CaveBear? Blog
Thoughts and Commentary by Karl Auerbach
Locus ab auctoritate est infirmissimus ("The argument from authority is the weakest.") — Thomas Aquinas
« The Computer Is Listening | Main | Permanent domain name registrations »
May 22, 2005
Yet Another Kind of Internet Thievery (YAKOIT)
I've recently come across yet another kind of internet thievery. This time it is perpetrated against voice over IP (VOIP) providers. The amount stolen can easily run into the hundreds of thousands, and perhaps even millions of dollars (US).

This thievery requires that the thief be well schooled in the arts of national and international telephone regulation and the settlement system through which telephone providers pay money to one another for various aspects of handling calls.

An important part of these settlement transfers is the fee that the destination carrier charges to handle the final leg of the call - i.e. the job of of making the called person's phone ring. In other words, for each call the destination carrier receives money from the upstream providers, the carriers closer to the person making the call.

Countries that do not have a nationalized telephone systems usually have administrative and regulatory procedures through which entities can qualify to become telephone providers.

Such providers make their money from revenue streams for outgoing calls made by their subscribers. Incoming calls also generate revenue via the settlement payments from the upstream providers. It is this latter flow of money that is of interest here.

Today there are many nascent VOIP providers - these range in size from giant telcos to intermediate companies such a Vonage to small ones such as nufone.

These VOIP providers have to pay settlement charges for those calls made by their subscribers when those calls have to be completed via the public switched telephone network (PSTN). In other words, when a subscriber to a VOIP service places a call to a PSTN number, that VOIP provider has to pay a charge to some PSTN provider.

Here's how the thievery works:

1. A thief goes through the regulatory process in some country to qualify as a telco carrier. In some countries this may be as simple as filling out some forms and paying a filing fee. (Note - there a a lot of good folks who also do this - no one except the large telephone companies would benefit if it became virtually impossible for innovative providers to qualify as carriers.)

The next steps must occur relatively quickly - usually within a few days.

2. The thief publishes a very high completion charge for some or all of its numbers.

3. The thief then creates a pool of these high-incoming-tariff priced telephone numbers. These numbers are just virtual numbers - they are nothing more than some software in some computer. But they actually seem to ring when called and they do answer incoming calls. Typically these numbers, once they answer, will never hang up. Some just play elevator music in order enhance the pretense that these are real phone lines being used for real calls.

4. The thief then searches for a VOIP provider that meets three criteria:

  a) The provider will accept calls for these high-tariff phone numbers. 

  b) The provider's charges are lower than the high-tariff. 

  c) The provider has not yet realized that calls to these numbers are extraordinarily expensive and amended its own charges to its own customers to reflect these costs. 

5. The thief then subscribes to this VOIP provider, creating a number of shills (usually computer programs, not people) that will be placing calls.

6. The thief then places a large number of calls through the VOIP provider to the high-priced numbers. The VOIP provider is then in a position of having to pay a large call-completion settlement charge for each call while receiving only a small amount of revenue from its billing of the customer (the thief's shill).

The VOIP provider may not become aware that is is being squeezed in a settlement-charge vise until weeks later when it receives the bills for its PSTN charges.

Someone might ask: Isn't the victim VOIP provider negligent in allowing calls to destinations when it does not know what the completion costs will be? My answer is this: I don't want to use the word "negligent" because that tends to carry implications that might in the minds of some excuse the actions of the thief. I would say that the provider was ingenuous. But I don't feel that this in any way reduces the culpability of the thief.

This is not a hypothetical problem. I recently was sitting across the table from someone who operates a victim VOIP provider when he was presented with an invoice for more than $400,000 in settlement charges.

The primary victims of this kind of thing are the small VOIP providers who do not (yet) have a staff dedicated to monitoring the comings and goings of blocks of destination phone numbers around the world and the settlement charges for each.

It is these small providers who are the source of VOIP innovation.

I hope that the law enforcement community in the US and elsewhere realizes that a real crime is being committed against these providers and that appropriate enforcement action is taken.

Posted by karl at May 22, 2005 05:43 PM

Additional Resources

• VoIP Security Consultants - Consultants who offer various security services
• VoIP Consultants - VoIP Consultants who may provide security services or referrals outside their main line of business
• VoIP Security Training - Security Training Providers
• VoIP Security - VoIP Security Information
• VoIP Security Vulnerabilities - Security Vulnerabilities that have been publicly disclosed in VoIP products
• VoIP Security Forum - Forum dedicated to VoIP security issues