TAP YIPL

home *** CD-ROM | disk | FTP | other *** search

/ TAP YIPL / TAP_and_YIPL_Collection_CD.iso / PHREAK / GENERAL / BBFRAUD.TXT < prev next >

Wrap

Text File | 1998-04-27 | 35KB | 1,262 lines

TABLE OF CONTENTS BLUE BOX FRAUD DETECTION DESC 1001-132 NTP NORTHERN TELECOM PRACTICE 297-1001-132 ISSUED: 87 04 24 RELEASE: 02.01 STANDARD DIGITAL SWITCHING SYSTEMS DMS*-100 FAMILY BLUE BOX FRAUD DETECTION FEATURE DESCRIPTION * DMS-100 is a trademark of Northern Telecom Page 1 21 pages PRACTICE 297-1001-132 RELEASE: 02.01 (c) Northern Telecom 1980, 1987 Page 2 PRACTICE 297-1001-132 RELEASE: 02.01 CONTENTS PAGE 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . 4 General . . . . . . . . . . . . . . . . . . . . . . . . 4 Practice Application . . . . . . . . . . . . . . . . . . 4 Reason for Reissue . . . . . . . . . . . . . . . . . . . 5 Software Identification . . . . . . . . . . . . . . . . 5 Command Format Conventions . . . . . . . . . . . . . . . 5 References . . . . . . . . . . . . . . . . . . . . . . . 5 2. DESCRIPTION . . . . . . . . . . . . . . . . . . . . . . 7 Testing for Fraudulent Calls . . . . . . . . . . . . . . 10 Recording Fraudulent Calls . . . . . . . . . . . . . . . 11 Disposing of Fraudulent Calls . . . . . . . . . . . . . 12 Cut the Call . . . . . . . . . . . . . . . . . . . . 12 Continue the Call . . . . . . . . . . . . . . . . . 12 3. OPERATIONAL MEASUREMENTS . . . . . . . . . . . . . . . . 13 4. MAN-MACHINE INTERFACE . . . . . . . . . . . . . . . . . 14 Commands . . . . . . . . . . . . . . . . . . . . . . . . 14 Alarms . . . . . . . . . . . . . . . . . . . . . . . . . 17 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5. GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . 20 FIGURES FIG. TITLE PAGE 1 Fraudulent Call Setup . . . . . . . . . . . . . . . . . 8 2 The Extra Wink . . . . . . . . . . . . . . . . . . . . 9 3 The Reserved Multifrequency Receiver . . . . . . . . . 10 Page 3 INTRODUCTION BLUE BOX FRAUD DETECTION DESC 1001-132 NTP PRACTICE 297-1001-132 RELEASE: 02.01 1. INTRODUCTION GENERAL 1.01 This Practice describes the Blue Box Fraud Detection fea- ture and its operation within the DMS-100 Family. A "blue box" is any device, connected illegally to a subscriber's line, that can produce both a 2600 Hz tone and multifrequency (MF) dig- its. 1.02 To place a fraudulent call, the perpetrator performs two steps: 1. Use a normal telephone to place a normal call. This call is usually a free or inexpensive call, and uses a Single Fre- quency (SF) trunk beyond the perpetrator's billing office. 2. Use a blue box to place the fraudulent call. This call uses the SF trunk seized for the original, normal call. 1.03 Calls placed with a blue box are typically undetected by the perpetrator's billing office, thus the term "blue box fraud." 1.04 The Blue Box Fraud Detection feature attempts to discover fraudulent MF signaling over Centralized Automatic Message Accounting (CAMA) and SuperCAMA trunks; it does not detect frau- dulent signaling over Traffic Operator Position System (TOPS) trunks. This feature can alert the operating company of a frau- dulent call attempt and either allow billing to be made for the call or disconnect the call. 1.05 This feature detects fraudulent MF signaling but does not detect fraudulent SF pulsing. No customer data schema is required, because the feature is activated and deactivated using the Command Interpreter (CI) facilities at the Maintenance and Administration Position (MAP1). The feature implements the meth- od of detection of fraudulent toll telephone calls described in U.S. patent 4,001,513. PRACTICE APPLICATION 1.06 The information contained in this Practice is applicable to offices having Batch