 Welcome everyone to the first talk in the morning. We are here to learn something new about exploring the fraud and telephony networks. The speakers today are Aurélien Francaillon and Mervie Chahine and they will give you a little bit of an understanding of the telephony fraud ecosystem so that you can learn a bit about what telephones can do. So give a warm hand of applause to Aurélien and Mervie. Thank you. Good morning everyone. Happy to see so many people working up for the first talk of the day. Happy to open the session today. So our goal in this talk is to give you first a broad overview of telephony fraud. What is telephony fraud, why it is important, how does it work and then we dive into a few topics. We're going into more detail. There'll be some new content, some things we've presented before but the goal is really to give an overview to dive into some of the difficulties there, some of the things on how you can analyze, how you can detect and especially what we care about understanding how does it work. So a small talk of myself. So my name is Aurélien Francaillon. I'm an assistant prof in Urecon, a small engineering school in the French river next to Nix. And my specialty is working on embedded system security as well in telephony fraud. Right now you can follow me on Twitter, Aurélsec and I'm actually hiring students, PhD students, engineers, feel free to get in touch in case of need. So hi everyone, my name is Mervie. I have been working the last almost five years with Aurélien on telephony fraud. First I started as a PhD and then I did one year of post-doc and starting from next year actually I will join SAP security research. Good, so telephony fraud. What's really interesting about telephony fraud is that telephony is like the oldest network we have today still running. So telephony started in 80s, 70s, the beginning of interconnections of phones. And since then, since 150 years, we kind of have backward compatibility. So it's kind of a big legacy. Another thing interesting for fraud is that everything is built. So almost every phone call you make, even if you have some plans or something, there is some bidding behind to check how much time you call, which number, which destination, all this is very complicated. And since the beginning, people try to make some free calls. So for example, to fraud some telephone operators, right? And do social engineering against them. And then today, so it's getting quite complicated. There are multiple technologies which get converged. You have voice over IPs since like 20 years, but no tons of applications. Those are interacting with the telephony ecosystem. So this is getting complicated with many different actors involved. Before, you had these state-owned operators like Orange in French for the telecom in Germany. But since 20 years, it's getting lots of operators, lots of interconnection and so on. Telephony fraud, telephony is not reaching like seven billion people. So it's really huge. And this generates a massive amount of data. Finding the fraud in there is not always easy. So let's look at the ecosystem, right? So at the beginning, you have a phone, right? So it may be a long line phone, an old analog line. It could be an analog line in a company with a PBX. Or it's most likely today, if you're in a company on the product network, it's an IP phone with an IPPBX. So those phones get connected through different connection links to your operator. And of course, you also have mobile phones, which as well gets connected through wireless to your operator network. So we don't care so much about the technical details of how these interactions work, but more how the calls are routed across operators, right? Because if you have a call from the same operator to the same operator, it stays on the network. But extremely often, you go over another operator because you call someone that's in another country or in another operator. So you have to get some interconnection between two operators. And then again, extremely often, you have to go through some transit operators because you are across multiple countries or they just don't have a direct link. Or for some random reason, price or someone that still go through a transit very often, you have multiple choices on some transit go through some other transit. And that's getting complicated. Sometimes you have 10 transit operators between the two callers. So of course, as we mentioned, your mobile phones today, they are computers and you have tons of applications also over IP and what is called OTT will come back to it. And these allow to interconnect with the telephony legacy telephony system that adds some complexity. And in the end, if you call mobile phone from a mobile phone, you may go through all this, right? All this complicated network on transit or you may also go directly between the two phones over the IP network that's extremely frequent today. So in all this ecosystem, now we have some fraud a bit everywhere. So for example, you may have your operator who's overcharging you something, this happens, this happens. And then you may have other cases where your phone gets stolen on your SIM card is abused to generate some calls to some premium numbers, right? And then you get extremely high charge at the end of the month. And sometimes it's even within a few hours before your phone line is cut. We'll talk about that in a bit. In some cases, I don't know if it occurs to you, you may have someone calling you from one country and you receive the call and then you see the caller ID which is changed. So your friend's calling you from, let's say, Russia, and then you get a UK caller ID. And that's a kind of awkward. Typically, this is done with a SIM box, which gets somewhere into the network to abuse some SIM cards. And this typically changes the caller ID. We'll see some examples of that as well later. Another thing that's extremely important today is unwanted calls, voice, spam, robot calls. Basically, they have robots that would just spam you a lot and everyone received some spam calls before. We'll talk a bit about this too. So in the end, there is fraud everywhere in these networks. And we need to kind of understand this because these frauds have some consequences. These consequences are important. So in terms of money, there is no good study about it. There is one study by CFCA which states that they do it annually. But overall, they