METHOD AND SYSTEM FOR PREVENTING ILLICIT USE OF A TELEPHONY PLATFORM

- Twilio, Inc.

A system and method for preventing illicit use of a telephony platform that includes enrolling a plurality of accounts on a telecommunications platform, wherein an account includes account configuration; at a fraud detection system of the telecommunications platform, receiving account usage data, wherein the usage data includes at least communication configuration data and billing configuration data of account configuration and further includes communication history of the plurality of accounts; calculating fraud scores of a set of fraud rules from the usage data, wherein at least a sub-set of the fraud rules include conditions of usage data patterns between at least two accounts; detecting when the fraud scores of an account satisfy a fraud threshold; and initiating an action response when a fraud score satisfies the fraud threshold.

Skip to: Description  ·  Claims  · Patent History  ·  Patent History
Description
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. patent application Ser. No. 13/949,984, filed 24 Jul. 2013, which claims the benefit of U.S. Provisional Application number 61/675,156, filed on 24 Jul. 2012, both of which are incorporated in their entirety by this reference.

TECHNICAL FIELD

This invention relates generally to the telephony field, and more specifically to a new and useful method and system for preventing illicit use of a telephony platform in the telephony field.

BACKGROUND

Telephone fraud has long been a problem for telephony systems. With the introduction of VoIP networks and Session Initiation Protocol (SIP) trunks, the opportunities for telephony fraud is even greater. The recent development of new telephony platforms that enable a wider range of developers to create useful products also enables nefarious parties to create programs that commit telephony fraud. As one example, toll fraud has become a common problem on telephony platforms due in part to easier access to disposable telephone numbers. Other forms of telephony fraud can result in chargebacks for telephony platform providers when the telephony fraud involves stolen credit cards. Yet other forms of telephony fraud use valuable resources for improper uses that would otherwise be used for legitimate applications. Telephony fraud can be damaging to users that fall victim to the telephony frauds, to the profitability of telephony platforms, and to the performance of legitimate telephony applications. Furthermore, as developers are more frequently building on top of other infrastructure, those developers may not have access to the raw information to prevent such illicit use of their applications. Thus, there is a need in the telephony field to create a new and useful method and system for preventing illicit use of a telephony platform. This invention provides such a new and useful method and system.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a schematic representation of a system of a preferred embodiment of the invention;

FIG. 2 is a flowchart representation of a preferred embodiment of the invention;

FIG. 3 is a schematic representation of a preferred embodiment of the invention;

FIG. 4 is a schematic representation of a preferred embodiment of the invention for integrating a fraud scoring system with a data stream;

FIG. 5 is a flowchart depicting a variation of a preferred embodiment of the invention for updating received usage data upon receiving a trigger signal,

FIG. 6 is a flowchart depicting a variation of a preferred embodiment of the invention for calculating a fraud score from usage data associated with call history data;

FIG. 7 is a flowchart depicting a variation of a preferred embodiment of the invention for calculating a fraud score from usage data associated with message history data;

FIG. 8 is a flowchart depicting a variation of a preferred embodiment of the invention for calculating a fraud score from usage data associated with platform account data;

FIG. 9 is a table depicting a fraud rule set of an exemplary implementation of a preferred embodiment of the invention; and

FIG. 10 is a flowchart depicting a variation of a preferred embodiment of the invention for generating a fraud rule.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following description of the preferred embodiments of the invention is not intended to limit the invention to these preferred embodiments, but rather to enable any person skilled in the art to make and use this invention.

1. System for Preventing Illicit Use of a Communication Platform

As shown in FIG. 1, a system for preventing illicit use of a communication platform of a preferred embodiment can include a communication platform 100 that includes a multitenant account system 110 and a fraud scoring system 120 communicatively coupled to operational components 130 of the communication platform. The system functions to apply various fraud-based heuristics across the accounts and/or subaccounts of the platform 100, monitor and measure the scores based on the heuristics, and alter operation of the account within the communication platform. Such a system is preferably capable of mitigating fraudulent behavior made on top of a self sign-up communication platform. In one scenario, the system can be applied to preventing illicit use within a single account. The system can additionally be extended to detect illicit use through cooperative use of multiple accounts. Another aspect is that the multitenant account system may include functionally for an account to create sub-accounts. Sub-accounts can be used so that a developer can develop a service on top of the communication platform and provide that service to end customers. The system can enable fraudulent behavior within the subaccount of an account to also be monitored for fraudulent behavior.