Change Supplement release 22 (BCS22) software. It is also applicable to offices having a BCS release greater than 22 unless reissued. The application of all Northern Telecom Practices (NTP) editions with respect to a given BCS release is given in 297-1001-001. ──────────────── 1 MAP is a trademark of Northern Telecom. Page 4 PRACTICE 297-1001-132 RELEASE: 02.01 REASON FOR REISSUE 1.07 This Practice has been reissued to revise the content and format of the existing document. Due to the extent of these changes, revision bars are not included in the text. SOFTWARE IDENTIFICATION 1.08 Software applicable to a specific DMS-100 Family office is identified by a BCS release number and by Northern Telecom (NT) Product Engineering Codes (PEC). The significance of the BCS number and the PEC is described in 297-1001-450 (section 450/32) and in the Office Feature Record D-190. 1.09 A display of the BCS number and PEC for the NT feature packages available in a specific office can be obtained by entering the command string: PATCHER;INFORM LIST;LEAVE at a MAP. COMMAND FORMAT CONVENTIONS 1.10 In this Practice, a uniform system of notation is used to illustrate system commands and responses. It shows the order in which command elements appear, the punctuation, and the options. Where the conventions are not used, an explanation is given in the text. CAPITAL letters or show constants, commands, or keywords that special characters the system accepts when entered as writ- ten. lowercase letters show a user- or system-supplied para- meter. Definitions are given for each par- ameter. Brackets [ ] or ┌ ┐ enclose optional parameters. A vertical │ │ list enclosed in brackets means that one └ ┘ or more of the parameters may be selected. REFERENCES 1.11 References listed as prerequisites are essential for an understanding of this Practice. Those listed as inform- ative contain detailed information concerning other items men- tioned in this Practice, but are not essential. References are inserted at the appropriate places in the text. Page 5 PRACTICE 297-1001-132 RELEASE: 02.01 Note: The documents listed may exist in more than one version. See 297-1001-001 to determine the release code of the version compatible with a specific release of software. Prerequisite References DOCUMENT NUMBER TITLE ───────────────────────────────────────────────────────────────────── 297-1001-100 System Description Informative References DOCUMENT NUMBER TITLE ───────────────────────────────────────────────────────────────────── GFXINDEX General Feature Description Index of Documents 297-1001-001 Master Index of Practices 297-1001-114 Operational Measurements (OM) 297-1001-119 Automatic Message Accounting - Northern Telecom Format 297-1001-450 Provisioning 297-1001-510 Log Report Manual Page 6 DESCRIPTION BLUE BOX FRAUD DETECTION DESC 1001-132 NTP PRACTICE 297-1001-132 RELEASE: 02.01 2. DESCRIPTION 2.01 The Blue Box Fraud Detection feature allows the DMS-200 to perform three fraud detection functions: o test for fraudulent calls o record fraudulent calls o dispose of fraudulent calls (cut or continue). 2.02 Figure 1 on page 8 describes how a perpetrator initiates a fraudulent call. Figure 2 on page 9 describes how the system responds to a fraudulent call, and how the testing proce- dure is invoked. Figure 3 on page 10 describes how the DMS-200 prepares to test for fraudulent calls. Page 7 PRACTICE 297-1001-132 RELEASE: 02.01 ───────────────────────────────────────────────────────────────── ┌───┐ /O\ To place a fraudulent call, │ the perpetrator first │ places a normal call. │ V The End Office sends the ┌───────────┐ digits to the CAMA office. │ │ │ END │ The CAMA office receives │ OFFICE │ and translates the