claim that telephony fraud costs something like $4 billion a year. That's significant. But these numbers are not extremely reliable. But if you just look at the complaints from users, so it's about half a million users which complain to the FTC in U.S. about receiving some spam calls. Half a million per month. Half a million complaints per month. There is also a telephony service which basically happens to make emergency phone numbers unavailable that can have life-threatening consequences. So we rely on the system for us to need to work. And another thing as well is that more and more we rely on the telephone for using it as a trusted party, as a secure system, a secure mechanism so that we can use, for example, two-factor authentication. But we have seen recently some cases where two-factor authentication is abused. So you receive a text message on your phone to log in to your bank or confirm a bank transaction or access your Bitcoin wallet. There have been cases with Bitcoin wallet stolen because people just went to the shop or bribed some employees and they get the phone number attached to a new SIM card with their own and then they can get the reset password message and confirmation text message on the phone. So all these are actually abused in the wide. So because all this gets quite complicated, in fact, very often when some people talk or you check online, you find people talking about frauds and then they meet according to the technique, they say PABX frauds. There is no such thing as a PABX fraud, right? PABX can be abused, compromised, and they can be used to make a lot of different frauds. So we actually came up with a definition because we're scientists, so we have to come up with definitions, trying to help us to understand this in a proper way. So at the beginning we said that a fraud scheme is a way to obtain an illegitimate benefit by using a technique, right? It's important because, as I mentioned, techniques can be used in multiple frauds. In the end, these techniques, they are possible because there are weaknesses in the network, in the systems, and these weaknesses are present because there are some root causes which have been there for a long time and they are hard to fix. So to get a bit more concrete, here is an example with the callback scam. So you all receive these text messages, these calls, very short calls, which make your phone ring, say, there is no message, maybe you call back, right? So the goal of the fraudster is to, they will call lots of people and they will generate lots of one ring on many phones. They expect that some people call back and they will call back, but when calling back, they will call back a premium rate number. And this premium rate number will generate some cash for the fraudster. So this we can actually analyze in this taxonomy. So we can define the fraud scheme as a callback scheme. The benefit of the fraud is to obtain some revenue share from these premium numbers. Then the technique would be, multiple techniques can be used, but first, we see that some color edged spoofing can be used. There will be some weaknesses in the system. So basically, you can do color edged spoofing because there is no color edged authentication in these systems, in the telephony. There are some things ongoing to fix this, but it's still going to take a lot of time before it's completely there. And in the end, all these are possible because you have legacy networks and so on, right? So we can up with this classification layers and then we can make this a bit more complicated and we can just categorize the different classes of frauds and put it in there. Classes of frauds, classes of techniques and weaknesses and so on, and where to obtain benefits. And then we can get this to a lot more detail. I don't expect you to look in detail at this figure. We have a paper where we discuss all this, but we're going to use this as a thread of the talk. And we're going to talk about some specific parts of it. Maverick is going to start talking about international revenue shaft fraud or IRSF. So before explaining how this IRSF works, first I need to explain to you how a normal international phone call works. So let's say there is a caller in country A, he wants to call the callee in country B. So for this call, the caller will pay some amount of money to his operator. Let's say he pays $1. So it's most likely that there is no direct connection between these two operators. So the call needs to go through several transit operators. And what happens is that each operator, like operator A, he will have a rate sheet showing that for this destination, he can use several different transit operators to route the call. And each of them probably have different qualities and different prices. Of course, if he chooses a cheaper transit operator, he will keep more money for himself. But usually this decision is very complicated. So let's say operator A chooses T3 as the transit operator. Again, T3 will have multiple options. Let's say it chooses T4. And finally, T4 actually paid the international call termination fee to the destination operator. And the call is terminated on the stage destination. So what happens in case of international road is basically there is a fraudster who is generating calls on behalf of someone else. He can use stolen SIM cards, he can compromise the telephone system, he can use mobile malware, et cetera. And basically at some part of the call route, there is a transit operator that is a kind of shady fraudulent operator. And instead of sending this call to the legitimate destination, this operator can make a deal with a premium rate service provider and actually hijack the call and reroute the call to this provider. And of course, in this case, they don't have to pay any money to the operator B. Instead, they can keep this money for themselves and share between each other. And finally, our fraudster will also get some part of the revenue for each minute of the call that he generates. So we analyzed this fraud scheme basically from the perspective of these premium rate service providers. So actually, if you go online, make a Google search with the keyword international premium rate numbers. You will see many, many websites that are advertising those numbers. So they tell you that you can get a phone number for free. You start generating calls to this phone number and then you receive payments via several