Fraud Management in the Simwood API

Simon Woodhead

Simon Woodhead

15th May 2012

We have today made live some new experimental functionality in the Simwood API that we hope will greatly help you manage the pervasive risk from your customers’ or your own systems being hacked. As a business we do not want to make money from traffic you didn’t intentionally send; it sours relationships and nobody gains in the long run. We greatly prefer to work with customers to either prevent compromise in the first place or identify when it has occurred as soon as possible.

Some of the ways we currently do this are:

– Our IP Reputation service ThreatSTOP which will block access to known suspicious sources of traffic at your firewall. It is an invaluable layer of protection particularly given Simwood is a source of VoIP specific data from our Honeypots and Darknet. For a free 30-day trial, please contact us.

– If your system is unfortunate enough to be compromised there are certain behaviour patterns which we try to identify. Many of you will have had emails from us advising of suspicious calls that we blocked. Despite our best efforts we cannot block everything and if a system has been compromised it is only a matter of time before successful calls are made.

– Our API (and portal) gives a near real-time insight into account activity and, notably, reports on account balances and recent activity. Many customers have integrated balance and channel usage data into their own monitoring solution and already report exceptions. However, this data is always historic and we see increasing tendency for attacks to be shorter and more intense to overcome such solutions. Whilst channel usage may show a spike, until calls finish you have no way of knowing whether the spike was innocent or not.

We recommend customers monitor the value of calls in progress. As compromised systems invariably call high cost destinations, the cost of calls in progress will likely spike more than the channel usage which may in fact not change at all – 1000 calls to the USA is very different to 1000 calls to Somalia. However, we recognise that this is not technically possible for many customers.

Therefore, our API now has new functionality. It can return the total estimated value of calls currently in progress on the Simwood network, but not yet finished and therefore not yet billed. This single measure alone could be integrated into your monitoring to identify a deviation from normal and indicate an attack.

Beyond this, it will also summarise the value and number of in progress calls by destination. You may therefore wish to monitor at this level and establish thresholds for each destination. Having done so you can trigger workflows and escalate anomolies as required.

We aim to complete this calculation continuously and the API will always return the latest data; historic data is not available. How frequently it updates will depend on the overall volume of calls in progress and will range from a few times per second to every minute or so. For those who wish to use this data extensively, we can push new values to a URL on your systems from where you can log or analyse the data real-time.

Please consult the API documentation for further information on this.

We hope you find this change useful and very much look forward to your comments.

Related posts