WO2002091713A2 - A system and method for preventing fraudulent calls using a common billing number - Google Patents

A system and method for preventing fraudulent calls using a common billing number Download PDF

Info

Publication number
WO2002091713A2
WO2002091713A2 PCT/US2002/014343 US0214343W WO02091713A2 WO 2002091713 A2 WO2002091713 A2 WO 2002091713A2 US 0214343 W US0214343 W US 0214343W WO 02091713 A2 WO02091713 A2 WO 02091713A2
Authority
WO
WIPO (PCT)
Prior art keywords
cdr
fraud
billing number
call
current
Prior art date
Application number
PCT/US2002/014343
Other languages
French (fr)
Other versions
WO2002091713A3 (en
Inventor
Dean C. Marchand
Erin C. Jackman
Ron Zimmerman
Original Assignee
Worldcom, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Worldcom, Inc. filed Critical Worldcom, Inc.
Priority to CA002446732A priority Critical patent/CA2446732A1/en
Priority to EP02744138A priority patent/EP1388256A4/en
Priority to JP2002588055A priority patent/JP2004527185A/en
Priority to AU2002340818A priority patent/AU2002340818A1/en
Publication of WO2002091713A2 publication Critical patent/WO2002091713A2/en
Publication of WO2002091713A3 publication Critical patent/WO2002091713A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/58Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP based on statistics of usage or network monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2215/00Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01Details of billing arrangements
    • H04M2215/0148Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2215/00Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01Details of billing arrangements
    • H04M2215/0188Network monitoring; statistics on usage on called/calling number