different payment methods. And they also give you a lot of support, whatever you need. This is an example of the money paybacks. For instance, if you start, if you generate call to this phone number in Belarus, you will be getting 10 cents for one minute of call. So one interesting thing was that those IPRM providers, they actually also have some test interfaces. And this is necessary because before you start the actual fraud, you need to make sure that the hijack works. So you first go to the test interface, you make several tests. You check if your call is hijacked in this route and if you will be able to receive payback or not. And actually, those test interfaces, they are advertised on social media, on Facebook, Twitter, with the user accounts, test user accounts, and so on. So once you go to one of those interfaces, you will see several phone numbers from many different countries. You can pick one of those numbers. You make your test call. And if the test call is successful, basically, you will see in the website in real time, if your call, the hijack was successful, and if you will be able to get some money payback from this call or not. So basically, what we did was to crawl those test portals for about three years, actually. In total, we have been collecting more than 1.3 million test numbers and 150k test call records. So the first interesting thing that we observed was that actually all the countries and territories in the world are affected by this fraud scheme. But some parts, some continents and countries are affected more, like African countries, Russia, some islands in South America, and so on. One important thing to note is that the test numbers that we collect, they are not used for the actual fraud scheme. So first, the fraudster goes to the test interface, makes several tests to several destinations, and if the test is successful, actually, he will obtain another number that will be dedicated to himself. But this number will probably be in a similar number range with the test call that he made. And actually, so the fraud actually will occur on similar numbers to the test numbers. So as an example, if this is a test number that you see on the test interface, most probably this number is hijacked in a range of 100 or 10,000 numbers, but we don't actually know the actual range of hijack. So in this picture, okay, it's a bit complicated. So here we see the whole number space of two countries, Latvia and Cuba. So in the y-axis, you see the first four digits, all possible four digit numbers, and in the x-axis, you see the last four digits. So if you actually move over the x-axis, these are the consecutive phone numbers. And if you move over the y-axis, you can see number allocations in the country by the type. First of all, W denotes the mobile number range. So in Latvia, for example, mobile ranges start with two, while in Cuba, mobile ranges start with five. So the first thing we observe here is that the spreadness of IPRNs are different in each country. In Latvia, the test numbers are more concentrated on five number ranges, but in Cuba, they are much more spread and much more random looking. The second observation we can make is that the dots, that you see, the red dots, they actually come from the number ranges that are not allocated by the regulator of this country. So actually, normally, those numbers that should not be used and should not be called by anyone, but they are still being abused for this fraud. And the last observation we make is that you are seeing some vertical lines in the graphic, and this is because the test numbers are most of the time selected from the beginning of these four digit number ranges. So once they hijack a range, probably they advertise the beginning some numbers from the beginning of the range as the test number, and maybe they use the rest for the actual fraud. Okay, so another thing that we analyzed was the behavior of different providers, if they behave the same way or they are different. So these are some statistics from six of the providers. You can see the first two of them are the most active ones. They change numbers very frequently, so an average advertisement duration for a single number is only four or five days, and every new day, they advertise almost 2,000 new phone numbers. Probably they do this because after some time, these phone numbers start getting blocked by operators, so by changing the numbers frequently, they make the test calls more successful. But the rest of the providers, they basically are more static. They advertise phone numbers for really long durations, and they actually advertise a few new numbers per day. So another thing we looked at was to check if two different, if one phone number is shared between multiple providers or not, and it turns out that among the more than one million numbers, only 70,000 of them are observed in more than one provider. But actually, if you ignore the last four digits and if you look for the number ranges, almost 80 percent of the number ranges have been shared across all the providers. So after making some observations on these numbers, of course, we want to focus on the solution. So from the perspective of a telecom operator, an operator only sees the call that I recorded that I recorded in his own infrastructure, so these records include the date, the source number, destination number, duration, some signaling information, et cetera. So it actually turns out to be very challenging to detect IRSF because operators have limited, like, the local view of the call, and they actually process a massive volume of traffic and phone numbers every day. And sometimes anomaly detection techniques does not actually work because the number of fraudulent calls can outnumber the legitimate calls for some of the source numbers. Also, operator has many different uses with different behavior. For example, an outbound call center that is making calls to many remote clients will not behave the same as some home user. So, of course, first naive approach to detect IRSF would be just to look for those test numbers and the number ranges that we collected. But this is not a good solution because this is incomplete. We cannot track all the IPRM providers in real time all the time. And also this is likely to bring some false positives because not all calls to suspicious numbers will be fraudulent. So our approach, our idea was using these test