PRISM IRSF TEST NUMBER DATABASE - The most effective IRSF detection tool available.
The PRISM International Revenue Share Test Number Database was initially made available in August 2013 to a number of CSP's on payment of a modest annual subscription.
From analysis of call records associated with IRSF incidents, it became apparent that preceding most attacks, test calls were being made to confirm that a country and number range could be reached from the device a fraudster was using, and the country he was calling from. These test numbers were generally taken from a schedule of test numbers available from an IPRN Resellers website or rate card. Once the calling availability is confirmed, the fraudster will then apply to the IPRN Reseller for one or more numbers to use for his IRSF activity. There would typically be a delay of between 30 minutes to 24 hours from the test numbers being called at the IRSF ‘call pumping’ activity starting.
Recognising the value of these test numbers as an early warning of an IRSF attack, Yates Fraud Consulting Limited initiated a project to analyse IRSF call records to test the value of using test numbers as an indicator of a new, or pending IRSF attack. YFCL then worked with FRSLAB (www.frslabs.com) and developed PRISM as a database of all known IPR Test Numbers that were available from IPRN Resellers. This database was initially made available to CSP's in mid-August 2013, and at that time contained 17,000 test numbers which had been obtained from 60 IPRN Resellers. Those CSP's using PRISM very quickly realised its value and PRISM has now become a critical component of their anti-fraud strategy.
Since August 2013, PRISM has continued to be improved by YFCL and FRSLABS and as at January 2022, it now contains over 6 million IPR test numbers from 232 countries, sourced from monitoring over 160 IPRN Providers, along with other sources of information. The Database numbers reached a total of 9 million in December 2021, however we have implemented a purging strategy where all numbers that have not been advertised for the previous 3 months or more are removed to try and maintain the database to a reasonable size. These numbers are constantly being changed by some IPRN Providers, so YFCL and FRSLABS are updating the PRISM numbers every 2 weeks to ensure these remain current, typically adding between 300,000 and 1 million new numbers to the database every month.
During the year Jan to Dec 2021, just under 10 million new numbers were added to PRISM, which follows 6.6 million new numbers being added during the same period of 2020, an increase in new numbers added of 49.25%. Between Jan - Dec 2019, 2.48 million new numbers were added so this represents a 300% increase in new numbers over the past 2 years.
The quantity of IPR numbers being provided for use each month by the IPRN Providers continues to increase, and the total numbers found advertised each fortnight now varies beween 2.5 million and 3 million.
We also now provide a PRISM/MRSN database which contains over 35,000 (as at 6 Jan 2022) Mobile Roaming Station Numbers which have been (and in some cases still are) advertised as International Revenue Share Numbers. If used, it is likely that these numbers will be hijacked and terminated on to an IVR. As at the 6 Jan 2022, almost 10,000 of these MSRN's were currently advertised. If these MSRN's are hijacked (or blocked) it is likely that a customer will be unable to receive inbound calls when roaming.
PRISM is now being used by over 65 Communication Service Providers across 5 continents, including some of the largest mobile operators in the world, other Mobile and Fixed network operators, MVNO’s, VoIP Operators and OTT Service Providers. All users of PRISM now regard the early warning the database provides of a new or pending IRSF attack as a critical component of their Fraud Management strategy, with most crediting PRISM for detecting between 75 and 80% of their IRSF attacks. We are frequently asked by non-PRISM users to assess what value PRISM could have been to help detect IRSF attacks they have suffered. A typical example (May 2018) where a carrier wished they had implemented PRISM earlier is;
The victim in this case is a provider of Fixed, Mobile and Broadband services. Following some network maintenance in May 2018, their network firewall was not secured adequately after the work was completed. This vulnerability was discovered by a hacker/fraudster and exploited.
Through this unauthorised access, the Fraudster/s discovered the office PBX along with the ability to dial out using their Directory Assist number. The Fraudster started making IRSF calls at 7.00am on a Saturday morning, and continued making multiple calls through the weekend until the fraud was discovered the following Tuesday morning. The compromised network access was then secured. During this 4-day period, over 14,250 calls were made to 37 Countries, with most (almost 14,000) terminating on the Belarus country code.
