PBX Fraud - What is a Telco's Responsibility?

Forums › ICT Policies and Regulation › PBX Fraud - What is a Telco's Responsibility?

1 | 2 | 3 | 4 | 5 | 6

637 posts

Ultimate Geek

Trusted

#295823 3-Feb-2010 20:11

jpollock: 1) Fails a reasonableness test. Is it reasonable that the Telco is profitting from someone who _STOLE_MONEY_FROM_ME_? Talk about an incentive to not investigate!
2) Isn't handled that way in other vendor/customer situations.

Credit card companies don't, power companies don't, health insurers don't, banks don't.

I don't completely agree.

The telcos certainly should implement protection of themselves - i.e. a bill 10X the norm should not be allowed, as maverick has said at least one telco implements credit control to protect themselves from this to avoid not getting paid.

However, I still take the view that the customer left themselves vulnerable. I don't blame Toyota if I leave my car unlocked with the keys in it and it is stolen; and I don't blame my bank if I leave my ATM card with PIN written on it lying around and all my money is withdrawn (especially as I only get a bank statement once a month).

I can sympathise with the customer and I am sure the telco will come to an agreement with them, but they failed to adequately protect themselves, and that is not the telco's fault.

AliExpress

Shop now on AliExpress (affiliate link).

jpollock

600 posts

Ultimate Geek

Trusted

#295927 4-Feb-2010 07:46

PenultimateHop:
jpollock: 1) Fails a reasonableness test. Is it reasonable that the Telco is profitting from someone who _STOLE_MONEY_FROM_ME_? Talk about an incentive to not investigate!
2) Isn't handled that way in other vendor/customer situations.

Credit card companies don't, power companies don't, health insurers don't, banks don't.

I don't completely agree.

The telcos certainly should implement protection of themselves - i.e. a bill 10X the norm should not be allowed, as maverick has said at least one telco implements credit control to protect themselves from this to avoid not getting paid.

However, I still take the view that the customer left themselves vulnerable. I don't blame Toyota if I leave my car unlocked with the keys in it and it is stolen; and I don't blame my bank if I leave my ATM card with PIN written on it lying around and all my money is withdrawn (especially as I only get a bank statement once a month).

I can sympathise with the customer and I am sure the telco will come to an agreement with them, but they failed to adequately protect themselves, and that is not the telco's fault.

Those are all bad analogies. :)

They all involve direct theft by the criminal from the victim. These thefts are international, indirect, facilitated by the network the carriers have designed, and _rely_ on the carrier collecting the stolen money from the victim.

I'm not sure a better analogy can be constructed, but I'll try.

Consider a situation where the criminal can steal money from you through an intermediary. I guess credit cards are the best analogy, because what these criminals are really stealing from you is your authorization to incur charges with the phone company.

Credit card companies were forced to absolve individuals from liability in the event of theft, and to keep them relevant on the Internet, they had to protect all losses due to fraud as well. I'm not sure how much of that is legislated, and how much is market driven.

The only difference between the CC and my phone is that the authorization on my home phone is limited to calls. My mobile phone has a much broader authorization, and is able to purchase movies, tv shows, parking, drinks, and if NFC takes off, much much more.

Remember the howls of protest when banks tried to limit their liability in the event that a customer's account was hacked through a keylogger? We're just not as concerned about PBX fraud because it is a company who has been attacked (although they're being hit by banking keylogger attacks to the same amounts, 100+k).

The tune will very quickly change as more people use VoIP endpoints with CPE, like WorldXChange. The first customer that has their Linksys endpoint hacked and used as a transit point for a VoIP termination fee scam will scream bloody murder.

As I think about it, it all comes down to trust. The problem is that these authorizations are currently blanket, unlimited authorizations. No one ever wants a blanket authorization. That's what leads to the huge mobile roaming data bills, and enables all of this fraud. EFTPOS cards have both hard and soft limits (2 daily limits, and then limited by the balance), Credit Cards also have soft and hard limits (fraud detection and balance). Why doesn't my phone account - something which is susceptible to the same frauds?

While the libertarian in me is saying "Dude, you signed the contract, take it like a man", my sense of fair play is screaming out, "Why is my phone company collecting money for a thief? Why are they making a profit from a crime?".

