VoIP Fraud: The Industry’s Best-Kept Secret

Widespread fraud is the biggest problem facing VoIP, and it is costing service providers of all sizes millions of dollars, causing customers severe service headaches and forcing at least one provider to go belly-up. Worse still, the credit card companies and major carriers are making a killing off it.

It's one of the best kept secrets in the Voice over IP industry. The biggest problem facing VoIP providers isn't the specter of costly E911 requirements, overzealous regulators, or even competition from myriad sources.

The biggest issue is fraud, perpetrated by scammers who take advantage of lax international communications standards and regulations, and make thousands of minutes of calls through carriers — many of them fly-by-night operators — in places such as Afghanistan and Lichtenstein, who charge exhorbitant rates for call termination, leaving the originating service provider with sky high bills and no one to charge for them.

VoIP scams have already caused start-ups in the fledgling industry millions of dollars in losses and are blamed, in part, for the recent demise of one service provider.

“It is the single largest problem facing providers,” says Ravi Sakaria, VoicePulse CEO, “because the development cost associated with addressing the issue is significant enough that it could be prohibitive for the smaller players.”

David Epstein, the CEO of BroadVoice, agrees. “Theft of telecom services isn't anything new,” said Epstein. “What is new is the ease with which perpetrators can do this.”

It is easy, and for Jeremy McNamara, founder and owner of NuFone, a small but popular VoIP provider specializing in service for the Asterisk open-source PBX system, very costly.

“One day we were contacted by a customer who wanted a wholesale agreement with us for international calling,” McNamara says. “For a few months the traffic was regular. In the beginning of April he started weaving into the regular traffic a Lichtenstein special services number, similar to 1-900 numbers, where the far end carrier sets the rate.”

When the bill for terminating these calls came, NuFone had a rude awakening. “We were charging him $.09 a minutes and being billed $1.90 a minute. He was gladly paying $.09 a minute.”

This single incident will potentially cost NuFone about $450,000, although the company is currently disputing the charges. The company has also contacted the U.S. Secret Service. “We're currently waiting on a response from them on what the next step is,” says McNamara.

Other providers have reported cases to the FBI as well. However, the ability of law enforcement agencies to prosecute these crimes is limited.

When DialPad changed its business model from a free to a pay service in 2001, “we got an early education in how insidious the fraud problem is,” said Craig Walker, the company CEO (Dialpad was recently pruchased by Yahoo). “We learned early on that there is a risk to the viability of the business.”

For LiveVOIP, a small provider based in Mesa, AZ, fraud contributed to the company having gone belly-up earlier this month, leaving their customers with no service. Citing, among other factors, “mass credit card fraud” as a reason, the company's web site was replaced with a notice of bankruptcy (the notice was recently removed, though the business remains shuttered). LiveVoip representatives could not be reached for comment.

Even the big players have had their bouts with scammers.

For Vonage, fraud came as an unexpected byproduct of the company's recent marketing push. “At the end of 2004 into early 2005, as a result of our TV campaign,” explains Jerry Maloney, Vonage Senior VP Finance, “people found us and this unintentionally opened up the floodgates.” Since then, the company's anti-fraud team has been able to reduce the fraud losses significantly, according to Maloney.

BroadVoice executives say that fraud, and its detection, is a very significant part of their business. “During the early part of this year, a significant percentage — about 10 percent — of new subscribers turned out to be fraudulent,” reports BroadVoice's Epstein.

There are several reasons why VoIP is more vulnerable to this type of fraud.

The call termination scam that NuFone experienced takes advantage of the fact that in some countries control over the communications system is weak. It's relatively easy for a scammer to set up a competitive common carrier — VoIP doesn't require the specialized equipment of traditional telephony, so there's very little barrier to entry.

More importantly, a lack of government oversite allows rates to be changed ad hoc, without any other carrier being aware of the changes. The cost of a specific call termination can be increased by huge margins, and the originating carrier — a BroadVoice, Vonage or VoicePulse — is left footing the bill having never been informed of the price increase.

As a hypothetic example, a provider in the United States offers calls to a specific country at 10 cents a minute to landlines and 25 cents a minute to cell phones. The provider has set those rates based on the average price it pays to the large carriers — such as Bermuda-based Global Crossing — to terminate calls in that country. The large carriers protect themselves from unexpected price blips by including cost pass-throughs in their contracts with the service providers.

