BYE delay fraud
While working on fraud detection and prevention for a number of VoIP providers, I came across a rarely detected, yet creative type of fraud. It is called BYE delay fraud.
Let's see what a regular SIP message exchange looks like when we have four VoIP carriers in chain:
What is shown above is a typical (yet somewhat simplified) view of SIP traffic exchange within a chain of four carriers. The messages are chronologically sorted so that the first message appears on the top of the diagram and the last message at the bottom. There are two significant moments for this call:
t0 - time when the call is answered: the moment we consider the starting time when measuring the duration of the call
t1 - time when the call has ended (hangup by callee): the moment we consider the ending time when measuring the duration of the call
So if we say that
t0 = 3sec
t1 = 45sec
The duration of the call is 45-3 = 42sec.
Since the OK and BYE messages are forwarded between all four providers almost instantly (meaning t0 and t1 are practically the same for all providers), every provider will consider the call duration was 42sec and charge the previous (originating) provider in the chain accordingly.
Let's analyze the diagram:
So this is an example of a regular situation. Everybody is happy, every provider made some money on that call, no fraudulent activities here.
Now, let's assume our vendor gets nasty and wants to extract some extra money by charging us (you) more than he should. What he can do is setup a specially designed SIP routing device (or reconfigure it's own softswitch if possible), so that the BYE message is not transferred to the previous provider instantly! Let's take a look how would the previously shown SIP message exchange diagram look like in that case:
Now we have three significant moments to consider:
t0 - time when the call is answered: the moment we consider the starting time when measuring the duration of the call
t1 - time when the call has ended because the callee hung up - in this scenario the BYE message at time t1 is visible only to our vendor and our vendor's vendor
t2 - time when the caller has hung up - in this scenario the BYE message at t2 is visible only to our customer, by us and by our vendor
So if we say that
t0 = 3sec
t1 = 45sec
t2 = 59sec
Before we calculate the duration of the call, let's analyze what happened here. The call started at t0, all providers are aware of that. The call is terminated by the callee at t1, but since our nasty vendor did not forward the BYE message, our softswitch (and also our customer's one) consider the call still active! The caller does not hear anything (or in some more advanced cases of such type of fraud gets a playback of some message luring him to keep the line open as long as possible). At t2, the caller realizes that something is wrong and hangs up. Customer sends us BYE, we forward the BYE message to out vendor.
To make it more clear I'll list all the events like i did in the non-fraud scenario:
Customer: t2 - t0 = 59-3 = 56 sec
We: t2 - t0 = 59-3 = 56 sec
Our vendor: t1 - t0 - 45-3 = 42 sec
Vendor's vendor: t1 - t0 - 45-3 = 42 sec
See the point? For a single call, not all providers in the chain are charged for the same duration! Actually, our nasty vendor charged us 14 seconds more than it should have! What's more, our vendor gets charged for only 42 seconds, so all the added value from the 14 seconds he keeps for himself, because his vendor (vendor's vendor) considers the call duration also 42 seconds!
Who is at the greatest loss here? We are obviously not, because we got charged 56 seconds from our vendor, and we charge our customer 56 seconds. We (as a link in the chain) are actually profiting from this, not even knowing what's going on. The one who pays the additional 14 seconds is the poor guy at the very beginning of the chain, probably some retail end-user.
This kind of fraud is extremely hard to detect, and what's more concerning, there is actually no interest by any provider in the chain to fight this kind of fraud because everyone profits from it.
The only ones who, I can imagine, could have interest in fighting BYE delay fraud are actually end-users, retail customers, especially call centers.
If you are running a call center or are a large retail customer, I would recommend periodic testing to ensure that you don't fall victim for this kind of fraud.
Let's see what a regular SIP message exchange looks like when we have four VoIP carriers in chain:
What is shown above is a typical (yet somewhat simplified) view of SIP traffic exchange within a chain of four carriers. The messages are chronologically sorted so that the first message appears on the top of the diagram and the last message at the bottom. There are two significant moments for this call:
t0 - time when the call is answered: the moment we consider the starting time when measuring the duration of the call
t1 - time when the call has ended (hangup by callee): the moment we consider the ending time when measuring the duration of the call
So if we say that
t0 = 3sec
t1 = 45sec
The duration of the call is 45-3 = 42sec.
Since the OK and BYE messages are forwarded between all four providers almost instantly (meaning t0 and t1 are practically the same for all providers), every provider will consider the call duration was 42sec and charge the previous (originating) provider in the chain accordingly.