---
http://blog.jason.pollock.ca

keewee01

1736 posts

Uber Geek

Trusted

#295990 4-Feb-2010 11:19

jpollock:
PenultimateHop:
jpollock: 1) Fails a reasonableness test. Is it reasonable that the Telco is profitting from someone who _STOLE_MONEY_FROM_ME_? Talk about an incentive to not investigate!
2) Isn't handled that way in other vendor/customer situations.

Credit card companies don't, power companies don't, health insurers don't, banks don't.

I don't completely agree.

The telcos certainly should implement protection of themselves - i.e. a bill 10X the norm should not be allowed, as maverick has said at least one telco implements credit control to protect themselves from this to avoid not getting paid.

However, I still take the view that the customer left themselves vulnerable. I don't blame Toyota if I leave my car unlocked with the keys in it and it is stolen; and I don't blame my bank if I leave my ATM card with PIN written on it lying around and all my money is withdrawn (especially as I only get a bank statement once a month).

I can sympathise with the customer and I am sure the telco will come to an agreement with them, but they failed to adequately protect themselves, and that is not the telco's fault.

Those are all bad analogies. :)

They all involve direct theft by the criminal from the victim. These thefts are international, indirect, facilitated by the network the carriers have designed, and _rely_ on the carrier collecting the stolen money from the victim.

I'm not sure a better analogy can be constructed, but I'll try.

Consider a situation where the criminal can steal money from you through an intermediary. I guess credit cards are the best analogy, because what these criminals are really stealing from you is your authorization to incur charges with the phone company.

Credit card companies were forced to absolve individuals from liability in the event of theft, and to keep them relevant on the Internet, they had to protect all losses due to fraud as well. I'm not sure how much of that is legislated, and how much is market driven.

The only difference between the CC and my phone is that the authorization on my home phone is limited to calls. My mobile phone has a much broader authorization, and is able to purchase movies, tv shows, parking, drinks, and if NFC takes off, much much more.

Remember the howls of protest when banks tried to limit their liability in the event that a customer's account was hacked through a keylogger? We're just not as concerned about PBX fraud because it is a company who has been attacked (although they're being hit by banking keylogger attacks to the same amounts, 100+k).

The tune will very quickly change as more people use VoIP endpoints with CPE, like WorldXChange. The first customer that has their Linksys endpoint hacked and used as a transit point for a VoIP termination fee scam will scream bloody murder.

As I think about it, it all comes down to trust. The problem is that these authorizations are currently blanket, unlimited authorizations. No one ever wants a blanket authorization. That's what leads to the huge mobile roaming data bills, and enables all of this fraud. EFTPOS cards have both hard and soft limits (2 daily limits, and then limited by the balance), Credit Cards also have soft and hard limits (fraud detection and balance). Why doesn't my phone account - something which is susceptible to the same frauds?

While the libertarian in me is saying "Dude, you signed the contract, take it like a man", my sense of fair play is screaming out, "Why is my phone company collecting money for a thief? Why are they making a profit from a crime?".

I didn't think the analogies were that bad - OK, maybe you left your Toyota sitting in the dealerships carpark unlocked (whilst knowing that it's not a good idea to leave it unlocked and the dealership suggesting it be locked) and it then got stolen from their carpark.

I do sympathise with whoever is affect by PBX fraud, but at the end of the day they have an unsecured phone system attached to a public network and therefore they (or the provider who implimented it) are responsible for it and the activity on it. It all like trying to make the ISP's responsible because Jonny is illegally downloading music via them.

I would hope that a Telco would not use this sort of situation to profit, but it has to be remembered that they've incured costs from the fraud (billed by overseas Telco's or whatever) and therefore they have to try to recover that money from someone. Yes, in a totally fair world the overseas Telco/service they've had to pay the money to would help track down those responsible and recover the money, but reality is that's not likely to happen and therefore the NZ Telco has to recover what they can - and that will be from the customer. I imagine that the systems used to detect unusual activity are quite expensive so it may not be realistic to expect every Telco to have such a system, and especially if it is a Telco who offers services for a lot less than the big boys... as that is where the savings come from - not buying expensive management systems.

Two sayings come to mind - "Let the buyer beware", and "You get what you pay for".

maverick

3594 posts

Uber Geek

Trusted

WorldxChange

#296052 4-Feb-2010 14:02

As a side note Mycenius , would be interesed to hear what feedback you do get from Consumer rights groups, so wouldn't mind seeing how you turn out with the outcomes...

