My window to the world


There are more serious things than Bill Shock: modern telephone fraud

By Mauricio Freitas, posted: 3-FEB-2010 11:19

In the last couple of weeks we have seen a series of articles in our mainstream media about "bill shock". "Bill shock" happens when you travel overseas and come home to a surprisingly large bill for your mobile usage.

I do not have sympathy for people who claim "bill shock", because people know there are roaming charges involved when they travel. When you arrive in another country both Vodafone and Telecom send an SMS warning you of the different costs for voice and data connections. You signed a contract that says you have to pay for roaming costs.

I don't like mobile data roaming costs any more than anyone else does. I think our telcos simply make as much as they can - it's unbelievable that a mobile operator in the U.S. can give its own customers 5GB of mobile data for a fixed price, yet charge visitors something that (adding up the margins) comes to $10/MB. The mobile data roaming prices are a joke.

But there's something else that local companies will have to worry about more and more as they adopt VoIP solutions: the old telephone fraud.

Just to give you an idea: a company has a digital PBX. For some reason it is not fully secured, and some crooks find it. They load their own configuration into the PBX and set up a "company" selling cheap calls to China, Korea and South Africa. They sell calling cards around the place and publish their "access number". Callers buy the cheap service, dial the access number, wait for the second dial tone, enter the number they want to reach and get connected - all through the unsuspecting company's PBX and its VoIP lines.

Companies may find this out after a month or so, when the first bill comes in. By then they have carried a constant stream of outbound calls and have to pay for it.

This kind of trick works against new digital PBX systems, but also against older ones. An unsecured route to an outside line, or voicemail access that is not locked down, and it can be done easily.

This is being discussed on Geekzone here, and it raises an interesting series of questions:

  • Should the telco monitor your usage and contact you if patterns change (as credit card companies do)?
  • Should the telco be responsible for a misconfigured VoIP installation that its technicians were not involved with?
  • Should insurance be required for telephony services now?
  • Should insurance companies charge less to companies whose VoIP was installed by certified technicians?
  • Should the telco "forgive" the bill and simply pay for calls that are not its problem in the first place?

What do you think?



Comment by ejrg, on 3-FEB-2010 13:28

Thanks for a good business idea, now to find an unsuspecting mark  .......   (tongue firmly in cheek)    :-)


Comment by digitaldivide, on 3-FEB-2010 15:43

Should the telco monitor your usage and contact you if patterns change (a la credit card companies?)
> I understand that Telecom New Zealand already does this. In 2003 there was an article discussing Cerebrus Fraud Detection. See:
http://www.embeddedstar.com/press/content/2003/3/embedded7478.html


Should the telco be responsible for a misconfigured VoIP installation that their technicians are not involved with? Should the telco "forgive" the bill and simply pay for the calls that are not their problem in first place?
> I would be surprised if you could select a supplier who makes an error in VoIP configuration, and then have the telco wear the cost.
I would suggest you pay the bill and bill your supplier for their error in security.
A quality contract between you and your supplier should have defined this cost recovery, and what period it applies to. If your PIN number is your extension number....


Author's note by freitasm, on 3-FEB-2010 15:45

Just a note, DigitalDivide - this is not a problem I am facing, but a commentary on someone else's.


Comment by maverick, on 3-FEB-2010 19:07

This is a good discussion Mauricio, and obviously I am contributing to the thread. I do see both issues, and the posters are generally making good points on both sides. I do see the issue for a customer that has been badly affected by not knowing what is happening and the cost being incurred on their account through fraudulent activities; I also see the costs involved for a carrier, which has to pay the upstream carrier for those calls as well.

I can only speak on behalf of WxC obviously, but as stated in my post we have credit limits for that reason; this limits our and our customers' liability in this type of case. Also, for a company that has had this occur to them we would generally discuss it with the customer and work on a cost-plus basis, but each case would have to be dealt with on its merits.

Due to my role and involvement in the telco industry, and especially on the VoIP side of things, I have seen both sides of the new and old tricks. There are always cons and frauds going on, as there is scum all over the world looking to take advantage. VoIP can make it a little easier for someone sitting in another country to conduct this type of fraud attempt... but only if there is a badly configured IP PBX... and sorry to say the worst offenders here are seen in the Asterisk user groups... probably going to upset a few of the geeks out there with those comments.

I could go on for a while on the issue as thieves are my pet hate, but overall the occurrences seen by us over a 12-year period are very, very low for this type of activity. We are always checking, looking at security, always reviewing and never trying to become complacent with IP security; there is always someone trying to find a hole somewhere...
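maverick's comment above puts the blame on badly configured IP PBXs, Asterisk installs among them, and the post itself names the two classic openings: an unsecured route to an outside line and voicemail access that is not locked down. The script below is an added example, not code from the page, from Asterisk, or from any commenter: it parses a constructed `sip.conf` and flags the settings that most often turn an Asterisk box into somebody else's calling-card platform. The sample configuration, the `OUTBOUND_CONTEXTS` set (which a real audit would derive from `extensions.conf`) and the secret-length threshold are assumptions made for the example.

```python
"""Audit an Asterisk sip.conf for the settings that let outsiders dial out
through the PBX.  Added example: the configuration text, the outbound
context name and the secret-length threshold are constructed for
illustration and do not come from any real deployment."""
import re

# Constructed sample sip.conf (assumption: not taken from a real system).
SAMPLE_SIP_CONF = """
[general]
context=from-internal        ; where unauthenticated calls land
allowguest=yes               ; accept SIP calls with no credentials at all
alwaysauthreject=no          ; distinct errors reveal which extensions exist

[1001]
type=friend
secret=1001                  ; PIN equals the extension number
host=dynamic
context=from-internal

[1002]
type=friend
secret=Tr0ub4dor&3-long-enough
host=dynamic
context=from-internal
permit=192.168.1.0/255.255.255.0

[disa-in]
type=friend
secret=1234
host=dynamic
context=from-internal
"""

# Assumption: dialplan contexts that can reach a trunk.  A real audit
# derives this from extensions.conf; here it is fixed for the sample.
OUTBOUND_CONTEXTS = {"from-internal"}
MIN_SECRET_LEN = 10  # assumption: shorter or all-digit secrets count as weak


def parse_sip_conf(text):
    """Minimal parser: [section] headers, key=value lines, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit_sip_conf(text):
    """Return a list of (section, finding) tuples for the given sip.conf text."""
    sections = parse_sip_conf(text)
    findings = []

    # Global settings: guest calls and extension enumeration.  Defaults vary
    # between Asterisk versions, so both are expected to be set explicitly.
    general = sections.get("general", {})
    if general.get("allowguest", "").lower() != "no":
        findings.append(("general", "allowguest is not set to no: "
                         "unauthenticated SIP calls are accepted"))
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to yes: "
                         "error responses tell a brute-force scan which extensions exist"))

    # Per-peer settings: credential strength and reach into the trunk context.
    for name, opts in sections.items():
        if name == "general":
            continue
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no secret configured"))
        elif secret == name:
            findings.append((name, "secret equals the extension number"))
        elif secret.isdigit() or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "weak secret (all digits or shorter than "
                             "%d characters)" % MIN_SECRET_LEN))
        if opts.get("context") in OUTBOUND_CONTEXTS and not ("permit" in opts or "deny" in opts):
            findings.append((name, "reaches trunk context %r from any source address; "
                             "add permit/deny or move it to a context without "
                             "outbound dialling" % opts["context"]))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print("[%s] %s" % (section, finding))
```

On the constructed sample the audit reports six findings: two for the `[general]` section, two for `1001` (PIN equals extension, unrestricted reach into the outbound context) and two for `disa-in`, while `1002` passes because its secret is long and its `permit` line pins it to the office subnet. The same checks apply, with different file syntax, to a traditional PBX's DISA and voicemail PINs.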


Comment by barf, on 9-FEB-2010 10:07

From http://www.theregister.co.uk/2010/02/03/voip_hacker_guilty/

By Dan Goodin in San Francisco
The Register
3rd February 2010

A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing them through the networks of telecommunications companies.

Edwin Andrew Pena pleaded guilty to two felonies in connection with the hacking spree, which spanned the years 2004 through 2006, according to court documents. He was apprehended last year in Mexico after skipping out on a $100,000 bond secured by the mother of his then girlfriend.

Pena appeared in US District Court in New Jersey on Wednesday and pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14.

Pena and cohort Robert Moore were arrested in June 2006 and accused of carrying out an elaborate scheme that routed more than 10 million minutes of VoIP calls over the networks of a dozen or so telecommunications providers without their permission. They breached the networks by using brute-force attacks that deduced the security telephone prefixes needed to gain access.

[...]


Comment by rphenix, on 9-FEB-2010 21:20

I would hope the VoIP provider would come to the party for a loyal customer. Obviously they cannot wear the cost completely, but perhaps they could charge the normal average amount the customer incurs, plus cost for the remaining bill. I remember reading about this very subject on the Whirlpool forums; there are some pretty big bills out there, 50K upwards, by the time the customer discovers it.

Great to see WXC take a pro-active approach and put limits on the amount the customer can be charged.


Comment by maverick, on 17-FEB-2010 13:48

Put out by Telecom today

17-02-2010

New Zealand targeted for PBX fraudulent hacking attempts

What's happening?

Telecom's internal fraud team have confirmed that New Zealand is seeing an increased number of fraudulent hacking attempts into unsecured customer PBXs. We're advising you to contact your customers immediately to ensure their PBXs (traditional or IP) are appropriately secured.

What are the details?

We've been advised by Telecom's fraud team of an increased frequency of fraudulent hacking attacks on wholesale and retail customer PBXs. These types of attack are seemingly cyclical; with New Zealand last targeted on this scale two years ago.  However, hacking into customer PBXs can happen at any time.

We recommend that you contact your customers immediately and highlight the risk of fraudulent attacks on unsecured PBXs. Most customer PBX maintenance contracts include a 'fraud/audit service' and the audit will check for unsecured voicemail boxes, maintenance ports, the use of manufacturer default passwords from factory settings (many of which are readily available to hackers online) and DISA lines (Direct Inward System Access).
 
You can also check your daily CDR reports looking for any unusual activity or calling patterns which may indicate fraud on your end users PBXs.

