Frequently Asked Question's
XINTEC have developed "FraudStrike™", a unique solution to detect IRSF fraud attacks "on the fly". FraudStrike™ is a live database of IRSF test numbers, which is interrogated in real time, and which generates immediate alerts when IRSF incidents occur.
A: IRSF is a specific type of roaming fraud in which traffic is artificially inflated (traffic pumping) to premium rate numbers around the world.
Fraudulently obtained subscriptions are used in a roaming scenario to make long duration outgoing international calls to number ranges with high termination costs, which typically involve small or remote countries, or international satellite operators.
The calls generally do not reach the geographic destination associated with the number range called, but are routed by interconnect carriers to a third party audio text or premium rate service provider. Revenue for the calls is shared between the service provider and the caller.
IRSF is triggered by fraud enablers such as PBX hacking, SIM card cloning, International roaming fraud, subscription theft, etc.
A: The delays in recognising IRSF activity, and delays in blocking SIMs or B-numbers makes IRSF extremely difficult to prevent and combat.
The typical call pattern for revenue sharing fraud is a spike in traffic to high cost destinations. These spikes typically occur during holidays or weekend periods, when systems are not monitored.
Detection methods vary considerably in terms of effectiveness, implementation costs, ease of deployment, etc. According to the GSMA, these include:
A: FraudStrike™ is a powerful yet cost-effective fraud management system (FMS) specifically enabled for the detection and prevention of IRSF activity during or prior to an attack.
It comprises a unique and live database of over 300,000 International Revenue Share (IRS) test numbers obtained from IPRN resellers to test that a revenue share destination and number range can be connected from a given location. These test numbers, if used correctly in a hotlist, are an extremely useful tool to alert operators of a pending or live IRSF attack.
FraudStrike also comprises algorithms and detection techniques to support the accuracy of the detection process, and to minimise false positives.
FraudStrike™ will sit alongside any existing fraud controls or fraud systems.
FraudStrike™ can also be configured to detect multiple other fraud types (PBX/VoIP fraud, Wangiri, domestic fraud, SIM box detection, etc.)
A: Yes. FraudStrike™ consists of a fully featured fraud management system (FMSevolution) with the IPR number database pre-loaded onto it.
FraudStrike™ will automatically update the hotlist database as new IPR numbers are added.
XINTEC offers FraudStrike™ as an easy to set up SaaS or deployed solution.
Obviously the key to maximising the value from using FraudStrike™ is the reaction time between the time any alert is generated and the time a fraudulent device is identified and de-activated.
A: FraudStrike™ contains IRS test numbers that we know are currently being offered for use in the market. This includes the many ITU numbers that are allocated to operators and are then leased to IPRN resellers. Many of these numbers technically comply with ITU recommendations, and so will not generally be offered in other databases, but can still be used in these types of attacks.
A: The GSMA hotlist number database is compiled using operator fraud reports of actual IRSF incidents and therefore relies on the goodwill of operators to share such information with the GSMA. It also relies on the GSMA publishing updates to these numbers and actively managing the database. And as many of the numbers contained in the GSMA Hotlist Number Database have already been used to terminate fraudulent calls, they may be of no value.
FraudStrike™ is an actively managed database with updates every 2-4 weeks. Typical updates will contain any new numbers identified, plus retained numbers not published by the IPRN resellers during the period, as it has been found that often these numbers will re-appear, or have been traded with another reseller.
In this way the latest version of the FraudStrike™ database is always up to date with all known test numbers that may be used.
FraudStrike™ will alert you to a likely IRSF attack, before fraud losses escalate.
A: New IPRN resellers are being identified regularly, and existing number resellers are updating and changing their numbers frequently, certainly on a monthly basis. To ensure that FraudStrike™ numbers are current, the database is updated every 2-4 weeks to include any new numbers identified since the last update.
