Hi\n\nThis may be of interest to some. Topical as a US supplier recently went bust\nin part due to fraud.\n\nBy CAROLYN SCHUK\nfor VOXILLA.COM\nIt's one of the best kept secrets in the Voice over IP industry.\n\nThe biggest problem facing VoIP providers isn't the specter of costly E911\nrequirements, overzealous regulators, or even competition from a myriad of\nsources.\n\nThe biggest issue is fraud, perpetrated by scammers who take advantage of\nlax international communications standards and regulations, and make\nthousands of minutes of calls through carriers - many of them fly-by-night\noperators - in places such as Afghanistan and Lichtenstein, who charge\nexhorbitant rates for call termination, leaving the originating service\nprovider with sky high bills and no one to charge for them.\n\nVoIP scams have already caused start-ups in the fledgling industry millions\nof dollars in losses and are blamed, in part, for the recent demise of one\nservice provider.\n\n"It is the single largest problem facing providers," says Ravi Sakaria,\nVoicePulse CEO, "because the development cost associated with addressing the\nissue is significant enough that it could be prohibitive for the smaller\nplayers."\n\nDavid Epstein, the CEO of BroadVoice, agrees. "Theft of telecom services\nisn't anything new," said Epstein. "What is new is the ease with which\nperpetrators can do this."\n\nIt is easy, and for Jeremy McNamara, founder and owner of NuFone, a small\nbut popular VoIP provider specializing in service for the Asterisk\nopen-source PBX system, very costly.\n\n"One day we were contacted by a customer who wanted a wholesale agreement\nwith us for international calling," McNamara says. "For a few months the\ntraffic was regular. In the beginning of April he started weaving into the\nregular traffic a Lichtenstein special services number, similar to 1-900\nnumbers, where the far end carrier sets the rate."\n\nWhen the bill for terminating these calls came, NuFone had a rude awakening.\n"We were charging him $.09 a minutes and being billed </body>.90 a minute. He was\ngladly paying $.09 a minute."\n\nThis single incident will potentially cost NuFone about 0,000, although\nthe company is currently disputing the charges. The company has also\ncontacted the U.S. Secret Service. "We're currently waiting on a response\nfrom them on what the next step is," says McNamara.\n\nOther providers have reported cases to the FBI as well. However, the ability\nof law enforcement agencies to prosecute these crimes is limited.\n\nWhen DialPad changed its business model from a free to a pay service in\n2001, "we got an early education in how insidious the fraud problem is,"\nsaid Craig Walker, the company CEO (Dialpad was recently pruchased by\nYahoo). "We learned early on that there is a risk to the viability of the\nbusiness."\n\nFor LiveVOIP, a small provider based in Mesa, AZ, fraud contributed to the\ncompany having gone belly-up earlier this month, leaving their customers\nwith no service. Citing, among other factors, "mass credit card fraud" as a\nreason, the company's web site was replaced with a notice of bankruptcy (the\nnotice was recently removed, though the business remains shuttered).\nLiveVoip representatives could not be reached for comment.\n\nEven the big players have had their bouts with scammers.\n\nFor Vonage, fraud came as an unexpected byproduct of the company's recent\nmarketing push. "At the end of 2004 into early 2005, as a result of our TV\ncampaign," explains Jerry Maloney, Vonage Senior VP Finance, "people found\nus and this unintentionally opened up the floodgates." Since then, the\ncompany's anti-fraud team has been able to reduce the fraud losses\nsignificantly, according to Maloney.\n\nBroadVoice executives say that fraud, and its detection, is a very\nsignificant part of their business. "During the early part of this year, a\nsignificant percentage - about 10 percent - of new subscribers turned out to\nbe fraudulent," reports BroadVoice's Epstein.\n\nThere are several reasons why VoIP is more vulnerable to this type of fraud.\n\nThe call termination scam that NuFone experienced takes advantage of the\nfact that in some countries control over the communications system is weak.\nIt's relatively easy for a scammer to set up a competitive common carrier -\nVoIP doesn't require the specialized equipment of traditional telephony, so\nthere's very little barrier to entry.\n\nMore importantly, a lack of government oversite allows rates to be changed\nad hoc, without any other carrier being aware of the changes. The cost of a\nspecific call termination can be increased by huge margins, and the\noriginating carrier - a BroadVoice, Vonage or VoicePulse - is left footing\nthe bill having never been informed of the price increase.\n\nAs a hypothetic example, a provider in the United States offers calls to a\nspecific country at 10 cents a minute to landlines and 25 cents a minute to\ncell phones. The provider has set those rates based on the average price it\npays to the large carriers - such as Bermuda-based Global Crossing - to\nterminate calls in that country. The large carriers protect themselves from\nunexpected price blips by including cost pass-throughs in their contracts\nwith the service providers.