digits │ │ from the End Office, and │ │ seizes an outgoing trunk. └─────┬─────┘ │ The office at the far end │ of the outgoing trunk winks │ in response, and the CAMA CAMA │ office sends the called TRUNK │ digits for this normal │ call. │ │ No fraud has taken place V yet. ┌────────────────────┐ │ CAMA │ │ OFFICE │ │ │ │ DMS │ │ 200 │ │ │ └───┬────────────────┘ │ OUTGOING│ A TRUNK│ │WINK │ │ │ V Fig. 1 - Fraudulent Call Setup ───────────────────────────────────────────────────────────────── Page 8 PRACTICE 297-1001-132 RELEASE: 02.01 ───────────────────────────────────────────────────────────────── ┌───┐ /O\ Either before or after the │ original, normal call is │ answered, the perpetrator ┌─────┐ │ uses the blue box to place │BLUE ├────>│ a fraudulent call. │BOX │ │ └─────┘ │ This fraudulent call causes │ the office at the far end │ of the outgoing trunk to V wink, again, in response. ┌───────────┐ │ │ To the office at the far │ END │ end of the outgoing trunk, │ OFFICE │ the wink is normal. To the │ │ CAMA office, however, the │ │ wink is unexpected. └─────┬─────┘ │ It is this extra wink that │ invokes the blue box fraud CAMA │ testing procedure. TRUNK │ │ Without the Blue Box Fraud │ Detection feature, the CAMA │ office ignores the wink. │ │ │ │ V ┌────────────────────┐ │ CAMA │ │ OFFICE │ │ │ │ DMS │ │ 200 │ │ │ └───┬────────────────┘ │ OUTGOING│ A TRUNK│ │ │ │ │ WINK V Fig. 2 - The Extra Wink ───────────────────────────────────────────────────────────────── Page 9 PRACTICE 297-1001-132 RELEASE: 02.01 TESTING FOR FRAUDULENT CALLS 2.03 Triggered by the unexpected wink, the DMS-200 begins to test the suspected call. ───────────────────────────────────────────────────────────────── ┌───┐ /O\ To test the call, the DMS- │ 200 establishes a broadcast │ network connection from the ┌─────┐ │ suspected incoming CAMA │BLUE ├────>│ trunk to a reserved MF │BOX │ │ receiver (MFR). └─────┘ │ │ These MFR are reserved when V the feature is activated. ┌───────────┐ │ │ As long as the feature is │ END │ active, the reserved MFR │ OFFICE │ are not available for │ │ standard call processing. │ │ └─────┬─────┘ NOTE: The number of MFR set │ in reserve depends on the │ number of simultaneous CAMA │ ┌────────┐ fraud attempts expected. TRUNK │ │reserved│ For provisioning MFR refer │broadcast │ │ to 297-1001-450. ├──────────┤ MFR │ │connection│ │ Following is a description │ └──┬─────┘ of the events that occur │ │ after the MFR is attached. │ d│ │ i│ │ g│ │ i│ │ t│ │ s│ V V ┌────────────────────┐ │ CAMA │ │ OFFICE │ │ DMS │ │ 200 │ └───┬────────────────┘ │ OUTGOING│ TRUNK│ │ │ V Fig. 3 - The Reserved Multifrequency Receiver ───────────────────────────────────────────────────────────────── Page 10 PRACTICE 297-1001-132 RELEASE: 02.01 2.04 After attaching the MFR, the DMS-200 waits for one of the following events: EVENT EXPLANATION AND SYSTEM RESPONSE Wink Wink on the same trunk again. System Response: Reset the MFR timeout and continue to wait. Digits A fraudulent set of called digits has been received. System Response: Provide the charge utility with these digits and use the Automatic Message Account- ing (AMA) Event Information Digit to flag this call as a Blue Box call. Release the MFR. If the CUT option was specified from the MAP, dis- connect the call. Refer to Commands on page 14 for information about the CUT option. Call failure Mutilated digit(s) detected by the MFR. Several things could cause this: o the call may have released o there may be a real transmission problem o the perpetrator may be using SF pulsing. System Response: Release the MFR and assume no fraud has taken place. MFR Timeout The time allowed to detect possible fraudulent MF digits has expired. System Response: