COMPAQ Software Product Description ___________________________________________________________________ PRODUCT NAME: Compaq Fraud Management System, SPD 61.40.04 Version 6.1 DESCRIPTION Compaq Fraud Management System is a fraud detection, analysis, and decision support application for both fixed line and wireless telecommunications service providers. Fraud Management System detects and analyzes fraud and recommends fraud counteractions. Fraud Management System serves as an assistant to fraud management personnel. Fraud Management System detects fraud by reading and analyzing the same stream of call detail records that is used for billing purposes. As part of its detection function, Fraud Management System builds usage profiles and tracks current usage both at the service or customer level, and optionally at the individual number level (for services with multiple numbers). Fraud Management System detects anomalies within the data and automatically generates alarms. Fraud Management System then analyzes these alarms and identifies likely fraudulent behavior. This information is then presented to a fraud analyst in case form using a window-based graphical user interface. Fraud Management System can be customized by defining parameters based on the unique business and operator policies. Fraud Management System uses these parameters to prioritize fraud and define recommenda- tions for counter-actions. These parameters determine the behavior of the Fraud Management System's case management and decision support features in instances of suspected fraud. Fraud Management System can link definable actions to specific fraud types. Actions can be changed at any time, activated automatically, or suppressed if manual review is preferred. May 1999 AE-R0M5E-TE FEATURES Call Detail Record Handling Fraud Management System processes volumes of call detail records in accordance with the needs of the large telecommunication service providers. Call detail records are stored temporarily in a buffer. The size of the call buffer is determined by customer requirements as part of the installation process. Call detail records in the buffer are used to establish the chronology of calling behavior and provide quick access to immediate history. The buffer also protects against data loss in the event of an unplanned system shutdown. Data Reduction Fraud Management System eliminates extraneous data from the fraud management process. Data that is not relevant for fraud management purposes is filtered in two stages leaving only fraud-related data for detailed analysis and presentation to the users. In the first stage, the set of all call detail records is filtered to produce the subset from which the detection mechanism generates alarms. In the second stage, the Fraud Management System assesses the alarms to produce a still smaller subset of data that is arranged into cases. Detection Detection is achieved through a variety of techniques. Each technique can be tuned with user-accessible parameters to reflect the business policies of the operator. The detection techniques employed include: o Threshold - observed behavior is checked for breach of any of a series of thresholds for duration of calls, number of calls, or cost of calls. Thresholds are applied for operator-defined customer groups, for any types of calls desired by the operator. o Call Collision/Overlap - incidence of two or more concurrent calls from a single customer is detected. o Geography - detects unlikely travel times indicated by a series of two or more calls originated within a given period of time from geographically separate points by a single customer. 2 o Call Patterns - operator-defined values for any field or fields in the call detail record that indicate fraud. Any call detail record matching the specified pattern is detected. The operator can create, maintain or change patterns. o Service Patterns - operator-defined values for any field or fields in the customer data that indicate fraud. Any service record match- ing the specified pattern is detected. The carrier can create, main- tain, or change patterns. o Unknown Customer and Suspension Checking - detect calls made by an unknown customer, as well as any calls in violation of known suspension levels currently in place for a customer. o Profile Comparison - potentially fraudulent behavior is compared to the customer's normal usage profile to avoid false positive iden- tification. Profile comparison is conducted on an individual ser- vice level, and optionally at the number level (for multiple-number services). o Destination Tracking - the system keeps a history of calling pat- terns for each customer. Calls made to operator-specified country and area/city codes not within the customer's normal calling pat- tern are evaluated as indicators of potential fraud. o Black List Checking-the system compares all calls with up to five operator-defined black lists, including dialed digits, equipment number, etc. Any call that matches entries on the black lists is detected as an indicator of potential fraud. External Alarms Interface to allow Fraud Management System to analyze alarms gener- ated outside of Fraud Management System. Examples include SS7 surveil- lance systems, pre-call registration, subscriber credit scoring, etc. Integration with external systems is determined based on unique operator requirements. 