I think a lot of people will be interested in the proceedings and outcomes, especially since there are some pretty polarised views.

Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

https://www.facebook.com/wxccommunications

Mycenius

106 posts

Master Geek

ID Verified

Lifetime subscriber

#296068 4-Feb-2010 14:32

Hi Maverick - no worries. I will try and follow up with any further info when (and if) available.

As mentioned at the end of the day its certainly not about bagging any Telco's specifically or anything - its more about what a customer could or should be able to expect as reasonable support/pro-active assistance? The case I have had experience with has seen the Telco be pretty helpful and understanding after the event (i.e. with the costs & such like).

I'm just still a bit bemused there was no rudimentary warning 'at the time' when the activity and account charges went unnaturally through the roof, not necessarily immediately but even after 1-2 weeks of the activity, when there had been nearly a years worth of costs on the account in under 14 days...

jpollock

600 posts

Ultimate Geek

Trusted

#296070 4-Feb-2010 14:37

keewee01:
I didn't think the analogies were that bad - OK, maybe you left your Toyota sitting in the dealerships carpark unlocked (whilst knowing that it's not a good idea to leave it unlocked and the dealership suggesting it be locked) and it then got stolen from their carpark.

I think you need to try harder. The dealership isn't profiting from the theft.

How about, you have just bought the car, and signed the loan papers. Before you can walk out the door, the car is stolen off of the lot. The dealer then turns to you and says, "Pay up. 100% now, because the asset is no longer available to cover the loan."

Not only that, but this is a repeated occurrence across multiple dealerships.

Yeah, that's a good car analogy.

---
http://blog.jason.pollock.ca

keewee01

1736 posts

Uber Geek

Trusted

#296080 4-Feb-2010 14:57

jpollock:
keewee01:
I didn't think the analogies were that bad - OK, maybe you left your Toyota sitting in the dealerships carpark unlocked (whilst knowing that it's not a good idea to leave it unlocked and the dealership suggesting it be locked) and it then got stolen from their carpark.

I think you need to try harder. The dealership isn't profiting from the theft.

How about, you have just bought the car, and signed the loan papers. Before you can walk out the door, the car is stolen off of the lot. The dealer then turns to you and says, "Pay up. 100% now, because the asset is no longer available to cover the loan."

Not only that, but this is a repeated occurrence across multiple dealerships.

Yeah, that's a good car analogy.

And you know that the Telco is profiting form it? (I would expect them to have some profit on it, but not grossly).

The majority of what they will be asking the customer for is not for themsleves - they are passing on a charge which has been levied against them by someone else!!! Don't forget that. Your comments suggest that the entire amount being asked for by the Telco is going straight into their coffers as profit and this is simply not true. Telecom, by wiping lots of dollars in the cases that involve them, are taking a big financal hit (mind you they can afford to). A lot of other companies can probably not afford to as the margins are slim as it is.

maverick

3594 posts

Uber Geek

Trusted

WorldxChange

#296094 4-Feb-2010 15:32

jpollock:

How about, you have just bought the car, and signed the loan papers. Before you can walk out the door, the car is stolen off of the lot. The dealer then turns to you and says, "Pay up. 100% now, because the asset is no longer available to cover the loan."

Yeah, that's a good car analogy.

It's all good because he had to get insurance before he was able to purchase the car

, and I bet he will have no problem demanding the money off the insurance company as he has to pay the car dealer...thank god for insurance

sorry just a bit of humour to a serious subject

Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

https://www.facebook.com/wxccommunications

Zippity

683 posts

Ultimate Geek

#296109 4-Feb-2010 16:00

Most of the end users HAD been previously warned of this fraudulent activity.

It was up to THEM to take the necessary preventative action.

If they didn't, they can hardly cry "help" to their telco.

jpollock

600 posts

Ultimate Geek

Trusted

#296114 4-Feb-2010 16:22

keewee01:

The majority of what they will be asking the customer for is not for themsleves - they are passing on a charge which has been levied against them by someone else!!! Don't forget that. Your comments suggest that the entire amount being asked for by the Telco is going straight into their coffers as profit and this is simply not true. Telecom, by wiping lots of dollars in the cases that involve them, are taking a big financal hit (mind you they can afford to). A lot of other companies can probably not afford to as the margins are slim as it is.