Definitions

  • This application relates generally to preventing fraudulent access to a telecommunications system.
  • this application relates to identifying fraudulent calls made to and originating from a private branch exchange (PBX) that use a common billing number.
  • PBX private branch exchange
  • Fraud costs the telecommunications industry millions of dollars per year. While the telecommunications industry struggles to prevent fraud and its devastating financial effects, the number of techniques that are used to perpetrate fraud continue to increase.
  • the fraud can be as simple as using a stolen credit card to charge a long distance call, or it can involve sophisticated call looping techniques, such as repeatedly calling a PBX, finding the correct sequence to access an outside line (by trial and error or other hacking techniques) and then placing a costly long distance call through the PBX system.
  • the telecommunications industry is involved in an intensive and ongoing effort to identify different types of fraud and to develop and implement ways of preventing such fraud.
  • Fraud control may be divided conceptually into identifying a call that is likely to be fraudulent and responding after a call is identified as likely to be fraudulent.
  • a fraud analyst uses billing detail records (BDRs) to validate call attempts in an effort to identify a fraudulent call and use call detail records (CDRs) in an effort to respond to fraud when a call has be ⁇ en completed.
  • BDRs billing detail records
  • CDRs call detail records
  • Methods of identifying calls that are likely to be fraudulent vary from the simple to the sophisticated and are generally directed at a particular type of fraudulent activity. For example, a call is likely to be fraudulent if it is made using a calling card that has been reported stolen by the owner.
  • the BDRs and CDRs contain information pertaining to the calls. Each CDR and BDR contain an originating number (where the call is from), a terminating number (where the call is to), and a billing number (where the cost of the call is charged to).
  • the '354 patent is directed at calls that require "special service", that is, which are placed through an operator or an automatic operation support system. Such calls generally require the caller to manually supply the billing number, such as by pressing numbers on a payphone, swiping the magnetic strip on a card, or speaking with an operator. It may also require the caller to identify the category of billing product (such as credit card, calling card, or pre-paid phone card) for the billing number.
  • the category of the billing product may alternatively be identified by the system by matching all or part of the billing number with billing numbers (or ranges of billing numbers) stored in an identification database, where the stored billing numbers are correlated with the category of billing product.
  • the identification database may also correlate a billing number with the particular type of billing product for the category. For example, where the category of the billing number is identified as a credit card, the identification database may use the billing number to further identify the type of credit card, such as Visa, Master Card, American Express, etc.
  • the '354 patent also identifies fraudulent activity by monitoring use of a billing number over time. For example, where the number of domestic calls placed within a certain amount of time using the same billing number exceeds a threshold, an alert is generated. Such use could signify that the billing number has been stolen and is being used to place multiple calls. International calls are handled in a similar fashion. However, due to the costly nature of international calls, the threshold value may be , adjusted so that fewer calls within the time period generate an alert. In addition, the threshold may be further adjusted for calls to countries where a high percentage of fraudulent calls are directed. The thresholds may also be varied by the billing product.
  • fraudulent activity may be determined to be more likely to occur on a calling card than on a third party call; consequently, the threshold may be set lower for calling card products.
  • the '354 patent monitors all calls made for that billing number, regardless of where the calls originate from or are directed to.
  • a hacker may attempt to hack into a private branch exchange (PBX) in order to access information or to use the PBX to make a subsequent call.
  • PBX private branch exchange
  • the call to the PBX may be a local or domestic call, which is less likely to attract attention, whereas the subsequent call made from the PBX may be a costly international call.
  • hackers may use a PBX in a remote area to access a telephone number that is restricted if dialed directly from the hacker's phone. In this manner, the hacker uses a technique called "call looping" to loop around a restricted telephone leg in order to gain access to the blocked number.
  • a system of detecting fraudulent calls made to a PBX is described in U.S. Patent No. 5,805,686, entitled “Telephone Fraud Detection System", which is owned by the assignee of the present invention.
  • the system disclosed in the '686 patent collects call detail records (CDRs) and allows long distance phone customers the ability to monitor usage of their PBX and assign a risk factor to a plurality of recognized call types and destinations. Based upon the generated risk values, fraud analyst determines whether or not to block future access to the PBX for the originating, terminating, or billing number.
  • CDRs call detail records
  • a system for identifying fraud in a telecommunications system utilizes a host receiver for receiving call detail records (CDRs) which are generated for each call placed to a PBX.
  • CDRs call detail records
  • Each CDR contains at least an originating number, a terminating number, a billing number and a call start time corresponding to each call.
  • the CDRs are stored in a CDR queue and are then analyzed using a CDR fraud detector to determine whether the calls are potentially fraudulent. If the calls are flagged as potentially fraudulent, the system generates an alert to a fraud analyst for additional consideration. The fraud analyst can then perform additional checks and add the number to an exception database if the call can be verified as legitimate. If the fraud analyst determines that the call is fraudulent, the billing number, originating number and/or terminating number may be blocked from the PBX.
  • CDRs call detail records
  • the method for preventing fraudulent access and use of the PBX comprises the steps of receiving a call detail record for each call entering and leaving a PBX, storing the CDRs in a queue, purging previously stored CDRs in a fraud database that are older than a current time less a predetermined period of time, comparing each CDR billing number to previously stored CDRs in the fraud database, storing the CDR in the fraud database, and generating an alert when the billing number of the current CDR matches a billing number of a previously stored CDR in the fraud database.
  • Fig. 1 is a block diagram illustrating the problem of call looping through a PBX using a common billing number
  • Fig. 2 is a block diagram illustrating the system in which the present invention operates
  • Fig. 3 is a diagram illustrating the different components of the CDR processor of ⁇ Fig. 2, according to the present invention
  • Fig. 4 is a detailed flow chart of the method performed by the CDR fraud detector of FIG. 3;
  • Fig. 5 is a continuation of the method performed by the CDR fraud detector of FIG. 3.
  • FIG. 1 shows a block diagram illustrating the problem of call looping through a private branch exchange (PBX) using a common billing number.
  • PBX private branch exchange
  • Call looping occurs when there is a block imposed by a long distance telephone carrier which prevents the direct dialing of a number from a calling location 100 to a called location 120.
