fraude dans la telephonie - imt · 6 some of your work, so far a taxonomy for telephony fraud...
TRANSCRIPT
![Page 1: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/1.jpg)
Fraude dans la Telephonie
Aurélien Francillon
Merve Sahin
With Monaco Telecom
Also with cooperations:NYU Abu Dhabi
Georgia TechTelecom Paris Tech (Marc Relieu)
![Page 2: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/2.jpg)
2
Telephony Fraud
● A long-standing problem (1870s → 2010s)
– Early fraud mechanisms:aiming to make free calls
– Today: ● Convergence of multiple technologies ● Multiple actors involved
– Operators, VoIP providers, 3rd party services, enterprises…
● Touching over 7 billion people● Massive volume of traffic
![Page 3: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/3.jpg)
3
Telephony fraud: Some examples
● Small charges on your phone bill
● Stolen phone or SIM card
● Unwanted calls and voicemails
● Unknown international caller IDs
![Page 4: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/4.jpg)
4
Consequences of Telephony Fraud
[*] CFCA Global Fraud Loss Survey, 2015
In 2015, estimated financial loss for operators was $38.1 billion*
- In the US, 400K+ spam call complaints (monthly)- In France, 574K complaints last year
Attacks on critical infrastructure(e.g., TDoS* on emergency lines)
Effects on online security● Technical support scams● Telemarketing calls recording
sensitive information
[*] Guri et al., “9-1-1 DDoS: Attacks, Analysis and Mitigation”, EuroS&P'17
[*] D. Cameron, “Major leak exposes 400K recorded telemarketing calls, thousandsof credit card numbers”, 2017.
![Page 5: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/5.jpg)
5
Problems with Telephony Fraud
● Multi-dimensional problem– Technologies, regulations, law,
historical background
● Multiple fraudulent actors
● Various skills and motivations
● Confusing terminology – Different terms for the same problem
– Same term for different problems
● Limited public documentation, not comprehensive
Telephony fraud and vulnerabilities are not well understood
Without a good understanding, we cannot effectively fight fraud!
![Page 6: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/6.jpg)
6
Some of your work, so far
● A taxonomy for telephony fraud ● Holistic view, clear terminology, a publicly available guide
● Detailed study of 3 fraud schemes– Over-The-Top (OTT) bypass fraud
● Position it in the taxonomy● Evaluate existing solutions● Measure its effects with a case study
– International Revenue Share Fraud ● Understand why it is difficult to address● Understand the drawbacks of existing solutions● Propose a way to improve detection
– Voice spam ● Analyze a new defense approach
[IEEE EuroS&P’17]
[ACM CCS’16]
(coming soon...)
[Usenix SOUPS’17]
![Page 7: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/7.jpg)
7
Example: Callback Scam
![Page 8: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/8.jpg)
8
Example: Callback Scam
![Page 9: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/9.jpg)
9
Example: Callback Scam
![Page 10: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/10.jpg)
10
Example: Callback Scam
Fraud Schemes Callback scam
![Page 11: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/11.jpg)
11
Example: Callback Scam
Fraud Benefits
Fraud Schemes
Get a share from call revenue
Callback scam
Lead to
![Page 12: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/12.jpg)
12
Example: Callback Scam
Fraud Benefits
Techniques
Fraud Schemes
Get a share from call revenue
Callback scam
Caller ID spoofing, Auto-dialers, Social engineering
Enable
Lead to
![Page 13: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/13.jpg)
13
Example: Callback Scam
Fraud Benefits
Techniques
Weaknesses
Fraud Schemes
Get a share from call revenue
Callback scam
Caller ID spoofing, Auto-dialers, Social engineering
Lack of Caller ID authentication, Lack of security & fraud awareness
Manipulated by
Enable
Lead to
![Page 14: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/14.jpg)
14
Example: Callback Scam
Fraud Benefits
Techniques
Weaknesses
Root Causes
Fraud Schemes
Get a share from call revenue
Callback scam
Caller ID spoofing, Auto-dialers, Social engineering
Lack of Caller ID authentication, Lack of security & fraud awareness
Legacy/Insecure protocols, Interconnection of poorly understood technologies
Result in
Manipulated by
Enable
Lead to
![Page 15: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/15.jpg)
15
A definition
● A fraud schemeis a way to obtain an illegitimate benefit using a technique. Such techniques are possible because of weaknesses in the system, which are themselves due to root causes.