numbers in a different way. For instance, we compute some IRSF likelihood for the destination number, depending on the distance of this number to the known test numbers. Or we can compute some, again, likelihood score for the destination country that relates to the ratio of IPRNs advertised from this country and the test call logs observed to this country. And finally, we combined this with some statistics from the call records, like how many seconds have passed since the last call from the same source number, or how frequently the source number calls this particular destination number. So we were lucky to obtain some call records from a small European operator, and we were able to evaluate this approach, actually. So the dataset we obtained includes four different IRSF cases. Three of them are compromised telephone systems used for IRSF, and one of them is a stolen SIM card again used for IRSF. So in total, we have 3,000 fraudulent calls in this dataset, and 150K legitimate calls. And what we did was actually by using the features that I described before, we trained the random forest algorithm to classify the calls as fraudulent or benign. And actually, of course, these are preliminary results, but it turns out that this approach works better than the naive approach of just looking for test numbers. So we actually achieved much better accuracy and much less false positives. But currently, we are working on a much bigger dataset to be able to evaluate this approach better. Okay, so the next fraud scheme that we will talk about is called Interconnect Bypass. Actually, it will be one form of Interconnect Bypass fraud. Okay. So one form of Interconnect Bypass is some fraud technique where you will root calls in a normal way. You will get the calls over some routes, which is not the normal or the most likely route or the most quality route. And you will do this to obtain some benefits. So this is a general way there are multiple techniques. We will talk in particular about Over the Top Bypass on some study we did a few years ago. So basically what is called Over the Top, so you probably heard this a lot before, Over the Top is in a way the way that telecom operators call services which run on top of their network and which competes with their network services like telephony or messaging, right? So there are tons of applications you recognize, probably most of the icons there. And these are basically competing with traditional telecom services and providing some other services too. It's huge today, right? It was sort of like billions of users. The thing is these services they in general need to make some revenue too, right? So they are very cheap or free, but they still have to make some revenue. So typical ways of making a revenue is advertisement or selling some stickers or games, etc. And one way that is used more and more is to actually provide some interaction with telephony systems. In particular we can think of Skype in or Skype out, which is very popular, it's been there for years. Skype in basically allows you to buy a phone number and get people to call this phone number that would reach your Skype account and would ring on your computer or anything you want. And Skype out is from your Skype account, you can call some international numbers everywhere in the world, so I'm sure many of you already use these services. And these are perfectly fine. However there is what is called oddity bypass, which we'll describe in more detail, which is not so fine. I'll show you why. So essentially an oddity bypass call is occurring over an international call. So like before you see you have a caller, a callee, an operating operator, some transit operator and some terminating operator. And there is some revenue share along the way, so you pay something to your operating operator for him to route your call to the destination. In oddity bypass case it could be a call generated from a mobile or online, it doesn't really matter. But the callee, the number you call, is basically a smartphone that has this oddity application and that has a SIM card with a phone number attached. So basically what happens here is that this transit operator is going to make an agreement with the provider of this service, of this oddity application, and they will route the calls over the IP network. On the call that you generate to this mobile phone number, plus 336 in France, for example, right, is not going to ring on the normal phone interface but is going to ring on these oddity applications. So maybe this occurred to you already before. And this occurs in general over international communications. So the big advantage of this is that the transit operator doesn't pay anything anymore to the terminating operator, but he pays a lot less to the oddity provider, which makes some revenue and then is keeping a lot more, a bigger share of the revenue. So it's increasing its revenue on basically the transit operator and the oddity operator are very happy about it. This has some consequences for the caller, which is going to have some potential quality problems. You pay for something, for some quality of service as an operator, but you get something else. You may pay for premium routing and get something that's similar to VoIP quality, right? For the callee, it's the same. Sometimes you have quality problems. The call don't reach. You don't have the voicemail or the call forwarding which are working because the voicemail and the call forwarding are actually handled by your terminating operator, your mobile operator. And there are some other problems. The main problem, of course, is for the terminating operator because he's losing a lot of money. All the international calls, a big part of the international calls don't go through his network anymore and he's not paid anymore for those calls. So to study this, we actually made a small experiment. We actually took eight phones with some SIM cards that we put in eight European countries. So those phones were actually controlled over SSH. They're basically routed Android phones. So we get them to some friends in eight countries. And then we generate calls to some phones which are in France and which include SIM cards from this operator. And the home country operator is actually giving us the call data records that correspond to the calls we generate to those numbers. So in the end, we generated like 15,000 calls on this small test network