  • calling location 100 is a location within New York City
  • called location 120 is a location within the country of Iran. Assuming for the example posed in FIG.
  • a call detail record (CDR) is generated.
  • the call detail record for first leg 160 includes an originating number field 101 , a terminating number field 102, a billing number field 103, and a time of call field 107.
  • second leg 170 contains fields 104, 105, 106, and 108, respectively.
  • the present invention determines that within a predetermined period of time, an incoming and an outgoing call to PBX 110 has used the same billing number.
  • the present invention recognizes this potentially fraudulent pattern and generates an alert to a fraud analyst for additional review.
  • FIG. 2 there is a disclosed a block diagram illustrating the system in which the present invention operates.
  • the system will be described with reference to the left side of Fig. 2 only. It is understood, however, that multiple redundant systems may run simultaneously in order to assist in the reduction of processing time.
  • a call data record is generated and forwarded to a main frame 205.
  • the CDR contains an originating number (where the call is from), a terminating number (where the call is to), a billing number (where the cost of the call is charged to) and a call start time.
  • the CDR is then stored in a CDR database 210.
  • the call data records are then forwarded to a CDR processor 200 in order to determine whether or not the calls are potentially fraudulent.
  • the output of CDR processor 200 is connected to an alert generator 230.
  • alert generator 230 If the information contained in the CDRs is determined by CDR processor 200 to be potentially fraudulent, alert generator 230 generates an alert and passes the alert through local telephone company 240 to a fraud monitoring center 250.
  • the alert can be sent using an email message or sent as a data file using file transfer protocol (FTP).
  • FTP file transfer protocol
  • the appropriate action may be the addition of the billing number to a block list to prevent the future use of that billing number.
  • the fraud analyst can perform a revenue study which determines whether or not it is economically feasible to impose a block on a particular leg of the fraudulent call (i.e. from NYC to Iowa PBX or from Iowa PBX to Iran).
  • FIG. 3 refers to a diagram illustrating the different components of the CDR processor of Fig. 2, according to the present invention. It is understood that while the system of FIG. 3 is described in the singular sense,. multiple systems can run simultaneously to reduce processing time and increase system redundancy. For example, separate systems, as described below, could handle all calls for a particular region or state, thus limiting the amount of data flowing into any one system.
  • the system for preventing fraudulent calls using a common billing number includes a host CDR receiver 300 for receiving individual call detail records from main frame 205.
  • the call detail records received by CDR receiver 300 are stored in a CDR queue 310.
  • CDR queue 310 stores the CDRs in a first-in-first-out (FIFO) manner.
  • the call detail records are then forwarded to a CDR fraud detector 320 for further processing as described in FIGS. 4 and 5.
  • Fraud detector 320 further comprises a fraud database 330 and an exception database 340 in order to help process the CDRs and detect fraud.
  • the CDR queue acts as a temporary storage for the CDR fraud detector 320.
  • fraud detector 320 detects fraud by receiving a call detail record for each call entering and leaving a PBX, purging previously stored CDRs in a fraud database that are older than a current time less a predetermined period of time, comparing each current CDR billing number to previously stored billing numbers of CDRs in the fraud database 330, storing the current CDRs in the fraud database 330, and generating an alert when the billing number of the current CDR matches the billing number of a previously stored CDR.
  • the CDRs are forwarded to alert generator 230 to generate an alert to a fraud analyst.
  • CDR fraud detector 320 receives the call detail records
  • fraud detector 320 reads a predetermined period of time in step 405.
  • fraud detector 320 reads a billing number field from the associated . current CDR in step 410.
  • Fraud detector 320 then reads a call start time field from the associated CDR in step 420.
  • fraud detector 320 purges previously stored CDRs in a fraud database 330 that are older than the current time less the predetermined period of time. The purging of previously stored CDRs ensures that fraud detector 320 only examines those CDRs that fit within the predetermined period of time.
  • the fraud analyst has the option of setting the predetermined period of time based upon his experience with fraud control.
  • the predetermined period of time is short, on the order of two to three minutes, as hackers break in and commandeer an outside line with which to place another call. Therefore, calls which enter and exit the PBX using the same billing numbers within a predetermined period of time are deemed potentially fraudulent and generate an alert to a fraud analyst. It is understood, however, that the predetermined period of time may be reprogrammed by a fraud analyst.
  • step 450 it is determined whether or not the billing number associated with the current call detail record matches a previous entry in the fraud database 330. If not, the process continues to step 430, where fraud detector 320 stores the billing number and the CDR in fraud database 330. The process then continues to step 490 wherein it is determined whether or not the fraud analyst wishes to change the predetermined period of time. If the fraud analyst decides to change the predetermined period of time, the process returns to step 405, or else the process returns to step 410.
  • step 460 it is determined that the billing number matches a previous entry in the fraud database 330. If after step 450 it is determined that the billing number matches a previous entry in the fraud database 330, the process proceeds to step 460. It is determined, in step 460, whether or not the billing number exists in an exception database 340.
  • the exception database 340 contains a list of information commonly contained in CDRs, namely an originating number, a terminating number, and a billing number, that has been determined by a fraud analyst not to be fraudulent. For example, if a legitimate particular billing number is used to dial in and out of the PBX, that number can be exempt from fraud analysis.
  • step 480 the billing number is removed from the fraud database 330, and the process proceeds to step 490. Removing the billing number from the fraud database 330 prevents the continued triggering of possible fraud for that number. If, however, the billing number is not located in the exception database, the process proceeds to step 470 wherein the fraud analyst determines whether or not fraud is actually present. The fraud analyst can rely on his professional experience and may use any known method of determining whether or not fraud is present. If the fraud analyst determines that fraud is not present, the process proceeds to step 480 wherein the billing number is removed from the fraud database 330 and added to exception database 340. If fraud is present, the process proceeds to step 475 wherein fraud detector 320 generates an alert message. The alert message is then forwarded to alert generator 230 for additional processing and forwarding to local telephone company 240.
  • hackers who attempt to circumvent blocked leg 150 by dialing and breaking into PBX 110 using call looping are prevented from using PBX 110 in the future wherein a common billing number is being used fraudulently.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Meter Arrangements (AREA)
  • Monitoring And Testing Of Exchanges (AREA)
  • Sub-Exchange Stations And Push- Button Telephones (AREA)

