fraud comes from all over the globe. Traditionally, Africa has been a “Hot Continent” from telecom fraud, because the termination costs are very high and regulation is not as stringent as in other parts of the world. However, a 2011 study from the Communications Fraud Control Association (CFCA) found that the top five countries from which fraud originates are the United States, India, the United Kingdom, Pakistan, and the Philippines. The top five fraud terminating countries were Cuba, Somalia, Sierra Leone, Zimbabwe, and Latvia.
How big of a problem is VoIP fraud?
VoIP fraud is a significant and growing problem in the telecommunications industry. Because fraudsters often attack during weekends, fraud events often go undetected for many hours. A single fraud event can easily cost a company between three and fifty thousand dollars. In many cases, this number can be even larger. A 2009 attack on an Australian company’s VoIP PBX resulted in 11 000 international calls in just 46 hours, leaving the SIP provider with a bill in excess of $120 000. A 2011 weekend episode in South Africa resulted in a bill of over $12 000 and another in the US cost victims more than $1,4-million. Experts have trouble estimating an aggregated global yearly loss, because calculations are often based on subjective and individual standards. However, most experts agree that total loss is somewhere between 3% and 10 % of income. This translates to a total global losses of somewhere between 30- and 50-billion dollars per year.7 The CFCA’s 2011 report put the number at $40,1-billion dollars lost. This is a problem that is only increasing. According to the CFCA report, phone fraud is growing at a rate of 29% per year. As the popularity of VoIP continues to grow, the problem of VoIP fraud will become an increasing threat to the industry.
Continue reading »
Continue reading »