we built. And then we do some measurements. So the first surprise is that about 80% of the calls, in some cases, up to 80% of the calls go over the OTT network. And this is huge. 80% being hijacked, in some cases, is pretty important. There are six out of the eight countries where there was some hijack, where there was some bypass. The most surprising thing, in fact, was that there are multiple fraud schemes which call in. And this is quite funny. So for example, we see some boxing on OTT bypass to call in. We generate a call from UK, from some phone number in UK. And then we have, so we first, I would say first, we expect the call to terminate on the SIM card, on the phone here, to go over some transit. And then we expect the mobile termination with the same number as we called. So we expect to see this number to ring. In fact, we see sometimes that the numbers, they go over a SIM box. And then they don't show up as a, we receive the call, we generate, but we don't receive it with the caller ID, which is from UK, but from Russia. So basically there are a SIM box in the middle with a Russian SIM card, which could be maybe a stolen SIM card or fraudulent SIM card. And we see about 16% of SIM box bypass. But then we also see some plain OTT bypass, like before, like I mentioned before. So there we see just the, basically what we observe is that the phone is not ringing on the mobile network, but we see the OTT application to ring. And then we see the proper phone number, no problem, but we have 36% of these to occur. And then the most funny part of it is that we also see the some calls which go first over the SIM box, and then they go over the OTT bypass. So in this case, it means you see your phone ringing on the OTT application with the Russian number. And it's like, who's calling me? And that's kind of weird. So in the end, we reach this 80% fraud with like all possibilities, and that can get quite confusing for the user. So in the end, so we have a paper where we describe a lot more details on experiments we completely conducted. We don't really have time today. But in the end, these frauds can lead to quite several financial loss for the operators. There are some call establishment problems which we measure. And basically you can get your phone to ring, I mean the caller here, your phone ringing for one minute before your phone actually rings. And this is problematic because maybe after one minute you just drop the call so you never actually unswear. You won't have a chance to unswear. And then there are some quality problems. But in fact, if you look at this, there is zero benefit for the user. So that's I think that's the main problem. Someone's making some benefit, you have some quality problems, but no benefit for the user. Something's wrong. Okay, so with this, I'm going to let me talk about some interesting topics on Telephony Voice Spam On Scams. So actually I think Voice Spam is a bit more particular compared to the previous stuff we talked about because this is something that I think everyone in this room experienced at least once in their lives. So what is Voice Spam? We can define actually a spam call as any type of unwanted or abusive phone call. So this has been a problem since several years and there are many solutions around, like caller ID, blacklist, applications, whitelist, do not call lists, et cetera. But none of them are actually working well. We are still receiving a lot of spam calls. So some people come up with alternative solutions. For example, they say that the permanent solution would be to pretend to be deaf or a child. Or there are people who actually try to throw back the scammers and they spend, for example, these guys spend two hours talking with a Windows technical support scammer. So of course, these are also some type of, some sort of solutions. But they are not very efficient because if you spend two hours with the scammer, you are also spending your own time. So you waste the telemarketers time or spammer's time, but you don't, you shouldn't waste your own time. Okay. So this is end. So I, you have seen Lenny already. So Lenny, the guy that you just heard is a, is a kind of a defensive chatbot that is created to, to defend against voice permits. So the creator of Lenny is anonymous, but it is actually working surprisingly well. It is working very well in dealing with various type of spammers. And it has growing popularity online. You can find the YouTube page. There's a public deployment of this chatbot, basically, that people are forwarding their calls. And you can find many different call recordings of Lenny dealing with several type of spammers. So how this chatbot works. So let's say there's a spammer calling a user. What the user does is basically either on his mobile phone or on his landline phone, he transfers this call to the telephony server that is hosting Lenny. He can either create a conference call or call transfer or make, just make a setup call forwarding. And basically here, the user will leave, from leave the call or just mute himself. And after this point, Lenny will be interacting with the spammer. This chatbot is actually made up of just a set of pre-recorded voice audio files. And the script that is running those recordings once the caller stops speaking. So as you see, there is no speech recognition, no artificial intelligence, nothing advanced. But this chatbot is working very, very well. And we think that the reason that it works so well is because of the conversational quality of those recordings. Another nice thing about this is that it actually acts as a high interaction Hanyupot for voice spam. So as I said, there is a YouTube channel playlist that you can find many recordings of Lenny online. So what we did was actually, we chose 200 of those recordings randomly. And we made them transcribed with a commercial transcription service. It corresponds to almost 2,000 minutes of phone calls. Then, basically, of course, we analyzed those transcriptions in detail. So the first thing we saw was that in these 200 phone calls that you can find almost 22 different types of spam. Some of these are more on the legitimate side. I mean, according to the regulations of the corresponding country, which is the United States in this case, these calls are legitimate like political or fundraising calls. Some of them are more like in the gray area because, for example, the telemarketing