Channel 4 recently reported a news story about a complex phone hacking scam which cost a local authority £30,000. The scam involved hackers using “war dialling” software, which allowed them to access the organisation’s voicemail and then somehow to make calls using its exchange. The calls to premium rate numbers were made on Christmas Day and Boxing Day, and what made this so lucrative was that the revenue-generating numbers were owned by the hackers themselves. The local authority was contractually obliged to pay the bill. It has subsequently secured its system and is now urging others to do the same.

Toll Fraud

Victims of phone system hacking and fraud on this level can be large organisations, small to medium-sized businesses or public sector bodies, but the National Fraud Intelligence Bureau is warning schools, charities, and medical and dental practices to be vigilant due to a rise in reports of targeted hacking in this sector. Toll fraud usually happens at a time when the organisation is most vulnerable, in other words when the office is closed but the phone system is not: late at night or in the early hours, or on bank holidays and weekends. These attacks happen mainly due to flaws in the security configuration of the system. VoIP-based systems may be especially vulnerable because they are connected to computer networks and can therefore be exposed to a larger number of attack vectors. With call fraud totalling up to £900m in the UK in 2014, quite often the first time the victim is aware of it is when he or she receives their bill.

Protecting a VoIP system

The reality is that a VoIP System does represent a secure telephony solution if you take the following simple steps:

•    Use strong passwords and change them at regular intervals; it might sound obvious, but change any default passwords. This should be implemented across all extension endpoints, management interface logins, SIP Trunks, and the voicemail system.
•    Disable external access to the voicemail system. If access from outside is essential to running the business, ensure that users change their passwords regularly.
•    Make sure the voicemail system doesn’t allow a caller to press buttons and reach a dial-tone.
•    If you do not call international and premium numbers, ask your telecoms provider to restrict them.
•    When the business is closed you could consider asking your provider to disallow certain outbound calls.
•    Ensure that access and rights are revoked from members of staff who leave, and provide the minimum level of access necessary on an individual employee basis.
•    Ensure that you regularly review call logs and bills and act promptly if you spot any irregular activity.
•    Ask your service provider if they offer fraud monitoring services in the form of spend thresholds and monitoring irregular call activity. Remember, fraud monitoring is not fraud prevention, and should be considered as a warning for you to investigate.
•    When selecting a telecoms service provider, look out for any additional levels of security they offer in the form of firewalls and call encryption. Preventing unilateral eavesdropping is always a good idea. Your service provider might have a special secure solution.
•    Do not connect your phone system to the Internet without fully understanding the consequences of doing this and carrying out a risk analysis.
•    Do not use a VoIP SIP Trunk provider that mandates the use of public IP addresses on your phone system.
•    Do not use a VoIP SIP Trunk provider that recommends setting up port forwarding. This is the same as putting a public IP address on your phone system and makes it reachable from the Internet.
•    If you have remote extensions that use the Internet to reach the main office PBX, then use a VPN or consider outsourcing the remote extensions to a service provider.
•    Make sure the phone system software is kept up to date. This is known as software patching.
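
The call log review recommended in the list above can be partly automated. The following is an added example, not code from the original article: it flags calls to premium rate or international numbers made while the office is closed. The CDR column layout, opening hours, holiday list and number prefixes are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample CDR export; the column layout is an assumption, real PBX exports differ.
SAMPLE_CDR = """start,extension,dialled,duration_s
2014-12-23 10:15:00,201,01632960123,180
2014-12-23 14:05:00,202,0012025550143,240
2014-12-25 02:10:00,205,09098790100,3540
2014-12-25 03:12:00,205,09098790100,3600
2014-12-26 11:00:00,205,0012025550143,2900
2014-12-27 09:30:00,203,07700900123,60
"""

# Assumed site policy: open Mon-Fri 08:00-18:00, closed on the listed holidays.
OPEN, CLOSE = time(8, 0), time(18, 0)
HOLIDAYS = {date(2014, 12, 25), date(2014, 12, 26)}
# Assumed UK dialling prefixes treated as high risk; adjust to your own dial plan.
HIGH_RISK = {"09": "premium rate", "00": "international", "+": "international"}

def destination_class(dialled):
    """Return the high-risk class of a dialled number, or None."""
    number = dialled.replace(" ", "")
    for prefix, label in HIGH_RISK.items():
        if number.startswith(prefix):
            return label
    return None

def office_closed(ts):
    """True outside opening hours, at weekends and on listed holidays."""
    return ts.date() in HOLIDAYS or ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)

def review_cdr(cdr_text):
    """Return (alerts, seconds_per_extension) for high-risk calls made while closed."""
    alerts, seconds = [], defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        label = destination_class(row["dialled"])
        if label and office_closed(ts):
            alerts.append((row["start"], row["extension"], row["dialled"], label))
            seconds[row["extension"]] += int(row["duration_s"])
    return alerts, dict(seconds)

if __name__ == "__main__":
    alerts, seconds = review_cdr(SAMPLE_CDR)
    for alert in alerts:
        print("ALERT", *alert)
    print("Out-of-hours high-risk seconds per extension:", seconds)
```

The weekday international call during opening hours is not flagged, while the Boxing Day call at 11:00 is, because the holiday list overrides the normal opening hours.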

What happens next?

For more information email infosec@voip.co.uk or call our solutions team on 01869 222500

Sources

http://www.channel4.com/news/phone-hacking-scam-costs-uk-businesses-estimated-1bn