PBX Fraud - What is a Telco's Responsibility?

Forums › ICT Policies and Regulation › PBX Fraud - What is a Telco's Responsibility?

1 | 2 | 3 | 4 | 5 | 6

95 posts

Master Geek

Reply # 299838 17-Feb-2010 16:30
Good to see Maverick Likewise from a customer view point, if your Telco offers you any form of online billing/reporting system - set them up to warn you of expensive calls or other things you may consider abnormal on the account. It might mean the slight headache of increased email traffic but it could save yourself and your telco a bundle in charges. BTW all the analogies in this thread so far have been awful ;) I'm not proposing a better one either. (The closest relationship however would be "I have a wireless router, I didn't know my password of kitten was highly guessable, but at the same time you shouldn't have charged me for the 100 gigs of data that my connection did through you because I didn't do it on my computer" and even that has holes in it..)

maverick

3451 posts

Uber Geek

Trusted

WorldxChange

Reply # 300103 18-Feb-2010 12:39
Another docu from a Carrier and their take on PABX Fraud.... Note their response to FAQ 1 & 3 PABX Fraud (Private Automatic Branch Exchange) What is PABX Fraud? A PABX is a computerised system that manages an internal telephone extensions network. It is a highly flexible system in that it can, if necessary, provide access to telephone services by dialing into the system from outside the PABX network. This service is called DISA (Direct Inwards System Access) and, if enabled, it permits employees to route national and international calls through the PABX with the cost of these calls being billed to the owner of the PABX. Access to this service requires the use of a PIN, however, this can be abused and may result in unauthorised calls costing thousands of dollars. Most PABX’s have engineering and maintenance access codes. If this access code is compromised the attacker will have total control of the system. NOTE: There is a large amount of information on the Internet relating to toll fraud, PABX fraud, etc. Go to Google and use the word PABX to find useful information about this type fraud. How will I know if my PABX has been a victim of PABX Fraud? If your PABX has voicemail and is DISA enabled then it is susceptible to this form of fraud. Usually, the only indication that you will see is a substantial increase in your telephone bill. Detailed billing will assist in identifying any potential unauthorised calls, usually International calls but they can also be National and mobile telephone calls. Another indicator is where customers trying to dial in or employees trying to dial out, find that the lines are always busy. Audit your bill each month: Check your bill regularly and ensure you can account for all itemised calls Look for calls to international countries that you wouldn’t normally be doing business with. Look for calls being made outside of your business hours. How can I protect my PABX from this type of fraud? If DISA is not required ensure that it is disabled. If it is required, the people who supplied, or who are maintaining your system, understand the full functionality of the PABX and they can help in configuring DISA properly. If automatic logging of calls is available, enable it. It may help in identifying the extensions number being used to compromise the PABX and it may also identify the source of the external call. Regularly check the log records for repeated short duration calls to the same number. This could be an indication of an attempt to attack your system. PIN’s for voicemail, DISA and engineering access should, if enabled, be activated and changed regularly. If possible engineering access should only be permitted on a ‘call back’ basis; this will prevent unauthorised access to this privileged account. Prevention Strategies Never give out technical information about your system to callers - unless you are certain who is on the other end of the line. Do not allow your system administrator to maintain factory set passwords for maintenance of your system. Introduce a PIN and password management policy where employees are not permitted to use predictable PIN numbers such as the last digits of their DDI, sequential numbers like 1111, 0000, or incremental numbers like 1234. Ensure that PIN numbers are changed regularly, and supervisor and maintenance passwords are changed when the administrator, an employee, or a contractor leaves the business. Do not place a list of all your staffs names and contact numbers on your website or out on the Internet. You are providing the would-be fraud offenders with a list of all your company phone numbers that they can now try to hack into. Do not allow unlimited unsuccessful attempts to enter voicemail - configure the system so that 3 unsuccessful attempts results in call failure. Disable an administrator, contractor or employee's mailbox account when he or she leaves your company. Schedule regular PABX checks with your maintainer and form a regular risk mitigation strategy to limit any system vulnerabilities. Ensure that your PABX room is locked when not attended. Be alert to the overt signs of PABX fraud such as repeated calls of short duration, high numbers of inbound hang-up calls, unexplained increases in incoming calls where the caller hangs-up when answered, sudden increases in national and international usage, or changes in after-hours calling patterns or calls to unknown overseas numbers or countries. PABX Fraud Frequently Asked Questions 1. When I get hacked, who is going to pay for the calls? Your company is responsible for all charges incurred on your system not the carrier, the responsibility for the security of your PABX system is yours and you should take steps to protect your assets. 