The communication platform 100 functions as the main infrastructure on which fraud is sought to be prevented or reduced. The communication platform is more preferably a telecommunication platform that facilitates synchronous voice communication sessions, synchronous video communication sessions, screen-sharing session, asynchronous text or media communication. In particular traditional telecommunication protocols such as telephone based networks (e.g., PSTN) or carrier based messaging (e.g., SMS or MMS) are of particular attention in the prevention of fraud. The ecosystem of traditional telecommunication protocols includes user contracts and network/carrier contracts to facilitate interoperability and functioning of the communication network as a whole. The communication platform 100 in some variations may provide a way for account holders to avoid the various contract related restrictions usually involved in using the network. For example, an account may be created and used through self sign-up, avoiding a contract lock-in or enrollment process. As described below accounts can additionally acquire and drop communication endpoints on-demand. The fraud scoring system preferably functions to ensure that such beneficial features are not leveraged in implementing toll fraud, spamming techniques, scams, or other illicit uses of the communication platform 100.

The communication platform 100 can provide any suitable service. In one variation, the communication platform 100 provides routing functionality. In another variation, the communication platform 100 may provide communication bridging between at least two protocols such as a PSTN device talking to a SIP based device. In a preferred embodiment, the communication platform 100 provides communication application functionality and/or API based integration to communication sessions, events, and resources. The communication platform preferably enables accounts to configure applications to be responsive to incoming communications. The communication platform 100 can additionally facilitate initiating outbound communications to be controlled by an application or connected to an agent. The applications are preferably internet hosted telephony instruction documents hosted externally by the developers (e.g., the account holder). The applications are preferably configured as URI mappings within an account that relate an endpoint with an application URI. The URI based applications preferably enable web developers to easily apply web-based application skills to building dynamic telephony applications. The communication application platform is preferably substantially similar to the one described in U.S. Pat. No. 8,306,021, issued 6 Nov. 2012, which is hereby incorporated in its entirety by this reference. The communication platform 100 may alternatively be focused on providing some features directed at a targeted use case. For example, the communication platform 100 may be a customer service platform used by customers to build call centers. The communication platform 100 may be a conference call service, a personal voicemail system, a notification service, a two-factor authentication facilitating service, and/or any suitable type of communication platform.

The multitenant account system 110 functions to manage and facilitate the accounts within the communication platform 100. As described above, the communication platform 100 is preferably a multitenant infrastructure in that multiple users can independently operate on shared resources of the communication platform. Preferably, any given account is prevented from impacting the resources of others within a multitenant system. The account system no preferably includes a user interfaced and/or programming interface (API) to create and manage an account. The communication platform will often involve paid use of communication infrastructure. The account system may include a billing engine that stores payment information of the account. Within an individual account, at least one endpoint is preferably assigned as a communication address. The communication endpoint is preferably a phone number, but may alternatively be a SIP address, a user name, or any communication address. The account system 110 or an endpoint service may additionally facilitate an account from acquiring new endpoints, porting outside endpoints for use within the platform, and/or canceling endpoints. The account system 110 can additionally manage operational configuration such as storing resources, references to resources, parameter settings, or other aspects used in account usage of the communication platform 100. Preferably, the configuration can store the application URIs mapped to endpoints of the account.

Additionally, the multitenant account system no can include a sub-account system such that a hierarchy of accounts can be created. A first account (i.e., a parent account) can preferably create or contain multiple sub-accounts (i.e., children accounts). Sub-accounts may be created through an interface by the sub-account holder or alternatively through an API by the parent account holder. For example, an application developer may create a customer service application, and then allow end users to signup as customers within his account. The sub-accounts will preferably operate within the scope of the parent account. The sub-accounts can be customized by the parent account and/or customized by sub-account holder. In one implementation, the sub-account system may functions similarly to the system and method described in U.S. patent application Ser. No. 13/167,569, filed 23 Jun. 2011, which is hereby incorporated in its entirety by this reference.

The fraud scoring system 120 functions to monitor, measure, and detect instances of illicit use that occur within or through the communication platform. The fraud scoring system 120 may predominantly focus on preventing continued illicit use of the communication platform 100 that is initiated by an account and/or a parent account of the communication platform 100. The fraud scoring system 120 can additionally identify and prevent illicit actions initiated by parties outside of the platform but occurring through the communication platform 100.

The fraud score preferably includes a set of fraud rules. The fraud rules are preferably conditions that either act as a metric upon which a score is based. The scores of the various fraud rules are preferably collectively analyzed to determine if fraud is occurring. A fraud rule in one variation is used in calculating a scalar measurement of one dimension or indicator of fraud. A fraud rule may alternatively be set of discrete conditions with an assigned score based on the determined condition. Preferably, this will be binary decision of assigning a fraud score or not. The fraud rules can target various aspects of communication and account usage and configuration. The fraud rules may simply evaluate indicators of fraud within an account or sub-account. Additionally, the fraud rules may include analysis across accounts/sub-accounts to detect patterns of illicit use implemented using multiple accounts. The fraud rules may be preconfigured or automatically generated based on algorithmically learned patterns in fraud or anomaly detection. The fraud scoring system no may additionally include an analyst-facilitated user interface wherein new rules can be created and issues can be manually ignored or acted upon, which functions to supplement automatic operation with human insight.

