A2Billing, blind transfer and fraud

If you use A2Billing and allocate SIP account details to your customers you want to ensure that they are not able to do blind transfers.

The way A2Billing works is that when a SIP customer makes a call, the a2billing.php script is run and the billing process is started. Once the call is complete, the a2billing script generates the A2Billing call record. It does not rely on the Asterisk CDR records at all.

However, if the SIP customer does a call transfer (blind transfer / SIP REFER message) while the call is in progress, then it’s possible for them to make a call to a more expensive destination, which A2Billing does not ‘see’. This way you can end up with very short calls to inexpensive destinations in your A2Billing CDRs, but very long, expensive calls in your call provider’s CDRs!

Worse is the fact that if FreePBX is also installed on the same machine it sets the default transfer context (TRANSFER_CONTEXT) to from-internal-xfer, which allows the call to happen.

The only solution I’m aware of at the moment is to add:

allowtransfer=no

to /etc/asterisk/sip_custom.conf. Setting “allowtransfer=no” on the individual customer SIP account does not appear to work, at least not with Asterisk 1.8.4.

If in doubt please test and ensure that your A2Billing customers cannot do blind transfers.
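The mismatch described above (short cheap calls in A2Billing, long expensive ones at the carrier) can be checked for by reconciling the two sets of records. The following is an added example, not part of the original post or of A2Billing; the record field names, the thresholds and the sample data are assumptions constructed for illustration, and destinations are assumed to be normalised to the same number format on both sides.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records. The field names are assumptions made for this
# example; map them from your A2Billing call table and your carrier's CDR export.
A2B_CALLS = [
    {"account": "1001", "start": "2011-06-01 10:00:05", "dst": "442071234567", "secs": 12},
    {"account": "1002", "start": "2011-06-01 10:05:00", "dst": "33123456789", "secs": 300},
]
CARRIER_CALLS = [
    {"start": "2011-06-01 10:00:06", "dst": "442071234567", "secs": 12},
    {"start": "2011-06-01 10:00:15", "dst": "88216000000", "secs": 5400},
    {"start": "2011-06-01 10:05:01", "dst": "33123456789", "secs": 302},
]


def _ts(rec):
    return datetime.strptime(rec["start"], FMT)


def reconcile(billed, carrier, skew=10, slack=15, window=120):
    """Flag carrier legs with no A2Billing record, or billed too short.

    skew:   max start-time difference (s) for two records to be the same call
    slack:  tolerated duration difference (s) before a call counts as underbilled
    window: how far back (s) to look for billed calls that may have spawned
            an unbilled leg (heuristic, gives suspects rather than proof)
    """
    findings, unused = [], list(billed)
    for leg in carrier:
        t = _ts(leg)
        match = next((b for b in unused if b["dst"] == leg["dst"]
                      and abs((_ts(b) - t).total_seconds()) <= skew), None)
        if match is None:
            suspects = sorted({b["account"] for b in billed
                               if 0 <= (t - _ts(b)).total_seconds() <= window})
            findings.append(("UNBILLED", leg["dst"], leg["secs"], suspects))
            continue
        unused.remove(match)
        if leg["secs"] - match["secs"] > slack:
            findings.append(("UNDERBILLED", leg["dst"],
                             leg["secs"] - match["secs"], [match["account"]]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(A2B_CALLS, CARRIER_CALLS):
        print(finding)
```

Any UNBILLED finding is a carrier leg that A2Billing never recorded, which is what a transferred call looks like from the billing side.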

 

7 thoughts on “A2Billing, blind transfer and fraud”

  1. Ubunter

    Hello,
    Pay attention that with Asterisk 1.8, when you switch to realtime, Asterisk no longer reads the sip.conf file, so update the DB cc_sip_buddies and add a new field as allowtransfer=no…
    Also add the W in the dialcommand, to ignore any transfer request. We use this dialcommand: ,60,LIW(%TIMEOUT(absolute)=3600%:60000:30000))

    Regards,

  2. DSA

    W: Allow the calling user to start recording after pressing *1 or whatever is defined in features.conf