3 Profiling Fraud Management System builds and maintains usage profiles for every customer of the operator. Profiles are based upon a period of observed behavior that is determined based upon operator requirements. o Service-level Profiling-The profile includes information about call frequency, call times, domestic or international calling, call duration, calls to specific codes, and wireless home/roaming behavior, as required and defined by the operator. o Number-level Profiling-Because subscribers in wireless GSM networks often have multiple numbers (for voice, FAX, data, etc.), Fraud Management System will optionally track usage at the individual number level within a given service. Partitioning Fraud Management System allows the installation to divide up the customer base into subsets that can be managed as a group. An operator may choose to define partitions based on region, market, or network. Additionally, customers for multiple (perhaps competing) operators can be maintained in the same Fraud Management System installation with complete data separation and confidentiality. Worklists Fraud Management System creates a set of cases of suspected fraudu- lent activity that must be reviewed by Fraud Analysts. An analyst will have a personal worklist, and may also share a worklist within a group of analysts. Fraud Analysts review cases that appear on their work- list. As cases of suspected fraud are created by the system, they are placed onto a worklist for the appropriate person or group, as spec- ified by the operator. An operator may choose to route a case to a par- ticular worklist for reasons of case specialization, security, etc. Rule Editor Fraud Management System relies on a rule-based system (often called an expert system) to perform the detailed analysis of a customer once any suspicious activity is detected. A graphical editor is provided 4 for the operator to view the rules pre-defined in the Fraud Management System, make changes to these rules, or define additional rules which customizes the analysis, findings, suggested actions, and worklist assignments based on the policies and procedures of the operator. Decision Support Fraud Management System compiles all data related to an instance of suspected fraud into a case. Based on parameters reflecting operator business policy, Fraud Management System prioritizes cases and recommends appropriate counter-action. These actions can be automatically or manually activated. Fraud Management System provides supporting details for its recommendation which the Case Manager can review on demand. 5 Customer Information System Interface Fraud Management System has an interface that allows it to read information directly from the customer administration or billing system. The customer information made available within Fraud Management System for use during case analysis can be customized. Operator-specific Parameters Fraud Management System conducts its detection, analysis, and recom- mendation tasks in accordance with system settings and parameters. Fraud Management System allows the operator to change settings governing detection techniques, detailed analysis, policies, and recommendations. Security Only defined users may have access to Fraud Management System. Access for all users is password protected. Fraud Management System provides four types of secured functional access: o Case Manager - basic analyst access. o Knowledge Manager - access to parameters that define fraud manage- ment policy. o System Manager - access to parameters for system configuration and application tuning. o Security Manager - access to user and security administration. INSTALLATION REQUIREMENTS Fraud Management System should be installed by qualified Fraud Management systems integration professionals only. The prerequisite systems integration activities and installation processes include steps for: o defining fraud management policies so they can be reflected in system settings and parameters o integration with a source of call detail records, including deploy- ment of software to perform call detail record format conversion 6 o integration with a source of customer or line information, such as a customer care or billing system o identifying, planning, and implementing any required integration and customization o user training and organizational acceptance HARDWARE REQUIREMENTS Platforms Supported Fraud Management System is installed on a central server that is accessible by desktop clients via TCP/IP. Server: Fraud Management System is deployed on 64-bit Compaq AlphaServer platforms. Supported platforms include any Compaq AlphaServer system running Compaq Tru64 UNIX. Processor and memory requirements are determined by several factors, including the size of customer base and call volumes to be processed. Desktop Client: The desktop device must be a Windows 98, Windows NT (Version 4 or later), or