The set of fraud scores can include a wide variety of rules that use a variety of data sources. The data sources may include communication history such as involved endpoints, duration of the communication, content of the communication, frequency of the communications, geographic information of the communication, and other logged information. Some of the conditions may be based on static configuration parameters (i.e., how the account is setup). If an entity is implementing illicit behavior across multiple accounts similar resources are preferably used, and thus similarities of account settings across multiple accounts may be a sign of suspicious abnormal behavior. Other conditions may be based on usage of the account.

Another data source may include billing information such as the number of credit cards on the account, the number of accounts that use a particular credit card, number of names used on credit cards of an account, number or frequency of changes to billing information, country of IP address matched against credit card country, geographic region diversity of billing address, and other billing related information. The billing data source may be from a billing system of the communication platform. Outside data sources may additionally or alternatively be used. For example a data source with stolen or flagged credit card information can be used.

Yet another data source can include endpoints of an account. Patterns in endpoints may relate to the variety of owned or used endpoints by an account, variety of endpoints of incoming communication, variety of endpoints in outgoing communication, number or percentage of communications that are international, types of endpoints (e.g., short codes, mobile numbers, landlines, business numbers, etc.)

In the variation where the communication platform is a communication application platform, the application configuration can be another data source used in fraud rule conditions. Preferably, an application parameter is set within an account to reference the application resource (e.g., a document with the communication instructions). The application parameter is preferably a URI string that points to an application server of the account holder. The number of times the URI is used in different accounts may be the basis of a fraud rule condition. The application parameter may alternatively be a binary data file or executable code, and the raw application resource can be compared to other. For example, a cryptographic hash or fingerprint may be generated and used in comparing applications across accounts or sub-accounts. While static application configuration may be used, applications may be able to redirect application state control to other URIs and thus the fraud rule condition may be based on the URIs that are used throughout the processing of a communication session.

Similar to the fraud rules based on application configuration, media resource usage can additionally be used. If two or more accounts or sub-accounts, are using the same media resources, then those may be assumed to be operated by the same entity.

In addition to the data source, the time period in which the pattern is detected, age of the account, number of accounts, percentage of usage that is not flagged as suspicious and other qualifying conditions may provide additional context to the data source conditions.

The fraud scoring system 120 is communicatively coupled to the operational components 130 of the communication platform 100. The operational components 130 of the communication platform can include any servers, databases, processors or other resources that either define account configuration, account usage, or other aspects of the account within the platform. Preferably, the operational components include a call router that processes communication. In particular, the call router controls and facilitates the execution of a telephony application during a communication session. The various operational components 130 may additionally be used in enforcing some response to detection of illicit behavior by an account or sub-account.

2. Method for Preventing Illicit Use of a Communication Platform

As shown in FIG. 2, a method for preventing illicit use of a communication platform in accordance with a preferred embodiment may include enrolling a plurality of accounts in a telecommunications platform block S110, at a fraud scoring system, receiving usage data of a telephony platform component block S120, calculating a fraud score from the usage data block S130, detecting when fraud scores of an account satisfy a fraud threshold block S140, and taking action when a fraud score satisfies a fraud threshold block S150. The method functions to enable heuristic based identification and prevention of telephony fraud. The method is preferably used to prevent illicit use cases in voice or video calls, short message service (SMS) messages, multimedia messaging service (MMS) messages, Fax, or any suitable form of telephony communication. The method can additionally be applied to IP based communication or proprietary communication channels such as SIP, Video conferencing, screen sharing or other suitable communication mediums. The method is preferably performed by a fraud scoring system which is a preferably a sub-component of telephony application platform such as the telephony platform described in U.S. patent application Ser. No. 12/417,630, filed 2 Apr. 2009 and titled “System and Method for Processing Telephony Sessions”, which is incorporated in its entirety by this reference. Integration into a telephony platform preferably enables the gathering of usage data from a plurality of various telephony platform components. The telephony platform components are preferably those components that facilitate calls or messaging such as call databases or SMS databases, but may alternatively include components facilitating telephony application setup or operation such as account or credit card databases. The telephony platform is preferably a multitenant platform with multiple user accounts and optionally sub-accounts that independently use the platform. The telephony platform can be a self-sign up service, and the programmatic interface into the telephony platform can make it appear more appealing for illicit use. Entities can be freed of the hassle and complexity of arranging long-term contracts or other agreements that normally act as a barrier to telephony based fraud. The method is preferably applicable to preventing toll fraud in a telephony platform but may additionally or alternatively be used to prevent terms of service violations, denial of service attacks on a telephony platform or an outside system, suspicious behavior, credit card fraud, phishing attacks, and/or any suitable type of illicit use of a telephony platform.