Let's analyze the diagram:
- Our customer initiates a call (by sending SIP INVITE message to us)
- We route the call to our vendor (by sending SIP INVITE to our vendor)
- Our vendor routes the call to a vendor of his own (also sending INVITE)
- Vendor's vendor replies with SIP 180 RINGING
- Our vendor sends us the same message (180 RINGING)
- We send our customer 180 RINGING, so now the caller hears ringing tone, waiting for the called party to answer
- At t0 time (which is practically the same for all parties) the call is considered established
- The call is in progress
- At t1 time, the callee hangs up, and the BYE message gets it's way to the customer.
- All four providers make a record of the call with duration of 42 seconds.
- For this call, every provider charges the previous provider in chain (the originator). The cost is calculated like (duration X price_per_minute)
So this is an example of a regular situation. Everybody is happy, every provider made some money on that call, no fraudulent activities here.
Now, let's assume our vendor gets nasty and wants to extract some extra money by charging us (you) more than he should. What he can do is setup a specially designed SIP routing device (or reconfigure it's own softswitch if possible), so that the BYE message is not transferred to the previous provider instantly! Let's take a look how would the previously shown SIP message exchange diagram look like in that case:
Now we have three significant moments to consider:
t0 - time when the call is answered: the moment we consider the starting time when measuring the duration of the call
t1 - time when the call has ended because the callee hung up - in this scenario the BYE message at time t1 is visible only to our vendor and our vendor's vendor
t2 - time when the caller has hung up - in this scenario the BYE message at t2 is visible only to our customer, by us and by our vendor
So if we say that
t0 = 3sec
t1 = 45sec
t2 = 59sec
Before we calculate the duration of the call, let's analyze what happened here. The call started at t0, all providers are aware of that. The call is terminated by the callee at t1, but since our nasty vendor did not forward the BYE message, our softswitch (and also our customer's one) consider the call still active! The caller does not hear anything (or in some more advanced cases of such type of fraud gets a playback of some message luring him to keep the line open as long as possible). At t2, the caller realizes that something is wrong and hangs up. Customer sends us BYE, we forward the BYE message to out vendor.
To make it more clear I'll list all the events like i did in the non-fraud scenario:
- Our customer initiates a call (by sending SIP INVITE message to us)
- We route the call to our vendor (by sending SIP INVITE to our vendor)
- Our vendor routes the call to a vendor of his own (also sending INVITE)
- Vendor's vendor replies with SIP 180 RINGING
- Our vendor sends us the same message (180 RINGING)
- We send our customer 180 RINGING, so now the caller hears ringing tone, waiting for the called party to answer
- At t0 time (which is practically the same for all parties) the call is considered established
- The call is in progress
- At t1 time, the callee hangs up, and the BYE message gets to our vendor.
- Our vendor does not forward BYE message to us, leaving our softswitch thinking that the call is still active
- Not knowing that the call has ended, we don't send BYE to our customer either
- At t2 time the caller hangs up, and our customer sends us BYE, which we instantly forward to our vendor
- The duration of the call now differs for different providers!
- For this call, every provider charges the previous provider in chain (the originator). The cost is calculated like (duration X price_per_minute)
Customer: t2 - t0 = 59-3 = 56 sec
We: t2 - t0 = 59-3 = 56 sec
Our vendor: t1 - t0 - 45-3 = 42 sec
Vendor's vendor: t1 - t0 - 45-3 = 42 sec
See the point? For a single call, not all providers in the chain are charged for the same duration! Actually, our nasty vendor charged us 14 seconds more than it should have! What's more, our vendor gets charged for only 42 seconds, so all the added value from the 14 seconds he keeps for himself, because his vendor (vendor's vendor) considers the call duration also 42 seconds!
Who is at the greatest loss here? We are obviously not, because we got charged 56 seconds from our vendor, and we charge our customer 56 seconds. We (as a link in the chain) are actually profiting from this, not even knowing what's going on. The one who pays the additional 14 seconds is the poor guy at the very beginning of the chain, probably some retail end-user.
This kind of fraud is extremely hard to detect, and what's more concerning, there is actually no interest by any provider in the chain to fight this kind of fraud because everyone profits from it.
The only ones who, I can imagine, could have interest in fighting BYE delay fraud are actually end-users, retail customers, especially call centers.
If you are running a call center or are a large retail customer, I would recommend periodic testing to ensure that you don't fall victim for this kind of fraud.
Comments
Post a Comment