sbiddle
  #295681 3-Feb-2010 12:25
Out of interest, was this a VoIP-based PBX using SIP connectivity or a traditional system?

 
 
 

maverick
  #295683 3-Feb-2010 12:29
My guess would be, based on the orig post, that it was a traditional system with no or poor password access when calling in to an inbound number/s for VM or extended dialling (ie 0000 1234) etc, and once in you had access to set up call forwarding.




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well ;)

https://www.facebook.com/wxccommunications

AndrewTD
  #295691 3-Feb-2010 12:52
Mycenius:
...
In the case I am referencing this is not the case - the PBX was configured as securely as possible for the model/type of PBX. There is a common misconception that all PBXs & VM systems can be configured to prevent this, which isn't the case...

...

Since not all PBXs and VMs can be secured safely in a way to guarantee this can't happen, there is always the possibility of it happening (and contrary to what's been said here, you'd be lucky if 25% of PBX systems are of newer types with the enhanced security & functions referenced)... Also, contrary to some comments above, not all PBXs & VM systems have adequate logging facilities, nor is it practical to access them, nor reasonable to expect people to do so on a daily basis... As per Ol'3eyes' comment, blocking VM from International is an option, but only if the system has the functionality, and some/many don't (e.g. you can only block all outgoing calls from VM, or block all tolls, or in some cases can't block any at all).





I think the above two comments are a strong justification for getting a new PBX that can be adequately secured.

Phone call fraud is a growing thing, and is getting a lot more publicity these days. There really is very little excuse for ignorance of this.

Any responsible business owner should be aware of the risks of running an insecure PBX. And if they don't want to carry that risk, they should upgrade/replace their PBX with a secure one.

And yes, Telcos and the ICT industry in general should (or would be well advised to) do more to warn the public of these risks, and what they need to do in general terms to mitigate the risks.

[Disclosure: I don't sell PBXs, but I do benefit when people in NZ buy Polycom phones.]

kind regards Andrew TD




maverick
  #295695 3-Feb-2010 13:01
I also may add that each Telco will address these types of issues in different ways with different systems. WxC, for example, has credit limits for all customers and they will automatically suspend when hitting that limit; others may only look at commercials or have methods for tracking usage. I can only speak for WxC, but Telcos will try and minimise fraud; the end responsibility has to lie with the customer.





jpollock
  #295712 3-Feb-2010 13:27
AndrewTD:
I think the above two comments are a strong justification for getting a new PBX that can be adequately secured.

Phone call fraud is a growing thing, and is getting a lot more publicity these days. There really is very little excuse for ignorance of this.

I don't think that it is reasonable to expect that every business person with a PBX (which is most of them) is able to keep up with the news enough to determine whether or not they need to replace their PBX.

That this sort of fraud is happening is a result of a reduction in the trustworthiness of the core telco network.

The core network puts a lot of trust in the values in the messages going back and forth. However, this trust is no longer valid - reference all the VM hacks that are performed by CLI spoofing. Better yet, research the huge VoIP transit fraud that happened a few years ago.

So, if the carriers themselves are unable to protect their own equipment from these attacks, how can we expect some poor plumbing company without a dedicated IT staff and a 10yr old PBX to figure it out?

You can't.

They wouldn't be able to figure it out even if they did have a dedicated IT staff. Because the PBX and the phone system are in the "it just works" pile, and they've got actual problems to fix.

We are on the inside of this market, and we read these stories every day. _We_ have no excuse, and it should be up to _us_ to protect and inform our customers.

It sounds like there is a market opening here. :)

So, features that a telco could offer:

  • PBX security audit - maintain a list of model/security issues, and pass them on to your customers with PBXs.
  • Secure call forward setup - called party white list for the outbound line.
  • Daily call logs - real-time billing, informing the customer of their previous day's calls by email.
  • Charge limit - limit the outstanding balance to 150% of the previous billing period (or average, or whatever) - someone calls them when they hit 125% (or 2 std dev, or whatever).
  • Fraud detection - detect strange calling patterns (like Visa/Mastercard's velocity checking).

There are plenty more, and they all make your customers more "sticky", and increase the likelihood of a customer service interaction with them.

It's like before ISPs added inline spam and virus detection.
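The charge-limit and velocity-check items from jpollock's list, worked through as an added example that is not from the thread or from any carrier's real billing system. It runs both checks over a handful of constructed call detail records (CDRs); the previous-period total, the 125%/150% thresholds, the ten-minute window, the destination numbers (555-01xx placeholders) and the call costs are all assumed values chosen for the illustration.

```python
"""Constructed example (not from the thread or any carrier): a charge limit
measured against the previous billing period, and a card-style velocity
check on calling patterns, both run over made-up call detail records."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Call:
    ts: datetime   # call start time
    src: str       # originating extension or port on the customer's PBX
    dest: str      # dialled number (constructed, 555-01xx style placeholders)
    cost: float    # rated cost, NZ$ (assumed values)


def is_international(dest: str) -> bool:
    """NZ international access code 00, or an E.164 number outside +64."""
    return dest.startswith("00") or (dest.startswith("+") and not dest.startswith("+64"))


def charge_limit_alerts(calls, prev_period_total, warn_ratio=1.25, suspend_ratio=1.5):
    """Walk the CDRs in time order keeping a running balance for the current
    period. Returns (warn_index, suspend_index): the positions of the first
    call at which the balance reaches warn_ratio and suspend_ratio of the
    previous period's total (None where a threshold is never reached)."""
    warn_at = suspend_at = None
    balance = 0.0
    for i, call in enumerate(sorted(calls, key=lambda c: c.ts)):
        balance += call.cost
        if warn_at is None and balance >= warn_ratio * prev_period_total:
            warn_at = i          # someone phones the customer at this point
        if suspend_at is None and balance >= suspend_ratio * prev_period_total:
            suspend_at = i       # outbound tolls suspended; stop rating further calls
            break
    return warn_at, suspend_at


def velocity_alerts(calls, window=timedelta(minutes=10), max_international=3):
    """Sliding-window count of international calls per source. Any call that
    pushes a source past max_international within `window` is returned as a
    suspicious-pattern alert; domestic calls are ignored."""
    recent = defaultdict(deque)      # src -> timestamps of recent international calls
    flagged = []
    for call in sorted(calls, key=lambda c: c.ts):
        if not is_international(call.dest):
            continue
        window_calls = recent[call.src]
        window_calls.append(call.ts)
        while call.ts - window_calls[0] > window:   # drop calls older than the window
            window_calls.popleft()
        if len(window_calls) > max_international:
            flagged.append(call)
    return flagged


# Constructed sample day: eight cheap domestic calls during office hours,
# then a 2 am burst of international calls from the voicemail call-forward port.
T0 = datetime(2010, 2, 3, 9, 0)
SAMPLE_CALLS = [Call(T0 + timedelta(hours=h), "ext-201", "095550100", 0.50) for h in range(8)] + [
    Call(T0 + timedelta(hours=17, minutes=2 * k), "vm-fwd", "0012125550100", 12.00) for k in range(10)
]
PREV_PERIOD_TOTAL = 40.0   # assumed: last month's bill was NZ$40


if __name__ == "__main__":
    warn, suspend = charge_limit_alerts(SAMPLE_CALLS, PREV_PERIOD_TOTAL)
    print(f"charge limit: warn at call {warn}, suspend at call {suspend}")
    for call in velocity_alerts(SAMPLE_CALLS):
        print(f"velocity alert: {call.ts:%Y-%m-%d %H:%M} {call.src} -> {call.dest}")
```

On the sample data the velocity check fires on the fourth international call, six minutes into the burst, well before the running balance reaches the 125% warning level; that is the practical argument for the pattern check over a pure spend limit, since the spend limit only trips once a meaningful amount has already been lost.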




Regs
  #295715 3-Feb-2010 13:31
I think that it should be the customer's responsibility to choose a telco that provides the services they require. If they want a dirt cheap telco with no additional services, then that's what they get. If they wish their telco to 'manage' their account - e.g. by reporting on potential fraud through CPE - then they need to buy the service from a provider that offers this, perhaps at a premium.

If a customer is renting/buying a PBX from a telco and has had it professionally installed by that telco or one of its service agents, and it is hacked or compromised in some way, then that is a different story than a customer that deploys their own equipment.

Perhaps this is an opportunity for telcos to further enhance the value they provide and differentiate themselves from others in the market?

Would you expect a software vendor to monitor your machines for potential misuse of their installed software? Not without a service agreement in place.

Does the excuse of 'someone hacked my wifi' still work for people with large broadband usage bills? I guess there are capped cost options now, so vulnerable people should probably be on those plans.

Credit card companies are a poor comparison as they are directly responsible for the security of the system and it is often through no fault of the consumer when fraud occurs. If your Telco was hacked and calls made through your account which didn't come through your own systems, then this would be a different story and I would expect that the telco would have more/all the responsibility.




Regs
  #295723 3-Feb-2010 13:40
jpollock:
So, if the carriers themselves are unable to protect their own equipment from these attacks, how can we expect some poor plumbing company without a dedicated IT staff and a 10yr old PBX to figure it out?

Perhaps all companies with a PBX and no dedicated support staff should all be using a centrex type model instead of an on-premise PBX. Or maybe they should be forced to take a service contract for that PBX that guarantees it is kept serviceable. I guess that Insurance companies could start offering "Communications" insurance.

I expect that we will see a lot more of the 'centrex' sort of solution again with hosted VoIP PBX solutions and compatible broadband solutions (e.g. FTTP).

I suppose we could always pass a law forcing telcos to babysit clients... but this would increase the cost of business for everyone as the telcos would have to up their charges.






wellygary
  #295726 3-Feb-2010 13:50
This is not exactly a new problem.

It's been happening since the invention of PBXs:

http://marc.info/?l=isn&m=1007...

and before that with blue boxing.

While it is nice to think a Telco should wear the cost of any major fraud, I do really think that the PBX owner is the one responsible, and if there is a poor install that permits it then they should go to the provider.

I mean, if you had an external electrical socket installed on your property, and you found your neighbour had run a long extension cord over to it and was running his spa pool off it, would you expect the electrician or your power company to pay up?


maverick
  #295728 3-Feb-2010 13:53
Some people would, yes :)

But it is a serious question, one I can assure you all Telcos will and do take very seriously. We honestly do not see a lot of this at all ourselves, but we are very aware of it. I have seen the attempts to do exactly what appears to have been done here, but we had some systems in place ourselves that picked it up, and we saw attempts from multiple compromised NZ PABX systems trying to access our network, and in particular a compromised Voicemail owner who thought 0000 was a good password to use.

We ourselves do not allow International call forwarding from Voicemail; we do not allow easy passwords and set random ones for our customers on initial setup, but we still have customers try and change them to 00000 & 12345 etc.... We also, as said, have credit limits for all customers. Each carrier will have to try and deal with their potential liabilities in the best way they see fit, as if the custy gets frauded then generally the Carrier is going to take a hit as well, so it is always in their best interest to do what they can with the resources and monitoring facilities that they have.
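The voicemail PIN policy maverick describes (a random PIN set at provisioning, and customer-chosen values like 0000, 00000 or 12345 refused), written out as an added example. This is an illustration for the thread, not WorldxChange's code; the 4-8 digit length bounds, the "too few distinct digits" rule, the keypad-column pattern list and the extension-match rule are assumptions that go a little beyond the specific values the post mentions.

```python
"""Constructed example (not WorldxChange's code): a voicemail PIN policy that
rejects the weak values mentioned in the thread (0000, 00000, 12345) and the
common patterns around them, plus random initial-PIN provisioning."""
import secrets
from typing import Optional

MIN_LEN, MAX_LEN = 4, 8                 # assumed length bounds
KEYPAD_PATTERNS = {"2580", "0852"}      # straight down/up the keypad's centre column (assumed list)


def is_sequential(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, e.g. 12345 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def weak_pin_reason(pin: str, extension: str = "") -> Optional[str]:
    """Return why a customer-chosen PIN is refused, or None if it passes.
    Checks are ordered so the most specific reason is reported first."""
    if not pin.isdigit():
        return "digits only"
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        return f"length must be {MIN_LEN}-{MAX_LEN} digits"
    if len(set(pin)) == 1:                    # 0000, 00000, 1111 ...
        return "repeated single digit"
    if len(set(pin)) < 3:                     # 1212, 1122, 7070 ...
        return "too few distinct digits"
    if pin in KEYPAD_PATTERNS:
        return "keypad pattern"
    if is_sequential(pin):                    # 12345, 4321 ...
        return "sequential digits"
    if extension and (pin in extension or extension in pin):
        return "matches extension"            # PIN equal to, or containing, the mailbox number
    return None


def random_pin(length: int = 6) -> str:
    """Initial PIN assigned at provisioning; drawn from the OS CSPRNG and
    re-drawn until it satisfies the same policy customers are held to."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if weak_pin_reason(pin) is None:
            return pin


if __name__ == "__main__":
    for candidate in ("0000", "00000", "12345", "2580", "1212", "739148"):
        print(f"{candidate:>8}: {weak_pin_reason(candidate) or 'accepted'}")
    print("provisioned PIN:", random_pin())
```

The point of running the provisioned PIN through the same `weak_pin_reason` check is that a random draw can still land on a pattern (a six-digit draw will occasionally be all one digit or a straight run), and the reason string gives the customer-facing system something specific to show when a change request is refused.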


   





AndrewTD
  #295730 3-Feb-2010 13:55
I like the list of features that jpollock suggested.
I align more with Regs' view that Telcos could offer these as added extra options, for a fee.
As jpollock comments - a plumber isn't and shouldn't be interested in the tech details of a PBX - but I would posit that a plumber (any business) can and should select a PBX and a telco based on more than just a 'what's the cheapest I can get' approach. They should look at all the usual factors such as:

  • does it do what I want
  • how much will it cost me
  • are the companies selling this (PBX supplier / telco) responsive, reliable, etc
  • what's the after-sales service like
  • what sort of support contract is there

and add to that list

  • what's my backup scenario if the PBX/Telco service stops working (i.e. redirect to cell phones, etc)
  • what's my exposure to telephone fraud, and how do I mitigate that

That last point is probably the only one that many businesses don't think about now. The rest are fairly common sense. Although one could argue that the "backup scenario" one doesn't get enough attention either. (Techos tend to be more acutely aware that anything technical can and will break/fail at some point. Although there's a whole lot of Telecom XT users that are now acutely aware of that.)

So, Telcos and PBX suppliers should do their buying public a service and explain the issue of telephone fraud to their clients up front, and of course explain how great their particular offering is at minimising that risk.

It is in the interests of Telcos to explain the risk of telephone fraud to the market in general (mitigates their credit risks), and in the interests of PBX suppliers to develop/explain fraud mitigating factors of their PBX - as a competitive differentiator.

kind regards Andrew TD


Bung
  #295740 3-Feb-2010 14:16
wellygary:
I mean, if you had an external electrical socket installed on your property, and you found your neighbour had run a long extension cord over to it and was running his spa pool off it would you expect the electrician or your power company to pay up?

Make the analogy relevant. What if the telco had a junction box outside your property and people were making calls from your cable pair? Would you expect the telco to insist that somehow you must have been responsible?

Zippity
  #295741 3-Feb-2010 14:16
Most customers were indeed previously advised of this loop-hole - whether they elected to do anything about it was their choice.

jpollock
  #295744 3-Feb-2010 14:33
 
wellygary:
I mean, if you had an external electrical socket installed on your property, and you found your neighbour had run a long extension cord over to it and was running his spa pool off it would you expect the electrician or your power company to pay up?

This happens all the time with marijuana grow operations. Telcos tend to be unique in their non-interest in investigation and their intense desire to collect.

Although, grow ops typically bypass their own meter, instead of stealing from the neighbour - it's not unheard of though:

http://network.nationalpost.com/np/blogs/toronto/archive/2008/07/04/police-officers-charged-in-drug-bust-released-on-bail.aspx

So, in that situation, is it _your_ fault that your neighbour tunneled through the foundation and stole power from you?

That's a pretty cold position to take.




Regs
  #295787 3-Feb-2010 17:56

wellygary:
I mean, if you had an external electrical socket installed on your property, and you found your neighbour had run a long extension cord over to it and was running his spa pool off it would you expect the electrician or your power company to pay up?

is quite a different scenario to:

jpollock:
So, in that situation, is it _your_ fault that your neighbour tunneled through the foundation and stole power from you?

You would argue that the power socket wasn't adequately secured in the first instance.

If you were in a commercial building with different tenants on different floors, and someone from another floor jacked your power - who do you think would be responsible here? I doubt that the power co would accept any responsibility. As a tenant you could potentially go the landlord for failing to take precautions in securing the wiring, unless you did the fitout yourself, in which case responsibility would be your own.

We take out insurance for fire, theft, accidental damage, public liability - sounds like insurance would be the likely solution to me. Of course, an insurance company won't likely pay out if you don't lock the front doors (and they can prove it), so why would they pay out if you didn't treat your phone system like your computer systems and patch the holes?

Check out the recent CIO article on "Cyber Insurance": http://cio.co.nz/cio.nsf/depth/F982BE098F967D5ACC2576B900056F2B





jpollock
  #295797 3-Feb-2010 18:29
Edit: Stand back, you might need a raincoat and umbrella to take care of the flying spittle.

The comment was that it was the individual's sole responsibility for all charges incurred through the use of their phone line.

My point is that this view:

1) Fails a reasonableness test. Is it reasonable that the Telco is profiting from someone who _STOLE_MONEY_FROM_ME_? Talk about an incentive to not investigate!
2) Isn't handled that way in other vendor/customer situations.

Credit card companies don't, power companies don't, health insurers don't, banks don't.

It's even in the Telco's best interest to _NOT_ chase after the victim for the full sum - it's too damn expensive to get them to pay.

Should the Telco be out of pocket? No. Is it solely the victim's responsibility? Again, no, it's shared between the Telco (for not preventing it, or notifying that it was happening), the criminal and the victim.

I'm not a lawyer, so I couldn't say what the ratios are. However, if I was smacked with a 100k telephone bill, one that was 10x what my usual bill was, I would most certainly be talking to a lawyer. If the Telco wasn't negotiating? If it was my business? I'd:

1) Go to the press
2) Sue
3) Blog about it.
4) Declare bankruptcy.
5) Try to claim against your business assets insurance, and let them argue with the Telco.
6) Change carriers.

All of that is to attempt to make the Telco more interested in being "reasonable".

100k is a lot of money for a small business. I remember when a small company I was working for had someone steal 400k from the accounts in a year. The cash flow alone almost put the company under.

For full disclosure, I had TelstraClear bill my credit card for NZ$8000. My usual phone bill at that time was NZ$40. The bill was obviously a billing fault (the lines were all "Telco Charges" with an amount, no destination number), but do you know how _hard_ it was to get them to reverse the charge? The line from the customer support guy was "You had ample time to argue the charge before we billed your credit card; since the credit card was billed, the charge is considered to be accepted". I was overseas at the time. It took 2 months to get sorted out.

So, no, a 100k phone bill when the regular bill is 10k completely, totally and utterly fails the reasonable test, and it is _way_ past time that carriers accepted responsibility for their part in these frauds.