The method is preferably capable of addressing internal telephony fraud (i.e., fraud performed by account holders on the telephony platform) and/or external telephony fraud (i.e., fraud attempts originating on outside systems but occurring through the telephony platform). The method is preferably capable of detecting coordinated illicit behavior performed across two or more accounts of the platform. Additionally or alternatively, the illicit behavior of a single account can additionally be addressed. The method preferably uses a heuristic based approach using rules defined in a rule set of the fraud scoring system. Rules used in the method can preferably be crafted and maintained by fraud analysts, which functions to enable analysts to use their unique insight into fraud scenarios to automatically detect future scenarios using the fraud scoring system. The method additionally can automate the detection and actions taken by fraud analysts for a system. The method may additionally include Bayesian learning, neural networks, reinforcement learning, cluster analysis or any suitable machine learning or algorithmic approaches to facilitate identifying illicit use cases. Preferably a combination of automatic fraud rule generation and fraud analyst input is used in during the method of the fraud scoring system. The method is preferably capable of identifying a wide variety of illicit use cases as defined in the rule set. When illicit use of the telephony platform is matches a rule, the fraud scoring system preferably acts to prevent that instance of illicit use from continuing.

Block S110, which includes enrolling a plurality of accounts in a telecommunications platform, functions to setup, configure, and instantiate multiple entities within the platform. An account within the telephony platform preferably has a unique identifier or uniquely identifying characteristics. Fraud detection is preferably detected within individual accounts or through two or more accounts that share usage data patterns (which often indicate a single entity is coordinating both accounts to distribute the signals of illicit behavior across multiple accounts). Enrolling an account may be initiated by a user through a user interface, but an account and/or a sub-account may alternatively be configured programmatically through an API such as a REST API of the platform. The enrollment may additionally include within one account, enrolling at least one sub-account that is managed by the first account. The sub-account (i.e., the child account) will often be an end customer of a service of the primary/parent account holder. For example, a customer care application may create a parent account, and within that account each end-customer is given a sub-account so that usage, data, and configuration can be independently managed. The parent account holder preferably manages these accounts. Sub-accounts are preferably created and managed through an API. The method can be particularly useful for systems that use sub-accounts in that, individual sub-accounts may be performing illicit behavior and the account holder may not have sufficient data when operating on top of the platform to detect the illicit behavior. The fraud detection service can be a beneficial service in promoting app developers to build on top of a platform.

Basic configuration of an account preferably occurs during enrollment but can be completed at a later time. Enrolling an account preferably includes an enrolling-account assigning at least one communication endpoint address to the account. Preferably, at least one phone number is associated with an account. Multiple phone numbers can additionally be configured. The communication endpoint may alternatively be a SIP address, email address, username, or any suitable address identifier used in routing communication to a destination. An assigned endpoint may be purchased/selected from the platform, ported from an existing system, or added to the account in any suitable manner.

The enrolling account additionally configures application resources. Preferably, an endpoint will be mapped to an application URI, which will be an external, internet-accessible resource that provides communication instructions for a communication session. Multiple application URI's may additionally be configured for different communication states or events. For example, there may be a primary application URI for incoming calls, an outgoing application URI that takes control of outgoing communication sessions, a fallback application may be used for when errors occur, there may be different application URIs for different mediums (e.g., voice, video, SMS, MMS, fax, eats.), different application URIs for different regions or originating endpoints. Each endpoint assigned to an account can additionally be uniquely configured. The configured application resources may alternatively or additionally include media files used in an application such as an application executable binary, instruction file, playable audio or video, or other suitable media resources.

The enrolling account may additionally configure billing information. The billing information will preferably include at least one credit card, but may alternatively be any suitable payment mechanism such as a bank account, links to an outside account with credit/points. The payment mechanism information will preferably include an account identifier (e.g., a credit card number), billing name, billing address. Multiple payment mechanisms may be setup.

