Phone fraud is an ever-increasing problem in this country. To combat the problem, long-distance carriers are developing products to detect fraud in its early stages. In recent years, customer liability for the unauthorized use of customer premise equipment (CPE) and calling card numbers to make long-distance calls is estimated at over $2 billion annually. In some cases, a customer may incur charges in excess of $100,000 over the course of one weekend. To maintain good relations with the public, long distance carriers, including MCI, often assume the majority of the liability for these calls. As a result, both carriers and customers are increasingly seeking measures to reduce the occurrence of phone fraud. Phone fraud consists of two types: CPE related and calling card.
CPE-related fraud occurs when a third party gains illegal access to a customer's PBX (private branch exchange) and steals the dial tone to make outgoing calls. This is a particular problem with hackers dialing 800 (toll-free) numbers and then gaining access to an outbound trunk. Outgoing calls are charged to the CPE owner regardless of the origination of the call. From a financial standpoint, the worst and most costly form of abuse involves international calls.
At the present time, fraud analysis is typically done by manually reviewing call data records, after an initial data sorting, to detect patterns indicative of fraud. However, as will be appreciated, this is a laborious and time-consuming process which results in long delays between the actual occurrence of fraud and the manual review and detection thereof. In the previously identified related applications, systems have been developed for automating the detection of fraud alarms and storing their details in a database accessible by workstations.
Co-pending U.S. patent application Ser. No. 08/577,888 (Attorney Docket: 1643/400) is directed to a system referred to as MCI Detect.TM. that provides long distance carriers such as MCI with an automated (and improved) method of detecting CPE fraud. Both applications are incorporated by reference herein. For explanatory purposes, the front end system directed to MCI Detect will now be discussed. The present invention, per se, is discussed in the Section entitled "The Workstation Interface."
CPE fraud is suspected when an unusual calling pattern is detected, such as the following:
Inbound 800 number calls (hereinafter referred to as inbound 800); PA1 Outbound international calls (hereinafter referred to as outbound international); PA1 Numerous short duration calls which may indicate that hackers are attempting entry. PA1 Excessively long calls which may indicate that hackers are using inbound trunks to make outbound calls; PA1 An unusual number of calls to foreign countries; PA1 An unusual number of calls during non-business hours. PA1 Total number of short-duration calls PA1 Total number of long-duration calls PA1 Total number of calls of any type PA1 Total number of cumulative minutes from any type of call. PA1 Thresholds PA1 Risk factors PA1 Suspect numbers. PA1 The flexibility to specify the ANIs and DALs that will be monitored and the monitoring thresholds and parameters for each. PA1 MCI Detect's timely detection and notification of 15 minutes or less. PA1 Calls to all foreign countries are monitored, not just a subset consisting of high-fraud countries. PA1 Risk factors are applied to NPA-NXXs, information digits, and specific countries, which minimizes false alarms and also provides early notification of abnormal calling patterns. PA1 Customers will have the option of specifying any of the following media for alarm notification: telephone, MCI Mail.TM., fax, pager Integrated Network Management Services (INMS), or Integrated Customer Workstation (ICW).
Two types of non-residential calls that are most susceptible to fraud are monitored:
Fraud may also be suspected when calls originate from prisons, pay phones, hotels, hospitals, etc. The call detail records (CDRs) associated with each call contain information digits which provide this type of information. Calls originating from certain dialing areas, such as Manhattan, may also be cause for concern. NOTE: A dialing area is known as a Numbering Plan Area--Network Number Exchange (NPA-NXX).
Past experience with fraud also reveals suspect numbers which may be specific phone numbers (ANIs or Automatic Number Identifications) or dedicated access lines (DALs). Both an ANI and a DAL can be tracked to a specific home or business. Prepared with information about how to detect CPE-related fraud, MCI was able to determine which data to collect in order to develop monitoring plans for its customers. For calls to specific 800 numbers or from certain ANIs or DALs, MCI collects the following:
MCI Detect keeps count of the number of calls in each category over previously defined time periods such as during non-business hours on a weekend. Customers may specify what is considered to be a long or short call, or too many calls. The maximum allowable amount in any category is a threshold. Exceeding a threshold results in an alarm.
MCI Detect also permits customers to associate a risk with certain types of calls. For inbound 800 calls, risk factors may be assigned to calls from specific NPA-NXXs, information digits, and countries. For outbound international calls, the risk may be assigned to calls to specific countries only. When a risk is associated with a call, the statistic for that call is multiplied by the assigned risk factor (any number between 1.0 and 100.0). For example, if an outbound call to Cuba is assigned a risk of 2.0, then such a call is counted twice. In this way, a threshold is exceeded more quickly. It does not mean, however, that this call will automatically generate an alarm.
