Theft of long distance service, telecommunications services and toll fraud come in many different forms. Understanding your telecommunications system and the techniques used by the criminals is key to limiting your vulnerability to this type of crime.
Allstream conducts network monitoring on a 7×24 basis for its own internal efficiency and productivity needs. If, during the course of that monitoring, suspect traffic patterns are detected from a customer’s lines or services that may indicate Toll Fraud or hacking is taking place, Allstream will take commercially reasonable steps to mitigate the customer’s exposure to financial impact.
These steps may include:
- Notification of the customer and/or their Allstream Representative
- Temporary suspension of Long Distance Services in whole or in part until the Customer Premises Equipment (CPE) is sufficiently secured. In extreme circumstances this suspension may take place without direct consent from the customer
- Consultation with the customer on best practices to secure their CPE
The customer shall be wholly liable for all calls originating from their lines, services and/or CPE, regardless of who initiated those calls. If the CPE is hacked, the customer hereby accepts and acknowledges that said hacking resulted from a weakness or exposure in the CPE and did not result from any action or inaction taken or not taken by Allstream. The customer accepts complete responsibility for the maintenance and security of their own CPE, including but not limited to proper password management and restriction of unneeded international, Operator or Casual (1010) dialing unless otherwise specified in the contract. As such the customer accepts all responsibility for calls and any costs, charges or expenses resulting from those calls that result from their CPE security being breached or violated.
Allstream is not liable for any charges resulting from toll fraud or hacking incidents. Additionally, Allstream is not responsible or liable as a result of its fraud monitoring and/or network monitoring. Any detection of a fraud incident and any subsequent notifications or actions taken by Allstream are done as a value-add service and not in accordance with any obligations under an agreement between Allstream and the customer. The network monitoring efforts are in no way to be understood or agreed to be an acceptance of responsibility on Allstream’s part for a toll fraud or hacking incident or charges that arise from the incident.
- Learn about your telecommunications system:
  - Know the safeguards, the inherent defenses and security features
  - Determine the vulnerabilities
  - Ensure staff are trained in safeguards and procedures
  - Evaluate old systems – replace/upgrade if necessary
- Know the access paths that open doors to fraud:
  - IP routers
  - Open/public ports and access
  - Voice-mail system
  - Simple passwords
  - Direct Inward System Access (DISA)
  - Remote system administration (maintenance ports)
  - Direct Inward Dialing (DID)
  - Tie trunks and tandem network services
- Monitor and analyze your system information:
  - Study call detail records and review billing records (exception reports may provide a warning sign)
  - Know your own calling patterns and review them
  - Review voice-mail reports
  - Run IP access reports to detect unauthorized attempts to access your IP-based phone system
  - Monitor valid and invalid calling attempts whenever possible
  - Study your phone bill
- Know the signs of a security breach:
  - Complaints that the system is always busy
  - Sudden changes in normal calling patterns, such as increases in wrong-number calls or silent hang-ups; night, weekend and holiday traffic; 800 and WATS calls; international calling; and odd calls (e.g. crank/obscene calls)
  - Toll calls originating in voice-mail
  - Long holding times
  - Unexplained 900 (chat line) calls
  - High tolls for any unauthorized trunk extension
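The "monitor and analyze" and "signs of a breach" items above describe a review that can be automated over call detail records. The following is an added example, not Allstream's tooling or code from this page: it reads a constructed CDR format (start time, extension, dialed digits, duration) and flags the indicators named above (international and premium-rate calls, after-hours and weekend traffic, long holding times, and toll calls originating from the voice-mail extension). The CDR layout, the business-hours window, the voice-mail extension `8000` and the sample records are all assumptions made for the example.

```python
"""Toll-fraud indicators from call detail records (CDRs).

Assumed CDR format (constructed for this example, not a specific vendor's):
    start_iso,extension,dialed_digits,duration_seconds
"""
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)        # assumption: 08:00-17:59, Monday to Friday
PREMIUM_PREFIXES = ("900", "976")    # premium-rate / chat-line exchanges from the checklist
LONG_HOLD_SECONDS = 60 * 60          # one hour; tune to your own calling patterns
VOICEMAIL_EXTENSIONS = {"8000"}      # assumption: the voice-mail pilot extension


def parse_cdr(line):
    start, ext, dialed, secs = line.strip().split(",")
    return datetime.fromisoformat(start), ext, dialed, int(secs)


def number_flags(dialed):
    """Flags derived from the dialed digits alone (NANP dialing assumed)."""
    flags = set()
    if dialed.startswith("011") or (dialed.startswith("+") and not dialed.startswith("+1")):
        flags.add("international")
    d = dialed.lstrip("+")
    # NANP toll call: 1 + 10 digits; check the exchange for premium-rate prefixes
    national = d[1:] if d.startswith("1") and len(d) == 11 else None
    if national and national[:3] in PREMIUM_PREFIXES:
        flags.add("premium")
    if national or "international" in flags:
        flags.add("toll")
    return flags


def call_flags(start, ext, dialed, secs):
    """All indicators for one call, combining number, time, duration and origin."""
    flags = number_flags(dialed)
    if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
        flags.add("after_hours")
    if "toll" in flags and "after_hours" in flags:
        flags.add("after_hours_toll")
    if secs >= LONG_HOLD_SECONDS:
        flags.add("long_hold")
    if ext in VOICEMAIL_EXTENSIONS and "toll" in flags:
        flags.add("toll_from_voicemail")
    return flags


def analyze(cdr_lines):
    """Per-extension counts of each indicator."""
    per_ext = defaultdict(Counter)
    for line in cdr_lines:
        start, ext, dialed, secs = parse_cdr(line)
        for flag in call_flags(start, ext, dialed, secs):
            per_ext[ext][flag] += 1
    return per_ext


def suspicious_extensions(cdr_lines, threshold=3):
    """Extensions worth a closer look: any toll call placed from voice-mail,
    any premium-rate call, or at least `threshold` after-hours toll calls."""
    out = []
    for ext, counts in analyze(cdr_lines).items():
        if (counts["toll_from_voicemail"] or counts["premium"]
                or counts["after_hours_toll"] >= threshold):
            out.append(ext)
    return sorted(out)


# Constructed sample records; 2024-03-16 is a Saturday, 2024-03-18 a Monday.
SAMPLE_CDRS = [
    "2024-03-18T10:15:02,2101,14165550123,240",        # weekday domestic toll call
    "2024-03-18T11:40:10,2101,5550147,60",             # local call
    "2024-03-16T02:13:44,8000,011442079460001,5400",   # Sat 02:13, international from voice-mail, 90 min
    "2024-03-16T02:20:31,2105,011442079460002,600",    # burst of after-hours international calls
    "2024-03-16T02:35:09,2105,011442079460003,720",
    "2024-03-16T03:01:55,2105,011442079460004,660",
    "2024-03-18T14:05:00,2112,19005550199,180",        # 900 call during business hours
]

if __name__ == "__main__":
    for ext, counts in analyze(SAMPLE_CDRS).items():
        print(ext, dict(counts))
    print("review:", suspicious_extensions(SAMPLE_CDRS))
```

The thresholds are deliberately simple; in practice the baseline should come from your own historical calling patterns, which is why the checklist asks you to know and review them before judging what counts as unusual.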
If you have an IP Enabled System:
- Use a firewall, hardware or software, to inspect network traffic and permit or deny it based on rules.
- Firewalls are extremely important. If the network enabled PBX is not behind a firewall, it will be hacked.
- Web/SSH access should be by whitelist only.
- The SIP traffic should be monitored by a program that automatically bans offending IP addresses that are SIP-scanning the equipment for access.
- IP security programs come installed on most IP PBX distributions these days. If not, ask your supplier what they offer or recommend.
Network Enabled PBX Systems:
- Make sure the PBX software is a currently supported version, ideally a long-term support release for which security patches are routinely developed. Also make sure that the core system is updated and patched for vulnerabilities that are discovered and published.
- If your software version is no longer supported, update or migrate to a supported version; otherwise you will not be able to obtain security patches for current and future exploits.
- When calls are forwarded but not seen in the Graphical User Interface of the PBX administration, check the telephone system database.
- Identify the section that deals with call forwarding for any numbers or addresses that are possibly call forwarded. Attackers will mask their call forwarding in the database where most people never look.
- Seriously consider consulting a certified professional for any installation, maintenance or security audits.
- Do not allow public access to the system. Access should always be through multi-factor authentication VPN.
- Access from public IPs and ports should be by whitelist only.
When Network Enabled PBX Systems are Hacked:
- If the web interface is exposed to the public internet, it will not matter how complicated the administration login password is: the attackers will exploit the code of the interface itself to gain access and then dump every password.
- In the event of a security breach it may be necessary to rebuild the system from scratch, including formatting the disk or downloading the factory image, and then restore only from a trusted backup.
Tips for All Systems:
- Use account codes for all toll calling, or at a minimum for high-cost destinations (International, Caribbean)
- Use random generation and maximum length for authorization codes and passwords
- Deactivate all unassigned authorization codes
- Do not allow generic or group authorization codes
- Restrict access to specific times (business hours). Block all toll calls at night, on weekends and on holidays
- Restrict unneeded dial strings at the PBX level.
- Restrict call forwarding to local calls only or ideally remove it completely
- Block all Operator Assist (0+), Conference or 3-way calling and 10XXXX calling from your PBX if this service is not necessary
- Block, limit access to, or require attendant assistance for overseas calls
- Establish policies on accepting collect calls and providing access to outside lines
- Educate switchboard operators and employees about "social engineering" (i.e. con artists trying to obtain calling access or transfers through a PBX)
- Secure equipment rooms (lock up all telephone equipment & wiring frames)
- Run periodic security audits to check for exploits in the PBX
- Frequently audit and change all active codes
- Restrict Toll Free dialing from areas where there is no business requirement (this likely will need to be done through your Carrier).
- Do not allow pass-through dialing
- Eliminate trunk to trunk transfer capability
- Restrict all calls to 900, 976, 950 and 411
- Restrict all possible means of out-dial (through-dial) capability in your voice mail system
- Consider allowing only attendant-assisted international calling
- Analyze call detail activity frequently for unusual activity
- Disable DISA (Direct Inward System Access) if possible. If not possible, use maximum number of digits for DISA code
- Deactivate unassigned voice mailboxes and DISA codes
- To combat Social Engineering, make sure that system administration and maintenance telephone numbers are randomly selected, unlisted and that they deviate from normal sequence of other business numbers
- Use multiple levels of security on maintenance access
- Do not allow unlimited login attempts to enter system. Program PBX to terminate access after third invalid attempt
- Enable system lock-out feature on voicemail – this allows only X attempts at password before someone is locked out
- Monitor Call-Forwarding activities
- Shred anything listing PBX access numbers, passwords or codes
- Never divulge system information unless you know who you are actually communicating with
- Test all PBX voice menus to ensure there’s no unintended routing or access exposure to outside lines or internal systems
- Send e-mail reminders to all employees to change passwords on their voicemail periodically
- Frequently change default codes/passwords on voice mailboxes
- Do not use “alpha” passwords that spell common words or names
- Delete/change all default passwords
- Immediately deactivate passwords and authorization codes to known terminated employees
- Change all passwords when there are personnel changes
- Delete all ex-employee voicemail boxes and email access
- Establish controlled procedures to set and reset passwords
- Change passwords regularly; most systems have forced password changes
- Use maximum length passwords for the system manager box and maintenance ports
- Prohibit the use of trivial, simple passwords (i.e. 222, 123, your last name, local number etc.)
- Limit the number of consecutive log-in attempts to 3 or less
- Change all factory installed passwords
- Block access to long distance trunking facilities and collect call options on the auto attendant
- Block, or preferably delete, all inactive mailboxes
- Limit your out-calling
- In systems that allow callers to transfer to other extensions, block any digits that hackers could use to get outside lines, especially trunk access codes
- Conduct routine reviews of the status of your system and system usage
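Several of the tips above concern authorization codes and passwords: generate them randomly at maximum length, reject trivial values (repeated or sequential digits, the local number), and terminate access after the third invalid attempt. The following is an added example, not Allstream's code or any PBX vendor's, showing those three rules in one place. The code length, the list of local numbers and the `LoginGuard` class are assumptions made for the example; a real PBX applies these rules in its own configuration, not in a script.

```python
"""Authorization-code hygiene: random generation, trivial-value rejection, lockout."""
import secrets
import string


def is_trivial_pin(pin, local_numbers=(), min_length=6):
    """True if the code is too short, non-numeric, a single repeated digit,
    an ascending/descending run, a short repeated block, or part of a local number."""
    if not pin.isdigit() or len(pin) < min_length:
        return True
    if len(set(pin)) == 1:                                   # 222222
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                                 # 123456, 654321
        return True
    for k in range(1, len(pin) // 2 + 1):                    # 121212, 123123
        if len(pin) % k == 0 and pin == pin[:k] * (len(pin) // k):
            return True
    if any(pin in number for number in local_numbers):       # own phone number
        return True
    return False


def generate_auth_code(length=8, local_numbers=()):
    """Random numeric code from the OS CSPRNG, regenerated if it happens to be trivial."""
    while True:
        code = "".join(secrets.choice(string.digits) for _ in range(length))
        if not is_trivial_pin(code, local_numbers):
            return code


class LoginGuard:
    """Terminates access after `max_attempts` consecutive invalid codes."""

    def __init__(self, expected_code, max_attempts=3):
        self.expected = expected_code
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def attempt(self, code):
        if self.locked:
            return "locked"
        if secrets.compare_digest(code, self.expected):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    local = ("4165550147",)                                  # constructed local number
    code = generate_auth_code(10, local)
    print("issued code:", code)
    guard = LoginGuard(code)
    for guess in ("0000000000", "1234567890", "5550147000", code):
        print(guess, "->", guard.attempt(guess))
```

Deactivating unassigned codes and changing them on personnel changes, as the list also requires, is a matter of removing entries from the PBX's authorization table; the generator above only covers issuing values that are not guessable in the first place.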