\n\nNow, a scammer sets up termination service to certain numbers in that\ncountry, and charges, for example, .00 a minute. Accomplices of the\nscammer sign up with the service provider and, once set up, make a call to\none of the numbers. On the other end, the line picks up and the caller\nsimply keeps the phone off the hook for hours. In the meantime, the service\nprovider is being charged .00 a minute for that call (plus whatever\nbuilt-in mark-up the large carrier adds), but is still charging the caller\n10 cents a minute. It's like being in a taxi with the flag up and travelling\ncontinuously in a loop around the block: The losses are potentially huge and\nmount up rapidly.\n\nThis type of situation is at the center of recent difficulties faced by\nBroadVoice when GlobalCrossing cut the company off, leaving a large number\nof BroadVoice customers without service, though officials from BroadVoice\nand Global Crossing, currently involved in a legal dispute, would neither\nconfirm nor deny this.\n\nThe growth of identity theft also plays a role in the VoIP fraud problem.\nAlthough NuFone's scammer used a valid credit card to sign up, many scammers\nuse stolen credit card numbers to sign up for service. Because all the\ninformation is valid - it's been stolen recently and hasn't been reported,\nwhat scammers call "fresh" - the application is accepted. And stolen credit\ncard numbers are easy to get - all you need is an online connection the\nability to join IRC chat rooms like "#ccz" and "#ccards."\n\nAnother scam that VoIP providers have seen involves Western Union, as Lance\nJames explains. James is CTO of Secure Science Corp., a company that\nspecializes in fraud detection, tracking and prevention.\n\nThe scammers place a money transfer order to themselves with Western Union\nusing a stolen credit card and faking - called spoofing - the callback\nnumber that appears on Western Union's caller ID. For small amounts - under\n0 - Western Union doesn't call back to check with the purchaser if the\ncallback number matches that on the credit card. Because the amounts are\nsmall, thieves make repeated calls.\n\nAlthough phone number spoofing is not new, it is much easier with the open\nstandards of IP, according to James. And you don't have to be a technical\nexpert, either. There are services like SPOOFTEL ([URL="http://www.spooftel.com"]www.spooftel.com[/URL]) that\nwill do it for you.\n\nAnother factor in the fraud picture is the nature of the technology. The\nopenness that is an important benefit of building on IP also creates\nvulnerability.\n\n"It's similar to e-mail," says Secure Science's James. "SIP to SIP\ncommunications are like an e-mail address."\n\n"The potential is the same with any open protocol for someone with in-depth\nknowledge to take advantage of the architecture," says Roger Farnsworth,\nCisco Marketing Manager for Secure IP Communications for Voice.\n\n"VoIP providers are moving into uncharted waters, Cell and GSM phones have\nto register the phone," Farnsworth says. "VoIP is working from a different\nparadigm - for example, BYOD (Bring Your Own Device) services. How do you\nregister users and devices, authenticate users and ensure legitimate\ndevices?"\n\n"It's difficult to do security [for VoIP] because of its inherent\ncomplexity," explains Internet veteran Karl Auerbach, former ICANN Director\nand CTO of Internetworking Labs, a VoIP interoperability testing company.\n"The design of VoIP protocols tries to cover as bases as possible,\nimplementers have to deal with all these possibilities."\n\nThe burden of addressing the fraud problem falls to providers - not the\ncredit card companies. Credit card companies seldom initiate fraud\ninvestigations, according to Detective Mike Blanc of the Santa Clara, CA,\nPolice Department High Tech Crimes unit. "They treat it as a cost of doing\nbusiness," Blanc says.\n\nIn fact, it could be said that fraud is not a cost but a profit center for\nthe credit card companies because merchants are charged additional fees for\nfraudulent transactions. And the fees escalate with the level of fraud.\n\nTo protect themselves, VoIP providers have developed their own tools for\nscreening out fraud. Many providers monitor call patterns constantly and\nblock calls to suspicious exchanges. Some have taken it further, like\nNuFone, which has limited international calling for new accounts and blocks\nall calls to countries that are associated with high rates of fraud like\nAfghanistan.\n\nVoicePulse has developed a screening system that "scores" an order based on\nmany different criteria. As a result, "We are detecting 95 percent of\nfraudulent orders," says VoicePulse's Sakaria. He adds that "the number of\nattempts has not decreased."\n\nVoicePulse plans to offer its security software as a standalone product\nwhich will be available in the fourth quarter of this year, according to\nSakaria.\n\nDespite the fact that VoIP providers are becoming smarter about preventing\nfraud, the problem appears to be permanent.\n\n"It's a cost of doing business and a significant one," says Sakaria. "I've\nbeen saying all along that the cost of entry [into the VoIP business] is low\nbut the cost of staying in business is high."