Release the MFR and assume no fraud has taken place. RECORDING FRAUDULENT CALLS 2.05 The DMS-200 performs the following actions after detecting a fraudulent call: o If the CUT option was not specified, replace the original digits in the charge buffer with the fraudulent digits. Note: If the perpetrator places more than one fraudulent call, only the last call appears in the charge buffer. Page 11 PRACTICE 297-1001-132 RELEASE: 02.01 o Set the AMA event information digit to mark the call as a Blue Box call. See 297-1001-119. o If the office is performing AMA recording for this call, gen- erate a log to alert the operating company office that a Blue Box call is in progress. See Logs on page 17. o If the ALARM option was specified at the MAP, generate a visual/audible minor alarm. DISPOSING OF FRAUDULENT CALLS 2.06 There are two options for disposing of fraudulent calls: cut the call or continue the call. Cut the Call 2.07 To cut a fraudulent call, the DMS-200 performs the follow- ing actions: o releases the MFR o releases the connection between the originating and terminat- ing agents of the call o processes the AMA information o deallocates the terminator o sets treatment for the originator. Continue the Call 2.08 If the CUT option was not specified, the DMS-200 releases the MFR and the call continues. The perpetrator is billed based on the fraudulent digits. 2.09 When the subscriber disconnects the call, the system gen- erates a log and turns off the alarm if the ALARM option was specified. Page 12 OPERATIONAL MEASUREMENTS BLUE BOX FRAUD DETECTION DESC 1001-132 NTP PRACTICE 297-1001-132 RELEASE: 02.01 3. OPERATIONAL MEASUREMENTS 3.01 The Operational Measurement BLUEBOX is associated with the Blue Box Fraud Detection feature (see 297-1001-114 for more information). The CI command OMSHOW BLUEBOX will display the contents of each field. 3.02 BLUEBOX has the following fields: FIELD DESCRIPTION BBWinks Number of unexpected winks detected on incoming CAMA trunks. These winks could indicate fraudulent calls. BBAttach Number of successful MFR attachments to suspected trunks. BBDetect Number of fraudulent calls detected. Page 13 MAN-MACHINE INTERFACE BLUE BOX FRAUD DETECTION DESC 1001-132 NTP PRACTICE 297-1001-132 RELEASE: 02.01 4. MAN-MACHINE INTERFACE 4.01 The Blue Box Fraud Detection feature is activated by a CI command issued at the MAP. The same command can be used to query the status of the feature. The following section describes the syntax and options of the commands. COMMANDS ┌───────────────────────────────────────────────────────────────┐ │ │ │ │ │ │ │ │ ┌ ┌ ┐┐┐ ┐ │ │ BLUEBOX │ │ACT [nmfr [timeout │ALARM│││ │ │ │ │ │ │CUT │││ │ │ │ │ │ └ ┘┘┘ │ │ │ │ │CLR │ │ │ │ └ ┘ │ │ │ │ └───────────────────────────────────────────────────────────────┘ activates, clears, or queries the status of the Blue Box Fraud Detection feature. Activating the feature reserves the specified number of MFR. Clearing the feature returns the MFR to the common pool. Where: ACT activates the Blue Box feature and reserves the speci- fied number of MFR. CLR deactivates the Blue Box feature and returns the MFR to the common pool. nmfr specifies the number of MFR to be reserved. o Range: 1 through 3. o Default: 1. timeout specifies the number of seconds the MFR will wait for digits. o Range: 5 through 35. o Default: 30. ALARM specifies that an audible/visual alarm will be generated when a Blue Box call is detected. CUT specifies that fraudulent calls will be disconnected. If this parameter is not specified, the fraudulent call will continue. Page 14 PRACTICE 297-1001-132 RELEASE: 02.01 Notes: 1. The activation parameters are position-dependent. That is, nmfr must be specified before timeout; both nmfr and timeout must be specified before ALARM or CUT. 2. The BLUEBOX command issued without any parameters queries the system for the feature status. Examples 1. Activate the Blue Box feature using only the default parame- ters. The user inputs the following CI command: BLUEBOX ACT The system responds with the feature status and parameters: Bluebox Fraud Detection Feature Status: Active. 