Fraud Benefits
Techniques
Weaknesses
Root Causes
Fraud Schemes
Lead to
Enable
Manipulated by
Result in
![Page 16: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/16.jpg)
16
Our taxonomy
![Page 17: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/17.jpg)
17
Our taxonomy
![Page 18: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/18.jpg)
18
Interconnect Bypass Fraud
![Page 19: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/19.jpg)
19
Interconnect Bypass Frauds
● Bypassing International call termination fees– Not going through normal routes
– Calls routed on “VoIP”
● Multiple well known schemes:– SIM Boxes (VOIP-GSM gateways)
used with stolen sim cards
– Compromised (IP-)PBX
● OTT-Bypass: – More recent, uses Smartphones voice chat applications*
– “Cooperation” with transit operators
* Sorry ! Our lawyer does not want us to disclose which app
SIM Box with many sim cards (sim card server)
IP-PBX, voice communication server over IP
![Page 20: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/20.jpg)
20
Regular International Call
keeps0.05$
keeps0.05$
![Page 21: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/21.jpg)
OTT Bypass Call
keeps0.05$
keeps0.05$
OTT Network(IP)
![Page 22: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/22.jpg)
OTT Bypass Call
OTT Network(IP)
keeps0.05$
keeps0.05$0.15$
0.15$
0.00$
![Page 23: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/23.jpg)
Detecting and Measuring OTT Bypass: Challenges
![Page 24: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/24.jpg)
Outgoing bypass: No visibility on complete call route
Detecting and Measuring OTT Bypass: Challenges
![Page 25: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/25.jpg)
Incoming bypass: No visibility on bypassed call logs
Detecting and Measuring OTT Bypass: Challenges
![Page 26: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/26.jpg)
26
Case Study: Measuring OTT bypass - on a Small European Country - with a custom TCG* platform
[*]TCG: Test Call Generation
![Page 27: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/27.jpg)
27
➢ Spain ➢ Turkey ➢ United Kingdom➢ Italy➢ Netherlands➢ Germany ➢ Austria➢ Switzerland
➢ FranceExperiment Setup● Customized Android phones● 4 SIM cards from victim operator ● Recipient phones roaming in France● Calls originating from 8 countries
(1 operator per country)● Centralized collection of call logs● 15000+ test calls over 4 months
[*]TCG: Test Call Generation
Case Study: Measuring OTT bypass - on a Small European Country - with a custom TCG* platform
![Page 28: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/28.jpg)
28
Overall bypass
OTT Network (IP)
Results● Up to 83% of calls were subjected to
bypass in 6 of 8 countries● OTT bypass leads to quality problems in
call establishment● Multiple fraud schemes may collide
➢ Spain – 83%➢ Turkey – 72%➢ United Kingdom – 61%➢ Italy – 56%➢ Netherlands – 53%➢ Germany – 42%➢ Austria➢ Switzerland
➢ France
![Page 29: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/29.jpg)
29
Example: Simbox and OTT Bypass
UK caller ID: +44-745... ● +44-745...● Mobile
termination
![Page 30: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/30.jpg)
30
Example: Simbox and OTT Bypass
Recipient phone is online on OTT
- 16% Simbox bypass (over Russian mobile numbers)
UK caller ID: +44-745... ● +7-969...● Mobile
termination
![Page 31: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/31.jpg)
31
Example: Simbox and OTT Bypass
OTT Network (IP)
Recipient phone is online on OTT
- 16% Simbox bypass (over Russian mobile numbers)
- 36% OTT bypass
UK caller ID: +44-745... ● +44-745...● OTT
termination
![Page 32: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/32.jpg)
32
Example: Simbox and OTT Bypass
OTT Network (IP)
Recipient phone is online on OTT
- 16% Simbox bypass (over Russian mobile numbers)
- 36% OTT bypass
- 25% Simbox + OTT bypass
~80% fraudulent call termination
UK caller ID: +44-... ● +7-969...● OTT
termination
![Page 33: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/33.jpg)
Conclusions
Telephony fraud is likely to remain as a significant problem– Several weaknesses (in protocols, regulations…)
that are difficult to fix
– New technologies will bring new vulnerabilities
– Fraudsters are smart and have strong incentives
– Fighting fraud is costly (fraud loss > cost of detection/prevention)
We need industry cooperation... and data !
?
![Page 34: Fraude dans la Telephonie - IMT · 6 Some of your work, so far A taxonomy for telephony fraud Holistic view, clear terminology, a publicly available guide Detailed study of 3 fraud](https://reader033.vdocuments.net/reader033/viewer/2022041607/5e34c3e017f17e3515673b45/html5/thumbnails/34.jpg)
34
References
• Merve Sahin, Aurélien Francillon, Payas Gupta, Mustaque Ahamad, “SoK: Fraud in Telephony Networks” IEEE European Symposium on Security and Privacy (EuroS&P'17), 2017, Paris, France• Merve Sahin, Aurélien Francillon, “Over-The-Top Bypass: Study of a Recent Telephony Fraud” ACM conference on Computer and communications security (CCS), 2016, Vienna, Austria• Merve Sahin, Marc Relieu, Aurélien Francillon “Using chatbots against voice spam: Analyzing Lenny's effectiveness” Usenix Symposium on Usable Privacy and Security (SOUPS), 2017• eMarketer. Digital content and advertising key revenue generators for messaging apps. emarketer, November 2015.• New threat to mobile network operator revenues. Revector Company Blog, February 2016.• B. Reaves, E. Shernan, A. Bates, H. Carter, and P. Traynor. Boxed out: Blocking cellular interconnect bypass fraud at the network edge. In USENIX Security, 2015.• Vijay A. Balasubramaniyan, Aamir Poonawalla, Mustaque Ahamad, Michael T. Hunter, and Patrick Traynor. 2010. PinDr0p: using single-ended audio features to determine call provenance. ACM CCS.• Miramirkhani et al., “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams”, NDSS'17.• Guri et al., “9-1-1 DDoS: Attacks, Analysis and Mitigation”, EuroS&P'17.• D. Cameron, “Major leak exposes 400K recorded telemarketing calls, thousands of credit card numbers”, 2017. Available at www.dailydot.com.• L. Notenboom, “I got a call from Microsoft and allowed them access to my computer. What do I do now?”, 2014. Available at http://askleo.com.