LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to...
Transcript of LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to...
![Page 1: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/1.jpg)
Vijay Balasubramaniyan, Raj Bandyopadhyay, Telvis Calhoun 7 August, 2014
LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT RECONNAISSANCE TO TAKEOVER
![Page 2: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/2.jpg)
ONE IN EVERY 2,901 CALLS IS FRAUD
4,635
3,311
1,932
0 500 1,000 1,500 2,000 2,500 3,000 3,500 4,000 4,500 5,000
> 1,000B (4)
> 100B (17)
> 10B (85)
Number of Calls
![Page 3: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/3.jpg)
PHONE FRAUD BY THE NUMBERS
12% – 94% Awareness of fraud on the phone channel
5
Avg. # of calls needed to compromise an account
$700,000 Largest financial transaction loss stopped
$0.57
Dollars lost for every call into your call center
![Page 4: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/4.jpg)
LOSS • Packet loss • Robotization
• Dropped frames
SPECTRUM • Quantization
• Frequency filters • Codec artifacts
NOISE • Clarity
• Correlation • Signal-to-noise ratio
147 audio features in each fingerprint
Phone Type Geo-Location Risk Score
PHONEPRINTING™
Phoneprint™
Call Audio Requires 15 seconds
of call audio
![Page 5: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/5.jpg)
FRAUD DETECTION SYSTEM
Phone Traffic
ANI
Audio
Geography
Device Type
Phoneprint
Reputation
Voiceprint
Notification Scoring Analysis
API
Pindrop Consortium
Fraud Analyst
![Page 6: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/6.jpg)
ANALYSIS AT SCALE
100 Million calls
18 Million Originating ANIs 12 Million Accounts
![Page 7: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/7.jpg)
GENUINE FROM FRAUD
0
10
20
30
40
50
60
70
80
90
100
100 90 80 70 60 50 40 30 20 10 0
% C
alls
abo
ve S
core
Score Threshold
% genuine above % fraud above
At score threshold of 60, stop 91% of fraud while passing 99% of genuine
LOW MEDIUM HIGH
![Page 8: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/8.jpg)
FRAUD CALL DISTRIBUTION
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Perc
enta
ge o
f fra
ud c
alls
Cell
48% 52%
29% 27%
44%
Land VoIP Domestic International
![Page 9: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/9.jpg)
9 HIGH RISK COUNTRIES
![Page 10: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/10.jpg)
WEST AFRICA “ONE”
Magrathea
![Page 11: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/11.jpg)
FRAUDSTER PROFILE
![Page 12: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/12.jpg)
VOICE DISTORTION
![Page 13: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/13.jpg)
CDR ANALYSIS
![Page 14: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/14.jpg)
CHARACTERISTICS OF CDR DATA
● Basic metadata about calls o Source and destination ANIs o Start and end timestamps of call
● Advanced application-specific metadata o IVR call flow information o Account numbers and other user information o Tower & base station information (for cell networks)
![Page 15: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/15.jpg)
GRAPH REPRESENTATION OF CDRS
● Directed graph: ANIs as nodes, edges from source to target
● Edges annotated with timing and other information
● Can include other elements as nodes e.g. account numbers
![Page 16: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/16.jpg)
FEATURES FOR CDR ANALYSIS
● Reputation features o Carrier, device type, prepaid status of source ANI o Complaints against source ANI
● Velocity (graph) features o Number of ANIs & accounts targeted by source ANI o Frequency and duration of calls from ANI o Application-specific features e.g. ANI scanning,
number of authentication attempts
![Page 17: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/17.jpg)
FEATURES FOR CDR ANALYSIS
● Behavior features from IVR o Call flow sequence in the IVR e.g. [Account Entry,
PIN Entry, Balance Check] o Use call flow sequences from single or multiple calls o Break up sequences into short chunks o Represent chunks as fixed-length, numeric vectors o Select top K features using feature selection
techniques e.g. chi-squared
![Page 18: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/18.jpg)
CASE STUDY 1: CALLING CARD TELCO
● Premium rate services fraud o Fraudsters using stolen calling cards to call fake
‘premium’ numbers abroad o Use of automated robots to discover valid customer
ANIs (ANI scanning) and dial out using those ANIs ● Our CDR analysis approach
o Create features based on graph analysis, duration of calls, and interval between subsequent calls
o Create a custom feature to identify scanning
![Page 19: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/19.jpg)
WE DETECT ANI SCANNING
● Detect over 80% of premium rate fraud, up to 10 days before actual fraud calls
● ANI scanning feature detects 50% of fraud
Premium Rate Fraud
![Page 20: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/20.jpg)
CASE STUDY 2: BENEFITS PROVIDER
● Fraudulent claims in state benefits o Fraudsters suspected of performing reconnaissance
over IVR to find valid info o Use of valid account info for account takeovers
● Our approach o Combine reputation, velocity and behavior features o Train model over labeled set of calls o Use model to score incoming calls
![Page 21: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/21.jpg)
WE FIND IVR RECONNAISSANCE ● Suspicious activity on 46% of accounts up to 2 months before fraud ● Specific instances of reconnaissance in IVR
● ANI: 209-532-XXXX ● 7 consecutive calls in 1 hour ● Sequence of invalid Account
number (PAN) entry attempts, followed by successful PAN entry and PIN entry.
![Page 22: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/22.jpg)
ML TRAINING AT SCALE
![Page 23: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/23.jpg)
REAL-TIME PREDICTION ARCHITECTURE
![Page 24: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/24.jpg)
MONGODB: LESSONS LEARNED
● Bulk Ingest o Use Journaled Write-Concern for Inserts.
Acknowledged Write-Concern for Updates. ● Query
o Use Aggregations API + Indexes to generate IVR and CDR features.
● Prediction o Store feature vectors as Binary BSON objects.
![Page 25: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/25.jpg)
CONCLUSION
● Account takeover – acoustical anomalies ● > 80% TDR, < 2% FPR ● 52% coming from international locations
● Account reconnaissance – CDR analysis ● 46% detected 2 months before attack
● Detect pre-crime, zero day attacks and repeat attacks on the phone channel by complete understanding of lifecycle of a fraudster
![Page 26: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/26.jpg)
PINDROP SECURITY [email protected] [email protected] [email protected]
![Page 27: LIFECYCLE OF A PHONE FRAUDSTER: FROM ACCOUNT ...€¦ · o Fraudsters using stolen calling cards to call fake ‘premium’ numbers abroad o Use of automated robots to discover valid](https://reader035.fdocuments.us/reader035/viewer/2022071019/5fd27321e8f45e3e7f668fb1/html5/thumbnails/27.jpg)
Good Fraud
PINDROP PHONEPRINT