I never claimed it was all the telco's profit. Are they profiting? Yes, absolutely, definitely, 100%.

Most vertically integrated telcos will be able to hide profits in other divisions. Although, "hide" implies conscious effort, which isn't warranted. For example, would TNZ be removing the charge for crossing the Southern Cross cable from the fee? No? Then they've just profited from the fraud. If not them, then the carrier that they are using for international interconnection (who is their supplier).

I would expect that all carriers have in their agreements the ability to dispute charges. Otherwise, they end up being open to some serious fraud along the lines of the current sales tax frauds that are happening in Europe.

Make no mistake, carriers are making money on these frauds. It's not all going to the thief, just the same as the SMS scams on Vodafone.

As for the car analogy, you don't have to take fire and theft insurance (might be different on a lease/loan?), so :P

---
http://blog.jason.pollock.ca

barf

643 posts

Ultimate Geek

#297337 9-Feb-2010 11:05

http://www.theregister.co.uk/2.../

By Dan Goodin in San Francisco
The Register
3rd February 2010

A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing them through the networks of telecommunications companies.

Edwin Andrew Pena pleaded guilty to two felonies in connection with the hacking spree, which spanned the years 2004 through 2006, according to court documents. He was apprehended last year in Mexico after skipping out on a $100,000 bond secured by the mother of his then girlfriend.

Pena appeared in US District Court in New Jersey on Wednesday and pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14.

Pena and cohort Robert Moore were arrested in June 2006 and accused of carrying out an elaborate scheme that routed more than 10 million minutes of VoIP calls over the networks of a dozen or so telecommunications providers without their permission. They breached the networks by using brute-force attacks that deduced the security telephone prefixes needed to gain access.

Sniffing the glue holding the Internet together

old3eyes

9110 posts

Uber Geek

Subscriber

#297362 9-Feb-2010 12:50

barf: http://www.theregister.co.uk/2.../

By Dan Goodin in San Francisco
The Register
3rd February 2010

Pena appeared in US District Court in New Jersey on Wednesday and pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14.

Now if he had done it in NZ he would have got community service or home detention at worst..

Regards,

Old3eyes

richms

27914 posts

Uber Geek

Trusted

Lifetime subscriber

#298737 13-Feb-2010 22:04

Nahh, if he did it in NZ he would have a job offer ;)

Richard rich.ms

maverick

3594 posts

Uber Geek

Trusted

WorldxChange

#299795 17-Feb-2010 14:36

Info released today

17-02-2010

New Zealand targeted for PBX fraudulent hacking attempts

What's happening?

Telecom's internal fraud team have confirmed that New Zealand is seeing an increased number of fraudulent hacking attempts into unsecured customer PBXs. We're advising you to contact your customers immediately to ensure their PBXs (traditional or IP) are appropriately secured.

What's the details?

We've been advised by Telecom's fraud team of an increased frequency of fraudulent hacking attacks on wholesale and retail customer PBXs. These types of attack are seemingly cyclical; with New Zealand last targeted on this scale two years ago. However, hacking into customer PBXs can happen at any time.

We recommend that you contact your customers immediately and highlight the risk of fraudulent attacks on unsecured PBXs. Most customer PBX maintenance contracts include a 'fraud/audit service' and the audit will check for unsecured voicemail boxes, maintenance ports, the use of manufacturer default passwords from factory settings (many of which are readily available to hackers online) and DISA lines (Direct Inward System Access).

You can also check your daily CDR reports looking for any unusual activity or calling patterns which may indicate fraud on your end users PBXs.

Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

https://www.facebook.com/wxccommunications

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#299823 17-Feb-2010 16:00

It's certainly a timely reminder especially if you're running Asterisk as well.

If you're not running something like fail2ban you should be.

Do not allow anonymous inbound SIP connections unless you truely understand the security implications of doing this. Also make sure all extension passwords are secure and ultimately should be locked down to your local network unless you need to use a remote extension.

If you want to really lock things down you could also lock down inbound SIP traffic on port 5060 to the IP address of your VoIP provider. This isn't without it's possible issues (ie your provider could change IP's) but means nobody can connect via SIP to your box.

1 | 2 | 3 | 4 | 5 | 6