1 MFR reserved, timeout set to 30 seconds. 2. Activate the Blue Box feature and reserve two MFR. The user inputs the following CI command: BLUEBOX ACT 2 The system responds with the feature status and parameters: Bluebox Fraud Detection Feature Status: Active. 2 MFR reserved, timeout set to 30 seconds. 3. Activate the Blue Box feature and reserve three MFR with a timeout of 22 seconds. The user inputs the following CI com- mand: BLUEBOX ACT 3 22 The system responds with the feature status and parameters: Bluebox Fraud Detection Feature Status: Active. 3 MFR reserved, timeout set to 22 seconds. 4. Activate the Blue Box feature with the ALARM option. Reserve one MFR with a timeout of 30 seconds. The user inputs the following CI command: BLUEBOX ACT 1 30 ALARM The system responds with the feature status and parameters: Page 15 PRACTICE 297-1001-132 RELEASE: 02.01 Blue Box Feature Status: Active. 1 MFR reserved, timeout set to 30 seconds. Detection will report alarm. 5. Activate the Blue Box feature with the CUT option. Reserve two MFR with a timeout of 25 seconds. The user inputs the following CI command: BLUEBOX ACT 2 25 CUT The system responds with the feature status and parameters: Bluebox Fraud Detection Feature Status: Active. 2 MFR reserved, timeout set to 25 seconds. Detection will cut off call. 6. Determine the status of the Blue Box feature. The user inputs the following CI command: BLUEBOX If the feature is not active, the system responds with: Bluebox Fraud Detection Feature Status: Inactive. If the feature is active, the system responds with the fea- ture status and parameters: Bluebox Fraud Detection Feature Status: Active. 2 MFR Reserved, timeout set to 35 seconds. Detection will cut off call. 7. Deactivate the Blue Box feature and return the MFR to the common pool. The user inputs the following CI command: BLUEBOX CLR The system indicates command execution with the response: Bluebox Detection Feature Cleared. Page 16 PRACTICE 297-1001-132 RELEASE: 02.01 ┌───────────────────────────────────────────────────────────────┐ │ │ │ │ Q │ BLUEBOX │ │ │ │ └───────────────────────────────────────────────────────────────┘ queries the system for the syntax of the BLUEBOX command. Example: Display the BLUEBOX command syntax. The user inputs the following CI command: Q BLUEBOX The system responds with the following syntax diagram: Parameters for Bluebox Fraud Detection Parms: [<Active Status> {CLR, ACT [<Number of MFRs> {1 TO 3}] [<Timeout Value> {5 TO 35}] [<Notification Option> {ALARM, CUT}]}] ALARMS 4.02 If the ALARM option is specified, a minor office alarm is activated whenever a Blue Box call is detected. The office alarm is deactivated at call disconnect. LOGS 4.03 The following six logs are associated with the Blue Box Fraud Detection feature: o AUDT118 o EXT106 o TRK151 o TRK152 o TRK153 o TRK154. Page 17 PRACTICE 297-1001-132 RELEASE: 02.01 4.04 The following is a brief description and example of each log. See 297-1001-510 for more detailed information. LOG DESCRIPTION AUDT118 The Audit subsystem generates this log when Blue Box Fraud Detection feature data is inconsistent with the corresponding MFR data. The identified MFR cannot be used for fraud detection until the problem is cleared. Example: AUDT118 APR12 12:00:00 2112 FAIL BLUEBOX MFR LOST CKT RCVRMF 