Block S120, which recites at a fraud score system receiving usage data of a telephony platform component, functions to collect data used to calculate a fraud score. The usage data is preferably data collected and maintained independently from the fraud score system. The usage data thus typically reflects operational metrics of a telephony platform. For example, a call history database may store records of when calls where made and what the destination endpoints were for those calls. In this example, the primary purpose of the call history database may be for analytics but the data may additionally be used for calculating a fraud score. Alternatively, usage data may be collected with the explicit intent to measure data pertinent to calculating a fraud score. The fraud scoring system is preferably coupled through a network to a telephony platform component. More preferably the fraud scoring system is coupled through a network to a plurality of telephony platform components as shown in FIG. 3. A telephony platform component is preferably a machine that provides the usage data. The telephony platform components coupled to the fraud scoring system may include call history databases, messaging history databases, account databases, credit card hash databases, account databases, client device information databases, IP address databases, phone number databases, credit card or spending databases, API logs, and/or any suitable machine containing data useful for calculating a fraud score. The fraud scoring system is preferably configured to actively initiate communication with the telephony platform components, and the platform components preferably respond with any requested usage data. Alternatively, the coupled machines may independently send usage data to the fraud scoring system through a subscription or push-based service.

The fraud scoring system preferably refreshes usage data periodically. For example, fraud score system may receive new usage data from at least a subset of machines every half hour. In another variation, telephony platform components may send usage data continuously, when new data is collected, or for any suitable reason. In yet another variation, a fraud scoring system may be integrated into a data stream. In this variation data would preferably not need to be replicated or sent through a separate fraud scoring system. A fraud scoring system can preferably subscribe to designated data streams as shown in FIG. 4 but may alternatively be integrated into a data stream in any suitable manner. The fraud scoring system may additionally poll or actively request update usage data from components. Additionally or alternatively, a variation of a method of a preferred embodiment may include updating received usage data upon receiving a trigger signal Block S122 as shown in FIG. 5, which functions to enable fraud checking programmatically. In response to a trigger signal, the fraud scoring system preferably actively initiates the transmission of usage data from a telephony platform component to the fraud scoring system. The trigger signal is preferably an instruction associated with an application programming interface (API) call. The API call preferably causes usage data to be updated, a fraud score to be calculated, and action to be taken if appropriate. The API call may alternatively trigger a subset of the above steps. A telephony platform is preferably configured to send an API call to update the fraud scoring system when events occur that have a high correlation to fraud. For example, an API call to update the fraud scoring system may be sent before, while, or during updating an account, performing a credit card transaction, detecting high account concurrency, or during any suitable event. A fraud score API may additionally be used to perform other interactions with the fraud scoring system. For example, a fraud score API may trigger any suitable steps of the fraud scoring method; may create, edit, delete, or otherwise augment fraud rules, usage data, usage scores, fraud actions, or other parameters of the fraud scoring system; and/or interact with the fraud scoring system in any suitable way.

Block S130, which recites calculating a fraud score from the usage data, functions to process usage data to generate a metric that reflects the likelihood that illicit use of the telephony platform is occurring. Fraud scores are preferably calculated for a set of fraud rules. The set of fraud rules are used to calculate a set of fraud scores (e.g., measure or indicators of fraud). Additionally, fraud thresholds can define when particular types of actions are taken. A fraud rule preferably includes a usage condition, a usage data time window, and an account age condition. The fraud rules may additionally be conditions within a single account or pattern conditions across multiple accounts. The usage conditions are particular patterns in usage data (e.g., account configuration or communication history). The usage conditions are preferably particular patterns such as some threshold on the number or percentage of events or resources that would trigger activating the fraud rule (e.g., assigning the defined fraud score for that rule). The usage condition can additionally specify conditions found across multiple accounts. For example, a usage condition may be for identical/corresponding billing information configured in more than three accounts. The usage data time window is the window that is used to define what data is analyzed. Some exemplary time windows could include the past 24 hours, the past week, the past month, the past year, or across all data (e.g., no time window). The account age condition may define for how long the rule is monitored for an account. Some illicit use scenarios may only be seen with new accounts. For example, the account age condition may configure a fraud rule to apply to an account for the first week after the account is created. If the conditions of the fraud rule are satisfied a defined score is preferably assigned. These fraud scores are preferably stored per account. If the fraud rule is defined for condition patterns across multiple accounts, the fraud score is preferably assigned to each account. The fraud score is preferably a numeric value but may alternatively be a label or any suitable construct to communicate fraud likelihood. In this document we treat high fraud scores as indicating a greater likelihood of illicit use, but any suitable relationship may be defined. A fraud score is preferably associated with at least one key/identifier. The key may be an account, sub-account, an endpoint (e.g., a phone number), a credit card hash, or any suitable key. A plurality of fraud scores (e.g., one per fraud rule) is preferably calculated to monitor various entities and approaches to performing fraud in a telephony platform. For example, a series of fraud scores may be calculated to monitor accounts for one form of telephone fraud, while another series of fraud scores may be calculated to monitor credit card abuse across accounts. The fraud score is preferably indicative of activity during a specified time window, but may alternatively be an aggregate value (preferably factoring in older fraud scores to reflect multiple time windows). Calculation of fraud scores may additionally involve creating associations between subsets of the received usage data. Associations can be made based on user accounts, credit cards used to pay for accounts, endpoints or endpoint prefixes, source or destination carriers, and/or any suitable parameter that can be used to associate various data points in the usage data.

