Telecom Fraud: The Cost of Doing Nothing Just Went Up

Emotive terms such as “cyber attack” and “cyber-terrorism” are always certain to generate plenty of media excitement, with science-fiction visions of malevolent hackers creating vicious computer viruses to rampage through cyberspace, doing unseen and untold damage to the infrastructures that support our way of life. However, while the reality of IT security is far more mundane than such science-fiction ideas, the threat to a network from malicious attack remains real and the consequences just as frightening. Every business is dependent upon information technology, which brings with it inevitable vulnerability.

Dark rumours of underground hacker networks and conferences give rise to the belief in a vast and growing number of aggressive, deliberately destructive hackers. Significantly, the methods these hackers adopt to gain unauthorised access to corporate resources are now also extending to embrace telecommunications systems.

The terrorist threat

The hacker phenomenon has a serious and far-reaching influence. Were communications on two continents ever disrupted by moving telecommunications satellites? Have computing resources belonging to government agencies ever been hacked? Have environmental controls in a shopping centre ever been altered via modem? The answer to all of these questions is yes. But, unlike other crime groups who receive high profile coverage in the media, the individuals responsible for these incidents are rarely caught.

As if that is not enough, unauthorised use of telecommunications facilities is the preferred methodology for people who sympathise or support terrorist organisations, and want their activities to remain invisible.

The French authorities studying the Madrid train bombings in March 2004, for example, are investigating whether the bombers hacked into the telephone exchange of a bank near Paris as they were planning their attack. The telephone calls involved were made by phreaking – a practice similar to hacking that bypasses the charging system.

Combating telephony fraud

The PBX is among the most susceptible areas to telecommunications fraud. Typical methods of fraudulent abuse involve the misuse of common PBX functions such as DISA (Direct Inward System Access), looping, call forwarding, voicemail and auto attendant features.

Another area popular for frequent fraudulent exploitation is the maintenance port of PBXs. Hackers often use the dial-up modem attached to such ports to assist in remote maintenance activities. When a PBX is linked to an organisation’s IT network – as is increasingly the case with call centres, for instance – a poorly protected maintenance port can offer hackers an open and undefended “back door” into such critical assets as customer databases and business applications.

When things go wrong

It is clearly important to balance the cost of securing your voice infrastructure from attack against the cost of doing nothing. The consequences from inaction can include:

  • Direct financial loss through fraudulent call misuse (internal or external)
  • Missed cost saving opportunities through identification on surplus circuits
  • Adverse publicity, damage to reputation and loss of customer confidence
  • Litigation and consequential financial loss
  • Loss of service and inability to dispense contractual obligations
  • Regulatory fines or increased regulatory supervision

The threat from within

As is the trend with hacking data networks, the threat to PBXs comes primarily from within. For example, an employee, a contractor, or even a cleaner could forward an extension in a seldom-used meeting room to an overseas number and make international calls by calling a local rate number in the office.

The perpetrator could likewise be the beneficiary of a premium rate telephone number in this country or abroad and continue to leave phones off the hook or on a re-direct to that number netting thousands of pounds in illicit gains in a weekend.

And, of course, let’s not forget about the new telecommunications technologies which are based around open communications via the Internet. These include IP-driven PBXs supported by all the adjunct devices, the deployment of CTS (Computerised Telephone Systems), CTI (Computer Telephony Integration) and Voice over IP. The introduction of these technologies means IT and telecoms managers need now to become even more alert to prevent new and existing threats that are typically associated with data networks, now impacting upon voice networks. Without diligent attention, telecoms systems are in grave danger of becoming the weak link in the network and utterly defenceless against targeted attacks by hackers.

So what practical measures can telecom or IT managers take to help prevent becoming a victim of telecom fraud?

One of the most effective approaches to improving the security of telephony systems includes conducting regular audits of:

  • Station privileges and restrictions
  • Voice and data calling patterns
  • Public and private network routing access
  • Automatic route selection
  • Software defined networks
  • Private switched and tandem networks
  • System management and maintenance capabilities
  • Auto attendant and voicemail
  • Direct inward system access (DISA)
  • Call centre services (ACD)
  • Station message detail reporting
  • Adjunct system privileges
  • Remote maintenance protection
  • Primary cable terminations and physical security of the site and equipment rooms

Other measures include reviewing the configuration of your PBX against known hacking techniques, comparing configuration details against best practice and any regulatory requirements that may pertain to your industry sector.

Ensure default voicemail and maintenance passwords are changed and introduce a policy to prevent easily guessable passwords being used. Make sure that the policy demands regular password changes and take steps to ensure the policy is enforced.

Installing a call logging solution, to provide notification of suspicious activity on your PBX, is a useful measure and one that can often give valuable early warning of an attack. In addition, review existing PBX control functions that might be at risk or which could allow errors to occur.

Be aware that many voice systems now have an IP address and are therefore connected to your data network. You therefore must assess what provisions you have to segment both networks. Security exposures can also result from the way multiple PBX platforms are connected across a corporate network or from interconnectivity with existing applications.

Research and investigate operating system weaknesses, including analytical findings, manufacturer recommendations, prioritisation and mitigation or closure needs – and implement a regular schedule of reviewing server service packs, patches, hot-fixes and anti-virus software.

Finally, formalise and instigate a regular testing plan that includes prioritisation of the elements and components to be assessed, and supplement this by conducting a series of probing exercises to confirm the effectiveness of the security controls used.