funsec mailing list archives

Re: Sri Lanka to cut phone links to 13 countries to stop scams


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 31 Oct 2005 22:23:02 +1300

aborg () mca org mt wrote:

<<snip>>
I work for a regulatory authority and we've had numerous debates as to who
should be liable for this problem. On the one hand, there's the consumer
with a huge bill that he is unable/unwilling to pay (rightly so). On the
other hand there is the telco with the "any calls you make you have to pay
for" clause in their user agreement.  Both are unwilling to pay but IMHO,
the telcos don't do enough to help prevent this problem.

In New Zealand (don't be fooled by the .uk Email address), the two 
major telcos have both (voluntarily, but after a deal of public outcry) 
implemented a form of "filtering" whereby they note any account without 
a previous history of making long DDI calls to certain "expensive" 
offshore locations known to commonly host these dialler hijackers' 
target numbers and they call the account holder within a day or so of 
the first such charges being rung up and ask if they knew they were 
making calls to wherever.  If the answer is "no" I think that both 
telcos explain that such charges have been made, how and why it happens 
and then waive the existing charges _if_ the account holder accepts a 
total ban on outgoing (DDI) calls to those countries, at least until 
the customer calls back, says they have fixed their dialler problems 
and they want to lift the dialling ban -- after that, the customer 
accepts responsibility for further charges for (DDI) calls to those 
countries.  The telcos also maintain lists of numbers that they are 
convinced (from their complaints dep'ts and the above call monitoring) 
are involved in such scams and simply blacklist those specific numbers 
for outgoing calls.  Customers who really do want to call any of the  
"suspect" numbers can, I believe, request to be whitelisted from 
_all_ such filtering/monitoring.

With a total customer base of 3-4 million between them, this is 
probably a (just) manageable approach, but it may not scale well in 
larger markets...

Having a regulator impose such a remedy forces the telco to increase his
costs (through the operator assisted calling to foreign countries) and
therefore take a closer look at the problem.

Surely the telco simply passes along the increased costs of operator 
assistance?  That is why operator-assisted calls are more expensive 
than DDI calls to the same place, isn't it?  Or is NZ just odd in 
having different pricing rates for DDI and operator-assisted calls?

If threatened with regulatory imposition of an outright DDI ban on 
calls to "suspect" countries, perhaps considering the NZ Telecom and 
TelstraClear (NZ) approach to such calls might be worthwhile.  It won't 
impose extra cost on those who legitimately want to call those 
countries, and may even produce something of a "warm, fuzzy" for your 
customers if you seem to be proactively protecting them from 
themselves (sadly, something more and more folk seem to want more and 
more these days as "modern technology" forges ahead without so much as 
a thought for how stupidly bad so much of it is because of how easily 
abusable it is...).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
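
The filtering scheme described in the message above, sketched as an added example (not part of the original post and not either telco's code). The prefixes, numbers, field names and the handling of a "yes" answer are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed placeholders: the post names no countries or numbers.
HIGH_RISK_PREFIXES = ("+999", "+998")
BLACKLISTED_NUMBERS = {"+9990000001"}

@dataclass
class Account:
    history: set = field(default_factory=set)  # high-risk prefixes with known prior use
    banned: bool = False         # holder accepted the DDI ban in return for a waiver
    accepted_risk: bool = False  # holder lifted the ban and is liable from now on
    whitelisted: bool = False    # holder opted out of all filtering/monitoring

def risk_prefix(number):
    """Return the high-risk prefix a dialled number falls under, or None."""
    return next((p for p in HIGH_RISK_PREFIXES if number.startswith(p)), None)

def screen_call(acct, number):
    """Decide one outgoing DDI call: 'allow', 'block' or 'allow+callback'."""
    if acct.whitelisted:
        return "allow"
    if number in BLACKLISTED_NUMBERS:
        return "block"
    prefix = risk_prefix(number)
    if prefix is None:
        return "allow"
    if acct.banned:
        return "block"
    if acct.accepted_risk or prefix in acct.history:
        return "allow"
    return "allow+callback"  # no history: call connects, telco phones the holder

def resolve_callback(acct, prefix, holder_knew):
    """Record the holder's answer to the telco's follow-up call."""
    if holder_knew:  # assumption: the post does not cover the "yes" case
        acct.history.add(prefix)
        return "charges stand"
    acct.banned = True
    return "charges waived, ban applied"

def lift_ban(acct):
    """Holder reports the dialler problem fixed and asks for the ban to go."""
    acct.banned = False
    acct.accepted_risk = True
```

The per-account state is what makes the approach labour-bound: every "allow+callback" result is a phone call someone at the telco has to make.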
