A Private Branch Exchange (PBX) is a telephone exchange that makes connections among the internal telephones of an organization, such as a private business or telephone network. The PBX allows these internal telephones to connect to the public switched telephone network (PSTN) via trunk lines and/or the Internet. A hosted PBX system delivers PBX functionality as a service, available over the PSTN and/or the Internet. A telephone company typically provides hosted PBXs using equipment located on the premises of the telephone company's exchange. In a hosted PBX system, the customer organization does not need to buy or install PBX equipment and the telephone company can use the same switching equipment to service multiple PBX hosting accounts. Furthermore, Voice over Internet Protocol (VoIP) gateways can be combined with traditional PBX functionality enabling businesses and organizations to use their managed Internet/Intranet to help reduce long distance expenses and to enjoy the benefits of a single network for voice and data, which gives greater cost savings, mobility and increased redundancy.
Like other Internet-based computer systems, VoIP PBXs have become a target for Internet-based fraud. A hacker, one who compromises a VoIP PBX often by obtaining the Session Initiation Protocol (SIP) credentials of a VoIP telephony device of an authorized user, can place fraudulent phone calls through the VoIP PBX to any destination. Such fraudulent phone calls can sometimes incur large phone bills when placed to international locations. Such VoIP fraud may result in financial liabilities owed by an authorized user or the VoIP PBX service provider to the call carriers who terminate these calls. A successful hacker can use illicitly obtained credentials to place numerous calls in a matter of minutes that can run up thousands of dollars in fraudulent VoIP calls through a VoIP PBX.
Like VoIP, Short Message Service (SMS) or Multimedia Messaging Service (MMS), each referred to hereinafter also as “messaging services,” are services that may be offered by phone, Internet and mobile communications systems. Messaging services utilize standardized communications protocols to allow fixed line, mobile phone, or other computing devices to exchange short text messages. SMS, as used on modern handsets, originated from radiotelegraphy in radio memo pagers using standardized phone protocols. These were defined in 1985 as part of the Global System for Mobile Communications (GSM) series of standards as a means of sending messages of up to 160 characters to and from GSM mobile handsets. Though most SMS messages are mobile device to mobile device text messages, support for the service has expanded to include other mobile technologies, such as American Nation Standards Institute (ANSI), Code Divisional Multiple Access (CDMA) networks, and Digital Advanced Mobile Phone System (AMPS) networks, as well as satellite and landline networks.
SMS and MMS messaging gateways and services can be combined with traditional PBX functionality enabling businesses and organizations to use their managed Internet/Intranet to help reduce expenses and to enjoy the benefits of a single network for voice and data. This allows VoIP service providers to offer their subscribers messaging services such as SMS and MMS. A VoIP service provider can offer these messaging services utilizing a softphone application on a computing device, mobile device or Session Initiation Protocol (SIP) phone system. In many instances the VoIP service provider will offer this feature in a mobile device application format.
Messaging services such as SMS have become a huge commercial industry, earning communications service providers billions of dollars in revenues each year. However, these messaging services have inherent security vulnerabilities and shortcomings and are often the targets of fraudulent attacks. Given the huge potential financial liability to a service provider who may be subject to such attacks, there exists a need to eliminate or mitigate messaging services fraud.
There are several types of messaging fraud. These include Spamming cases, Flooding cases, Faking cases, and Spoofing cases, among others. Spamming occurs when the subscriber receives an unsolicited SMS or MMS. The act of spamming is similar to receiving spam emails in an email account. It is not defined by the content of the message, but the mere fact that the user did not request or solicit the message. The content of the spam message is incidental to the act. However, it is important to note the message could have been sent from a valid originator and, therefore, may be correctly billed to the sender.
Another instance of messaging fraud occurs when a large number of messages are sent to one or more destinations, effectively “flooding” the networks. This is referred to as SMS flooding. SMS flooding occurs when the volume of messages originating from a user account becomes so large it effectively overwhelms the network. This can lead to problems such as service outages for other users. This is usually identified when the number of messages originating from an account far exceeds the usual number of messages sent within a specific time period.