2. Who are these people and why are they stealing calls? Today, highly skilled, technologically sophisticated criminals who have little fear of being detected, let alone apprehended or prosecuted perpetrate communication theft from remote distances. These criminals conduct a growing business selling access to communications systems all over the world. 3. Why don't the carriers write off these charges? Today, fraudulent calls are placed over many different inter-exchange Carriers (IXC); each carrier must pay that portion of the call handled by them. When the call is placed to an international location the domestic carrier must pay the foreign carrier regardless of the fraud. You the end user control access to your PABX system not your telecommunication provider so you are responsible for the charges incurred. 4. Why is identifying or stopping the fraudulent calls the customer's responsibility? Only the customer can differentiate legitimate calls from fraudulent ones. The carriers do not have access or permission to work on your PABX, the vehicle that hackers use most to conduct their activities. 5. How will the hacker find my system? Criminals pay for a PABX maintenance port number and password. Hackers 'scan' using auto-diallers to find systems equipped with modems. Your Company's telephone directory listing or your 0508 / 0800 service advertising make you known to the hacker. 6. How do I justify the expense of corrective action when we have not suffered a loss? Past performance is not an accurate indicator of present threats. The equipment and the motivation to perpetrate this criminal activity did not exist years ago. Educate your managers about the pitfalls of not protecting your Corporate assets and enlist their support by implementing a Corporate policy on unauthorized access as your first step. 7. How does a hacker gain access to my system? Hacker’s use computerized calling programs, automatic diallers, and sophisticated software to break your systems security and pass codes. Hackers attempt to gain access in the following order: Phone Mail / Voice Mail 2) Automated Attendant 3) Remote Access or Direct Inward Service Access (DISA) 4) Remote Maintenance/ Administration Port. 8. Why is it important to protect my Maintenance/Administration Port? This is the most important port on your PABX system. Hackers gain access to your system software and control your Voice Mail, DISA and other PABX features through the maintenance port. 9. How do hacker know which CBX / PBX type and brand of Voice Mail I am using? Hackers identify the type of PABX by the Login procedure used for each system. They know the pass codes for each vendor PABX. Hackers also recognize the various Voice Mail and Phonemail systems by the default digitized voice recordings. 10. How does a hacker use my Voice Mail? Through your Voice Mail the hacker is able to use your PABX "trunk-to-trunk connections" feature to access your long distance network. 2) Your Voice Mail might also be used as a "bulletin board" to distribute stolen credit card and other hacker related information. 3) They may change your greeting to "Hello!...pause....Yes, I'll accept the charges to Zaire." 11. I understand why a larger user must be concerned, but I'm a small business / or in a rural community. Why should hacker activity concern me? Hackers use auto-diallers to search entire area codes to find systems to hack, they do not care who or where their victims are. No one is safe, and smaller companies may be less able to absorb the average loss ranging from $10,000 to $100,000.00 plus dollars per incident. 12. What happens when a hacker finds my Maintenance / Administration Port? Hackers use manufacturers default passwords or computer generated, craker programs until they find a usable password. They then enter a system unlawfully and make software changes that allow unauthorized calls. Information on how to use your altered system is then sold to "call sell operators" who sell calls over your system to whomever wishes to place calls. These calls are typically made from public telephones (pay phones) in large metropolitan cities. 14. What is different about this theft from other forms of fraudulent activity? There are three major differences with this case: The call is processed as data, not voice. An international organization is required to: find the victim, set up the call, collect the money and manage the administration in a foreign location. The theft or scheme has migrated and expanded in form and severity. 15. What can we do to protect ourselves from these crooks and con artists? As with your personal lives, the better informed you are to the risks the better protected you are. Stay on top of the current threats (visit www.scamwatch.govt.nz), add policy on security, secure your system configuration, set-up a team approach to security and service & work with your equipment vendor. Do not let management or your Company be taken by surprise. This is one disaster that is very predictable and equally preventable. Remember that you will be a victim and that you and only you control the severity of these attacks. Hackers and Phreakers are much easier to stop from breaking in than they are to evict. Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