Abstract

A system for monitoring a plurality of telephone calls made to and originating from a common branch exchange to detect fraudulent activity, including receiving means (300) for receiving a call detail record (CDR) corresponding to each of the calls and directing the CDR to be stored in at least one queue means (310), the CDR containing at least a billing number associated with each call; means for retrieving (320) current CDRs, one at a time, from the queue means (310); processor means for comparing (320), for the current CDR, the billing number with billing numbers of previously stored CDRs in a fraud database (330); means for storing (320) the current CDRs in the fraud database (330); and means for generating an alert (230) when the billing number of the current CDR matches a billing number of a previously stored CDR in the fraud database.

Description

A SYSTEM AND METHOD FOR PREVENTING FRAUDULENT CALLS USING A COMMON BILLING NUMBER
BACKGROUND OF THE INVENTION
1. Technological Field
This application relates generally to preventing fraudulent access to a telecommunications system. In particular, this application relates to identifying fraudulent calls made to and originating from a private branch exchange (PBX) that use a common billing number.
2. Description Of The Related Art
Fraud costs the telecommunications industry millions of dollars per year. While the telecommunications industry struggles to prevent fraud and its devastating financial effects, the number of techniques that are used to perpetrate fraud continue to increase. The fraud can be as simple as using a stolen credit card to charge a long distance call, or it can involve sophisticated call looping techniques, such as repeatedly calling a PBX, finding the correct sequence to access an outside line (by trial and error or other hacking techniques) and then placing a costly long distance call through the PBX system. Regardless of the type of fraud, the telecommunications industry is involved in an intensive and ongoing effort to identify different types of fraud and to develop and implement ways of preventing such fraud.
Particular methods of fraud control and systems for implementing them are known in the industry. Fraud control may be divided conceptually into identifying a call that is likely to be fraudulent and responding after a call is identified as likely to be fraudulent. Specifically, a fraud analyst uses billing detail records (BDRs) to validate call attempts in an effort to identify a fraudulent call and use call detail records (CDRs) in an effort to respond to fraud when a call has be^en completed. Methods of identifying calls that are likely to be fraudulent vary from the simple to the sophisticated and are generally directed at a particular type of fraudulent activity. For example, a call is likely to be fraudulent if it is made using a calling card that has been reported stolen by the owner. The BDRs and CDRs contain information pertaining to the calls. Each CDR and BDR contain an originating number (where the call is from), a terminating number (where the call is to), and a billing number (where the cost of the call is charged to).
A sophisticated method and system of identifying fraudulent calls is described in U.S. Patent No. 5,768,354, entitled "Fraud Evaluation And Reporting System and Method Thereof", which is owned by the assignee of the present invention. Fraudulent activity is identified in the '354 patent by monitoring billing detail records (BDRs) that are created for each call in real time. In the simple case, where the company's database shows that the billing number being used for a call has been reported lost, stolen, etc., the billing detail record includes a header designating it as a "bad billing number". The call is immediately identified as fraudulent, and an alert is generated in the system. A fraud analyst monitors the alerts and takes appropriate actions depending upon the type of alert generated.
The '354 patent is directed at calls that require "special service", that is, which are placed through an operator or an automatic operation support system. Such calls generally require the caller to manually supply the billing number, such as by pressing numbers on a payphone, swiping the magnetic strip on a card, or speaking with an operator. It may also require the caller to identify the category of billing product (such as credit card, calling card, or pre-paid phone card) for the billing number. The category of the billing product may alternatively be identified by the system by matching all or part of the billing number with billing numbers (or ranges of billing numbers) stored in an identification database, where the stored billing numbers are correlated with the category of billing product. The identification database may also correlate a billing number with the particular type of billing product for the category. For example, where the category of the billing number is identified as a credit card, the identification database may use the billing number to further identify the type of credit card, such as Visa, Master Card, American Express, etc.
The '354 patent also identifies fraudulent activity by monitoring use of a billing number over time. For example, where the number of domestic calls placed within a certain amount of time using the same billing number exceeds a threshold, an alert is generated. Such use could signify that the billing number has been stolen and is being used to place multiple calls. International calls are handled in a similar fashion. However, due to the costly nature of international calls, the threshold value may be , adjusted so that fewer calls within the time period generate an alert. In addition, the threshold may be further adjusted for calls to countries where a high percentage of fraudulent calls are directed. The thresholds may also be varied by the billing product. For example, fraudulent activity may be determined to be more likely to occur on a calling card than on a third party call; consequently, the threshold may be set lower for calling card products. The '354 patent monitors all calls made for that billing number, regardless of where the calls originate from or are directed to.
While monitoring BDRs and their associated billing numbers and blocking those numbers displaying evidence of fraudulent usage, i.e. numerous call attempts over a period of time, is an important component of fraud prevention, no one technique in and of itself is sufficient to prevent fraudulent access. Perpetrators of fraud (also referred to herein as "hackers") are persistent, creative and constantly developing new ways of evading fraud prevention mechanisms.
For example, a hacker may attempt to hack into a private branch exchange (PBX) in order to access information or to use the PBX to make a subsequent call. In the latter case, the call to the PBX may be a local or domestic call, which is less likely to attract attention, whereas the subsequent call made from the PBX may be a costly international call. In addition, hackers may use a PBX in a remote area to access a telephone number that is restricted if dialed directly from the hacker's phone. In this manner, the hacker uses a technique called "call looping" to loop around a restricted telephone leg in order to gain access to the blocked number.