While the types of fraud described above may be annoying, what is of particular concern to VoIP and telephony service providers is fraud that results in service cost to the service providers or to their subscribers, including SMS/MMS Faking (message faking) and SMS/MMS Spoofing (message spoofing). Message faking occurs when the Skinny Client Control Protocol (SCCP—a lightweight protocol for session signaling between Internet protocol devices and wireless call managers) or the Media Access Protocol (MAP) address associated with a subscriber's account is manipulated. The SCCP or MAP address may be entered incorrectly or taken from a valid originator using methods such as GT Scanning, described below. For example, when a user sends an SMS or MMS message, a message packet is generated by the user's device and initially forwarded over the user's network to a Mobile Switching Center (MSC) employed by the (originating) user's network. The MSC analyzes the message packet and uses the SCCP or MAP address of the user account that originated the message for authentication. The MSC also uses the message packet to determine the current switching network with which the destination user account is registered. The MSC then pings the switching network of the destination account for protocol routing information for the message. A Home Location Register (HLR) at the destination address responds to the originating MSC with the routing information for the receiving user device. The originating MSC then sends the actual text of the message to the MSC for the receiving network. The MSC for the receiving network confirms receipt. Fraud can occur when, although the originating MSC functions as normal, the SCCPs or MAP addresses are “hacked” and manipulated such that the source address is changed during the transmission of the “actual message” to the receiving user. This causes an accounting error because the financial cost associated with sending the message is charged to the account associated with the “hacked” source address. Therefore, the charges are placed against the account associated with this changed source address. This could result in huge charges against a subscriber or service provider if the hacker chooses to fake an authorized user's legitimate account and flood the network with messages.
Message faking can also occur if the user has a computing device application that can send messages on behalf of the user. Some hosted systems have an application programming interface (API) for sending messages that requires user authentication in order to use the API. If a hacker obtains these user credentials for either the application or the API, then a hacker can send fraudulent messages and also possibly create an incident of SMS flooding as described above. In this case, the hacker does not need to manipulate the SCCP or the MAP address of the message, and so this kind of hacking may be simpler and more commonplace, thereby potentially creating an even larger threat to a telephony service provider.
Similar to message faking, the messages can also be spoofed. Message spoofing occurs when a hacker or other entity manipulates the SCCP or MAP address of a message to make it appear to be a legitimate message from a device that is roaming on another network. The hacker manipulates the routing information in the message such that it appears to be originating from a foreign Visitor Location Register (VLR). The VLR is used to maintain a record of “foreign” mobile devices that are roaming on another carrier's network. When message spoofing is occurring, the hackers are using a user's account identifiers to essentially “clone” a user's identity within a telephony service provider's network. This “cloned” identity allows the hacker to appear to the user's Home Public Land Mobile Network (HPLMN) as the legitimate user. The HPLMN assumes the “cloned” user identity is the legitimate user roaming on another service provider's network and engaging in “legitimate” messaging activity using that network. Given that all the account identifying information provided by the VLR is correct, the HPLMN will authenticate and authorize the message transfer. From the HPLMN point of view, the message is originating from a legitimate user that is roaming on a third-party network with their device. However, it is in fact not a real subscriber, but a “clone” that has been generated by a hacker. The hacker effectively uses these techniques to trick the HPLMN into assuming that an authorized user is generating the message, and the message is then forwarded to a receiver. The message is then billed to the spoofed or “cloned” user account.
A hacker can also utilize GT Scanning, which uses special equipment to conduct a bulk scan of message service centers, to identify non-secure, vulnerable message service centers and mobile devices in order to commit any of the types of fraud described above.
Multiple solutions have been devised to detect potential VoIP and messaging fraud through a VoIP PBX or VoIP service providers. These fraud mitigation solutions are necessary because any interruption of calling or messaging services for a user can represent an intolerable business disruption with serious financial consequences, as many businesses and users rely on VoIP PBX and messaging services for all their communications. Therefore, telephone and messaging services are mission critical for many businesses. Thus, the need exists for a system and method that effectively mitigates financial liability of both VoIP and messaging fraud while being minimally disruptive to the communications of authorized users.
The present invention meets one or more of the above-referenced needs as described herein in greater detail.