MCI also maintains a global list of suspect numbers so that it can monitor calls from specific numbers (ANIs or DALs) where fraud has been detected in the past. Customers may modify this list to suit their purposes. When a call from a suspect number is detected, an alarm is immediately generated regardless of the current totals in relevant monitoring categories.
The purpose behind compiling so many statistics is that customers may combine them in a variety of ways to create a truly customized monitoring plan.
The first component for fraud control is the switched network used by MCI to provide long distance services to its customers. Switching is the ability to route calls to different locations within the public phone network on a call-by-call basis rather than limiting transmission between predetermined fixed points. For example, a call from New York to Los Angeles may be routed through Chicago in one instance and through Atlanta and Denver in another. At each point in the network where lines converge, a switch is in place. The switch makes, breaks, or changes connections among the phone circuits in order route calls to their destination.
Co-located with every switch are computer systems, adjunct processors (APs), which assist in loading billing information and software into the switch. MCI's billing software, Traffic 2000 (T2000), also acts as a screening device by examining the detailed information (call detail records [CDRs]) associated with each call. Only relevant CDRs--non-residential inbound 800 calls and outbound international calls--are sent to MCI Detect. This prevents the fraud data system from becoming overwhelmed with data.
MCI Detect accepts the CDRs, immediately analyzes the call traffic, and keeps a running total of the counts (for example, number of short-duration calls) and thresholds for each monitoring plan stored in its database. Each monitoring plan is a set of parameters which govern how fraud will be detected for a specific type of call. MCI has developed several generic plans, but customers may also develop their own plans.
Each monitoring plan has three features:
A threshold is a number which, when exceeded, generates an alarm in MCI Detect indicating possible fraud. For example, if a customer indicates that it should receive no more than 1000 calls to its 800 number on any given business day, then the number "1000" is a threshold, and the 1001st call will generate an alarm. Thresholds may be specified for the time of day and/or the day of the week. Furthermore, a threshold may be applied to each category for which MCI Detect keeps counts, including the number of short-duration calls, long-duration calls, and cumulative minutes.
As described previously, risk factors and suspect numbers help to determine the likelihood of fraud based on the assumption that some types of calls more clearly indicate fraud than others. For example, a call from a high-risk dialing area may be assigned a weight of 3.0. Each time such a call is recorded, relevant counts are multiplied by a factor of 3 and thresholds are exceeded more quickly. The detection of a suspect number immediately triggers an alarm in MCI Detect. It is not necessary to apply weights to these numbers.
Every MCI commercial customer is automatically assigned to a Universal Plan initially. Customized plan data is later entered by MCI representatives. Inbound and outbound thresholds are provided in separate plans; therefore, a customer can have both an inbound plan and an outbound plan active simultaneously. (Table 1 and Table 2 in FIGS. 5 and 6 show two examples of customer monitoring plans.)
When an alarm is generated by MCI Detect, it is also prioritized. The priority is a multiple of the number of times a threshold has been exceeded. For example, if the threshold was 10 and the relevant count has reached 50, then the priority of the alarm is 5 (50.div.10).
Each alarm is available to an MCI fraud analyst via an MCI Detect Workstation. The workstation is a PC with access to a Fraud Data Server and retrieves the next available alarm of the highest priority. The analyst investigates the alarm data and, if fraud is suspected, notifies the customer and suggests appropriate actions to stop the fraud.
Based upon both MCI's and the customer's experiences with fraud, the customer's monitoring plan(s) may be modified with a new set of parameters or suspect numbers. This fine tuning is needed to more accurately detect fraud and to prevent false alarms.
Since the elapsed time between the completion of a call and the generation of an alarm by MCI Detect is 15 minutes or less, a significant improvement has been made over the 3-4 days required previously. MCI plans to reduce this time further to the point where fraud is detected while the call is in progress. Detecting fraud in progress permits actions to limit its impact, such as shutting down a DAL, to be taken as quickly as possible. In addition to changing the way that calls are processed at the switch level, in-progress detection requires effective calling statistics and a complete and current list of suspect numbers.
In maximizing the flexibility of customer monitoring plans, MCI Detect both minimizes false alarms and provides advantages over current competing products. The features that put MCI Detect above the competition are the following:
To increase customer involvement in fraud detection, MCI will allow MCI customers to monitor their own inbound 800 and outbound international traffic. Using MCI Detect directly, customers may create, modify, and delete monitoring plans and view alarms.