Phone fraud – the cost of doing nothing

Convergence of voice, video and data onto a single network presents great opportunities for the Enterprise. These opportunities also bring ever-changing challenges for the IT department – especially as voice becomes another application on the converged network.

The threat of telephony fraud has become significantly more sophisticated. Recent years have seen a fourfold increase in fraudulent activity, with the International Forum of Irregular Network Access estimating that the total cost of telephony fraud worldwide has grown to $80 billion.

This growth can partially be explained by the fact that traditional PBX-based systems have become increasingly targeted by employees or contractors using legitimate features on a switch for illegitimate purposes. Organized crime gangs are also targeting PBXs and using voice communications for criminal activities.

Organizations must therefore remain vigilant to the fraudulent telephony practices that target both traditional PBX and IP based systems, or they will continue to count the costs. Some examples of such practices include:

The abuse of corporate call forwarding - this is an increasingly common practice where an employee forwards their work number to a personal mobile or overseas number, during out of office hours. Friends are then told to call the work line number over a weekend, for example, and the cost of the mobile or overseas call is picked up by the organization.

Additionally, there have been instances of people establishing premium rate phone numbers and then diverting office lines to this number. Calls to the office line, charged at local rate, are then diverted to the premium rate number and the organization is charged accordingly. While some organizations block UK premium numbers, they usually do not know overseas premium rate numbers and increasingly fraudsters are using numbers from areas such as the US or the Middle East. This type of theft, while initially seeming petty, can obviously have a significant effect on corporate telephony costs.

The courier scam – it has been reported that motorcycle couriers, working for gangs of organized criminals, are arriving at receptions with parcels requiring a signature. When the receptionist cannot find the required individual, the fake courier asks to use the phone to check the details, connecting to an overseas premium-rate number billing US$500 a minute. In this case the receptionist has given permission for the phone to be used and there is little or no recourse for the organization.

PBX hacking - fraudsters can break into a traditional PBX if the switch is not properly configured and password usage is not effectively monitored. Should a hacker compromise the PIN and password on a PBX, they can break into a company's telephone system and make anonymous and free telephone calls. By simply raiding an organization's bins, a criminal could potentially locate a company directory that was not properly disposed of and assume the identity of a trusted employee. Once they have assumed a false identity, fraudsters could access the internal directory and obtain other individuals' PIN numbers by posing as maintenance workers.

Fax lines can be similarly exploited in fraudulent money-making schemes. Fraudsters terminate a premium rate number at a fax machine, or a PC with fax software installed and its modem's data transmission rate set as low as possible. Having breached the target PBX, the fraudsters will then "loop" out of it and place calls to the fax machine or fax-enabled PC, racking up large bills to the premium rate number. This type of approach is an attractive scam, not least because fax calls are less likely to be associated with fraud and so will escape the notice of network managers.

The threat to IP networks

The rapid uptake of IP-based systems, with the convergence of voice and data networks, has given rise to a different set of vulnerabilities. These threats are the same as those that affect any IP network including viruses, denial of service attacks, presence theft and interception of communications. Since converged networks handle increased amounts of traffic and support a greater number of applications, the potential damage a hacker can cause also increases. Were a hacker to intercept even a limited number of packets, they could potentially use the information to access confidential data or use stolen credentials to access the voice network.

The recent bombing in Madrid was an example of terrorists using false telephone identities. High-tech investigators from international policing organizations believe that the terrorists dialled into a switch in Paris, transferred out to another local switch (called "looping") to hide their tracks and dialled out, placing a call to the mobile phone that proved to be the detonation device for the bomb. By dialling through three switches they covered their trail, a process that would have been made very difficult had stringent security controls been in place.

Combating the threat

Preventative measures do exist to combat telephony fraud. Voice is a critical application and needs to be treated as such. This means practising good network management, including:

  • ensuring that the switch is configured properly and password management processes are in place.
  • having a system to ensure employee PIN numbers and passwords are regularly changed.
  • putting in place rules for assigning permissions, analysing roles and deciding the call access required, e.g. who is able to make international calls.
  • establishing a system for managing the life cycle of individual identities. As soon as an employee leaves the organization their extension, voicemail, passwords and PIN numbers should be de-activated.
  • assigning a number outside your DDI range (or a non-geographic number) for your maintenance port and setting the number of rings to 7 or 8 to minimize risks from war dialling (a program which systematically tries to locate numbers associated with corporate modems by testing each extension on the corporate phone system in turn).
  • applying the principles of data management for IP-based systems. Use firewalls, intrusion detection, proper encryption, segmented voice traffic and other good practices such as good password management.
  • ensuring that staff understand the risks, the reasons for preventative measures and their responsibilities. Carry out training, penetration tests and monitor activity – analyse phone bills and look for signs of attack.
  • remaining permanently alert to all threats. Too many companies make life too easy for hackers: many use their web sites for recruitment and, when advertising IT vacancies, list the systems in which candidates must be proficient, which tells hackers exactly what systems are in place. These details should not be displayed, and organizations should have a policy for shredding hard-copy information relating to the phone system, such as telephone directories.
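The last bullets recommend analysing phone bills for signs of attack and restricting who may call internationally. The script below is an added illustration of what that review can look like when run over call detail records (CDRs); it is not code from the article or from Siemens. The CSV layout, the office-hours window, the prefix lists, the permitted-extension set and the sample records are all constructed for the example, and the checks map onto the scams the article describes: out-of-hours forwarding to overseas numbers, calls to premium-rate ranges, international calls from extensions that were never granted that permission, and unusually long overseas calls of the kind fax or loop abuse produces.

```python
"""Review of call detail records (CDRs) for the fraud patterns described in the article.

Added illustration, not from the article or the vendor. The CDR layout, the rule
thresholds and the sample records are constructed for this example; in practice
the input would be a billing or PBX export in whatever column order the switch produces.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Constructed sample export, one call per line:
# timestamp, originating extension, dialled number, duration (s), leg type (D=direct, F=forwarded)
SAMPLE_CDRS = """\
2004-05-14T10:02:11,2201,02071234567,180,D
2004-05-15T23:41:05,2201,00123456789012,1450,F
2004-05-15T23:59:30,2201,00123456789012,1320,F
2004-05-14T14:20:00,2310,09098765432,60,D
2004-05-14T09:15:45,2310,02081112222,300,D
2004-05-16T02:10:00,2450,00987654321098,4300,F
2004-05-14T11:00:00,2450,00123450000111,240,D
"""

# Assumed policy values (hypothetical; an organisation would set its own).
OFFICE_HOURS = (time(8, 0), time(18, 30))
PREMIUM_PREFIXES = ("09",)            # UK premium-rate numbers start 09
INTERNATIONAL_PREFIX = "00"           # UK international dial prefix
LONG_CALL_SECONDS = 3600              # an hour abroad deserves a second look (fax/loop abuse)
INTERNATIONAL_PERMITTED = {"2450"}    # extensions granted international calling


@dataclass
class CallRecord:
    when: datetime
    extension: str
    dialled: str
    seconds: int
    forwarded: bool


@dataclass
class Finding:
    rule: str
    extension: str
    dialled: str
    when: datetime


def parse_cdrs(text: str) -> List[CallRecord]:
    """Parse the constructed CSV layout above into CallRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs, leg = line.split(",")
        records.append(CallRecord(datetime.fromisoformat(ts), ext, number, int(secs), leg == "F"))
    return records


def out_of_hours(when: datetime) -> bool:
    """True at weekends or outside the assumed office window."""
    start, end = OFFICE_HOURS
    return when.weekday() >= 5 or not (start <= when.time() <= end)


def review_cdrs(records: List[CallRecord]) -> List[Finding]:
    """Apply the four checks; a single call can trigger more than one finding."""
    findings = []
    for r in records:
        international = r.dialled.startswith(INTERNATIONAL_PREFIX)
        if r.dialled.startswith(PREMIUM_PREFIXES):
            findings.append(Finding("premium_rate", r.extension, r.dialled, r.when))
        if international and r.extension not in INTERNATIONAL_PERMITTED:
            findings.append(Finding("international_not_permitted", r.extension, r.dialled, r.when))
        if international and r.forwarded and out_of_hours(r.when):
            findings.append(Finding("after_hours_forward_abroad", r.extension, r.dialled, r.when))
        if international and r.seconds >= LONG_CALL_SECONDS:
            findings.append(Finding("long_international", r.extension, r.dialled, r.when))
    return findings


def findings_by_extension(findings: List[Finding]) -> Dict[str, int]:
    """Roll findings up per extension so the noisiest lines surface first."""
    return dict(Counter(f.extension for f in findings))


if __name__ == "__main__":
    results = review_cdrs(parse_cdrs(SAMPLE_CDRS))
    for f in results:
        print(f"{f.when:%Y-%m-%d %H:%M} ext {f.extension} -> {f.dialled}: {f.rule}")
    print(findings_by_extension(results))
```

On the sample data extension 2201 accumulates four findings (two forwarded overseas legs late on a Saturday, from a line with no international permission), which is the pattern the call-forwarding abuse in the article produces. The value of the roll-up per extension is that it turns a long bill into a short list of lines to ask questions about; the thresholds are deliberately simple so they can be tuned against the organisation's own normal traffic.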

These simple processes and management checks will help to form part of an organization's armory to minimize the threat of telephony fraud. To effectively combat such threats, organizations must regularly audit their voice and IT infrastructure to assess its vulnerability to fraudulent activity – only then can the necessary processes and tools be put in place. It is also essential for businesses to communicate the threats internally to raise awareness amongst employees and promote best practice. Without diligent attention and effective internal communication on best practice, telecoms systems are in grave danger of becoming the weak link in the network and utterly defenceless against targeted attacks by hackers.

The author is head of security solutions at Siemens Communications
