International Revenue Share Fraud (IRSF) attacks. They are one of the telcom industry’s most persistent problems and when your business is targeted, it costs you money. IRSF has been steadily increasing over the past 10 years and its perpetrators are dedicated to ensuring that it continues to be a highly profitable and hard-to-stop crime. We’ve kept a close eye on this issue here at TeleSign and, in doing so, have developed best-practice recommendations to help our customers put the products and processes in place to fight IRSF. But first, what is it?
IRSF – The Basics
With IRSF, attackers use fraudulent access to a network to artificially inflate traffic to numbers obtained from an International Premium Rate Number (IPRN) Provider. Fraudsters then receive payment (on a revenue share basis with the number provider) for every minute of traffic generated into these numbers. If they enable automation of voice calls to these numbers from an Internet site or application, they can obtain a lot of money in a very short period of time (hours or minutes).
An unsuspecting party along the voice call chain is charged for the high toll calls. The most damaging attacks tend to be initiated over a weekend or late at night when fraudsters know human monitoring may be minimal and an attack less likely to be caught.
Quite often, the premium number subscriber, content provider and fraudster are the same entity. Fraudsters will continue this activity until the originating number range owner becomes aware of the fraud and blocks access. Typically, the fraudsters will then move to another fraudulent access point and continue calling additional numbers provided by the IPRN Provider.
It’s a way for fraudsters to make money without having to register for an account or complete a two-factor authentication (2FA) transaction. They simply need to make a call to a particular number or set of numbers. This call is a recorded voice message across a voice-based network trying to deliver a one-time passcode (OTP). Whether the code is entered by an end-user or not, fraudsters share the revenue that this action generates, simply by placing the call.
How We Help
TeleSign guides our customers in taking the appropriate actions to prevent or reduce the potential impact of IRSF –most notably, the cost. These recommendations include:
- Rate-limiting: You should only allow a certain maximum number of transactions per second to be generated on your site to prevent excessive use and/or Distributed Denial of Service (DDoS) attacks.
- Monitor your messaging platform for unusual behavior, such as:
- Repeat requests for the same phone number (set retry limits).
- All requests coming from one a particular IP address.
- Requests at unusual times of day or to unusual destinations (countries where transactions are not common or expected at high volumes).
- If you have no end-users in a particular country, you should consider building it into your logic to not allow calls to be placed to that country.
- Create a clear escalation path and appropriate level contacts so action can be taken if an attack happens.
Customers can also benefit from implementing TeleSign’s Score product before triggering voice transactions. For example, Score (with Telebureau) helps identify and block high-risk phone numbers, phone types (including Premium numbers), countries, prefixes and number ranges–reducing the likelihood and/or significantly limiting the amount of fraud incurred. Assessing a phone number for association with or likelihood of fraud before sending a voice message has been shown to be a particularly effective method for stopping or minimizing IRSF.
TeleSign’s Client Services team can assist customers with additional preventative measures you can take to limit or prevent the impact of IRSF on your platform. Charges resulting from IRSF are often the result of vulnerabilities on customers’ websites; which is why it’s important for customers to take steps to prevent it as much as possible. Taking the steps above, in conjunction with Score, can significantly limit the impact of such attacks. Although TeleSign will also proactively monitor for IRSF attacks, and will alert customers if identified, it is the responsibility of customers to take preventative steps proactively to minimize any potential impact of this vulnerability.