Had PRISM been used by this CSP, and they had a procedure in place to receive and react to fraud alerts over a weekend, then there is no doubt that this IRSF attack would have been detected before the fraudster/s had the opportunity to make use of this PBX vulnerability for more than one hour.
Of the 14,250 calls made, most to known IRSF destinations, there were 562 unique numbers called in 37 destination country codes. Almost 14,000 of these calls were to 336 Belarus numbers. All 562 called numbers were checked against the PRISM database, and 371 of these (66%) were an exact match. An additional 103 called numbers (19%) were matches to the last digit, with many of these being a continuation of a range which had been matched in the ‘100% match’ category.
It should be noted that some of the countries called are not considered a high risk for IRSF, and it is unlikely that these destinations would be receiving any targeted monitoring through a CSP’s FMS. However, had PRISM been utilised by this Operator, every call in to the 371 numbers that were a 100% match with a PRISM number would have generated a fraud alert.
With multiple calls to many of these numbers, a total of 759 fraud alerts would have been generated from a PRISM number match, during the 4 days of this fraud. Over 20 of these would have been generated during the first hour of the fraud. Had these alarms been generated, and investigated, a further 6375 calls would have been identified as a partial match with PRISM (to the last digit).
Further analysis of PRISM discovered that 304 of the numbers that generated an exact match between the IRSF and the PRISM numbers, along with another 41 of the partial numbers (61% of the total), had been advertised by two known IPRN Providers, so it is likely these two have provided the numbers used in the attack. This is valuable information to support any LEA investigation.
The losses associated with this attack could have been prevented through a very small investment in this valuable fraud prevention tool. Most PRISM customers acknowledge that they have recovered more than the annual access cost to PRISM through the first IRSF case detected. We have many similar case studies where using PRISM could have avoided substantial losses from IRSF or Wangiri Fraud.
We have also been providing pro-bono services to various Law Enforcement Agencies (LEA's) over the past 5 years, to assist them with IRSF investigations and in every one of the 50 plus cases we have reviewed for these LEA's, the fraud could have been prevented, or losses significantly reduced, had PRISM been used by the Telco victim.
For further information on PRISM go to the White Pages TAB and open the PRISM Introduction and PRISM FAQ files.
PRISM 'WILDCARD' DATABASE
In addition to PRISM, a second database has been developed to capture the number ranges these 9 million numbers represent, by replacing the last 2 digits of each PRISM number with wildcards. This 'Wildcard' database contains over 20 million numbers and has become a valuable detection tool for Wangiri Fraud, recognizing that most IRSF or Wangiri Fraud attacks will utilize a range of numbers made available to fraudsters.
PRISM NEW NUMBERS DATABASE
Some users prefer to download only the new numbers located each fortnight, so a separate download function is provided to download only the new numbers - numbers that are not already in the database.
All these PRISM database downloads can be automated through the use of our PRISM REST API, which is available along with every subscritption. All PRISM users are notified by email when each fortnightly number update is available to download.
Communication Fraud Control Association (CFCA) Fraud Loss Surveys since 2013 have confimed that IRSF is the highest impact fraud to Telecommunication Service Providers and has been during each of the 5 surveys completed to date. The most recent survey, completed in November 2021, puts the loss to the industry for that year at $US6.69 billion.
While other providers of IPRN databases are starting to enter the market, PRISM is without doubt the most complete and proven IPRN Database available, and does not require the purchase of any other vendor specific solutions to support it. PRISM can be used in association with any in-house or vendor supplied FMS, providing it has the ability to manage a 'B' number hotlist.
Our trusted partners and PRISM users include:
for further information on PRISM, click here for the PRISM FAQ document (or go to the White Papers section), or complete the Contact form for further information and you will be contacted within 24 hours.