calls, you are never sure if they actually get the user consent in a proper way. And some of the calls are complete scam calls. Like the tech support you just heard. There are several vacation scams, Nigerian scams and so on. But the nice thing is that Lenny is effective against all type of such scams. So, of course, we went over in detail to those transcriptions and we analyzed how different spammers interact with Lenny. So there are several interesting things here. So, first of all, I should say that Lenny never terminates the call. So he never says bye. He always keeps talking. But at some point, the caller needs to, of course, stop, like, terminate the call in some way. So, some of them actually try to do this in a proper way. Try to say bye. But some of them are not polite. They are rude and they just hang up. So if we, for example, look at the ratio of people who hangs up, you can see that the scammers are much less polite compared to, for example, the donation calls. You can also see that the scammers, the average call duration for scam calls is much shorter than the rest of the calls. Because once the scammer understands that he won't get any money, he just hangs up the call. He doesn't want to waste too much money. And finally, we found that the scammers use bad words, cursed words, much more than the rest of the scammers. Okay. So I have been saying that Lenny is very effective. Why I'm saying this? Because basically, okay, so in this, the 200 phone calls that we analyzed, the average call duration was 10 minutes. Actually, over all the playlists that all the recordings available on YouTube, the average call duration was 10 minutes, which is quite high. And during these 10 minutes, actually, there are 58 conversation turns between Lenny and the spammer. And actually, the spammer hears the recordings almost two times. So he actually hears the repeated recordings, but they somehow do not realize that they are listening the same thing over again. And one other interesting thing was that only in 5% of the calls, Lenny was explicitly recognized as a bot or as a recording. So what we did was actually we collaborated with a social scientist who is specialized on conversation analysis topic. And we get a subset of these transcriptions that we get. We analyze them further with some conversation analysis technique. So now I will make you listen, actually, the first four turns of Lenny in isolation just to look at it in more detail. This is Lenny. Second one. Sorry, I can barely hear you there. Yes, yes, yes. Oh, good. Yes, yes, yes. So as you see, they are very simple, very brief lines, but actually they are designed as possible speech turns. They have some details that are specific to natural speech, like there are hesitations, self-repetitions, and some of the turns initiate a new action. For example, in the second turn Lenny says, I can barely hear you there, which makes the caller actually repeat his previous turn. But some of the turns are responsive. For example, the fourth one, good SSS, depending on the context, it can mean acceptance, like approval. So depending on the context, it can mean several different types of responses. So this is an example to show you how these simple lines work when they are how well they fit in one conversation. So this is a type of an example of a credit card scam call. So as you see, the caller immediately entered the call with the reason of the call. He directly says why he is calling, and then he finishes his turn with a question. This looks like a question, but actually the preferred answer here is a yes. So he expects the callee to say yes. But actually Lenny breaks this flaw by asking, saying that he is not able to hear, and as a result, the caller, as you see, just partially repeats his first query, and then asks the question again. And by chance, because Lenny is designed so well, actually the next answer of Lenny is yes. So the conversation continues very well, like nothing weird happened, basically. So Lenny is, as I said, very simple looking chatbot with pre-recorded fixed turns, but actually it is really sophisticated due to the flexibility of the turns, its closeness to natural speech, the coherency of the character and the turns, and so because this guy is an old guy, of course he will have some hearing issues, so it sounds very coherent to the caller. And also it has a very good ability to control the conversation somehow, sometimes leading the caller to adjust to himself. So in conclusion, of course, this is a very specialized chatbot. It is working very well in this narrow context of spam calls, but of course it will not work in different contexts, probably. But we think that use of such chatbots can be an effective way to at least to slow down the voice spam campaigns. Okay, so. Thank you. So with this, we're going to conclude. Just saying that overall, Telephone 4 is likely to remain a significant problem. There are weaknesses that are here and that are difficult to fix, right? So I mentioned, for example, voice, color identification. There are some attempts to fix it with protocols like STIR and IETF protocols, but it's going to take some time. And every time we add a new layer of technology, it's going to bring new vulnerabilities. Forster are quite smart and they have strong incentives. Basically, I mentioned in the beginning that Telephone, there are a lot of things which are built, because there is money. There are lots of ways to gain some benefits from it, gain some money out of it. So we hear a lot about surveillance in or hijack of calls, etc. So there are many security problems with diameter or things like this or 2G security and so on. But this can also be abused for extracting some revenue from this by a fraudster, right? So these people have strong incentives and they move very fast, on the typically hidden in some different countries in the world with like flexible regulations. In the end, it's also interesting to understand that fighting fraud can be costly. So Telecom operator will not fight fraud if that's more getting more expensive than the actual loss or perceived loss, right? In the end, sometimes it's good to be as good than the competition, right? So if you are worse than competition, maybe you need to do something. But if you are the same as competition, maybe you are fine. Okay. So with this, I will thank you and I will take questions. Thank you. So we have