As described, fraud scores are preferably calculated to generate metrics that reflect the likelihood of fraud. These metrics may be associated with various parameters or combination of parameters of a telephony platform. Block S130 preferably includes calculating a fraud score from usage data associated with call history data Block S132, calculating a fraud score from usage data associated with messaging history data S134, and/or calculating a fraud score from usage data associated with platform account configuration data S136, but any suitable usage data may alternatively be used in calculating fraud score. Correspondingly, the block S130 preferably includes at least one fraud rule of the set of fraud rules including identifying communication-application configuration shared between at least two accounts, identifying shared patterns of media resource usage in two accounts, detecting shared billing information across two or more accounts, detecting communication history patterns across at least two accounts, and other suitable fraud rule conditions that are defined for patterns in usage data between multiple accounts.

Block S132, which recites calculating a fraud score from usage data associated with call history data, functions to create a fraud score based on patterns in calls occurring on the telephony platform. Several different parameters of a call may have been measured and included in the usage data. For example, call duration, account(s) associated with a call, call destination endpoints, caller endpoints, carrier origin of a call, destination carrier, frequency of calls, number of concurrent calls for an account, or any suitable parameter of call data. Such call related usage data can preferably be used to calculate fraud scores based on various heuristics. In one variation, high call concurrency (i.e., multiple calls occurring on the telephony platform simultaneously) for a new account is indicative of illicit use of the telephony platform. A fraud score that reflects this is preferably calculated from such data. In this variation, the fraud score preferably has a direct relationship to concurrency and an inverse relationship to the age of the account. In another variation, numerous call endpoints matching designated prefix patterns may additionally be an indicator of illicit use. A fraud score that reflects this is preferably calculated. Preferably, a fraud rule is defined for each communication history condition or set of conditions. Additionally, audio or video of a call may be used in calculating a fraud score. For example, white noise analysis of a call may be included in or extracted from usage data. White noise analysis may enable the fraud scoring system to detect if a phone call had anyone on either side of a call. In this example, a long silent phone call may be associated with illicit use of the telephony platform, and the white noise detection could be used to calculate a fraud score that reflects this heuristic.

Block S134, which recites calculating a fraud score from usage data associated with messaging history data, functions to create a fraud score based on patterns in messages occurring on the telephony platform. Messaging history data may include any data related to SMS, MMS, or other suitable messages communicated through the telephony platform. Calculation of a fraud score may include the use of usage data analogous to the usage data described above for call data, such as message endpoints, account(s) associated with a message, message frequency, message frequency as a factor of account age, carrier origin of a message, carrier destination of a message, or any suitable parameter of a message or messages sent through the telephony platform. Message content and message conversations conveyed in usage data of the messages may additionally be used to calculate a fraud score. In one variation, messages replying to account messages that instruct the sender to stop sending messages (e.g., a message with the message ‘STOP’) preferably contribute towards a higher fraud score. Accounts that receive a higher percentage of stop-messages are more likely to be practicing behavior that is undesirable to users. In an alternative variation, if a large number of spam-like text messages are delivered to endpoints matching a prefix and no stop-messages are received, this may also be an indicator of illicit behavior (e.g., a nefarious user may be trying to terminate as many text messages to a particular carrier).

Block S136, which recites calculating a fraud score from usage data associated with platform account configuration data, functions to use metrics collected from the telephony platform that do not directly relate to voice, video or messaging. Usage data associated with platform account configuration data may include information pertaining to user accounts, credit cards, endpoints, client devices, telephony application URI's, or any suitable platform account data. The configuration data preferably includes communication-application configuration, which includes variables and resources used in customizing and defining the application(s) of the account. One fraud rule may be defined for a condition of identifying communication-application configuration shared between at least two accounts. If multiple accounts have the same application configuration, then this can be used as a signal that the two accounts are used for the same task. Outside entities may set up multiple accounts to perform the same task to avoid detection, but identical application configuration can be a signal that the accounts are managed by the same entity or two cooperating entities. Preferably, applications are defined by application URIs that are associated with/mapped to communication endpoints. String comparisons of the URIs can be performed to identify matching applications used in multiple accounts. In some situations, some application URI's may be whitelisted so that they can be used in multiple accounts. In a similar, variation the actual application media resources consumed during execution of an application can be used to indicate similar functionality. A communication platform may transfer application state to various application URIs during a communication session. These application URIs can be similarly tracked and compared. Also media such as the instruction documents (telephony instructions in an XML document), audio files, video files, and other resources can be fingerprinted or otherwise processed to create an identifier that can be used to detect similar or identical media resources. Fingerprinting data preferably includes creating an identifier of the content of the media file. The fingerprint identifier can be preferably easily compared to other fingerprint identifiers in other accounts to determine if identical or substantially similar media is used. A fingerprint identifier preferably functions so that media can be matched despite variations in the encoding of the content. For example two images of the same picture but of slightly different dimensions and size ratios can be shown to be matching. Alternatively, the raw file may be compared. Media resource usage during communication sessions can also be used as signals of illicit behavior. For example, an image sent over MMS by one account may be fingerprinted. A second account additionally sends an image of MMS and the image is similarly fingerprinted. The fingerprint identifiers are then compared, and if they indicate the image content matches, this may trigger a fraud rule around two accounts sending identical images over MMS. Media fingerprinting can similarly be applied to audio, video and other suitable media mediums.

