TaCode Fraud Control

TaCode Tuesdays: Fraud Control in Voice and SMS Applications [Part 2]

Welcome back to TaCode Tuesdays! This is the only place you can find snippets of code for use in your very own text/voice apps, along with a weekly dose of taco puns. I’m a developer here at Zang and not only am I a big fan of tacos (if that wasn’t already apparent), I’m also a fan of open source. My goal is to share a new app idea each week that you’re free to use “as is” or modify and use as the basis for your next app
Last week, I started to talk about Fraud Control within your own iOS SMS and voice apps—you can check out Part 1 here and as always, if you’d like to learn how to get started on Zang, take a look at our very first post

Anyways let’s get get right back to it—we’re picking up after step 2, where I detailed how to setup your ATS (App Transport Security) enabled networking code.
3. Setup your RESTful API call
3.1 Create a Swift method for HTTP ‘POST’ using ‘NSURLSession’.
‘NSURLConnection’ was already deprecated in iOS 9 and has been replaced by ‘NSURLSessionDataTask [[NSURLSession sharedSession] dataTaskWithURL:completionHandler: NSURLResponse. Note that NSError’ is not required if you target iOS 8.

// Zang API: Block Destination
// URL: https://api.zang.io/v2/Accounts/:{AccountSid}/Fraud/Block/:CountryCode.json
// Where: CountryCode.json – is your list of restricted items for outbound calls and SMS to some destination
 
func postData() {
     // Initialise session with Zang
     let postEndpoint: String = “{https://api.zang.io/v2/Accounts/:{AccountSid}/Fraud/Block/:CountryCode.json}” <– call to Zang
     let url = NSURL(string: postEndpoint)!
     let session = NSURLSession.sharedSession()
 
     //Fill up the necessary parameters
     let postParams : [String: AnyObject] = [“MobileEnabled”: “true”,
          LandlineEnabled: “true”,
          SmsEnabled: “true”
     ]
 
     // Make the request
     let request = NSMutableURLRequest(URL: url)
    // Set type of method in this its http POST
    request.HTTPMethod = “POST”
    request.setValue(“application/json; charset=utf-8”, forHTTPHeaderField: “Content-Type”)
//swift error handling using do-catch, be mindful that pedantic type of error handling //similar to ‘Java’ is not recommended.
//the idea behind defining your own error types is to let you centralize things on your //code.
;”>do {
          request.HTTPBody = try NSJSONSerialization.dataWithJSONObject(postParams, options: NSJSONWritingOptions())
          print(postParams)
     } catch {
          print(“bad things happened”)
     } catch Default { print(“ unrecoverable error”)}
 
// We fetched the information from the web service and wanted to be notified when it’s finished. Swift provides the ‘completionHandler’
 
     session.dataTaskWithRequest(request, completionHandler: { ( data: NSData?, response: NSURLResponse?, error: NSError?) -&gt; Void in
          // ensure we get the response
          guard let realResponse = response as? NSHTTPURLResponse where
               realResponse.statusCode == 200 else {
               print(“Not a 200 response”)
               return
          }
 
          // Parse the JSON thats been fetch coming from the RESTful API
          if let postString = NSString(data:data!, encoding: NSUTF8StringEncoding) as? String {
               // prints out the response data coming from the Zang API
               print(“POST: ” + postString)
               self.performSelectorOnMainThread(“updatePostLabel:”, withObject: postString, waitUntilDone: false)
          }
 
     }).resume()
}

strong>3.2 Below is the expected result of a successful web service call to Zang ‘Block destination’ API

     {
          “blocked”: {
          “is_lock”: false,
          “mobile_enabled”: true,
          “landline_enabled”: true,
          “date_updated”: “Wed, 05 Nov 2014 15:14:34 -0000”,
          “country_code”: “HR”,
          “sid”: “FRbf8890849dc9b2ff6540bebYzLnD823jLmn”,

          “country_name”: “Philippines”,

          “date_created”: “Wed, 05 Nov 2014 15:14:34 -0000”,
          “sms_enabled”: true,
          “country_prefix”: “+63”
          }
     }

Other than this, you can also code your application to have an outbound call threshold upon reaching a certain monthly spend. The threshold can be in a form of an alert wherein an in-app notification or an email can be sent informing the customer that their account is close to consuming its full credit line. Outbound calls can also be automatically cut once the pre-defined threshold has been reached. But this is another topic for a future blog.

Network Security

Hardening network security through voice and data firewalls, penetration testing, and adoption of industry standards in security is our last recommendation to protect your voice and SMS applications from fraud

Voice firewalls logs monitor and control all inbound and outbound activities on a per call basis through a call access control (CAC) that is user-defined. Through this solution, data and network penetration, attacks on telephony systems and other infrastructure, unauthorized internet sessions, long distance abuse, and other forms of line disruption can be prevented. The diagram below shows how this is implemented.

Figure 1: Network Architecture – Voice and Data Firewall

This network architecture shows how Voice and Data firewall can be implemented together with Zang PaaS to securely run a voice and messaging application – or any application for that matter which makes use of Zang APIs. Essentially, the Voice and Data firewall works as an additional layer of protection to perform real-time security for voice/unified communications (UC) and modem connection backdoors through unsecured phone lines. According to Gartner 2016 magic quadrants, industry leaders in Voice firewalls are: AhnLab, Check Point Software Technologies, Cisco, and Dell SonicWALL.

Protection is Crucial

Protecting voice and messaging applications from fraud can be challenging most especially at the age of cloud computing. There are generally three ways to secure your systems and applications: through PBX, trunk line, and network hardening. Some of the safeguards can be acquired from PaaS or software as a service (SaaS) offerings such as network and data firewalls; but some security measures have to be native to your application, like block listing or white listing through certain APIs like those offered by Zang. Another thing that you can do is establish secure application business rules like preventing calls from premium numbers and disallowing switch-to-switch voice mail transfer. Regardless of the method, it’s crucial that you take the steps to protect your voice and SMS applications from fraud.

Well, that’s it for now! If you have any thoughts about the app or just want to share your own taco-related thoughts, you can comment below. I’ll be back in TWO weeks with another installment of TaCode Tuesday.