MCI Accused of Long-Distance Call Accounting Fraud

drcobb writes "According to the New York Times, MCI is under investigation again. This time for spoofing SS7 point codes to avoid paying access tariffs. Federal prosecutors have opened an investigation in the United States and Canada into accusations that MCI, the nation's second-largest long-distance carrier, defrauded other telephone companies of at least hundreds of millions of dollars over nearly a decade, people involved in the inquiry said."

spoofing ss7?

[Anonymous Coward]

please.

What does spoofing ss7 point codes have to do with this?

Oh, you can't really spoof ss7 point codes, otherwise the return ( cells? ) have no way of getting back to you, so how do you expect to terminate a call? hmmm?

dumbass.

get some clue before you write about telephony related things.

oh, every facilities-based provider gets around getting billed for access, especially when you're talking about intrastate calls. ILEC will bill you roughly 3.5 cents a minute, new CLECs do the same thing, older CLECs charge more but will have to reduce their access costs.

for interstate calls, you're getting hit for half a cent a minute.

there is a document on this somewhere on the fcc site describing how the rates have to go down, and what the rates have to be for intra/inter state access charges.

get some clue.

Re:accounting?

[rfmobile]

Remember, though, that MCI was Worldcom. (Worldcom changed their name to MCI).

read the article - it states this began in 1994 at MCI before it was bought by WC.

Not exactly uncommon in telecoms...

[heironymouscoward]

(I am not a telecoms specialist, this is second-hand knowledge...)

Most billing systems in telecoms infrastructure work on trust to some extent. That is, billing is based on information such as the originator address, but many telecoms systems do not verify this kind of data except in a limited way.

In a general sense, once you are on a telecoms network, your partners trust you to play fair, but there is not a general paranoia. Historically this was because nationalized telcos had no reason to cheat.

This is a particular headache for SMS operators, since it is relatively easy for fraudulent operators to send SMS traffic with spoofed originating addresses. The traffic is either billed to the wrong parties, or at the wrong rate.

Obviously whenever this kind of fraud gets uncovered, people tighten up their security. But often the cost of doing this is so high that it's a last step, not a first one.

Think of unsecured email and you get a fair analogy.

Perhaps a telco insider has a better view?

CellSocket

[cameldrv]

You might want to look into getting a cellsocket. It's not exactly what you are asking for, but it's a cradle for your cell phone that charges the battery, provides an external antenna hookup, and plugs into your phone jack. You can then use regular phones in your house, and it will send the call through the cell phone.

Re:accounting?

[mandalayx]

right, then after the debacle, WC tossed the name and went back to MCI.

Re:Wow.

[Tsu Dho Nimh]

The billing is very automated, and relies on coding inserted by the equipment to settle the bandwidth charges on the backbone carrier networks. The investigation is looking into allegations WorldCom/MCI would sneak their calls into rival LD networks via small local-only networks, and even did what appears to be the equivalent of "relay rape" where possible so ATT Canada got hit with the LD charges.

Justice Department officials have evidence that MCI may, in effect, have "laundered" calls through small telephone companies, and even redirected domestic calls through Canada, to avoid paying access fees or shift them to rival long-distance carriers, according to people involved in the investigation.

Re:Tariffs are the single largest cost??

[Detritus]

A tariff is not a tax. It is a regulated price for a service. In this case, the long distance company pays a few cents a minute to the originating and terminating local carriers for access and use of their networks.

Phreaking for beginners

[BiggerIsBetter]

Nope, plaid box is taken. A plaid box [i12.com] is a a box for converting ma bell's pulse-phone lines to touch-tone lines.

More boxes [i12.com] than you can shake a handset at.

Re:So...

[Mister Transistor]

You as a customer wouldn't see any money out of em, anyway. They were cheating other phone companies out of their cut for originating or terminating the call. They were charging their customers the full tarriffed (sp?) rate, but not overcharging them. They were just lowering their overhead by fraudulent methods. Any fines or remuneration would be to the telcos they cheated. Sigh.

Re:Wow.

[Mister Transistor]

Acutally it wouldn't be quite that bad; all they need to check is the beginning and end of the call, and verify that the source and destination were correctly specified for the confirmed call from here to there... If the source and "here" don't match - fraud alert!

