
subject: Avoid VOIP Hackers and Fraud



Just because your company has a state-of-the-art VOIP system does not mean you are immune to huge losses from criminal telephone hacking. VOIP fraud is a very real potential problem for your company and can be devastating. Unfortunately, we are seeing signs that VOIP phone fraud is on the rise.

Last week, a distraught CEO from a small Manhattan company called us for help for just this problem. He reported that his company's Cisco VOIP telephone system had been hacked and billed for long distance calls to Cuba to the tune of $45,000 in just three days.

Our telecom fraud investigation revealed that hackers had apparently gained access to their phone system due to insufficient security features. The criminals were able to dial in locally to the company's number and obtain dial-tones on their trunk lines, allowing them to make numerous outbound calls to Cuba.

We actually found two problems that led to the huge losses. First, the company had received poor maintenance support from their VOIP system installer. Some features that were activated by default from the factory should have been restricted. Second, the company had a very poor response from their long distance carrier, which had actually alerted the customer about unusual calls going from the customer's network to Cuba.

Although the long distance provider initially warned the customer, the provider was then slow to cut off the traffic and botched the attempt to stop only the calls to Cuba. The carrier instead cut off all long distance service, which prevented the customer from doing business.

As a result of our investigation, we recommended that the client seek restitution from both the VOIP maintenance company and the long distance company for both the fraudulent charges and the lost business.

To get a better handle on avoiding this kind of problem in the first place, I spoke to an authority on the subject: Brian McDaniel, Principal of McDaniel Telecom Network Security Group. According to Brian, if companies practice the following guidelines, this kind of VOIP fraud could be eliminated:

Ensure that all manufacturer default passwords for system administration are changed promptly, using lengthy and complex alphanumeric passwords.

Lock out administrative access ports after three successive invalid access attempts.

Configure the system to send an alert of the lock-out to system administrators.

Ensure that all remote access to system administration portals is secured with encrypted challenge/response authentication.

Ensure that all VOIP system administration ports are on a secure subnet, with Access Control Lists allowing only specific IP addresses necessary for maintenance and administration.

Ensure that all multi-media and voice messaging interfaces to call managers or PBXs are appropriately restricted.

Ensure that access to system speed dialing is controlled by business need and that no list entry dials trunk access codes or uses feature access codes to increase a caller's permissions.

Review and control all thru-dialing and out-calling from adjunct equipment. Do not allow default entries in restriction/permission lists.

Set and enforce standards for complex passwords for voice message mailboxes. Require periodic password resets for these mailboxes. Regularly check for default passwords in end-user mailboxes.

Check transfer restrictions in all integrated peripheral and adjunct equipment. Block access to ARS codes and trunk access codes.

Check endpoint targets for keyed entry and time-out transfers in call processing mailboxes and auto attendants.

Verify all off-net target endpoints in ACD vectors and VDNs.

Protect often-abused features with forced account codes, authentication codes or barrier codes.

As with any crime of opportunity, hackers are lazy. If they attempt to break into your VOIP system and run into the safeguards listed above, there is a good chance that they'll move on to an easier target.
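
The lock-out, alerting and Access Control List guidelines above can be exercised against an administrative access log. The sketch below is an added example, not part of the original article or any vendor's software; the log format, port names and maintenance subnet are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# The threshold of three comes from the guideline above; the maintenance
# subnet and the event format are assumptions made for this example.
MAX_FAILURES = 3
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample events: (timestamp, admin port, source IP, result)
SAMPLE_EVENTS = [
    ("2024-01-05T02:10:01", "ssh-admin", "10.20.30.5", "fail"),
    ("2024-01-05T02:10:09", "ssh-admin", "10.20.30.5", "ok"),
    ("2024-01-05T02:11:00", "web-admin", "203.0.113.77", "ok"),
    ("2024-01-05T02:12:00", "web-admin", "10.20.30.6", "fail"),
    ("2024-01-05T02:12:04", "web-admin", "10.20.30.6", "fail"),
    ("2024-01-05T02:12:09", "web-admin", "10.20.30.6", "fail"),
    ("2024-01-05T02:12:15", "web-admin", "10.20.30.6", "ok"),
]

def allowed(src):
    """True if the source address is inside the maintenance allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def process(events):
    """Replay events in order and return (alerts, locked_ports)."""
    failures = defaultdict(int)  # successive invalid attempts per port
    locked = set()
    alerts = []
    for ts, port, src, result in events:
        if not allowed(src):
            # Off-allowlist sources are reported and never reach authentication.
            alerts.append((ts, port, src, "acl-deny"))
            continue
        if port in locked:
            # A locked port refuses even valid credentials until an admin unlocks it.
            alerts.append((ts, port, src, "attempt-on-locked-port"))
            continue
        if result == "ok":
            failures[port] = 0  # only successive failures count
            continue
        failures[port] += 1
        if failures[port] >= MAX_FAILURES:
            locked.add(port)
            alerts.append((ts, port, src, "lockout"))
    return alerts, locked

if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS)[0]:
        print("ALERT", *alert)
```

In a real deployment the alerts list would feed whatever notification channel the system administrators already monitor.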