A: This is an opportunity to provide some added value to your roaming partners. IRSF losses through the use of a SIM card roaming in a visited network can increase at a rate of $10,000 per hour. A visited network is required to provide a home network with details of roaming calls within 4 hours. Alerting your roaming partner of likely IRSF activity an hour or two before they receive NRTRDE files could help them avoid significant fraud losses. This is likely to be seen as a differentiator of service from other in-country networks, and could result in your organisation being considered a preferred roaming partner, consequently increasing your roaming revenues.
A: FraudStrike™ contains numbers that are being advertised as International Revenue Share test numbers. We do not recommend that these numbers are blocked, but rather kept in the hotlist so you can be alerted to any activity on the network that could be construed to be a potential IRSF attack. If you block these numbers, which are not typically used in the actual IRSF attack itself, then you will lose the intelligence that these numbers can provide as an early warning system. Fraudsters often have access to more than one device and an early warning of a likely IRSF attack does provide the opportunity to investigate, and identify any other devices that should also be blocked. Some IPRN Resellers do also provide numbers for legitimate purposes, such as content services, Psychic lines etc. Blocking these numbers could prevent customers accessing a legitimate service, and revenue would be lost.
A: If a number is entered in the FraudStrike™ database, this is because it has been advertised by an IPRN Reseller on their rate card or test number schedule. Some IPRN Resellers are heavily involved in number misappropriation (number hijacking), and will often hijack a small operators complete number range during a period when they intend carrying out an IRSF attack. In this case, they will often publish assigned customer numbers which will only generate revenue for them during the period of the number hijack. This is another very good reason why FraudStrike™ numbers should not be blocked. In this case, a very quick investigation could reveal that the call is placed by a legitimate customer to the genuine user of the FraudStrike™ advertised number.
A: Since FraudStrike™ contains a list of active IRS test numbers it can be used for a number of purposes other than detecting IRSF attacks. One example is using the FraudStrike™ database for Wangiri fraud detection. By replacing the last 2 digits of the IRS test numbers with wildcards we have a premium number database consisting of over 2 million numbers. Monitoring calls from these numbers onto your network, especially where these numbers are dialling more than a certain number of unique domestic numbers, has been shown to be effective in detecting Wangiri fraud attacks. Similarly this also works as an outgoing hot list if a rule is set at say >5 calls to a specific FraudStrike™ range from different subscribers in xx minutes.
A: Yes. Our experience has shown that FraudStrike™ is very effective at preventing IRSF. It is actively managed and updated on a regular basis and while we don't claim that it contains every single IRS test number it does provide very good protection.
Existing FraudStrike™ users now regard this database as the key defensive tool in their IRSF detection strategy.
A: The advantage of using FraudStrike™ over other detection methods such as HUR’s is that FraudStrike™ uses a proactive approach to IRSF prevention instead of reactive. With the use of the IRSF Test Number database, the fraudster can typically make a number of test calls testing the full connectivity to the premium rate service. Once these Holist Fraud alerts are generated these subscribers activity can then be monitored and stopped very early on in an IRSF fraud attack.
Using alternative methods such as HUR’s are more of a reactive approach to IRSF prevention whereby the reports will only alert on an IRSF fraud attack as it is carried out. As a result, FraudStrike™ can work towards a much faster speed of detection than other alternative IRSF prevention techniques.
A: FraudStrike™ contains over 300,000 test numbers, that is numbers which can be provided to a potential customer or fraudster to confirm that this number/range can be called from the country he is calling from, and device he is using (for example a fraudulent SIM card or hacked PBX).
These numbers are obtained from over 160 international premium rate number reseller websites and are regarded as “test” numbers as they are advertised to potential fraudsters to test their connectivity before carrying out a fraud attack.
A: As detailed above, these test numbers are obtained from over 160 international premium rate number reseller websites. These websites are analysed frequently and the hotlist database is constantly updated, i.e. with updates available every 2-4 weeks, with the total numbers growing each month.
A: The FraudStrike™ database now contains numbers representing 221 country (dialling) codes. This represents 88% of the world’s Country Codes that have been issued, so any one of these could be responsible for an expensive IRSF attack. If a number is in FraudStrike™, then it is there because it has been advertised on an IPRN Providers website.