ronindanbo

177 posts

Master Geek

Reply # 300132 18-Feb-2010 14:13
Mycenius: If there was fraud on my Credit Card (or Farmers Card, or whatever) my Credit Card Company would advise me immediately and block the activity; I used to work for a Bank and I can tell you that this only happens IF they notice it, many occasions of note have occured where the Bank has had to act reactively rather than pro-actively. Incidentally you will only be credited back under certain criteria for this as banks have very strict rules about CC Fraud hence having card insurance is a good idea. Mycenius: If my water usage at my home is considered unusually high the Council advise me (usually via letter to check for leaks) and if it's exceptionally high will come on site immediately to check; etc; etc I currently work for a council and have IT talks with alot of councils around the country and I can possitively say I have never heard of this happening so you are lucky enough to live in an area where the local council sees this as it's responsibility just as some are lucky to be in a Telco that sees monitoring of overseas calls as thier responsibility. Push comes to shove desipte having a Labour Government that expoused the ideals of blaming others for your woes there is really no excuse for any business to not actively monitor this type of issue. If the PABX isnt secure enough then why did you buy it - most probably due to saving money? then you only have yourself to blame. This really is a familiar story around most businesses they only see the short term benefits without taking notice of the long term drawbacks it is a very common problem in this country.

robjg63

868 posts

Ultimate Geek

Reply # 300363 19-Feb-2010 13:05
We seem to have had our PABX hacked over the last week. The techo cant quite work out what they were trying to do, but fortunately for us, our PBX doesnt seem to support some of the more lucrative functionality they are trying to use. Anyway - they have set it up to dial a local (Auckland) number, and when I rang that number it says its a conference call number and I need to enter a PIN. So I tried ringing Telecom (our Telco) and eventuatlly got hold of someone who said "Oh - another one" - I have him the number that our system was repeatedly dialing - but he said that wasn't useful to him and to try the "Call investigation centre" - I finally got a helpful bod there - but she said sorry - that isnt our area but I will find someone for you. I got onto another person who checked and said "that isnt a Telecom number so we cant do anything about it and dont know which Telco that number would be with" - so dead end. I'm not blaming Telecom - I can see their point of view - but I have a number that is probably being used for dodgy purposes and cant report it to anyone.... PITA! ----------------------------------------------------------------------------------------------- Nothing is impossible for the man who doesn't have to do it it himself - A. H. Weiler

maverick

3451 posts

Uber Geek

Trusted

WorldxChange

Reply # 300366 19-Feb-2010 13:13
The carrier that the belongs too can generally be found here at the NAD http://www.nad.org.nz/register_index.php You could perhaps look here and then phone the company that administers the number Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

robjg63

868 posts

Ultimate Geek

Reply # 300371 19-Feb-2010 13:23
Thanks Maverick - I have had a look through that and it looks to be a block of Telecom numbers - but they said it wasn't one of theirs. Maybe ported somewhere else??? Its an Auckland number that starts with 357. Maybe the hackers have been trying to hack someones conference call number via our number? ----------------------------------------------------------------------------------------------- Nothing is impossible for the man who doesn't have to do it it himself - A. H. Weiler

maverick

3451 posts

Uber Geek

Trusted

WorldxChange

Reply # 300374 19-Feb-2010 13:32
PM the number to me and I will see if I can find out through my contacts Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

savag3

179 posts

Master Geek

Subscriber

Reply # 300386 19-Feb-2010 14:09
robjg63: Thanks Maverick - I have had a look through that and it looks to be a block of Telecom numbers - but they said it wasn't one of theirs. Maybe ported somewhere else??? Its an Auckland number that starts with 357. Maybe the hackers have been trying to hack someones conference call number via our number? This should be reported to the police. They will have able to find out who the number belongs to and what might have happened.