A system of detecting fraudulent calls made to a PBX is described in U.S. Patent No. 5,805,686, entitled "Telephone Fraud Detection System", which is owned by the assignee of the present invention. The system disclosed in the '686 patent collects call detail records (CDRs) and allows long distance phone customers the ability to monitor usage of their PBX and assign a risk factor to a plurality of recognized call types and destinations. Based upon the generated risk values, fraud analyst determines whether or not to block future access to the PBX for the originating, terminating, or billing number.
While these methods and systems are effective if a hacker makes many call attempts over a period of time, the systems may not detect hackers that break in to a PBX on one line, find an outside line with a different originating number, and call to another terminating number. Most fraud detection systems detect fraud by comparing either the originating numbers or the terminating numbers of the incoming call with the originating numbers or the terminating numbers of the outgoing call. If there are calls where the terminating number of the incoming call is the same as the originating number of the second call, the call may be a fraudulent call loop, and the call may be disconnected. In an effort to defeat these methods, hackers have devised methods of placing calls wherein the originating numbers and/or the terminating numbers are not the same for the call loop. Fortunately, for the telecommunication companies who are trying to prevent the fraudulent calls, in most cases the billing number for the call remains the same.
Thus, it would be desirable to have a system and method for identifying and blocking fraudulent call looping calls that use a common billing number.
SUMMARY OF THE INVENTION
It is therefore an object of the present invention to provide a system and method for preventing fraudulent calls using a common billing number. It is also an object of the present invention to prevent the fraudulent use of a PBX by preventing call looping through the PBX.
It is an additional object of the present invention to detect multiple calls to a common PBX that use a common billing number.
In order to achieve the above and other objects, there is provided a system for identifying fraud in a telecommunications system, the system utilizes a host receiver for receiving call detail records (CDRs) which are generated for each call placed to a PBX. Each CDR contains at least an originating number, a terminating number, a billing number and a call start time corresponding to each call. The CDRs are stored in a CDR queue and are then analyzed using a CDR fraud detector to determine whether the calls are potentially fraudulent. If the calls are flagged as potentially fraudulent, the system generates an alert to a fraud analyst for additional consideration. The fraud analyst can then perform additional checks and add the number to an exception database if the call can be verified as legitimate. If the fraud analyst determines that the call is fraudulent, the billing number, originating number and/or terminating number may be blocked from the PBX.
The method for preventing fraudulent access and use of the PBX comprises the steps of receiving a call detail record for each call entering and leaving a PBX, storing the CDRs in a queue, purging previously stored CDRs in a fraud database that are older than a current time less a predetermined period of time, comparing each CDR billing number to previously stored CDRs in the fraud database, storing the CDR in the fraud database, and generating an alert when the billing number of the current CDR matches a billing number of a previously stored CDR in the fraud database.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings in which: ► Fig. 1 is a block diagram illustrating the problem of call looping through a PBX using a common billing number;
Fig. 2 is a block diagram illustrating the system in which the present invention operates;
Fig. 3 is a diagram illustrating the different components of the CDR processor of ι Fig. 2, according to the present invention;
Fig. 4 is a detailed flow chart of the method performed by the CDR fraud detector of FIG. 3; and
Fig. 5 is a continuation of the method performed by the CDR fraud detector of FIG. 3.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring now to the drawings, in which similar reference characters denote similar or identical elements throughout several views, FIG. 1 shows a block diagram illustrating the problem of call looping through a private branch exchange (PBX) using a common billing number. Call looping occurs when there is a block imposed by a long distance telephone carrier which prevents the direct dialing of a number from a calling location 100 to a called location 120. In this example, calling location 100 is a location within New York City, and called location 120 is a location within the country of Iran. Assuming for the example posed in FIG. 1 , that long distance calls between New York City and Iran have typically been of a fraudulent nature, the long distance companies, in an effort to reduce their losses associated with fraudulent calls, may impose a block for all calls originating from New York City to a location within the country of Iran. While this block may frustrate the purposes of hackers, they will resort to alternative methods to reach their destination.
Hackers use the previously described call looping technique to get around a blocked leg 150 from New York City to Iran. An example of call looping is as follows. Hackers who reside in calling location 100 attempt to dial a PBX 110 located in a location which is not commonly associated with fraudulent activity. The hacker dials into PBX 110, accesses an outgoing line, and dials called location 120. Since there is no block on a first leg 160 from calling location 100 to PBX 110 and no block along a second leg 170 from PBX 110 to called location 120, the hacker has successfully avoided blocked leg 150.
Upon completion of the call for each leg, a call detail record (CDR) is generated. The call detail record for first leg 160 includes an originating number field 101 , a terminating number field 102, a billing number field 103, and a time of call field 107. Similarly, second leg 170 contains fields 104, 105, 106, and 108, respectively. When the hacker enters PBX 110, the hacker accesses a different PBX line to place the outgoing call. Therefore, neither the originating number or the terminating number of the incoming and outgoing calls are the same. In this regard, fraud detection means which detect common originating numbers or terminating numbers are unable to determine that a fraudulent call has been placed to PBX 110. Thus, the hacker has avoided fraud detection.
As set forth below, the present invention determines that within a predetermined period of time, an incoming and an outgoing call to PBX 110 has used the same billing number. The present invention recognizes this potentially fraudulent pattern and generates an alert to a fraud analyst for additional review.
Referring now to FIG. 2, there is a disclosed a block diagram illustrating the system in which the present invention operates. In an effort to simplify the description, the system will be described with reference to the left side of Fig. 2 only. It is understood, however, that multiple redundant systems may run simultaneously in order to assist in the reduction of processing time.
