MCI Accused of Long-Distance Call Accounting Fraud

drcobb writes "According to the New York Times, MCI is under investigation again. This time for spoofing SS7 point codes to avoid paying access tariffs. Federal prosecutors have opened an investigation in the United States and Canada into accusations that MCI, the nation's second-largest long-distance carrier, defrauded other telephone companies of at least hundreds of millions of dollars over nearly a decade, people involved in the inquiry said."

spoofing ss7?

please.

What does spoofing ss7 point codes have to do with this?

Oh, you can't really spoof ss7 point codes, otherwise the return ( cells? ) have no way of getting back to you, so how do you expect to terminate a call? hmmm?

dumbass.

get some clue before you write about telephony related things.

oh, every facilities-based provider gets around getting billed for access, especially when you're talking about intrastate calls. ILEC will bill you roughly 3.5 cents a minute, new CLECs do the same thing, older CLECs charge more but will have to reduce their access costs.

for interstate calls, you're getting hit for half a cent a minute.

there is a document on this somewhere on the fcc site describing how the rates have to go down, and what the rates have to be for intra/inter state access charges.

get some clue.

Not exactly uncommon in telecoms...

[heironymouscoward]

(I am not a telecoms specialist, this is second-hand knowledge...)

Most billing systems in telecoms infrastructure work on trust to some extent. That is, billing is based on information such as the originator address, but many telecoms systems do not verify this kind of data except in a limited way.

In a general sense, once you are on a telecoms network, your partners trust you to play fair, but there is not a general paranoia. Historically this was because nationalized telcos had no reason to cheat.

This is a particular headache for SMS operators, since it is relatively easy for fraudulent operators to send SMS traffic with spoofed originating addresses. The traffic is either billed to the wrong parties, or at the wrong rate.

Obviously whenever this kind of fraud gets uncovered, people tighten up their security. But often the cost of doing this is so high that it's a last step, not a first one.

Think of unsecured email and you get a fair analogy.

Perhaps a telco insider has a better view?

Re:Tariffs are the single largest cost??

[Detritus]

A tariff is not a tax. It is a regulated price for a service. In this case, the long distance company pays a few cents a minute to the originating and terminating local carriers for access and use of their networks.

Re:Wow.

[Mister+Transistor]

Acutally it wouldn't be quite that bad; all they need to check is the beginning and end of the call, and verify that the source and destination were correctly specified for the confirmed call from here to there... If the source and "here" don't match - fraud alert!

The calls that were switched onto another LD carrier would be much more difficult to backtrace, because they would all show origination from whatever local office they were transferred through. They most likely had forged source information that showed the origination as the local office that they were first illegally transferred to. That's a double whammy, not only are they getting out of termination tarrifs, but they are actually using their competitor's infrastructure for free and charging the termination fee to them to boot! Wow.

How it really works

[ZPO]

Here is how something like this typically works.

First, how is it supposed to work. SS7 pointcodes are like the IP address of a telephone switch. Messages are routed through an SS7 network that runs between switches to route calls, identify the source and destination information, and generate billing data. There are rather simple ways to conceal the origin of these calls. The ILECs (who own the InterLATA tandems) have gotten their friends, the state PUCs, to continue with quite high orig/term interconnection tarriffs. This is a huge source of revenue for them. The original concept was to pay for the large upfront expenditures to install the interlata tandems with the breakup of AT&T and the entrance of the new (at the time) IXCs. Those switches (and the required capacity upgrades) have been paid for hundreds of times over. When you consider $.05/min long distance and the orig/term fees are $.03-.04/min for both ends you see the IXC isn't exactly making much. Its a little present to the ILECs from the PUCs.

Many companies are doing this today via what is known as the "enhanced service provider exemption". In short, this states that Inter-LATA traffic which is carried across an enhanced services network (VoIP, VoATM, VoFR, etc) is not subject to InterLATA termination fees at the distant end of the call. The rules are pretty vague here and there doesn't appear to be a minimum percentage in the quantity of calls which must be handled by the enhanced services network or a percentage of the overall call distance that must be handled by the enhanced services network. What you get is folks that buy some to handle perhaps a T1s worth of trunks, place them next to each other in the rack, and route a few calls through it within a single office. Under the current rules they now operate an "enhanced services network" and are thus exempt from paying the orig/term InterLATA tarriffs. There is at least one large calling card provider (especially catering to the Hispanic population in the US) that does exactly this. The company then finds a friendly CLEC to allow them to dump their calls into the local network via MF (tone signalled, non-SS7) trunking and the origin of the call will appear to be a local number.

In the old days (pre-1999) there were several companies doing this without bothering to claim the enhanced service provider exemption. I've personally seen companies locate in a CLEC colocation facility and house nothing but a patch panel in a closed cabinet. MF trunks from IXCs (long distance carriers) are brought in on one side, and MF local-access trunks head out the other. This is also known as "dump and term".

When you're MCI (WorldDom) this becomes trivially easy. MCI owns at least 2 CLECs. WorldCom bought Brooks (I ran local operations in 2 cities for Brooks) shortly before the MCI deal. They also bought MFS several years before that. It would be a very simple matter to use an intermediary in each LATA to launder the traffic via MF trunks back into their MFS/Brooks switches and then pass them off to the ILEC (incumbent local exchange carrier) as what appear to be local calls. There isn't any high-tech SS7 munging required here.

This could also be accomplished via some sexy work with SS7 on a switch. It would be like NAT and would rewrite the originating point code and phone number to a local one. The same SS7 hardware would take the messages coming back and rewrite them to go to the proper switch. We do NAT with IP addresses every day. Its not a large stretch to imagine doing it with SS7. I don't see much of a need to though. There are much simpler ways to accompish it.

Hell, if MCI/Worldcom doesn't mind the exposure just run the MF trunks between local and LD switches without the intermediary. It opens up a huge liability hole, but it may have been deemed acceptable.