KB100 - How Clearfly's Call Fraud Detection Works


What is call fraud?

While there are many benefits, one of the potential risks in running an IP-based phone system is that when not properly secured or hardened a system can be hijacked to place expensive phone calls to far-off places. Since some of these calls cost upwards of $10 per minute the reward for the attacker is great and thus those charged with configuring IP-based phone systems must take steps to prevent unwanted financial liability. Some simple steps can be taken to lessen your risk, but it is wise to have a fail-safe if an attacker succeeds.

How are systems compromised?

Systems can be compromised by different exploits depending on the make/model. Here are some common ones we have seen.

  1. The PBX simply responds to an invite from the greater Internet and it is routed it out one of its trunks as a normal call.

    • A PBX should not respond to a SIP invite from an unconfigured peer.

  2. The call was initiated using the username/password of an IP phone configured on the PBX.

    • Passwords should be sufficiently random so as not to be guessable

    • If PBX is not supporting off-premise phones It should not accept SIP invites from external authenticated peers.

  3. An attacker guessed a user’s voicemail using a remote voicemail access number and forwarded the calls to an international number.

    • A voicemail system should not permit forwarding of calls to international numbers.

Do you have a way to block calls if my system is compromised?

Clearfly implements a near real-time call fraud detection scheme which aims to identity unauthorized calls (currently international, as Clearfly provides unlimited domestic LD) and prevent further calls from being placed until the source of the calls can be verified as valid.

How it works

When a call is completed a billing record is written to a file on the serving switch. These files are uploaded and imported into our billing system at a fixed interval (currently every five minutes). After all calls have been imported our fraud detection service scans all calls for each customer in the previous six hour period and totals up the usage. The system then compares the total to a fixed threshold (currently $10.00 for international calls) which is defined on each customer’s account. If the threshold is exceeded the ability to place calls of this type is automatically blocked, and when placing a call to a blocked destination the customer will receive an announcement notifying them that their call has been "barred".

At this point Clearfly will notify the customer and or any related parties about the potential fraudulent calling. If the customer agrees that the calls were valid then Clearfly will unblock international calling and raise the block threshold to something more in line with the customer’s usage patterns. If the customer deems the calls fraudulent then they will need to determine how their phone system was compromised and correct the situation before requesting that the call block be removed.

Near real-time is not real-time

Even though the threshold may be set to $10.00 by default, if your system is compromised the actual cost of the calls before the block is activated will likely be greater. For example:

  1. Unauthorized call is placed at 9:00 PM and lasts for twelve minutes ending at 9:12 PM.

  2. It could be up to five minutes before the billing file is closed and uploaded to the billing server. 9:17 PM

  3. Billing files are uploaded into the system every 5 minutes. 9:23 PM

If this call exceeds your block threshold all future calls will be blocked, but there could still be calls that have not completed or have not been uploaded. However, odds are that calls will be blocked within 10 minutes of the first exceeding unauthorized call, and that is much better than letting a script kiddie rack up hours or days worth of calls at your expense.

What if I make a lot of international calls?

No Problem. Just submit a Move/Add/Change ticket in the Clearfly Portal requesting a six hour threshold that is more in line with your calling patterns. If you happen to guess low and get blocked, don’t worry — it’s easy for us to adjust!