When a customer 270 places a long distance call, he may either access a long distance network directly through a database server 220 or through an operator console 260. Upon completion of the call, a call data record (CDR) is generated and forwarded to a main frame 205. The CDR contains an originating number (where the call is from), a terminating number (where the call is to), a billing number (where the cost of the call is charged to) and a call start time. The CDR is then stored in a CDR database 210. The call data records are then forwarded to a CDR processor 200 in order to determine whether or not the calls are potentially fraudulent. The output of CDR processor 200 is connected to an alert generator 230. If the information contained in the CDRs is determined by CDR processor 200 to be potentially fraudulent, alert generator 230 generates an alert and passes the alert through local telephone company 240 to a fraud monitoring center 250. The alert can be sent using an email message or sent as a data file using file transfer protocol (FTP). When fraud monitoring center 250 receives the alert from alert generator 230, a fraud analyst will review the alert and take appropriate actions.
Since the calls have already been completed, the appropriate action may be the addition of the billing number to a block list to prevent the future use of that billing number. In addition, the fraud analyst can perform a revenue study which determines whether or not it is economically feasible to impose a block on a particular leg of the fraudulent call (i.e. from NYC to Iowa PBX or from Iowa PBX to Iran).
FIG. 3 refers to a diagram illustrating the different components of the CDR processor of Fig. 2, according to the present invention. It is understood that while the system of FIG. 3 is described in the singular sense,. multiple systems can run simultaneously to reduce processing time and increase system redundancy. For example, separate systems, as described below, could handle all calls for a particular region or state, thus limiting the amount of data flowing into any one system.
The system for preventing fraudulent calls using a common billing number includes a host CDR receiver 300 for receiving individual call detail records from main frame 205. The call detail records received by CDR receiver 300 are stored in a CDR queue 310. CDR queue 310 stores the CDRs in a first-in-first-out (FIFO) manner. The call detail records are then forwarded to a CDR fraud detector 320 for further processing as described in FIGS. 4 and 5. Fraud detector 320 further comprises a fraud database 330 and an exception database 340 in order to help process the CDRs and detect fraud. The CDR queue acts as a temporary storage for the CDR fraud detector 320. Essentially, fraud detector 320 detects fraud by receiving a call detail record for each call entering and leaving a PBX, purging previously stored CDRs in a fraud database that are older than a current time less a predetermined period of time, comparing each current CDR billing number to previously stored billing numbers of CDRs in the fraud database 330, storing the current CDRs in the fraud database 330, and generating an alert when the billing number of the current CDR matches the billing number of a previously stored CDR. Depending upon whether or not CDR fraud detector 320 determines the presence of potential fraud, the CDRs are forwarded to alert generator 230 to generate an alert to a fraud analyst.
Referring now to FIG. 4, there is shown a detailed flow chart illustrating the method performed by CDR fraud detector 320 of FIG. 3. Once CDR fraud detector 320 receives the call detail records, fraud detector 320 reads a predetermined period of time in step 405. Next, fraud detector 320 reads a billing number field from the associated . current CDR in step 410. Fraud detector 320 then reads a call start time field from the associated CDR in step 420. Proceeding to step 440, fraud detector 320 purges previously stored CDRs in a fraud database 330 that are older than the current time less the predetermined period of time. The purging of previously stored CDRs ensures that fraud detector 320 only examines those CDRs that fit within the predetermined period of time. The fraud analyst has the option of setting the predetermined period of time based upon his experience with fraud control. Typically, the predetermined period of time is short, on the order of two to three minutes, as hackers break in and commandeer an outside line with which to place another call. Therefore, calls which enter and exit the PBX using the same billing numbers within a predetermined period of time are deemed potentially fraudulent and generate an alert to a fraud analyst. It is understood, however, that the predetermined period of time may be reprogrammed by a fraud analyst.
Once previously stored CDRs have been purged from fraud database 330 in step 440, the process proceeds to step 450 wherein it is determined whether or not the billing number associated with the current call detail record matches a previous entry in the fraud database 330. If not, the process continues to step 430, where fraud detector 320 stores the billing number and the CDR in fraud database 330. The process then continues to step 490 wherein it is determined whether or not the fraud analyst wishes to change the predetermined period of time. If the fraud analyst decides to change the predetermined period of time, the process returns to step 405, or else the process returns to step 410.
Referring to FIG. 5, there is shown a continuation of the detailed flow chart illustrating the method performed by CDR fraud detector 320 of FIG. 3. If after step 450 it is determined that the billing number matches a previous entry in the fraud database 330, the process proceeds to step 460. It is determined, in step 460, whether or not the billing number exists in an exception database 340. The exception database 340 contains a list of information commonly contained in CDRs, namely an originating number, a terminating number, and a billing number, that has been determined by a fraud analyst not to be fraudulent. For example, if a legitimate particular billing number is used to dial in and out of the PBX, that number can be exempt from fraud analysis.
If the billing number exists in exception database 340, the process proceeds to step 480 wherein the billing number is removed from the fraud database 330, and the process proceeds to step 490. Removing the billing number from the fraud database 330 prevents the continued triggering of possible fraud for that number. If, however, the billing number is not located in the exception database, the process proceeds to step 470 wherein the fraud analyst determines whether or not fraud is actually present. The fraud analyst can rely on his professional experience and may use any known method of determining whether or not fraud is present. If the fraud analyst determines that fraud is not present, the process proceeds to step 480 wherein the billing number is removed from the fraud database 330 and added to exception database 340. If fraud is present, the process proceeds to step 475 wherein fraud detector 320 generates an alert message. The alert message is then forwarded to alert generator 230 for additional processing and forwarding to local telephone company 240.
In this manner, hackers who attempt to circumvent blocked leg 150 by dialing and breaking into PBX 110 using call looping are prevented from using PBX 110 in the future wherein a common billing number is being used fraudulently.
While an embodiment of the present invention has been shown and described, it is understood that many changes and modifications may be made thereunto without departing from the spirit and scope of the present invention as defined in the appended claims.

