
I know I'm a little late to the party on this topic but it is unfortunately something I have a lot of experience with. I would never rely on upstream carriers to do your fraud detection for you. The rationale here is that their definition of fraud is likely dramatically different from yours, and they may have customers that exclusively do 10M minutes of traffic to Belarus or Somalia, and so might not consider that as fraud for the first few days, but you know your customers and you know your traffic, so you are best equipped to make that determination. They will almost always inform you, but it will be when a threshold they consider scary has been breached, which may be orders of magnitude worse than what you can metabolize.

I am not sure what your business model is, if you use exclusively managed devices, or just sell straight SIP trunks to anyone with a credit card, or if you screen customers by locality, and if you normally deal in heavy international, but most switch vendors will tell you to lock down the number of concurrent calls per subscriber and perform numerous other highly restrictive actions that will chafe you and your customers and possibly hurt your service delivery model.

My experience has been to simply plot customer spending trends (you bill them with the same data so this is easy) and then raise an alarm whenever their calling patterns deviate significantly from the norm (obviously calculating customer spend more than once a day is important here). What you do with those alarms is up to you. We have an automated system with a sliding scale that immediately terminates the active suspect calls, and removes the ability to dial internationally and flags the account for review, all the way up to suspending the account with extreme prejudice, which is based on a lot of logic we have developed over the years.

I have seen some companies just fire off alarm emails to their NOC to have a human put eyes on it, which works just as well, and can certainly lend intelligence to the process but also may introduce a human element of failure. Don't rely on anyone else to watch your customers, since they don't understand what is normal like you will, and in the end you always get stuck with the check.

-Ryan

On 05/14/2012 09:33 AM, Mark Kent wrote:
Hello,
We just had an unfortunate compromise and racked up a large amount of calls in a 12 hour period. The attack seems to be for financial gain in that the most frequent destination is a conference call service in Poland, that possibly keeps calls open waiting for a PIN to be entered.
Is there any basis for expecting that the upstream carrier should have some protections that would limit our liability?
Thanks, -mark
P.S. For those people who feel compelled to point out that we should have (better) protection on our end: Yes, Thank you, message received!
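
An added example, not part of either message above and not the system Ryan describes: one way to score each customer's hourly billed spend against that customer's own baseline and map the deviation onto a sliding scale of responses. The CDR tuples are constructed sample data, and the tier thresholds, window size, scale floors and action names are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from statistics import median

# Assumed response tiers, lowest score first (not from the thread).
TIERS = [(4.0, "flag_for_review"), (8.0, "drop_calls_block_international"),
         (20.0, "suspend_account")]

def sample_cdrs():
    """Constructed rated CDRs: (customer, hour, destination, billed_usd)."""
    cdrs = []
    for h in range(72):  # three days of normal traffic
        cdrs.append(("acme", h, "US", 2.0 + (h % 5) * 0.25))
        cdrs.append(("globex", h, "PL", 40.0 + (h % 3) * 2.0))  # heavy but normal
        cdrs.append(("initech", h, "US", 10.0))
    cdrs += [("acme", 72, "PL", 35.0),      # compromised trunk
             ("globex", 72, "PL", 41.0),    # business as usual
             ("initech", 72, "US", 28.0)]   # unusual, not extreme
    return cdrs

def hourly_spend(cdrs):
    """Sum billed cost per customer per hour (same data used for billing)."""
    spend = defaultdict(lambda: defaultdict(float))
    for customer, hour, _dest, cost in cdrs:
        spend[customer][hour] += cost
    return spend

def deviation_score(history, current):
    """Robust z-score: distance from the customer's own median spend."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floors keep flat or tiny baselines from producing huge scores.
    scale = max(1.4826 * mad, 0.25 * med, 1.0)
    return (current - med) / scale

def evaluate(cdrs, now, window=72):
    """Return {customer: (score, action)} for the hour `now`."""
    results = {}
    for customer, by_hour in hourly_spend(cdrs).items():
        history = [by_hour.get(h, 0.0) for h in range(now - window, now)]
        score = deviation_score(history, by_hour.get(now, 0.0))
        action = "none"
        for threshold, name in TIERS:  # keep the highest tier reached
            if score >= threshold:
                action = name
        results[customer] = (round(score, 2), action)
    return results

if __name__ == "__main__":
    for customer, (score, action) in evaluate(sample_cdrs(), now=72).items():
        print(f"{customer:8s} score={score:6.2f} action={action}")
```

The heavy-international customer scores near zero because it is compared only with its own history, while a much smaller absolute spend on a normally quiet account reaches the top tier.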