In one variation, calculating a fraud score from usage data associated with credit card data preferably involves comparing hashes of credit card numbers. By comparing billing information within and across accounts, the fraud scoring system functions to check diversity of payment mechanism. Payment mechanisms are preferably not shared across numerous accounts. This can be a signal that one entity is setting up multiple accounts for some reason. Within an account the payment mechanisms preferably have little diversity. If several credit cards with multiple names and addresses may be a sign that stolen credit cards are being used. As an example, a plurality of new accounts created and set up using the same credit card may be an indicator of illicit use. Credit card hash records for new accounts are preferably compared to identify credit cards used multiple times. In this variation, a credit card used multiple times for different accounts would preferably contribute to a higher fraud score. Similarly, many telephony applications allow accounts to set up an application to handle calls or messages by specifying a URI. In one variation, if one URI is configured for a plurality of new accounts, then this may indicate illicit use as it indicates one entity is setting up multiple accounts for the same purpose.

Block S140, which recites detecting when fraud scores of an account satisfy a fraud threshold, function to monitor and assess when a scenario of illicit behavior is occurring based on the fraud scores. Block S140 preferably includes storing/recording the fraud score. As described above, the fraud scores are preferably indicative of a fraud score for a particular time window, but may alternatively be an aggregate metric. The fraud scores are preferably stored such that an associated account, endpoint, application, and/or any suitable key may be referenced when retrieving data. In one variation block storing of the fraud scores is optional, and assessment can be performed directly after calculating fraud scores, without persistently storing fraud scores. Preferably, the same set of fraud rules are used in calculating fraud scores across all the accounts/sub-accounts. Fraud thresholds can define when particular types of actions are taken. In one implementation, the fraud scores associated with an account or sub-account are preferably summed, and if the total fraud score is above a define fraud score threshold a response is made in block S150. Additionally, there may be different levels of fraud thresholds. For example a fraud threshold may be defined for fraud scores from 20-50, a second fraud threshold for 51-75, and a third fraud threshold for scores over 76. These three fraud thresholds can define three levels of actions taken in block S150. The fraud reaction can alternatively be based on the fraud scores of a particular fraud rules. For example, specific fraud rules (when satisfied or for certain scores) may define a reaction of flagging an account or throttling an account, while some fraud rules may define more severe illicit behavior and can initiate automatic termination of the account.

