By: Colin Ayer, Ph.D
Your telecom costs were already too big for your burgeoning business, but being slapped with a $20,000 bill because you weren’t paying attention to abuse of your own telecom infrastructure hurts your profit margins even more. How did they do that and how do you stop it?
As the world increasingly moves toward IP communications and hosted PBXs, VoIP services have become a fertile hunting ground for fraudsters who attack your business, steal your telecom services, and rack up bills you’d rather not pay. This is being done by organized, tech-savvy telecom fraudsters who illegally access your PBX, either by stealing credentials, through an unsecured maintenance port or via an unprotected Direct Inward Dial (DID) account. These fraudsters can then steal expensive long-distance service, re-sell that service to third parties, or just pump their own traffic to an International Revenue Share Fraud number, using your enterprise PBX as a gateway. What makes this type of fraud so detrimental is that it is often discovered long after the fact, alerted only by a highly-inflated phone bill. The criminals are careful to break into your PBX after everyone has gone home for the weekend, and are constantly searching for a new system to tamper with when the next weekend rolls around. VoIP systems like yours are constantly being probed for open ports and other security weaknesses. Perhaps even more damaging are the potential legal ramifications of disputing fraud-related charges with your carrier or other partner, debating over which party is ultimately responsible. This wastes your time and money, and can negatively affect your partner relationship.
Why has this type of fraud increased over the past several years, and why have companies deployed new technology to help fight it? Because the move to VoIP and the global reach of the internet has made it all too easy for the perpetrators to reach and cause damage to enterprises all over the world while also making themselves very hard to track down and prosecute. While the larger carriers commonly have expensive and complex fraud protection systems in place to alert them to fraudulent activity, smaller businesses often use local carriers, which may not yet have been the target of an attack and who probably don’t have those sophisticated fraud detection solutions in place. PBX hacking is one of the most popular methods of perpetrating telecom fraud. In 2013, hacking of IP PBXs was used in schemes that siphoned off $3.6 billion of global telecom revenue, with an additional $4.4 billion related to more traditional PBX installations, according to the bi-annual survey from the Communications Fraud Control Association. Unfortunately, legal action isn’t always the most effective remedy to combat fraudsters. Attempting prosecution is not only very costly, it is very difficult to find and prosecute criminals who are hiding behind multiple layers of internet redirection across multiple international borders.So if legal action isn’t the answer, what is the best way forward? An ounce of prevention is worth a pound of cure (said Ben Franklin) and there are several simple and effective ways to safeguard both your business and your profit margins:
The strength of your security is determined by the weakest link. Go through the entire security chain looking for weaknesses. How did those phones get provisioned? Don’t use TFTP which can send unencrypted passwords across your network. How did the passwords get chosen? If your PBX can enforce strict password rules, make sure it does. I bet those phones have a web interface, probably admin/admin will do the trick! Is your local network physically secure? Are you sure? Keep your network infrastructure current with all the latest security updates and patches. Put rules in place on who can call which numbers when. Premium Rate, really? Fraudsters target companies at the weekend when nobody is looking. If your company never calls (pick your favorite expensive per-minute calling destination), then make sure this is noted and alerting rules are put in place.