
Hello,
We just had an unfortunate compromise and racked up a large amount of calls in a 12 hour period. The attack seems to be for financial gain in that the most frequent destination is a conference call service in Poland, that possibly keeps calls open waiting for a PIN to be entered.
Is there any basis for expecting that the upstream carrier should have some protections that would limit our liability?
Thanks, -mark
P.S. For those people who feel compelled to point out that we should have (better) protection on our end: Yes, Thank you, message received!

Verizon Business, Level 3, and XO all notify us of possible fraud on International calls, but I don't think they monitor for fraud on domestic calls.
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark Kent
Sent: Monday, May 14, 2012 12:34 PM
To: voiceops at voiceops.org
Subject: [VoiceOps] fraud protection
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

The only domestic-based fraud I have been alerted to via the big carriers listed below has only been towards abuse and phishing-based scam calls.
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Eric Wieling
Sent: Monday, May 14, 2012 11:35 AM
To: Mark Kent; voiceops at voiceops.org
Subject: Re: [VoiceOps] fraud protection
Verizon Business, Level 3, and XO all notify us of possible fraud on International calls, but I don't think they monitor for fraud on domestic calls.

Level3 will notify us... about 24-48 hours after we've already discovered it ourselves and taken appropriate action. ANPI is at about 4 hours or so. Again, usually after we've already detected it.
So while it's nice that upstream carriers notify, it's usually well after a significant bill has been racked up. It's best to be proactive on your own as much as possible. I'm actively looking for more and better ways to be proactive ourselves also. There are still some that get through the cracks now and then.
--- Brandon P. Buckner
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Eric Wieling
Sent: Monday, May 14, 2012 12:35 PM
To: Mark Kent; voiceops at voiceops.org
Subject: Re: [VoiceOps] fraud protection

Ditto about Level 3 and XO, although in many cases their alerts are only an hour or two behind us finding it.
One easy "tweak" that can help limit the impact of these is placing concurrent call limits on International traffic in your switches or SBCs based on your traffic trends. That way if you have a sudden jump, not only is there a cap on it, but in most systems you can be alerted that way as well.
-Scott
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Brandon Buckner
Sent: Monday, May 14, 2012 2:22 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] fraud protection

For BroadWorks operators, good idea to limit concurrent redirect calls at Service Provider/Group/User levels. You will find updated documentation on xchange on Security that was updated recently. Email me offline if you need more info.
Ujjval Karihaloo
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Scott Berkman
Sent: Monday, May 14, 2012 1:34 PM
To: 'Brandon Buckner'; voiceops at voiceops.org
Subject: Re: [VoiceOps] fraud protection

I know I'm a little late to the party on this topic but it is unfortunately something I have a lot of experience with.
I would never rely on upstream carriers to do your fraud detection for you. The rationale here is that their definition of fraud is likely dramatically different from yours, and they may have customers that exclusively do 10M minutes of traffic to Belarus or Somalia, and so might not consider that as fraud for the first few days, but you know your customers and you know your traffic, so you are best equipped to make that determination. They will almost always inform you, but it will be when a threshold they consider scary has been breached, which may be orders of magnitude worse than what you can metabolize.
I am not sure what your business model is, if you use exclusively managed devices, or just sell straight SIP trunks to anyone with a credit card, or if you screen customers by locality, and if you normally deal in heavy international, but most switch vendors will tell you to lock down the number of concurrent calls per subscriber and perform numerous other highly restrictive actions that will chafe you and your customers and possibly hurt your service delivery model.
My experience has been to simply plot customer spending trends (you bill them with the same data so this is easy) and then raise an alarm whenever their calling patterns deviate significantly from the norm (obviously calculating customer spend more than once a day is important here). What you do with those alarms is up to you. We have an automated system with a sliding scale that immediately terminates the active suspect calls, and removes the ability to dial internationally and flags the account for review, all the way up to suspending the account with extreme prejudice, which is based on a lot of logic we have developed over the years. I have seen some companies just fire off alarm emails to their NOC to have a human put eyes on it, which works just as well, and can certainly lend intelligence to the process but also may introduce a human element of failure.
Don't rely on anyone else to watch your customers, since they don't understand what is normal like you will, and in the end you always get stuck with the check.
-Ryan
On 05/14/2012 09:33 AM, Mark Kent wrote:
Hello,
We just had an unfortunate compromise and racked up a large amount of calls in a 12 hour period. The attack seems to be for financial gain in that the most frequent destination is a conference call service in Poland, that possibly keeps calls open waiting for a PIN to be entered.
Is there any basis for expecting that the upstream carrier should have some protections that would limit our liability?
Thanks, -mark
P.S. For those people who feel compelled to point out that we should have (better) protection on our end: Yes, Thank you, message received!
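
The spend-deviation alarm with a sliding scale of responses that Ryan describes above, as an added example that is not code from any poster on this thread. The CDR tuple layout, the thresholds, the response names and the customer names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed CDR layout: (customer, hour_index, country, cost_usd).
FLOOR_USD = 5.0   # assumed: hours cheaper than this never alarm
ACTIONS = [       # assumed sliding scale: (minimum score, response)
    (20.0, "suspend_account"),
    (8.0, "drop_calls_and_block_international"),
    (3.0, "alert_noc"),
]

def hourly_spend(cdrs):
    """Sum rated cost per (customer, hour), as billing already does."""
    spend = defaultdict(float)
    for customer, hour, _country, cost in cdrs:
        spend[(customer, hour)] += cost
    return spend

def score(history, current):
    """How far the current hour sits above this customer's own norm."""
    if current < FLOOR_USD:
        return 0.0
    base = mean(history) if history else 0.0
    # Spread never drops below 10% of the mean or 1 USD, so a flat or
    # empty history cannot cause a division by zero.
    spread = max(pstdev(history) if history else 0.0, 0.1 * base, 1.0)
    return max(0.0, (current - base) / spread)

def evaluate(cdrs, now_hour, lookback=24):
    """Return {customer: (score, response)} for the hour now_hour."""
    spend = hourly_spend(cdrs)
    result = {}
    for customer in {c for c, _ in spend}:
        history = [spend.get((customer, h), 0.0)
                   for h in range(now_hour - lookback, now_hour)]
        s = score(history, spend.get((customer, now_hour), 0.0))
        action = next((a for limit, a in ACTIONS if s >= limit), "none")
        result[customer] = (round(s, 1), action)
    return result

SAMPLE = (  # constructed records, not real traffic
    [("acme", h, "US", 2.0) for h in range(24)]
    + [("acme", 24, "PL", 1.5)] * 60           # sudden burst to one country
    + [("bigco", h, "BY", 80.0 if h % 2 else 120.0) for h in range(24)]
    + [("bigco", 24, "BY", 130.0)]             # heavy but normal for bigco
    + [("shop", h, "US", 10.0) for h in range(24)]
    + [("shop", 24, "CA", 15.0)]
)

if __name__ == "__main__":
    for customer, verdict in sorted(evaluate(SAMPLE, 24).items()):
        print(customer, verdict)
```

In the sample, bigco spends more in the flagged hour than acme does, yet only acme is suspended, because each customer is scored against its own baseline.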
participants (7)
- BrandonB@netins.com
- EWieling@nyigc.com
- mark@noc.mainstreet.net
- ryandelgrosso@gmail.com
- scott@sberkman.net
- ujjval@simplesignal.com
- zak@simplesignal.com