Block S150, which recites taking action when a fraud score satisfies a fraud threshold, functions to react to fraud scores that indicate illicit behavior. The reaction to a fraud score may include flagging the account, throttling communication of an account, requesting additional billing information, notifying account holder, notifying an analyst of the communication platform, performing additional fraud detection analysis on the account, blocking particular actions on the account, or performing any suitable action. In a sub-account variation, the parent account of a sub-account is preferably notified of the sub-account illicit behavior. The notification can be an email notification, a message within the communication platform web platform, or notification made through the API of the communication platform. Account holders may have multiple sub-accounts using their service provided on top of the communication platform. By performing the fraud regulation by sub-accounts, the communication platform can avoid taking action against the account itself since many sub-accounts may be using the communication platform in a proper manner. This functions to simplify and abstract the fraud prevention aspect away from account holders such that the communication platform can handle illicit use detection. A fraud scoring system preferably includes a set of fraud rules (i.e., a rule set) stored using any suitable schema. The rule set preferably enables various heuristics to be configured and/or updated to keep current with the latest fraud attempts. Fraud score patterns may include thresholds for a particular fraud score or alternatively a group of fraud scores. Some exemplary fraud score patterns may include taking action when there are more than a specified number of international calls lasting longer than a specified amount of time, when an average length of international calls is greater than a specified amount of time, when greater than a specified number of outbound SMS messages to a classification of prefixes (e.g., UK prefixes) are made, when more than a specified number of unique credit cards are added to an account, when the credit cards of an account use more than a specified number of zip codes, when one credit card is used on more than a specified number of accounts, when one IP address is used across more than a specified number of accounts, when the account balance is more than a specified amount for an account and the age of the account is less than a specified number of days, when the answer rate of outbound calls is less than a specified percentage and/or when any suitable pattern is satisfied, As shown in FIG. 9, rule sets may be dependent on measured metrics in combination with a threshold, time period for the metrics, and account age. Alternatively, any suitable parameters may be specified to determine a rule set. Fraud score patterns may alternatively be trending patterns from a time series of related fraud scores. Fraud reactions preferably include suspending an account, blacklisting credit card numbers, blacklisting application URI's or IP's, rate-limiting services provided to an offending account, remove or adjust services provided to an offending account (e.g., remove international services), flag the account for a human fraud analyst to investigate, and/or any suitable course of action. The fraud reaction is preferably signaled to the telephony platform, and the resulting reaction preferably alters behavior of the telephony platform to prevent a suspected case of illicit use of the platform. There may additionally be different level of responses based on the severity of the fraud score, and fraud reactions may be applied in stages if the fraud score does not subside.

Additionally or alternatively, a method of a preferred embodiment may include generating a fraud rule block S160 as shown in FIG. 10, which functions to produce a fraud score based on collected data. In one variation, a fraud score set is preferably predominately generated by fraud analysts. This preferably enables fraud analysts to apply unique insight into fraud attempts to enable automatic detection. In a variation that implements block S150, at least a subset of the fraud rule set is generated through analysis of the data. As mention above Bayesian learning, neural networks, reinforcement learning, cluster analysis or any suitable machine learning techniques may be used to extract rules to identify fraud scenarios. The generating of a fraud rule may be active or reactive. Active generation of a fraud rule will preferably automatically generate a rule based on observed data. Reactive fraud rule generation preferably generates a fraud rule after a fraud scenario has happened. Data from the time of the fraud can preferably be replayed such that a fraud rule may be generated that would have set the fraud score to reflect the occurrence of the fraud scenario.

An alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a fraud scoring system. The fraud scoring system preferably includes a fraud rule set and a fraud scoring API. The fraud scoring system is preferably integrated into a telephony platform capable of facilitating voice, video, or message communication. The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a processor but the instructions may alternatively or additionally be executed by any suitable dedicated hardware device.

As a person skilled in the art will recognize from the previous detailed description and from the figures and claims, modifications and changes can be made to the preferred embodiments of the invention without departing from the scope of this invention defined in the following claims.

Claims

1. A method comprising:

enrolling a plurality of parent accounts in a telecommunications platform;
within a first enrolled account, enrolling at least one sub-account that is managed by the first account;
at a fraud detection system of the telecommunication platform, receiving sub-account usage data of the sub-accounts of the telecommunications platform, wherein the usage data includes at least configuration data of the sub-account and communication history data;
calculating fraud scores of a set of fraud scores from the account usage data;
when the set of fraud scores of a sub-account satisfy a fraud threshold, programmatically notifying the corresponding parent account through the communication platform.

2. The method of claim 1, wherein receiving sub-account usage data comprises collecting application media configuration; and wherein for a first fraud rule, detecting a sub-account using application media files identical to media files used by at least a second sub-account.

3. The method of claim 2, wherein detecting a sub-account using application media files identical to media files used by at least a second sub-account comprises calculating fingerprints of media files encountered during a communication session; and identifying corresponding media file fingerprints in two sub-accounts.

4. The method of claim 2, wherein receiving sub-account usage data comprises collecting application uniform resource identifiers (URIs) mapped to communication endpoints of a sub-account; and wherein for a first fraud rule, detecting corresponding application URIs configured in at least two sub-accounts.

5. The method of claim 2, wherein receiving sub-account usage data comprises collecting payment mechanism configuration of the sub-account; and wherein in response to a first fraud rule, detecting diversity of payment mechanism in a sub-account.

Patent History
Publication number: 20140226803
Type: Application
Filed: Apr 15, 2014
Publication Date: Aug 14, 2014
Patent Grant number: 9270833
Applicant: Twilio, Inc. (San Francisco, CA)
Inventors: Adam Ballai (San Francisco, CA), Robert C. Hagemann, III (San Francisco, CA), Daniel Zarick (San Francisco, CA)
Application Number: 14/253,316
Classifications
Current U.S. Class: Fraud Detection Or Control (379/114.14)
International Classification: H04M 15/00 (20060101);