A: FraudStrike™ may raise false positives once deployed on your system – there are a number of reasons for this;
It is important to note however that if a number is in FraudStrike™, then it is there because it has been advertised on an IPRN Providers website. FraudStrike™ does not compete with the GSMA Hot Number Range list. The GSMA list contains numbers that have been used during an IRSF attack. The FraudStrike™ database contains Test Numbers which will be used prior to an IRSF attack so that the fraudster can confirm that the device and country he is calling from, is permitted to terminate a call in the country and number range he wishes to call. FraudStrike™ alerts can also occur during the traffic inflation phase of an IRSF attack as often a fraudster will find the need to test new numbers while the IRSF attack is in progress.
A: Yes. FraudStrike™ can monitor both Roaming-In and Roaming-Out traffic of an operator as well as Domestic and Fixed Line traffic feeds should IRSF be an issue under these traffic types.
Alerts can be raised for Inbound Roaming traffic alerting an operator of fraudulent activity of an inbound roamer to their network as best practice. This operator, while under no financial requirements, can then alert the parent operator of the fraud attack at the early stages when captured using FraudStrike™.
A: A typical test call will consist of very short calls (sometimes as short as 2 or 3 seconds) to these test numbers. FraudStrike™ will allow you to drill down to the actual CDRs that were generated when these test calls were made. If you have suffered an IRSF attack at any time, look through the fraud calling schedule, and the test calls will be obvious. These will generally be between 1 and 5 short calls to the same numbers followed by multiple calls to different numbers within the same ranges. If the called country is changed midway through the IRSF attack, you will generally see more short duration calls to that Country Code, again checking to ensure that this new Country can still be connected from the device being used.
A: Perhaps it would help to provide a few examples of IRSF impacting Prepaid:
With examples 1 and 2, the likelihood of these types of incidents is low but the impact if they do occur can be very severe. With example 3, the incidents of Wangiri Fraud have increased significantly over the past 12-18 months and the early identification of these incidents, allowing customers to be warned and IRSF numbers blocked is a great opportunity to add real value to the customer experience.
There are a number of associated frauds also that may be used in association with IRSF on Prepay. These include Credit Card Fraud (fraudulent recharges for use with IRSF), Voucher Fraud (using the fraudulent voucher balance for IRSF), and Fraudulent credits to Prepay account (Through Internal Fraud and sharing the IRSF income with Fraudster).
A: Provided one or more of the over 300,000 International Revenue Share test numbers is called by a fraudster, and all domestic and roaming call records are subject to analysis by FraudStrike™, then an alert will be issued to prompt an investigation into the call or calls. If calls are made within the domestic network to a domestic (in-country) Premium Rate Service Number, then these will not identified by FraudStrike™, as it does not include domestic PRS numbers. FraudStrike™ will however identify IRSF Test Numbers, which are in the database, if these numbers are called within the home Country. For example a Latvia IRSF number being called from a fraudulent SIM card or hacked PBX within Latvia (although some number providers do block access to these numbers from within the domestic network). In respect of domestic PRS numbers, monitoring calls into these numbers is generally a specific function of the FMS.
A: Some operators do suggest this approach however we do not recommend it. The over 300,000 numbers within FraudStrike™ are mostly test numbers, that is a number which can be provided to a potential customer or fraudster to confirm that this number/range can be called from the country he is calling from, and device he is using (for example a fraudulent SIM card or hacked PBX). It is extremely unlikely that this test number will be used to inflate traffic into that IRSF number range. Once the fraudster has confirmed that he can make these calls, he will go back to the number provider and obtain additional numbers to the same destination so that he can start his traffic inflation. The Test Number will generally then be used by another potential customer or fraudster for the same purpose.
The IPR Number Resellers will have tens of thousands of International Revenue Share numbers in behind the Test Numbers which they can distribute to those who have been successful with the test numbers. The Resellers do not generally advertise these IRS numbers, so we do not know what they are. If the test numbers are blocked, it is likely that the person making the calls will go back to the Reseller and be issued with another number, which the FraudStrike™ Database may not be aware of, to make the test calls. If this was successful, then the fraud will commence.
