1. Technological Field
This application relates generally to preventing fraudulent access to a telecommunications system. In particular, this application relates to identifying fraudulent calls made to and originating from a private branch exchange (PBX) that use a common billing number.
2. Description of the Related Art
Fraud costs the telecommunications industry millions of dollars per year. While the telecommunications industry struggles to prevent fraud and its devastating financial effects, the number of techniques that are used to perpetrate fraud continue to increase. The fraud can be as simple as using a stolen credit card to charge a long distance call, or it can involve sophisticated call looping techniques, such as repeatedly calling a PBX, finding tne correct sequence to access an outside line (by trial and error or other hacking techniques) and then placing a costly long distance call through the PBX system. Regardless of the type of fraud, the telecommunications industry is involved in an intensive and ongoing effort to identify different types of fraud and to develop and implement ways of preventing such fraud.
Particular methods of fraud control and systems for implementing them are known in the industry. Fraud control may be divided conceptually into identifying a call that is likely to be fraudulent and responding after a call is identified as likely to be fraudulent. Specifically, a fraud analyst uses billing detail records (BDRs) to validate call attempts in an effort to identify a fraudulent call and uses call detail records (CDRS) in an effort to respond to fraud when a call has been completed. Methods of identifying calls that are likely to be fraudulent vary from the simple to the sophisticated and are generally directed at a particular type of fraudulent activity. For example, a call is likely to be fraudulent if it is made using a calling card that has been reported stolen by the owner. The BDRs and CDRs contain information pertaining to the calls. Each CDR and BDR contain an originating number (where the call is from), a terminating number (where the call is to), and a billing number (where the cost of the call is charged to).
A sophisticated method and system of identifying fraudulent calls is described in U.S. Pat. No. 5,768,354 (""354), entitled xe2x80x9cFraud Evaluation And Reporting System and Method Thereofxe2x80x9d, which is owned by the assignee of the present invention, the contents of which are hereby incorporated by reference. Fraudulent activity is identified in the ""354 patent by monitoring billing detail records (BDRs) that are created for each call in real time. In the simple case, where the company""s database shows that the billing number being used for a call has been reported lost, stolen, etc., the billing detail record includes a header designating it as a xe2x80x9cbad billing numberxe2x80x9d. The call is immediately identified as fraudulent, and an alert is generated in the system. A fraud analyst monitors the alerts and takes appropriate actions depending upon the type of alert generated.
The ""354 patent is directed at calls that require xe2x80x9cspecial servicexe2x80x9d, that is, which are placed through an operator or an automatic operation support system. Such calls generally require the caller to manually supply the billing number, such as by pressing numbers on a payphone, swiping the magnetic strip on a card, or speaking with an operator. It may also require the caller to identify the category of billing product (such as credit card, calling card, or pre-paid phone card) for the billing number. The category of the billing product may alternatively be identified by the system by matching all or part of the billing number with billing numbers (or ranges of billing numbers) stored in an identification database, where the stored billing numbers are correlated with the category of billing product. The identification database may also correlate a billing number with the particular type of billing product for the category. For example, where the category of the billing number is identified as a credit card, the identification database may use the billing number to further identify the type of credit card, such as Visa, Master Card, American Express, etc.
The ""354 patent also identifies fraudulent activity by monitoring use of a billing number over time. For example, where the number of domestic calls placed within a certain amount of time using the same billing number exceeds a threshold, an alert is generated. Such use could signify that the billing number has been stolen and is being used to place multiple calls. International calls are handled in a similar fashion. However, due to the costly nature of international calls, the threshold value may be adjusted so that fewer calls within the time period generate an alert. In addition, the threshold may be further adjusted for calls to countries where a high percentage of fraudulent calls are directed. The thresholds may also be varied by the billing product. For example, fraudulent activity may be determined to be more likely to occur on a calling card than on a third party call; consequently, the threshold may be set lower for calling card products. The ""354 patent monitors all calls made for that billing number, regardless of where the calls originate from or are directed to.