Now, a scammer sets up termination service to certain numbers in that country, and charges, for example, $2.00 a minute. Accomplices of the scammer sign up with the service provider and, once set up, make a call to one of the numbers. On the other end, the line picks up and the caller simply keeps the phone off the hook for hours. In the meantime, the service provider is being charged $2.00 a minute for that call (plus whatever built-in mark-up the large carrier adds), but is still charging the caller 10 cents a minute. It's like being in a taxi with the flag down and travelling continuously in a loop around the block: The losses are potentially huge and mount up rapidly.

This type of situation is at the center of recent difficulties faced by BroadVoice when GlobalCrossing cut the company off, leaving a large number of BroadVoice customers without service, though officials from BroadVoice and Global Crossing, currently involved in a legal dispute, would neither confirm nor deny this.

The growth of identity theft also plays a role in the VoIP fraud problem. Although NuFone's scammer used a valid credit card to sign up, many scammers use stolen credit card numbers to sign up for service. Because all the information is valid — it's been stolen recently and hasn't been reported, what scammers call “fresh” — the application is accepted. And stolen credit card numbers are easy to get — all you need is an online connection the ability to join IRC chat rooms like “#ccz” and “#ccards.”

Another scam that VoIP providers have seen involves Western Union, as Lance James explains. James is CTO of Secure Science Corp., a company that specializes in fraud detection, tracking and prevention.

The scammers place a money transfer order to themselves with Western Union using a stolen credit card and faking — called spoofing — the callback number that appears on Western Union's caller ID. For small amounts — under $300 — Western Union doesn't call back to check with the purchaser if the callback number matches that on the credit card. Because the amounts are small, thieves make repeated calls.

Although phone number spoofing is not new, it is much easier with the open standards of IP, according to James. And you don't have to be a technical expert, either. There are services like SPOOFTEL (www.spooftel.com) that will do it for you.

Another factor in the fraud picture is the nature of the technology. The openness that is an important benefit of building on IP also creates vulnerability.

“It's similar to e-mail,” says Secure Science's James. “SIP to SIP communications are like an e-mail address.”

“The potential is the same with any open protocol for someone with in-depth knowledge to take advantage of the architecture,” says Roger Farnsworth, Cisco Marketing Manager for Secure IP Communications for Voice.

“VoIP providers are moving into uncharted waters, Cell and GSM phones have to register the phone,” Farnsworth says. “VoIP is working from a different paradigm — for example, BYOD (Bring Your Own Device) services. How do you register users and devices, authenticate users and ensure legitimate devices?”

“It's difficult to do security [for VoIP] because of its inherent complexity,” explains Internet veteran Karl Auerbach, former ICANN Director and CTO of Internetworking Labs, a VoIP interoperability testing company. “The design of VoIP protocols tries to cover as bases as possible, implementers have to deal with all these possibilities.”

The burden of addressing the fraud problem falls to providers — not the credit card companies. Credit card companies seldom initiate fraud investigations, according to Detective Mike Blanc of the Santa Clara, CA, Police Department High Tech Crimes unit. “They treat it as a cost of doing business,” Blanc says.

In fact, it could be said that fraud is not a cost but a profit center for the credit card companies because merchants are charged additional fees for fraudulent transactions. And the fees escalate with the level of fraud.

To protect themselves, VoIP providers have developed their own tools for screening out fraud. Many providers monitor call patterns constantly and block calls to suspicious exchanges. Some have taken it further, like NuFone, which has limited international calling for new accounts and blocks all calls to countries that are associated with high rates of fraud like Afghanistan.

VoicePulse has developed a screening system that “scores” an order based on many different criteria. As a result, “We are detecting 95 percent of fraudulent orders,” says VoicePulse's Sakaria. He adds that “the number of attempts has not decreased.”

VoicePulse plans to offer its security software as a standalone product which will be available in the fourth quarter of this year, according to Sakaria.

Despite the fact that VoIP providers are becoming smarter about preventing fraud, the problem appears to be permanent.

“It's a cost of doing business and a significant one,” says Sakaria. “I've been saying all along that the cost of entry [into the VoIP business] is low but the cost of staying in business is high.”