Claims

WHAT IS CLAIMED IS:
1. A system for monitoring a plurality of telephone calls made to and originating from a common private branch exchange (PBX) to detect fraudulent activity, comprising: receiving means for receiving a call detail record (CDR) corresponding to each of said calls and directing said CDR to be stored in at least one queue means, said CDR containing at least a billing number associated with each call; means for retrieving current CDRs, one at a time, from said queue means; processor means for comparing, for said current CDR, said billing number with billing numbers of previously stored CDRs in a fraud database; means for storing said current CDRs in said fraud database; and means for generating an alert when said billing number of said current CDR matches a billing number of a previously stored CDR in said fraud database.
2. The system according to claim 1 further comprising means for purging said previously stored CDRs contained in said fraud database that are older than a current time less a predetermined period of time.
3. The system according to claim 1 , wherein said means for generating an alert further comprises: means for determining whether said billing number of said current CDR is contained in an entry of an exception database; and means for preventing an alert if said billing number of said current CDR is found in said exception database.
4. The system according to claim 2, wherein said predetermined period of time is determined by a fraud analyst.
5. The system according to claim 3, wherein said billing number entries in said exception database are determined by a fraud analyst.
6. A method for monitoring a plurality of telephone calls made to and originating from a common private branch exchange (PBX) to detect fraudulent activity, comprising the steps of: receiving a call detail record (CDR) corresponding to each of said calls, said CDR containing at least a billing number associated with each call; storing said CDRs in at least one queue means; retrieving a current CDR, one at a time, from said queue means; comparing, for each said current CDR, said billing number with billing numbers of previously stored CDRs in a fraud database; storing said current CDR in said fraud database; and generating an alert when said billing number of said current CDR matches a billing number of a previously stored CDR in said fraud database.
7. . The method according to claim 6 further comprising the step of purging said previously stored CDRs in a fraud database that are older than a current time less a predetermined time.
8. The method according to claim 6, wherein said step of generating an alert further comprises the steps of: determining whether said billing number of said current CDR is contained in an entry of an exception database; and preventing an alert if said billing number of said current CDR is found in said exception database.
PCT/US2002/014343 2001-05-08 2002-05-08 A system and method for preventing fraudulent calls using a common billing number WO2002091713A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CA002446732A CA2446732A1 (en) 2001-05-08 2002-05-08 A system and method for preventing fraudulent calls using a common billing number
EP02744138A EP1388256A4 (en) 2001-05-08 2002-05-08 A system and method for preventing fraudulent calls using a common billing number
JP2002588055A JP2004527185A (en) 2001-05-08 2002-05-08 System and method for preventing fraudulent calls using a common billing number
AU2002340818A AU2002340818A1 (en) 2001-05-08 2002-05-08 A system and method for preventing fraudulent calls using a common billing number

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/850,708 US6801607B1 (en) 2001-05-08 2001-05-08 System and method for preventing fraudulent calls using a common billing number
US09/850,708 2001-05-08

Publications (2)

Publication Number Publication Date
WO2002091713A2 true WO2002091713A2 (en) 2002-11-14
WO2002091713A3 WO2002091713A3 (en) 2003-02-27

Family

ID=25308901

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2002/014343 WO2002091713A2 (en) 2001-05-08 2002-05-08 A system and method for preventing fraudulent calls using a common billing number

Country Status (6)

