Canadian Security Magazine

How Bell Canada is keeping tabs on telecom fraud

Jennifer Brown   


Telecom fraud is keeping Gaétan Houle busy these days. Over the course of the last year the problem has increased almost 20 per cent thanks to the recession and an increase in the involvement of organized crime.

“Where telecom fraud is going right now is phenomenal — the recession
has increased the volume of telecom fraud significantly,” says Houle,
vice-president of corporate security at Bell Canada. “In North America
we’re looking at between US$72 and $80 billion a year in
telecommunications fraud loss.”

Those numbers are based on a 2009 survey conducted by the
Communications Fraud Control Association. Bell has seen an increase in
several kinds of fraud this year, including a new type where hackers
will actually open up Bell interconnection boxes in residential streets
and, with electronic devices, connect several lines in parallel.

They were able to stay below Bell’s radar by spreading the fraud over several lines at once.

“It took us a while to pinpoint how this was happening. It increased
our total fraud by a factor of six until we discovered and cut the line
before it started,” he says.

Criminal gangs are increasingly using phone hacking as a way of setting
up their own cut-rate telephone services, which they sell on the black
market to buyers ranging from other criminals to illegal immigrants and
refugees.

Generally speaking, he says, telecom fraud is up 15 to 20 per cent. In Canada, the victims have mainly been customers that have been
defrauded by hackers looking to steal identities through subscription
and ID theft.

“These are people who will show up at our stores or call 310-Bell with
no intention of paying for services. They will use a false identity and
when we bill them we never receive any money back — it’s subscription
fraud and by far the most prevalent type of fraud,” he says.

The second most popular type of telecom fraud is not as well known but
represents about 20 per cent of all fraud Bell deals with — PBX voice
mail hacking.

“A lot of small companies have a PBX and don’t have the knowledge to
secure it properly and it gets attacked by hackers who will make long
distance calls overnight to countries abroad,” explains Houle.

A hacker making a long distance call is usually connected to organized
crime. They will put a PBX in front of that PBX and essentially sell,
at a cut rate, long distance calls abroad to criminal networks using
small companies’ systems. The companies only realize they’ve been
defrauded when they receive their bill. This year a small law firm made
headlines when it was defrauded of over $200,000 in one weekend alone.

“The company was accusing us of having insecure networks but we were
able to prove to them that it was their PBX that was not secure,” says
Houle. “Small companies who get defrauded that way get their bill and
they can’t pay. If we take them to court to force them to pay they go
bankrupt so either way we don’t get paid.”

The only recourse is for Bell, Telus and other telephone companies to
get better at detecting these types of fraud and this is what Houle and
his team are focused on right now.

“We are also going one step further and will be providing security awareness campaigns for our customers,” he says.

Spam also remains a huge headache for Bell and its customers.

“Right now the number of spam messages is out of control. About 93 per
cent of all emails sent to Bell Internet customers through Sympatico
are spam or virus messages. We filter that before it reaches the
customer, but still there is a lot of spam going on. We are the victims
of spam and so are banks where hackers will use our brand. They tell a
customer there is something wrong with their account and tell them to
go to that link and enter their password and this goes on all the
time,” he says.

When Bell knows this kind of spam is going on it blocks the web address
individuals are being directed to, but it takes a while for that to
kick in.

“There’s always a couple hundred people who will fall into the trap so
we are investing in new equipment on brand protection and we are
considering offering that service to our customers such as the banks,”
he says.

Converged portfolio

Houle, who has a bachelor of electrical engineering from the Royal
Military College and the CISSP certification, is responsible for all
aspects of security for Canada’s largest telecommunications company.

“It’s one throat to choke as we like to say,” says Houle from his office in Montreal.

He is one of the few in the country who hold both physical and IT security within the portfolio of corporate security.

He came to Bell from European Aeronautic Defence and Space (EADS) where
he was responsible for all aspects of security. Before that he was
Chief Security Officer at Bombardier Aerospace for four years. His
background is with Foreign Affairs and DND; he began his career in the
Canadian Armed Forces where he was a Captain specializing in

“At Bombardier, physical security and IT security were separated. Given
my background, after a year I went in as head of IT security and then
they gave me physical security. Four years later when I left they
couldn’t find anyone to replace me and separated the two again,” says

As many say, tough economic times often produce opportunities to
acquire new skills when organizations downsize. For Houle, that was
certainly the case. He says gaining the skills required to handle both
physical and IT security under one group came as a result of tough
economic times when he worked for the federal government.

“It’s very difficult for people to gain experience in both. In my case
it wasn’t a choice. When I was in charge of IT security at Foreign
Affairs, (Prime Minister) Jean Chrétien reduced the workforce in the
public service by thousands and people around me lost their jobs. I
inherited corporate security and it was either sink or swim. I looked
at it as an opportunity and they put more on my plate but it was a
learning experience for sure,” he says.

At Bell he is responsible for IT security, physical security, telecom
fraud detection, security investigations, access control and identity
management, fraud detection, business continuity, emergency response,
records management and working with law enforcement agencies.

“Law enforcement agencies really depend on us — we receive on average
about 250,000 requests a year to support their investigations to do
wire taps and respond to warrants,” he says.

Unfortunately, many big police districts refuse to pay for these services.

“I have 12 people dedicated to supporting law enforcement,” he says.

His total staff count within the corporate security department is 142 — about 50 are unionized, the rest are management.

“I’m surrounded by top guns. I’ve been in security 24 years and they are the best I’ve ever had.”

Apart from wrestling with telecom fraud, his other main challenge these
days is planning the security requirements for the
telecommunications infrastructure required at the 2010 Winter Olympics
in Vancouver.

“My responsibility is to secure the telecom infrastructure supporting
the Olympics and that includes IP security and the Olympic portal.
During the Turin Winter Olympics four years ago the portal went down
for 26 hours — it was hacked, so we want to make sure that doesn’t
happen,” he says.

The Vancouver 2010 Winter Olympics will be the first 100 per cent IP
Olympics — creating an opportunity for hackers to make their point.

“The focus is big on IT security and we’ve entered into all levels of
testing. We are also dealing with access management and we don’t want
to be in the position of managing keys at the Olympics. Some of our
partners like the VANOC technicians will need a fully electronic access
management system,” he says.

As a critical infrastructure body, Bell is working closely with the RCMP in pre-event exercises.

“We will be deploying about $18 million worth of communications
equipment just for the Olympics so we have an interest in ensuring we
can recoup this equipment and make sure it doesn’t get stolen or lost.
We have developed a security awareness program just for the Olympics
and so if there is a breach of security, who do you call? And that has
to be intertwined with our partners,” he says.

Bell is also developing a large program for executive protection for
the 1,000 VIP guests they will be hosting and housing at the games.  

“There have been some activists targeting the big partners such as RBC,
Bell and so on so we’re working closely with CSIS and the RCMP
to be ready. We expect some vandalism but it won’t be big enough to
disrupt telecommunications, but there will be a lot of protests. For
the most part though, all they want to do is be in front of the camera
— the list of groups that will protest are fairly known and not
terrorists, just activists.”