1 EXT106 The External Alarms subsystem generates this log when a fraudulent call is detected and when that call discon- nects. Example: *EXT106 MAR14 12:00:00 2112 INFO BLUEBOX ON CALL DETECTED *EXT106 MAR14 12:05:00 2113 INFO BLUEBOX OFF CALL DISCONNECTED TRK151 The Trunk Maintenance subsystem generates this log when the Bluebox Fraud Detection feature is activated. Example: TRK151 APR11 12:00:00 2112 INFO BLUEBOX DETECTION ACTIVE # OF MFRS = 2 ALARM ENABLED CKT RCVRMF 0 CKT RCVRMF 1 CKT RCVRMF 2 TRK152 The Trunk Maintenance subsystem generates this log when the Bluebox Fraud Detection feature is deactivated. Example: TRK152 APR04 12:00:00 2112 INFO BLUEBOX DETECTION CLEARED TRK153 The Trunk Maintenance subsystem generates this log when the Bluebox Fraud Detection feature is active and a fraudulent call is detected. Example: TRK153 APR16 12:00:00 2112 INFO BLUEBOX CALL DETECTED IC TRUNK = CKT RTP2W 1 CALLING # = 9197811199 OG TRUNK = CKT CARY2W 2 CALLED # = 61247418888 CALLED # REPLACED BY 3152651234 CALLID = 123456 TRK154 The Trunk Maintenance subsystem generates this log when the Bluebox Fraud Detection feature is active and a fraudulent call is disconnected. Page 18 PRACTICE 297-1001-132 RELEASE: 02.01 Example: TRK154 APR11 12:00:00 2112 INFO BLUEBOX CALL DISCONNECT CKT APEX2W 1 CALLING # = 6133628669 2 CALLED # = 6124741888 CALLID = 123456 Page 19 F0184 BLUE BOX FRAUD PREVENTIONN NTX044AA CAMA FDM ┌────────────────────────────────────────────────────────────────────────── ────┐ │ DMS ALL BCS27 Feature Description Manual │ 890120 │ ├────────────────────────────────────────────────────────────────────────── ────┐ │ Package NTX044AA04 CENTRAL AUTOMATIC MESSAGE ACCOUNTING (CAMA) │ │ Feature set ADMINISTRATION │ │ Feature BLUE BOX FRAUD PREVENTIONN │ │ Feature no F0184 │ ├────────────────────────────────────────────────────────────────────────── ────┐ │ │ │ │ │ │ │ DESCRIPTION │ │ ----------- │ │ │ │ "Blue Box" fraude prevention depends upon an in-band signalling link (SF) │ │ being present in an end-to-end call connection. This signalling link is │ │ relealsed by the calling party using a blue box before or after the called │ │ subscriber answers. The signalling link is then re-seized by the calling │ │ party and a new destination directory number outpulsed (MF) using the blue │ │ box. This operation, except for the wink start or delay dial signal, is │ │ transparent to the offices preceding the in-band signalling link. │ │ │ │ In order to detect this type of fraud, DMS-200 will detect a seocnd pro- │ │ ceed to send signal from the incoming SF unit at the distant office, i.e. │ │ a signal having a nominal duration of 200 msec. (greater than 75 msec. and │ │ less than 2 sec.). Upon detection of the second proceed to send signal, │ │ DMS-200 will connect an MF receiver to the incoming CAMA trunk for a pe- │ │ riod of 30 sec. If digits are not received within this 30 sec. period, │ │ the second number is entered on tape, together with an identifying code. │ │ │ │ At this point the call may be dropped or allowed to proceed, the operating │ │ company having the necessary data to correctly bill the call. There is no │ │ danger of the fraudulent call proceeding after time-out of the DMS-200 MF │ │ receiver, as the MF receiver at the distant office will time out after 25 │ │ sec. If this occurs, the fraudulent call must re-instate his call, in │ │ which case the detection is repeated. │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├────────────────────────────────────────────────────────────────────────── ────┐ │ Section B Available Features NTX044AA04 Feat: F0184 │ Page 1093 │ └────────────────────────────────────────────────────────────────────────── ────┘