Country Link
US (1) US6801607B1 (en)
EP (1) EP1388256A4 (en)
JP (1) JP2004527185A (en)
AU (1) AU2002340818A1 (en)
CA (1) CA2446732A1 (en)
WO (1) WO2002091713A2 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2869491B1 (en) * 2004-04-22 2006-08-18 Alcatel Sa TELECOMMUNICATION NETWORK HAVING MULTIPLE PRIVATE OVERLAY NETWORKS; AUTOCOMMUTER FOR IMPLEMENTING THIS NETWORK; AND EMERGENCY CALL CENTER
US7873350B1 (en) * 2004-05-10 2011-01-18 At&T Intellectual Property Ii, L.P. End-to-end secure wireless communication for requesting a more secure channel
FR2876855B1 (en) * 2004-10-19 2007-02-09 Checkphone Soc Par Actions Sim DEVICE FOR SECURING A SELF-CONTROLLER
US7640015B2 (en) * 2005-05-12 2009-12-29 Agilent Technologies, Inc. Tools, methods and systems of storing remotely and retrieving detail records given a specific call or data session
US7398084B2 (en) * 2005-06-29 2008-07-08 Agilent Technologies, Inc. Method and system of correlating dissimilar call records to a high level aggregated view
US8175939B2 (en) * 2005-10-28 2012-05-08 Microsoft Corporation Merchant powered click-to-call method
US8411833B2 (en) * 2006-10-03 2013-04-02 Microsoft Corporation Call abuse prevention for pay-per-call services
US8503313B1 (en) * 2006-12-31 2013-08-06 At&T Intellectual Property Ii, L.P. Method and apparatus for detecting a network impairment using call detail records
US8477637B1 (en) 2006-12-31 2013-07-02 At&T Intellectual Property Ii, L.P. Method and apparatus for monitoring a packet network
IES20100402A2 (en) * 2009-06-25 2011-04-13 Liam Tully Telecommunication fraud prevention system and method
US9407558B2 (en) * 2013-05-10 2016-08-02 At&T Intellectual Property I, L.P. Method and system for automatic triggering network management control for VoIP border elements
US11310360B2 (en) * 2019-12-20 2022-04-19 Clear Labs Israel Ltd. System and methods thereof for real-time fraud detection of a telephone call transaction

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5495521A (en) * 1993-11-12 1996-02-27 At&T Corp. Method and means for preventing fraudulent use of telephone network
US5602906A (en) * 1993-04-30 1997-02-11 Sprint Communications Company L.P. Toll fraud detection system
US5809125A (en) * 1992-07-09 1998-09-15 Gammino; John R. Method and apparatus for intercepting potentially fraudulent telephone calls
US5854833A (en) * 1993-10-15 1998-12-29 Linkusa Corporation Processing using DEF records
US5907602A (en) * 1995-03-30 1999-05-25 British Telecommunications Public Limited Company Detecting possible fraudulent communication usage
US5970129A (en) * 1997-06-30 1999-10-19 Sprint Communications Co. L.P. Administrative monitoring system for calling card fraud prevention

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5689550A (en) * 1994-08-08 1997-11-18 Voice-Tel Enterprises, Inc. Interface enabling voice messaging systems to interact with communications networks
US5768354A (en) 1995-02-02 1998-06-16 Mci Communications Corporation Fraud evaluation and reporting system and method thereof
US5875236A (en) * 1995-11-21 1999-02-23 At&T Corp Call handling method for credit and fraud management
US5805686A (en) 1995-12-22 1998-09-08 Mci Corporation Telephone fraud detection system
US6418212B1 (en) * 1999-12-09 2002-07-09 Mci Worldcom, Inc. Telephone fraud detection and prevention

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5809125A (en) * 1992-07-09 1998-09-15 Gammino; John R. Method and apparatus for intercepting potentially fraudulent telephone calls
US5602906A (en) * 1993-04-30 1997-02-11 Sprint Communications Company L.P. Toll fraud detection system
US5854833A (en) * 1993-10-15 1998-12-29 Linkusa Corporation Processing using DEF records
US5495521A (en) * 1993-11-12 1996-02-27 At&T Corp. Method and means for preventing fraudulent use of telephone network
US5907602A (en) * 1995-03-30 1999-05-25 British Telecommunications Public Limited Company Detecting possible fraudulent communication usage
US5970129A (en) * 1997-06-30 1999-10-19 Sprint Communications Co. L.P. Administrative monitoring system for calling card fraud prevention

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1388256A2 *

Also Published As

Publication number Publication date
EP1388256A4 (en) 2004-07-28
JP2004527185A (en) 2004-09-02
WO2002091713A3 (en) 2003-02-27
US6801607B1 (en) 2004-10-05
AU2002340818A1 (en) 2002-11-18
EP1388256A2 (en) 2004-02-11
CA2446732A1 (en) 2002-11-14

Similar Documents

Publication Publication Date Title
US8170947B2 (en) Fraud detection based on call attempt velocity on terminating number
US5602906A (en) Toll fraud detection system
EP0618713B1 (en) Real-time fraud monitoring system in a telecommunication network
CA2327338C (en) Automated and selective authentication in transaction-based networks
US6947532B1 (en) Fraud detection based on call attempt velocity on originating number
US6570968B1 (en) Alert suppression in a telecommunications fraud control system
US20120099711A1 (en) Telecommunication fraud prevention system and method
US6801607B1 (en) System and method for preventing fraudulent calls using a common billing number
US6636592B2 (en) Method and system for using bad billed number records to prevent fraud in a telecommunication system
US6418212B1 (en) Telephone fraud detection and prevention
CA2401159A1 (en) Termination number screening
US6590967B1 (en) Variable length called number screening
US6782083B2 (en) ISN call interrupt
Masrub et al. SIM Boxing Problem: ALMADAR ALJADID Case Study
IE20100402U1 (en) Telecommunication fraud prevention system and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2002744138

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2446732

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2002588055

Country of ref document: JP

WWP Wipo information: published in national office

Ref document number: 2002744138

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 2002744138

Country of ref document: EP