The calls that were switched onto another LD carrier would be much more difficult to backtrace, because they would all show origination from whatever local office they were transferred through. They most likely had forged source information that showed the origination as the local office that they were first illegally transferred to. That's a double whammy, not only are they getting out of termination tarrifs, but they are actually using their competitor's infrastructure for free and charging the termination fee to them to boot! Wow.

How it really works

[ZPO]

Here is how something like this typically works.

First, how is it supposed to work. SS7 pointcodes are like the IP address of a telephone switch. Messages are routed through an SS7 network that runs between switches to route calls, identify the source and destination information, and generate billing data. There are rather simple ways to conceal the origin of these calls. The ILECs (who own the InterLATA tandems) have gotten their friends, the state PUCs, to continue with quite high orig/term interconnection tarriffs. This is a huge source of revenue for them. The original concept was to pay for the large upfront expenditures to install the interlata tandems with the breakup of AT&T and the entrance of the new (at the time) IXCs. Those switches (and the required capacity upgrades) have been paid for hundreds of times over. When you consider $.05/min long distance and the orig/term fees are $.03-.04/min for both ends you see the IXC isn't exactly making much. Its a little present to the ILECs from the PUCs.

Many companies are doing this today via what is known as the "enhanced service provider exemption". In short, this states that Inter-LATA traffic which is carried across an enhanced services network (VoIP, VoATM, VoFR, etc) is not subject to InterLATA termination fees at the distant end of the call. The rules are pretty vague here and there doesn't appear to be a minimum percentage in the quantity of calls which must be handled by the enhanced services network or a percentage of the overall call distance that must be handled by the enhanced services network. What you get is folks that buy some to handle perhaps a T1s worth of trunks, place them next to each other in the rack, and route a few calls through it within a single office. Under the current rules they now operate an "enhanced services network" and are thus exempt from paying the orig/term InterLATA tarriffs. There is at least one large calling card provider (especially catering to the Hispanic population in the US) that does exactly this. The company then finds a friendly CLEC to allow them to dump their calls into the local network via MF (tone signalled, non-SS7) trunking and the origin of the call will appear to be a local number.

In the old days (pre-1999) there were several companies doing this without bothering to claim the enhanced service provider exemption. I've personally seen companies locate in a CLEC colocation facility and house nothing but a patch panel in a closed cabinet. MF trunks from IXCs (long distance carriers) are brought in on one side, and MF local-access trunks head out the other. This is also known as "dump and term".

When you're MCI (WorldDom) this becomes trivially easy. MCI owns at least 2 CLECs. WorldCom bought Brooks (I ran local operations in 2 cities for Brooks) shortly before the MCI deal. They also bought MFS several years before that. It would be a very simple matter to use an intermediary in each LATA to launder the traffic via MF trunks back into their MFS/Brooks switches and then pass them off to the ILEC (incumbent local exchange carrier) as what appear to be local calls. There isn't any high-tech SS7 munging required here.

This could also be accomplished via some sexy work with SS7 on a switch. It would be like NAT and would rewrite the originating point code and phone number to a local one. The same SS7 hardware would take the messages coming back and rewrite them to go to the proper switch. We do NAT with IP addresses every day. Its not a large stretch to imagine doing it with SS7. I don't see much of a need to though. There are much simpler ways to accompish it.

Hell, if MCI/Worldcom doesn't mind the exposure just run the MF trunks between local and LD switches without the intermediary. It opens up a huge liability hole, but it may have been deemed acceptable.

Re:Wow.

[scoove]

all they know about is "administration"

Even that is a stretch. Having dealt with various Worldcom entities for more than a decade as a carrier customer, I'd argue that it's hard to claim that there was any organized administration.

Ebbers was a rabid M&A man, and he did an exceptional job in keeping the acquirees off balance; e.g. MFS Datanet acquisition (Crowe and other MFS executives got to play "co-CEO for a day" and experienced all the usual Ebbers tricks).

Unfortunately, the consequence of this structural imbalance was a balkenized company. I've been on conference calls where MFS people accused MCI folks who were accusing LDDS folks who were blaming Worldcom folks, and so on (all in front of the customer). One unified company? Not.

In fact, things were so bad in 1998-2000 that circuits would routinely be lost or even killed by incompatible systems. We had DS3s from Washington to NYC which were originating and terminating feature group D circuits (for local phone calls from Bell Atlantic to the carrier I worked for) that one Worldcom system would label incorrectly (putting a code on the circuits that indicated it was temporary), and another started killing off when so many months passed without a change in the code to a permanent status.