By using the FraudStrike Database as a hot-list, to provide an early warning of what could be a potential IRSF attack, it allows a Fraud Analyst to start an investigation to confirm whether or not this activity is in fact fraud, then to block the device being used, and/or to try and identify any other devices under that fraudster’s control.
It should also be remembered that not all IRS calls are made by fraudsters, some could be genuine. There are some legitimate businesses that may contract with a number provider to issue revenue share numbers for activities such as bill payment, accessing content services, voting lines etc. Blocking all of the Test Numbers may deprive your organisation of a potential revenue stream.
A: In the event of a calling number matching a number on the FraudStrike Database:
If there are no further calls following the call or calls to the Test Number, then you may be fortunate enough to have identified a potential IRSF incident before the traffic inflation starts.
There can often be a delay of up to 1-4 hours between the time a Test Call is completed and the time the traffic inflation to additional numbers commences. This time period allows the fraudster to obtain further numbers from the Reseller, and if he is intending to use others to assist him in generating this traffic, to get them into position also. This becomes a critical period where the Analysts and Investigators need to convince themselves whether or not this is likely to lead to an IRSF attack if they do nothing, and if they are convinced it is leading to a fraud attack, take whatever steps are necessary to identify any other SIM cards or devices that may be under that fraudster’s control, so that they can also be neutralised.
Experience has shown us that if you identify and stop one IRSF attack, by all means celebrate your success, but remain vigilant. Generally the fraudsters will come back and try again within a few hours or days, believing that the operator will feel safe once the initial fraud incident is shut down.
A: It is our view, and one which we hope is shared by most others in the industry, that a VPMN (visited network) should be notifying the HPMN (their roaming Partner and the owner of the fraudulent SIM card) as soon as they become aware of, or suspect IRSF activity within their network. The VPMN has a contractual obligation under the NRTRDE agreement to notify the HPMN of their call traffic within 4 hours of call completion. However, most networks will identify IRSF activity well before this time period, usually within 1 hour of an IRSF attack commencing. The VPMN should not be delaying this notification until the next NRTRDE notification is due.
Delaying this notification to meet the 4 hour NRTRDE timeframe may result in some additional revenue for the VPMN, as the HPMN will be required to pay those charges. However for many reasons, whether they be moral, demonstrating that they are a good roaming partner, wanting to ensure that fraudsters make as little money as possible, or simply working on the basis that roaming partners (or operators) should not profit from fraud, will hopefully prompt the VPMN to find someone within the HPMN that they can advise of a likely fraud.
I think that all of those involved in the prevention, detection and investigation of IRSF will agree by now that unless the industry works together to try and stop this fraud, we never will succeed.
A: If we look at the types of Prepaid Fraud referred to above, generally the losses are reported in the same way as Post-paid fraud, although it is important to differentiate between post and pre-pay to ensure that the true risk of prepay is identified. Our experience now makes it clear that Prepay is not 'risk-free' as we all thought a few years ago. For those who have not seen it, we would encourage you to download and read the GSMA Permanent Reference Document FF-03, Advice on Prepaid Services, which identifies most of the known fraud risks associated with Prepay.
Some of the Prepay Fraud methods do result in a customer unwittingly having their prepay balance removed, and this provides an additional opportunity to report on the customer impact of fraud. It certainly helps getting some of the customer relationship people within the organisation on-side if an operator reports that say 10,000 plus prepay customers were impacted by Wangiri Fraud and lost all of their prepay balances.
A: FraudStrike™ is essentially a hotlist that can be applied to all called numbers including switching elements on the domestic network and also on all roaming traffic. Once an alert is generated the originating device and subscriber should be investigated to see if they are fraudulent. XINTEC offers a very quick-to-implement FraudStrike™ package consisting of an FMS (FMSevolution) with full alerting and reporting capability and the FraudStrike™ database which is automatically updated every time a new FraudStrike™ update occurs.
XINTEC can provide a SaaS or fully deployed option on this software and typical setup times for roaming traffic is of the order of a few days.