questions from the audience. Please line up at the mics. I see a hand at microphone 2, please. I wanted to ask the calls that get routed through the apps. The damage to the end user might be very minor, acceptable, nearly net positive. But what I don't understand, it's very transparent to the end user. He actually realizes which app he's being called on. So there is a way to track this back and it should be very evident. I thought when you were putting up the numbers, I was expecting .8%, 2%, like hiding it in the trees. That's the forest, it looks like. Why don't they massively intervene and stop it? So your question is one, so you expected it not to be 80 but 0.8%. So I think it depends how you look at it, right? If you look at the calls from this source to this destination, if you have the phone with the application installed on your registered on the IP network, then you may have very high levels but overall in the world traffic, it may be very low. It may be as well very high for some termination. So if you have a SIM card for a country where you have 40 cent termination rates, not like France or Germany where you have like maybe two cent termination rates with even the European regulation was very low. But if you have very high termination rates, there in these countries, you may have a lot more of this bypass, right? And the other thing is yes, of course, the user will notice it because it's not going to ring on the normal, say, Android, the other interface, but it's going to ring on this application. So you may not notice it if you maybe expect this person to call you on this application or if you don't check if they actually call from the application or from the normal mobile. It's going to look awkward if it's like your grandmother calling from the long line and that's ringing on this new fancy application you have. But there it's going to be obvious, yes. So yes, it is obvious. It's easy to detect for the own user. Actually, it's something you can deactivate if you go search very far in the settings, which are checked in by default. But the thing as well is that for the operator, it's very hard because the operator doesn't see the call, the termination operator doesn't see the call at all anymore. And that's the difficulty for the operator itself. Okay. Microphone 4, please. Hi. Thank you for the talk. Do you have any stats on what apps are used for OGTG? So yes, but all lawyers don't want us to mention it. But if you Google online, we'll find it easily. So no worries. Just Google for it. You will know. Okay. Thank you. A question from the internet, the signal angel. Yes. The internet wants to know with the callback spam where the router is hijacked, who's pay thank for that? Is it the provider or the end user? So who's pay, if you have the callback spam, so you get a call, you call back, so you as a user, you call this premium number. And then this premium number will be supposedly registered by the fraudster. So you pay for the callback. And then the part of this cost of the call that you pay will be given back to the fraudster, if that may be a good answer. Okay. Microphone 1. Yeah. What application did you use in your own study to get those rates? Or if you're not willing to tell it, would we be able to find it somewhere? To generate the calls? You mean the test calls? No, no. You did a study on the OTT bypass with those percentage rates of like 80% in Spain. What application was that? Okay. So this is the... Did we use to generate the calls or sales for the test calls? I think he is asking for the application that is doing the bypass. Yes. That's what... same answer as before. All of you don't want us to mention it. If you go get it, you will find it. Multiple applications or...? So, multiple applications. So we know of one of them. So we did all these experiments on one application only, but we are not sure if they are more doing the same thing, basically. Okay. Microphone 5, please. Regarding the Simbox fraud, where are those SIM cards coming from? Sorry, the echo is bad. Where are the SIM cards coming from and how do the frauds avoid paying for the calls? Because I would assume calling from a SIM card would not be cheaper than routing the call legitimately. So where are the SIM cards coming from? Basically, there are multiple ways. They can use stolen SIM cards, but this is, I think, I would say, less likely. There are some countries, actually, that you can obtain SIM cards without giving your identity, this kind of thing. So in those countries, it is much easier to obtain a large number of SIM cards. And mostly, they abuse the SIM cards. Let's say there's an operator that is making a promotion. He says, okay, calling from Russia, let's say to this country, from my network, it will be very cheap for the next few months, let's say. So then they are more likely to abuse this type of law tariffs and promotions from the operators. There are also sometimes some bugs in the numbering plans. So the operator may actually they have to have for every destination or cost, and sometimes they have some mistakes. So if they have a mistake in the numbering plan, and they will charge you, if say, to call Zimbabwe, you will maybe call the same as Germany because they made a mistake in the in this table where they put the phone number destination on the price. So if a fraudster finds this, and finds that he would pay like, say, five cents instead of paying 35, he's going to buy these SIM cards, buy 20 of them, put them in SIM boxes, and he's going to sell this traffic for cheaper than the normal rates. I think that was the second part of the question as well, but maybe we omitted. Okay. Thank you. Google has developed a very sophisticated chatbot for phone calls. Would that be a suitable lany 2.0? Yes. So I think the thing with the Google's chatbot is that they have to say that it is, I mean, they have to say that it is a chat route. Okay, there are. So probably they could be used for this as well. But I think they have been designed for something else. So I think there is already from Google, there is a service that actually answers your spam calls. I don't have much knowledge about it, but there is also the chatbot that makes, for example, makes reservations for you. Definitely it is a much complicated and better artificial intelligence. I think it will work well if it is also combined with some conversation analysis techniques. The