Amazingly, Worldcom couldn't restore the circuits. They claimed that once a circuit was killed, the only solution was to create a new circuit. This took weeks (with disrupted traffic), only to go through the same problems three months later when the new circuits would get knocked down. Suffer a half-year of this abuse and you'll see all of your local long distance customers disappear as this carrier did.

I always suspected anticompetitive practices behind the activities, and surprisingly it's not difficult to construct. Looking at the practices as a business "denial-of-service attack", minor decisions (like not funding and fixing compatibility problems between systems that only affects carrier customers) end up having strategic value. Combine that with a "we're too large to respond, investigate or care" attitude, e.g. Worldcom billing's inability to figure out how to properly credit, and you've got a pretty effective strategy (Qwest is another notorious "goof and refuse credit" player - if you've got the attorneys and the size, I guess they feel the need to use them to stall customer refunds). This was one literally hundreds of experiences of this nature with Worldcom.

It'll be interesting to see of the Feds look into Worldcom's "leaky PBX" operations, where they routinely dumped international calls into foreign telephone networks without paying settlement. By obtaining local phone lines to a office PBX, and back-ending the PBX with international circuits (often satellite links on the office building), Worldcom would sneak traffic in and dump it without paying any per-minute rate - much similar to some of the local termination abuse claims being investigated now.

In Worldcom's defense, many carriers also employed leaky PBX.

*scoove*

Re:Wow.

[isdnip]

I'll explain *specifically* what I witnessed myself, as a recipient of these calls.

My home phone rang, and I read the caller ID. It was an unfamiliar local number, showing no name, just the city. The caller, however, was in another city. He was making an ordinary LD call using his local phone company (no VoIP hacks) and MCI as the LD company. I specifically noted this on two different occasions, with the caller's real locations on opposite sides of the country (NY and CA).

The local number at my end belonged to Focal, a CLEC. So my local carrier, AT&T, saw the call as a local one from a Focal subscriber. I presume it had a Focal point code (Signaling System 7 network address; these are three-octet numbers, like 005.103.204). Thus AT&T did not see the call as MCIs, and did not see the call as long distance. Focal may have owed them a little fee for local termination, if anything, but not the fee that applies to long distance termination.

Under the current FCC rules, the rate that a carrier pays for a half-call depends on whether the call was toll or local or ISP-bound. And don't ask about VoIP's status, which is fuzzy. Having different rates for the same thing invites fraud. But in MCI's case, it was blatant -- the incorrect CallerID gave the whole thing away.

Re:How it really works

[ZPO]

You're absolutely correct. Now that you remind me I think the calling card operator was using PRIs. In that particular case they were running the PRIs back to another state to be terminated in their switch. Their initial install had been done before I took over the market in question. When they went to add another 28 PRIs I (under advice of counsel) asked the sales rep to get a signed statement from them that they were operating a network which qualified under the "enhanced services exemption" rule. That was not a happy sales rep!

I'm not a big fan of the origination/termination tariffs for LD calls. If you look at the pricing on LD plans you'll almost always see a lower rate for interstate than intrastate. Its the same LATA tandem terminating both calls on exactly the same hardware. The difference is what the PUC has granted the ILEC (RBOC) on intrastate calls ($.025-.05/min) vs. what the FCC has set as the rate for interstate calls (?? ~$.005/min). An average of $.03/min starts adding up rapidly when you've got millions of channel/minutes per day. There is no technical difference so the only difference is regulatory.

Take it another step and look at the traffic settlements of most CLEC/ILEC interconnection agreements. The ILECs screamed until they got them put into the interconnection agreements. They expected a huge profit center. When the CLECs started signing up all the ISPs the ILECs screamed about "abuse of their network" amazing the difference in "fairness" to the ILEC mind between depositing the checks and having to write them. Even with settlements, they are pretty low. IIRC, $.0002-.0005/min for direct EO term, higher plus mileage for access tandem termination. It varies for each interconnection agreement. If the IXC owns a CLEC and terminates the call either directly to the EO (end-office - also known as LSO) or even via the access tandem then why should the interconnection tariff be 5-10 times higher? Its all in the regulation folks. I'm not sure what the solution is, but I'm very sure its not more regulation.