Windows 95 display. The desktop clients access the server's database using ODBC technology. Disk Space Requirements Disk requirements are determined on an operator by operator basis. SOFTWARE REQUIREMENTS o Server operating system: Compaq Tru64 UNIX Version 4.0E or later o Client operating system: Microsoft Windows 98, Windows NT V4.0, or Windows 95; with Internet Explorer 4.0 o Database software: Informix Dynamic Server V7.3 or Oracle 8 o ODBC software: OpenLink Software, Inc. ODBC Enterprise Edition V3.0 (license only) 7 SOFTWARE LICENSING This software is furnished only under a license. This product does not provide support for the Compaq Tru64 UNIX License Management Facility. A Product Authorization Key (PAK) is not required for installation or use of this version of the product. The following terms supersede the standard Concurrent Use License terms: The telecommunications provider (company using the software) must purchase a single Concurrent Use License for Fraud Management System for each of their customers being analyzed, such that the number of Con- current Use Licenses is always equal to or greater than the number of customers. A customer is a wireless subscriber or a user of a fixed line or service, who has purchased the services of the provider. The Concurrent Use License permits the provider to deploy the Fraud Management System onto any number of systems. Each Concurrent Use Update License for a subsequent version of the product requires an underlying initial Concurrent Use License. GROWTH CONSIDERATIONS The minimum hardware and software requirements for any future version of this product may be different from the requirements for the current version. DISTRIBUTION MEDIA CD ROM (write once compact disc) YEAR 2000 READY This product is Year 2000 Ready. Year 2000 Ready is defined: "Year 2000 Ready" products are defined by Compaq as products capable of accurately processing, providing, and /or receiving date data from, into and between the twentieth and the twenty-first centuries, and the years 1999 and 2000, including leap 8 year calculations, when used in accordance with the associated prod- uct documentation and provided that all hardware, firmware and soft- ware used in combination with such products properly exchange accu- rate date data with the products. SOFTWARE WARRANTY This software is provided by Compaq with a 90 day conformance warranty in accordance with the Compaq warranty terms applicable to the license purchase. ORDERING INFORMATION Software Licenses: Fraud Management System for Compaq Tru64 UNIX Concurrent Use Licenses (tiered by number of telecommunications providers' customers): QL-5HHAM-3C Concurrent Use License to 25,000 subscribers QL-5HHAM-3D Concurrent Use License to 50,000 subscribers QL-5HHAM-3E Concurrent Use License to 75,000 subscribers QL-5HHAM-3F Concurrent Use License to 100,000 subscribers QL-5HHAM-3G Concurrent Use License to 150,000 subscribers QL-5HHAM-3H Concurrent Use License to 300,000 subscribers QL-5HHAM-3J Concurrent Use License to 500,000 subscribers QL-5HHAM-3K Concurrent Use License to 750,000 subscribers 9 QL-5HHAM-3L Concurrent Use License to 1,000,000 subscribers QL-5HHAM-3M Concurrent Use License to 1,250,000 subscribers QL-5HHAM-3N Concurrent Use License to 1,500,000 subscribers QL-5HHAM-3P Concurrent Use License to 2,000,000 subscribers QL-5HHAM-3Q Concurrent Use License to 3,000,000 subscribers QL-5HHAM-3R Concurrent Use License to 5,000,000 subscribers QL-5HHAM-3S Concurrent Use License to 9,000,000 subscribers QL-5HHAM-3T Concurrent Use License to 17,000,000 subscribers Fraud Management System for Compaq Tru64 UNIX Concurrent Use Update Licenses (tiered by number of telecommunications providers' subscribers): QL-5HHAM-5D Concurrent Use Update License to 50,000 subscribers QL-5HHAM-5E Concurrent Use Update License to 75,000 subscribers QL-5HHAM-5F Concurrent Use Update License to 100,000 subscribers QL-5HHAM-5G Concurrent Use Update License to 150,000 subscribers QL-5HHAM-5H Concurrent Use Update License to 300,000 subscribers QL-5HHAM-5J Concurrent Use Update License to 500,000 subscribers 10 QL-5HHAM-5K Concurrent Use Update License to 750,000 subscribers QL-5HHAM-5L Concurrent Use Update License to 1,000,000 subscribers QL-5HHAM-5M Concurrent Use Update License to 1,250,000 subscribers QL-5HHAM-5N Concurrent Use Update License to 1,500,000 subscribers QL-5HHAM-5P Concurrent Use Update License to 2,000,000 subscribers QL-5HHAM-5Q Concurrent Use Update License to 3,000,000 subscribers QL-5HHAM-5R Concurrent Use Update License to 5,000,000 subscribers QL-5HHAM-5S Concurrent Use Update License to 9,000,000 subscribers QL-5HHAM-5T Concurrent Use Update License to 17,000,000 subscribers Media and Documentation Sets: QA-5HHAA-H8 Media (CD ROM) & Hardcopy Documentation Kit QA-5HHAA-GZ Hardcopy Documentation Only Kit [TM] AlphaServer is a registered trademark of Compaq Computer Corporation. [R] UNIX is a trademark of the Open Software Foundation. [R] Windows 98, Windows NT, Windows 95, and Internet Explorer are trademarks of Microsoft Corporation. © 1999 Compaq Computer Corporation. All rights reserved. 11