thing as well is that so far, there are also these, let's say Alexia or Google Home, etc. When you talk to them, you know you are talking to a bot. If they have a voice that's kind of synthetic, it's fine because you know you're talking to a bot. If you think of Lenny, he has a human voice. It's a good actor who's actually speaking this. It's hard to recognize this voice as fake because it's a real one. Just the conversation is fixed and it's done, but as Lenny is just unswerving, turns, he's not driving the conversation to anything smart. It's working quite well. Maybe if these bots would become a lot better in voice quality, like this conversational organization of the discussion, then maybe they could be used as well, similar way as Lenny, but so far it's not yet there, exactly, I think. I have another question about the OTT. How do they know that the OTT application is actually installed on the colleagues device? How do they know that? Also, does this scam require the OTT application to actually be actively participating in the scam and to be kind of complicit in it, or are they just like an unknowing bystander in the scam? So the way it's working is the OTT service provider is actually advertising a call termination on the two operators. Then when they agree on a deal, you will have the operator who's going to basically say, oh, I receive on my networks on my incoming traffic for calling this termination, say, I don't know, South Africa, right, South Africa. And then you look at your red sheets and you say, okay, I have, I have going through, I don't know, Dutch Telecom that much per minute. I'm going through orange, orange that much and so on. And then you have many, many, maybe you have 20 different possible routes and you will say, okay, I have also this OTT operator. And the thing is you will be only able to carry over the call to this OTT operator if on the other hand, you have the phone which is having this application activated, only if it's running, only if you're on the IP network. For this, basically, the thing is that on many OTT applications today, you register on the OTT application with your phone number. So first, the same phone number for the actual SIM card and for the application. Second, the OTT operator is kind of having a heartbeat thing so he knows the phone is active and the application is active and can ring or not. At this point, the telecom operator is going to try to route the call if this is already checked, let's say. The operator is going to try to route the call over the OTT network. If it's working, it's ringing and it's fine. Sometimes it's not going to succeed so it's going to fall back to another network. So it's going to route the call on the OTT application only because they have a prior deal with it for it and it's going to be only if the application is active and then it's going to ring maybe and if it doesn't work, it doesn't connect, then they will fall back to another route. That's at least understanding how it should work. There is also a patent if you want to read patentes. In the first scam case, how do the fraudulent operators make sure they get the call and not somebody else and how are there lists or efforts to keep lists of fraudulent operators? So they actually there is no way to make sure that you will get the call and that's why actually there are there are there is those testing interfaces that the fraudster makes several calls to several destinations to see one that is working. So most of the time if the operators use like transit operators which are large ones like orange for example it has international careers are very huge so and it is very less likely to have fraud in that network but if some small or fraudulent transit operator is on the call route then you are more likely to end up in the fraudulent route. Yes so I mean they never make sure that they will get the call they just hope that the call will go over them. And if it doesn't work they just test another number in another country another destination they would test until they see the number to appear on this test interface so they say okay no I know this number are going to be hijacked or I can make some cash out of it and then you just use this you get a new number that you will generate cash on this provider we know that when they see this number it's you generated the calls. And actually the call routing is very dynamic so maybe today there is the hijack works and tomorrow maybe it won't work because the operator started to use a different route. Hey do you have any statistics on how to say on kinds of scam being done like and who's and do you have any idea about the people behind those scams because I know for a fact that in some countries there is quite popular scam from prison like prisoners calling and saying like your daughter got in traffic accident you have to pay this and this. Yes so in terms of scams I don't have much idea I mean for telemarketing for instance there are many call centers running the telemarketing campaigns all the time but in terms of scams I am not really sure who will be behind the call. If you look globally on telephony frauds so you can refer to the CFC S3D which is not maybe perfectly accurate but that gives an idea on the classify the big frauds by how much they cost or how much in fact operators claim they cost to them. So that's why it's not perfectly good 100 percent accurate nothing will be perfectly accurate but you see IRSF as a very big one you see a simbox as quite big as well on things like this so I think you can't get very detailed about this then who are the people doing this I think it depends a lot so you have in fact operators frauding each other a lot apparently you have people who just like run their small fake companies and put simboxes somewhere or just advertise so you have one person companies a lot of telecom operators are in fact one person company doing this on the side job having a server in a telephony server in a place where you have you have no tax for example and that's just running and they get some mixing some legitimate traffic with some fraud traffic and then they just make some few some benefits that call their roots on this kind of things so it's a fairly complex ecosystem and I wouldn't be able to just point one kind of people for this. So unfortunately we don't have any more questions so let's give a big hand of applause for our speakers thank you