While monitoring BDRs and their associated billing numbers and blocking those numbers displaying evidence of fraudulent usage, i.e. numerous call attempts over a period of time, is an important component of fraud prevention, no one technique in and of itself is sufficient to prevent fraudulent access. Perpetrators of fraud (also referred to herein as xe2x80x9chackersxe2x80x9d) are persistent, creative and constantly developing new ways of evading fraud prevention mechanisms.
For example, a hacker may attempt to hack into a private branch exchange (PBX) in order to access information or to use the PBX to make a subsequent call. In the latter case, the call to the PBX may be a local or domestic call, which is less likely to attract attention, whereas the subsequent call made from the PBX may be a costly international call. In addition, hackers may use a PBX in a remote area to access a telephone number that is restricted if dialed directly from the hacker""s phone. In this manner, the hacker uses a technique called xe2x80x9ccall loopingxe2x80x9d to loop around a restricted telephone leg in order to gain access to the blocked number.
A system of detecting fraudulent calls made to a PBX is described in U.S. Pat. No. 5,805,686 (""686), entitled xe2x80x9cTelephone Fraud Detection Systemxe2x80x9d, which is owned by the assignee of the present invention and whose contents of which are hereby incorporated by reference. The system disclosed in the ""686 patent collects call detail records (CDRs) and allows long distance phone customers the ability to monitor usage of their PBX and assign a risk factor to a plurality of recognized call types and destinations. Based upon the generated risk values, fraud analyst determines whether or not to block future access to the PBX for the originating, terminating, or billing number.
While these methods and systems are effective if a hacker makes many call attempts over a period of time, the systems may not detect hackers that break in to a PBX on one line, find an outside line with a different originating number, and call to another terminating number. Most fraud detection systems detect fraud by comparing either the originating numbers or the terminating numbers of the incoming call with the originating numbers or the terminating numbers of the outgoing call. If there are calls where the terminating number of the incoming call is the same as the originating number of the second call, the call may be a fraudulent call loop, and the call may be disconnected. In an effort to defeat these methods, hackers have devised methods of placing calls wherein the originating numbers and/or the terminating numbers are not the same for the call loop. Fortunately, for the telecommunication companies who are trying to prevent the fraudulent calls, in most cases the billing number for the call remains the same.
Thus, it would be desirable to have a system and method for identifying and blocking fraudulent call looping calls that use a common billing number.
It is therefore an object of the present invention to provide a system and method for preventing fraudulent calls using a common billing number.
It is also an object of the present invention to prevent the fraudulent use of a PBX by preventing call looping through the PBX.
It is an additional object of the present invention to detect multiple calls to a common PBX that use a common billing number.
In order to achieve the above and other objects, there is provided a system for identifying fraud in a telecommunications system, the system utilizes a host receiver for receiving call detail records (CDRs) which are generated for each call placed to a PBX. Each CDR contains at least an originating number, a terminating number, a billing number and a call start time corresponding to each call. The CDRs are stored in a CDR queue and are then analyzed using a CDR fraud detector to determine whether the calls are potentially fraudulent. If the calls are flagged as potentially fraudulent, the system generates an alert to a fraud analyst for additional consideration. The fraud analyst can then perform additional checks and add the number to an exception database if the call can be verified as legitimate. If the fraud analyst determines that the call is fraudulent, the billing number, originating number and/or terminating number may be blocked from the PBX.
The method for preventing fraudulent access and use of the PBX comprises the steps of receiving a call detail record for each call entering and leaving a PBX, storing the CDRs in a queue, purging previously stored CDRs in a fraud database that are older than a current time less a predetermined period of time, comparing each CDR billing number to previously stored CDRs in the fraud database, storing the CDR in the fraud database, and generating an alert when the billing number of the current CDR matches a billing number of a previously stored CDR in the fraud database.