maverick

3451 posts

Uber Geek

Trusted

WorldxChange

Reply # 300388 19-Feb-2010 14:14
Still looks to be with Telecom Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

robjg63

868 posts

Ultimate Geek

Reply # 300404 19-Feb-2010 14:35
maverick: Still looks to be with Telecom Really? They didnt think it was. Well thanks for checking for me.... ----------------------------------------------------------------------------------------------- Nothing is impossible for the man who doesn't have to do it it himself - A. H. Weiler

webwat

1260 posts

Uber Geek

Trusted

Reply # 300438 19-Feb-2010 16:03
[1] If the PBX is maintained by a service company or under a support contract, it would be reasonable for the customer to place the blame on them. If the customer owns the phone connection then they are responsible for whatever calls are made through it, whether or not the PBX was serviced professionally. The telco is responsible for connecting and paying termination fees for those calls, to whichever country you wish to call. The PBX provider/servicer is probably not liable for fraudulent abuse unless there is some guarantee in your contract. Both the PBX provider and telco probably make efforts to reduce fraud, but no guarantee that every abuse will be picked up before you get the bill. Its still the PBX owners responsibility to check call summaries etc. So.. a fraudster abuses your PBX, your PBX abuses the telco, some overseas telco gets lots of calls from your compromised PBX. Your telco might be able to argue the case with the destination telco, but that would take ages and involve some pretty vague international law (and maybe interpol). They might also be able to build a blacklist of problem number ranges, and would make some effort at credit control but some newer telcos might be still developing their fraud monitoring systems. If your PBX cannot be locked down then its time to get another one — there are some cheap Asterisk ones around these days. Get an PBX expert to check that its secure, but even a really good IP PBX might have some unknown vulnerability that could be abused oneday so keep it behind a secure firewall! Monowall is one you can build from an old PC for free. Your telco or ISP should be able to tell you or the police where each call originated from, depending on whether they originated as landline or VoIP, and track down the fraudster from that. They may have hidden the caller ID from your PBX but they cant hide everything, so dont give up. Qualified in business, certified in fibre, stuck in copper, have to keep going ^_^

freitasm

BDFL
43751 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 300923 22-Feb-2010 10:29
This "free long international call" service may be worth a look at? The domain name was registered just a couple of weeks ago, by an American "business person". Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

Mycenius

92 posts

Master Geek

Reply # 300989 22-Feb-2010 13:48
maverick: As a side note Mycenius , would be interesed to hear what feedback you do get from Consumer rights groups, so wouldn't mind seeing how you turn out with the outcomes... I think a lot of people will be interested in the proceedings and outcomes, especially since there are some pretty polarised views. Hi Maverick - a quick follow up to your query - FWIW we have looked into this further including the T&C's for the service provided and so on; and we are having some further discussion about with the Telco... But basically I don't have any clear cut answer, outcome, or conclusion Maverick - which I think is what you expected or suspected... As I may have mentioned we have had assistance from the Telco to help lessen the impact on the business regardless, and in no way was this thread intended to bag the Telco, but likewise it would be foolish for a business not to at least explore all avenues to mitigate the impact, etc, etc. P.S. BTW I have also heard through the grapevine there have reportedly been several other fraud incidents of the type I have been dealing with recently around NZ (although have not been able to confirm any details first hand).

keewee01

IT Professional
1218 posts

Uber Geek

Subscriber

Reply # 301019 22-Feb-2010 15:01
Mycenius: P.S. BTW I have also heard through the grapevine there have reportedly been several other fraud incidents of the type I have been dealing with recently around NZ (although have not been able to confirm any details first hand). There were some cases reported in the main stream media over the weekend, or late last week. Or was it in some industry rags. Anyway, I remember ready an article that gave some example of how much PBX fraud had cost some companies recently and the police were saying that incidents of the fraud were on the rise.

Mycenius

92 posts

Master Geek

Reply # 301026 22-Feb-2010 15:12
Thanks Keewee01 - I'll have to have a look out for those... The incident I'm involved with has been reported at the time, and the Police have stated they intend to investigate, but it is currently 'in the queue' indefinitely due to no (CID) staff being available to assign it to for investigation...

1 | 2 | 3 | 4 | 5 | 6