

Toll Fraud: A Network and Security Threat

Recently I raised this question as it became a front-of-mind topic among my peers, colleagues, and clients, and it appears toll-fraud is still one of the largest IT security threats that many C-level execs haven't heard of, or don't pay much attention to.

How did toll-fraud become a network security threat?

Allow me to explain. For those unfamiliar, toll-fraud and phone hacking is a multi-billion-dollar industry, with monetary losses more than double those of credit card fraud.

Do I have your attention now?

Toll-fraud can be simply defined as any instance where a subscriber attempts to defraud the telephone company, the telephone company attempts to defraud a subscriber, or a third party attempts to defraud either of them.

Sadly, toll-fraud has been a part of the telephone system almost from the beginning.

According to the 2011 CFCA survey, the top five fraud-loss categories reported by operators were:

  • $4.96 Billion (USD) – Compromised PBX/Voicemail Systems
  • $4.32 Billion (USD) – Subscription/Identity Theft
  • $3.84 Billion (USD) – International Revenue Share Fraud
  • $2.88 Billion (USD) – By-Pass Fraud
  • $2.40 Billion (USD) – Credit Card Fraud

So how did toll-fraud become a network security issue?

The answer is simple. VoIP!

VoIP is now the most prevalent form of voice communications and, as the acronym suggests, it is Voice OVER IP, meaning the calls are carried over the data network. With this in mind, network security professionals must add another service to the list of networked services they protect, which requires them to implement policies and procedures that mitigate breaches and theft of service.

Unfortunately, toll-fraud is typically a security risk many IT professionals learn about after it is too late.

Network security engineers understand network services, protocols, port numbers, etc. However, telephony has become a suite of applications now known as Unified Communications, and simply protecting the edge with firewalls and access lists is not enough. Some common forms of toll-fraud include:

SIP Scripts – attempt to register as a phone or trunk to your Internet-facing PBX
This is extremely common and can cause major monetary damage. When a script finds a voice service (typically SIP on port 5060) listening on a public IP, it launches an authentication attack: it brute-forces extension and password combinations until one registers, then uses that account to place repeated calls, usually to a premium-rate destination or call-center in another country charging $2 – $4/min per call. The script hangs up as soon as the call has been billed and dials again, continuing the process until your phone carrier detects it or you get one heck of a surprising phone bill. To fully feel the potential effect, multiply the above per-minute charges by the maximum number of calls your phone system can make at once.
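The registration brute-force above leaves a very recognisable trail on the PBX: many failed REGISTER attempts from one source address in a short window, often cycling through extension numbers. The following is an added example, not code from the original post, of a fail2ban-style detector that runs over log lines in the style of an Asterisk chan_sip NOTICE message. The log format, the addresses, and the timestamps are constructed for the example; adjust the regex to whatever your PBX actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Asterisk chan_sip "Registration ... failed"
# notices. 198.51.100.23 walks extensions 1001-1006 in three seconds (a scanner);
# 192.0.2.44 is a legitimate user who mistyped a password twice, 25 minutes apart.
SAMPLE_LOG = """\
[2013-03-04 02:14:01] NOTICE[2201] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 02:14:02] NOTICE[2201] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2013-03-04 02:14:02] NOTICE[2201] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 02:14:03] NOTICE[2201] chan_sip.c: Registration from '"1004" <sip:1004@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 02:14:03] NOTICE[2201] chan_sip.c: Registration from '"1005" <sip:1005@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 02:14:04] NOTICE[2201] chan_sip.c: Registration from '"1006" <sip:1006@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 02:15:40] NOTICE[2201] chan_sip.c: Registration from '"2210" <sip:2210@203.0.113.5>' failed for '192.0.2.44:5060' - Wrong password
[2013-03-04 02:40:10] NOTICE[2201] chan_sip.c: Registration from '"2210" <sip:2210@203.0.113.5>' failed for '192.0.2.44:5060' - Wrong password
"""

# Assumed log layout: "[timestamp] NOTICE[pid] chan_sip.c: Registration from '<From>' failed for '<ip>:<port>' - <reason>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, attempted_extension, reason) for each failed REGISTER."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registration failure; ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ext = re.search(r'"([^"]*)"', m.group("from"))  # display name carries the tried extension
        yield ts, m.group("ip"), ext.group(1) if ext else "", m.group("reason")


def find_bruteforcers(log_text, max_failures=5, window_seconds=60):
    """Return {ip: (failures_in_window, distinct_extensions_tried)} for every source
    that reaches max_failures failed registrations inside a sliding window.
    The second number is the enumeration signal: a real user fails on one extension,
    a scanner fails on many."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tried = defaultdict(set)      # ip -> extensions attempted
    flagged = {}
    for ts, ip, ext, _reason in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(ext)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # age out events older than the window
        if len(q) >= max_failures:
            flagged[ip] = (len(q), len(tried[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, exts) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"block {ip}: {count} failed registrations, {exts} extensions tried")
```

In production the flagged address goes to a firewall drop rule (the same thing fail2ban's asterisk jail does), and the per-destination call-rate and cost caps discussed later in the post catch the accounts a scanner has already guessed.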

Hacking voice-messaging or voice-mail systems – After compromising users' PINs (often by guessing defaults or simple sequences), the criminal can access the users' private voice mails, make unauthorized calls from that user's extension, and make international calls through the voice-mail platform's outdial or call-back features. Imagine someone having access to your executives' voice-mails. What could they learn, or what damage could they cause?
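Voice-mail PIN compromise almost always starts with a PIN the platform should never have accepted: the extension number itself, a vendor default, or a keypad pattern. As an added example (not from the original post or any particular PBX), here is a PIN policy check that an administrator can run against a voice-mail user export before attackers run the same guesses against the platform. The default-PIN list is constructed for the example; add the defaults your own vendor ships.

```python
import re

# Constructed list of common defaults and keypad patterns; extend with your vendor's defaults.
COMMON_PINS = {"0000", "1234", "1111", "4321", "1212", "2580", "0852", "1122"}


def is_sequential(pin):
    """True for ascending or descending digit runs such as 1234, 4321, 7890, 9012
    (wrapping 9 -> 0 counts, because the keypad makes it easy to type)."""
    digits = [int(c) for c in pin]
    if len(digits) < 2:
        return False
    up = all((b - a) % 10 == 1 for a, b in zip(digits, digits[1:]))
    down = all((a - b) % 10 == 1 for a, b in zip(digits, digits[1:]))
    return up or down


def weak_pin_reasons(pin, extension, min_len=6):
    """Return a list of reasons the PIN is weak; an empty list means it passes.
    `extension` is the mailbox number the PIN protects."""
    if not re.fullmatch(r"\d+", pin):
        return ["non-numeric"]
    reasons = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    # Repeated block: 111111, 121212, 100100 ...
    for n in range(1, len(pin) // 2 + 1):
        if len(pin) % n == 0 and pin == pin[:n] * (len(pin) // n):
            reasons.append(f"repeated {n}-digit pattern")
            break
    if is_sequential(pin):
        reasons.append("sequential digits")
    if extension in pin:
        reasons.append("contains the extension")
    if pin in COMMON_PINS:
        reasons.append("common default")
    return reasons


def audit_mailboxes(mailboxes, min_len=6):
    """mailboxes: iterable of (extension, pin). Returns {extension: reasons} for weak PINs only."""
    report = {}
    for extension, pin in mailboxes:
        reasons = weak_pin_reasons(pin, extension, min_len)
        if reasons:
            report[extension] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample export; the strong PIN is random and should not appear.
    sample = [("1001", "1234"), ("1002", "100200"), ("1003", "739152"), ("1004", "987654")]
    for ext, reasons in audit_mailboxes(sample).items():
        print(f"mailbox {ext}: {', '.join(reasons)}")
```

The check is deliberately stricter than most vendors' defaults (six digits, no runs, no patterns); pair it with lockout after a handful of bad PIN attempts and with disabling outdial/call-back from voice mail unless a business case exists for it.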

Compromising soft-phones – This falls into a well-known security vulnerability: capturing wireless traffic and learning a user's authentication information from the unencrypted SIP exchange. Here again the attacker can easily re-create the soft-phone account elsewhere, eavesdrop on phone calls, and make unauthorized calls on your account as they see fit.
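Why does a captured registration give the attacker the account? SIP over plain UDP/TCP uses HTTP-style digest authentication: the phone sends MD5(MD5(user:realm:password):nonce:MD5(method:uri)) in the clear, and everything in that formula except the password is visible in the capture, so the password can be guessed offline. The following added example (not from the original post) reproduces the digest computation from RFC 2617 without the qop extension, the variant most SIP deployments use, and runs a wordlist against a constructed challenge/response pair. The realm, nonce, extension and wordlist are all made up for the example.

```python
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """SIP/HTTP digest response (RFC 2617, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def phone_answers_challenge(password, username, realm, method, uri, nonce):
    """What the legitimate soft-phone puts in the Authorization header; this is the
    step the victim's phone performs and the attacker sniffs on open Wi-Fi."""
    return digest_response(username, realm, password, method, uri, nonce)


# Constructed "capture": every field below is readable from a cleartext REGISTER
# challenge (WWW-Authenticate) and its answer (Authorization). The secret, the
# password "1001", is the only thing the sniffer does not see directly.
CAPTURED = {
    "username": "1001",
    "realm": "pbx.example.com",
    "method": "REGISTER",
    "uri": "sip:pbx.example.com",
    "nonce": "4f3e2d1c9b8a7f6e",
}
CAPTURED["response"] = phone_answers_challenge(
    "1001", CAPTURED["username"], CAPTURED["realm"],
    CAPTURED["method"], CAPTURED["uri"], CAPTURED["nonce"])

# Constructed wordlist of the kind of passwords that get set on extensions.
WORDLIST = ["password", "1234", "0000", "welcome1", "1001", "Summer2013"]


def crack_digest(cap, wordlist):
    """Offline guess: recompute the response for each candidate password and compare
    with the sniffed one. No packets are sent, so the PBX sees nothing."""
    for guess in wordlist:
        if digest_response(cap["username"], cap["realm"], guess,
                           cap["method"], cap["uri"], cap["nonce"]) == cap["response"]:
            return guess
    return None


if __name__ == "__main__":
    print("recovered password:", crack_digest(CAPTURED, WORDLIST))
```

Two things follow from the code: a long random per-device password makes the offline guess impractical, and SIP over TLS (with SRTP for the media) keeps the challenge and response off the wire in the first place, which is the only fix for the eavesdropping half of the problem.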

As CTO of a cloud Unified Communications company, it is part of my job to plan for the unexpected. This includes the design and implementation of systems to mitigate the large financial losses that can happen on a platform able to place tens of thousands of calls at once. It's an ongoing challenge and, unlike other types of network security risk, the products and services available to combat or mitigate toll-fraud are extremely limited.

Throughout my career I have supported and consulted with many companies who have experienced toll-fraud of some kind. By the time their phone company realized the client's service was compromised and notified them, there were already substantial financial damages.

So why didn't these telcos just disable the service?

Depending on the carrier, they may or may not have real-time toll-fraud mitigation in place; maybe they didn't detect the abuse until the next day, or your system was compromised over the weekend. Sometimes it's the contract terms, which don't allow them to take the service down without prior written notice. It can be any number of reasons. The focus here is not telecom policy; it's understanding the risk and doing what you can to mitigate it in the first place.

What is the policy of your telecom provider in the event of excessive toll-fraud? If you don’t know, I suggest that you find out by reviewing your contract terms or speaking with a representative of your provider. Better to find out before something happens than when it may be too late.

So what can I do to mitigate toll-fraud?
Like all security risks, mitigating toll-fraud requires a full-understanding of the technology and where you are most exposed.

When designed properly, VoIP can be much more secure than copper-based phone systems and PBXs. Start by consulting your Unified Communications or PBX provider about best practices; align their recommendations with your business objectives and your corporate security policy. Also, work with your security consultant, as they may have a different approach to mitigating toll-fraud, especially if you are moving to or considering migrating to Unified Communications.

If you believe you are experiencing toll-fraud, disconnect or disable the compromised services until you are sure the threat is mitigated. Call your provider right away, tell them you suspect toll-fraud on your account, and have them disable the affected services.

VoIP is here to stay, and the benefits of Unified Communications far outweigh the risks. While toll-fraud attacks, like all Internet security risks, will continue to happen and potentially become more sophisticated, there are ways to greatly reduce your risk by partnering with a cloud Unified Communications company that offers a bundled Unified Communications service, QoS, and secure data services, with best-practice toll-fraud mitigation techniques in place.


Voice or Email, Which is More Important?

Well, neither, ahem, I mean both would be the right answer.

Email and Voice are still the key communication tools for the enterprise.

It has been that way and will likely stay that way for the foreseeable future.

This past week at Enterprise Connect, perhaps the most formidable event for Unified Communication in the enterprise, business leaders and tech leaders alike all paid homage to the tools of old and had a swearing in ceremony for the tools of “What is Next.”

A three-person tech panel including technology leaders from General Motors, Fuji and Robert Half all proclaimed the end of the PBX era. In fact, they stated emphatically that they would not be purchasing another PBX.

You heard it…well, there. I’d like to say I’m first to coin this, but unfortunately in this case I’m just reporting the news.

But let me tell you what this means.

Cloud. Is. The. Future.

So then does Voice or Email still rule the roost?

Ironically, at this point yes.

Like all outgoing trends, there is a maturity point in any technology's life cycle; then new technologies come along, intersect with the old, and eventually pass them by.

This has happened to faxes and printing as e-everything has replaced them.

This is happening to text and email as Social and Unified Communications become more and more prevalent.

Next victim?

Never easy to know for sure, but it is looking more and more like the phone sitting on your desk.

What will replace it?

Social, Check. Mobile, Check. Collaboration, Check.

What we will see, not only from large enterprises but from small and medium companies alike, is a yearning for solutions that allow collaboration on content, video and voice on a single platform that is accessible to the masses.

The expectation will be that it can be made affordable so that organizations of all sizes will have a low cost of entry and a high return on their investment of time and money.

But don’t think for a moment that the traditional tools are going away.

People still need email and still need phones.

Just like telepresence has yet to displace the airline industry, the old tools have a place in this world.

However, for anyone making their living selling voice alone, it may be time to consider a new business.

And out of curiosity, anyone making a lot of money selling email solutions?

Breaking News, This Just In: The PBX is Dead, There are no suspects, but Unified Communications is wanted for questioning.

Are you ready to build a bulletproof business on Cloud Based Unified Communication Services? Visit us here to learn how!