Feature

Crime pays, if you’re in the right business

Katia Gonzalez, BICS

Alan Burkitt-Gray uncovers the grimy story of carriers that spoof call data so mobile operators, not their customers, get big bills

As many of us move to services such as WhatsApp, Facebook Messenger and WeChat, growth in voice has evaporated and traffic is now steadily falling at up to 7% a year. But there is more, and possibly worse, news for telecoms companies.

Margins are getting thinner for carriers, especially those in the European Union since it adopted a “roam like at home” rule for mobile services in 2013 that removes all extra calling charges within the Union and the European Economic Area (EEA).

While this is good for people who can call home and use data roaming during business trips and holidays in the EU without worrying about bill shock, mobile operators and the carriers that connect calls for them are now facing their own bill shock problem, because roam like at home has facilitated a new form of telecoms fraud.

Eli Katz, chief executive of XConnect Global Networks – now owned by US telecoms services company Somos – describes this problem as “one of the biggest changes in rating, billing and costing in decades”.

Meanwhile, Katia Gonzalez, head of fraud and security at BICS, warns that “roam like at home has been reconfirmed for the next few years, so the impact will go on”. Gonzalez is reluctant to even guess how much the industry is losing to these fraudsters.

She explains that this is “very difficult to answer”, because many of the companies affected “do not have the technology” to detect the fraud.

This is not the sort of fraud where someone steals your phone and uses it to call premium-rate numbers to run up a bill of hundreds of euros. Instead, callers and recipients are innocent parties who make and receive legitimate calls that cause law-abiding telecoms operators to lose money to operators that are not as law-abiding.

One operator involved in this fraud is a reasonably well-known carrier, says Gonzalez. She will not identify the company other than to say, “it is a European-based company”.

Telecoms fraud from A to B

For as long as anyone can remember, most of the world has lived in a “caller pays” regime.

The person dialling the call is the “A-end” of the call, the recipient is the “B-end” and the A-end pays for the call – except for the US and a few other places, where B-ends pay towards calls they receive, even if only via call minutes in monthly bundles.

This system allows someone in Australia to see what they will be charged to call Belgium before dialling.

Call charges vary hugely. Vodafone UK charges £0.19/min for calls from the UK to landlines and mobiles within the EU and the EEA; £1.50/min for calling non-EU/EEA destinations in Europe (eg, Albania, Switzerland or Turkey); and £3/min for calls to the rest of the world.

Call charges from Microsoft’s Skype vary widely, but are usually much lower: Skype’s pre-pay service charges £0.021/min calling EU/EEA landlines from the UK, £0.019/min for similar calls to China, but £0.499/min for calls to Belarus. Callers also pay a connection fee, usually of less than £0.10.

But whatever callers pay, there is an element in the cost structure they never see: the final delivery charge from the company tasked with passing calls to recipients – the B-end’s local service provider.

For calls within Europe, “the termination rate is normally 0.5¢ to 1¢ a minute”, says Katz. But the termination rates for calls that originate from outside Europe are not regulated. “For many countries the termination rate is much higher: 20¢ to 30¢ a minute,” says Katz.

The termination fee for EU-to-EU calls is covered by the A-end’s roam-like-at-home fee, while fees for calls outside the EU form part of their phone bill.

This system works in the other direction, notes John Wilkinson, chief executive of TMT Analysis.

“Companies in Europe have low termination rates, but they’ve had to pay high rates to make calls into Asia and the Middle East,” he explains.

However, except for the US and a few other places, he says, “the A-number pays and the B-number has no cost. This has worked for 150 years.”

Reciprocal charges

Now, some operators are fighting back. “If I’m being charged 30¢ a minute [to have a call delivered],” says Katz, putting on the voice of an operator, “then I might want to charge on a reciprocal basis.” In other words, they may claim the right to charge 30¢/min to deliver calls in the opposite direction.

Such high reciprocal delivery charges create an opportunity to make money illicitly. For example, if a Middle Eastern operator charges $7/min to deliver calls coming from Europe to customers on its network, Vodafone might impose similar charges to deliver calls from callers in that country back to Europe.

This system relies on knowing where a call comes from. While the origin of an email can be traced (every email contains the time and IP address of the server it was sent from, and each server it passes through), phone calls do not contain similar data.

Instead, they are assigned calling line identification (CLI) codes. These display on the screens of phones the number that calls come from – they are how you know if a caller is your best friend or a mysterious law firm that claims you were injured in a road accident.

This fraud involves substituting a caller’s CLI with a false CLI, making it appear as though the call originates in another country. For example, Brobtel – a fictional operator in fictional Brobdingnag – charges high termination rates to deliver calls originating in distant (and also fictional) Ambrosia. However, Brobtel’s termination fees for calls originating from its neighbour (ahem) Cloud Cuckoo Land are tiny.

Ambrosia Telecom charges $7/min on calls to Brobdingnag to cover its termination fees, which are routed through Cloud Cuckoo Land International Carrier (CCLIC).

But, unknown to Ambrosia Telecom, CCLIC swaps Ambrosian CLIs for ones that show Cloud Cuckoo Land. So, as Brobtel thinks these calls originate in Cloud Cuckoo Land, it charges CCLIC the tiny termination fee, while Ambrosia Telecom pays out a high termination fee and CCLIC pockets the difference.
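The Brobtel scenario above, worked through from the originating operator’s side as an added example (this is not code from the article, BICS, XConnect or TMT Analysis). The premise is a test-call check, which is an assumption of this example rather than something the article describes: Ambrosia Telecom dials from a number it controls, over a given route, to a number it also controls in Brobdingnag, then compares the CLI that arrived with the A-number it actually sent. All country codes, termination rates and call records are constructed, using the article’s fictional countries. Because the check compares origin country rather than whether the number exists, a substituted CLI that is a real, ringing number is still flagged.

```python
"""
Added worked example (not code from the article or any company it names):
reconcile the CLI presented at the B-end of a test call against the A-number
actually used, and cost the termination-fee shortfall the terminating operator
would suffer. Test-call method, prefixes, rates and records are all constructed.
"""
from dataclasses import dataclass

# Constructed E.164-style country codes for the article's fictional countries.
COUNTRY_CODES = {
    "+991": "Brobdingnag",
    "+992": "Ambrosia",
    "+993": "Cloud Cuckoo Land",
}

# Brobtel's (constructed) per-minute termination rate, keyed by origin country.
TERMINATION_RATE = {
    "Ambrosia": 7.00,           # distant origin: high, unregulated rate
    "Cloud Cuckoo Land": 0.01,  # neighbouring origin: tiny rate
    "Brobdingnag": 0.005,       # domestic
}


@dataclass
class TestCall:
    route: str       # carrier the call was handed to
    sent_cli: str    # A-number actually used by the originating operator
    seen_cli: str    # CLI presented to the B-end test phone
    minutes: float


def country_of(number: str):
    """Map an E.164 number to its country via the longest matching code."""
    best = None
    for code, country in COUNTRY_CODES.items():
        if number.startswith(code) and (best is None or len(code) > len(best[0])):
            best = (code, country)
    return best[1] if best else None


def reconcile(calls):
    """Return one finding per test call whose presented CLI was altered."""
    findings = []
    for c in calls:
        if c.seen_cli == c.sent_cli:
            continue  # CLI passed through intact
        sent_country = country_of(c.sent_cli)
        seen_country = country_of(c.seen_cli)
        finding = {
            "route": c.route,
            "sent_cli": c.sent_cli,
            "seen_cli": c.seen_cli,
            "origin_changed": sent_country != seen_country,
        }
        if finding["origin_changed"] and sent_country and seen_country:
            # What the true origin warrants vs. what the presented origin bills.
            due = TERMINATION_RATE[sent_country] * c.minutes
            billed = TERMINATION_RATE[seen_country] * c.minutes
            finding["termination_shortfall"] = round(due - billed, 4)
        findings.append(finding)
    return findings


def summarise_by_route(calls):
    """Count altered CLIs and total the shortfall per ingress route."""
    summary = {}
    for f in reconcile(calls):
        entry = summary.setdefault(f["route"], {"spoofed": 0, "shortfall": 0.0})
        entry["spoofed"] += 1
        entry["shortfall"] = round(
            entry["shortfall"] + f.get("termination_shortfall", 0.0), 4)
    return summary


# Constructed test calls from Ambrosia Telecom to a Brobdingnag test number.
SAMPLE_CALLS = [
    TestCall("CCLIC", "+992 555 0100", "+993 555 0199", 2.0),          # origin rewritten
    TestCall("CCLIC", "+992 555 0101", "+993 201 4400", 1.5),          # rewritten to a real-looking number
    TestCall("HonestCarrier", "+992 555 0102", "+992 555 0102", 3.0),  # intact
    TestCall("HonestCarrier", "+992 555 0103", "+992 555 0103", 1.0),  # intact
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_CALLS):
        print(finding)
    print(summarise_by_route(SAMPLE_CALLS))
```

Run against the constructed records, only the CCLIC route produces findings: two altered CLIs with a combined shortfall of 24.465 at the constructed rates, while the route that passes CLIs through intact produces none. In practice the same reconciliation is what supports the end-of-month adjustment invoices the article goes on to describe, since it ties each altered CLI back to the route that altered it.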

“I don’t know by whom that call has been carried from A to B,” says Gonzalez. This means it is impossible to tell if a fraud is being committed.

But some carriers, if they discover a call has used an incorrect CLI, will retrospectively charge A-end operators very high termination rates. A few mobile operators charge penalty fees of €2/min to terminate such calls, even ones originating in the EU, by sending A-end operators adjustment invoices at the end of the month.

Penalties for false CLI

The trick to spoofing the CLI system lies in substituting a caller’s genuine CLI with a realistic fake CLI.

“If there’s a filled-in CLI that matches the A-number, that looks OK,” says Wilkinson, whose company – like Katz’s – specialises in identifying fake CLIs. “You have to stuff the CLI with numbers that look like they’re real.”

However, Gonzalez warns that fraudsters are substituting original CLIs with real phone numbers so “there’s no way to tell they’re spoofed”.

She says: “The bad guys are very smart, so it’s very difficult to detect. We see spoofed CLIs that use a theatre reservation number, for example.”

Call the number to check, as some of Gonzalez’s team might do, and you get a real, ringing phone number.

“Even with machine learning it’s very difficult,” she adds.

The hard bit for the industry is figuring out what to do about this kind of fraud.

Phone companies do not want to block calls, says Gonzalez. “It’s not a caller’s fault that her operator uses a route that allows CLI spoofing,” she says. “We cannot block a call. We have a legitimate call and we have to carry it.”