Fraud Department Warning | Telephone System Security Guidance
In discussions recently held with some of the other large telcos in New Zealand it was found that a number of New Zealand businesses have lately been hit with PABX fraud (hacking). While this type of fraud has been around for a very long time, it seems the would-be fraudsters are back targeting businesses in New Zealand. In most cases PABX fraud can be avoided if the customer speaks with their PABX and/or voicemail vendor and asks for one or both systems to be audited for potential fraud weaknesses. PABX fraud has been occurring throughout the world for the past 10-20 years. The types of fraud perpetrated on our customers are usually nothing new and have often occurred elsewhere in the world first. New Zealand based PABX and voicemail vendors should therefore be well aware of the types of telecommunications fraud their products are vulnerable to, and should be able to apply permanent fixes to their products if an audit shows them to be insecure.
PABX Fraud (Private Automatic Branch Exchange)
What is PABX Fraud?
A PABX is a computerised system that manages a network of internal telephone extensions. It is highly flexible: if necessary it can provide access to telephone services to callers who dial into the system from outside the PABX network. This service is called DISA (Direct Inward System Access) and, if enabled, it permits employees to route national and international calls through the PABX, with the cost of those calls billed to the owner of the PABX. Access to DISA requires a PIN; if the PIN is guessed or leaked the service can be abused, resulting in unauthorised calls costing thousands of dollars. Most PABXs also have engineering and maintenance access codes. If such a code is compromised the attacker has total control of the system. NOTE: There is a large amount of information on the Internet relating to toll fraud, PABX fraud and similar topics; searching for the term PABX will turn up useful material about this type of fraud.
How will I know if my PABX has been a victim of PABX Fraud?
If your PABX has voicemail or has DISA enabled, it is susceptible to this form of fraud. Usually the only indication you will see is a substantial increase in your telephone bill. Detailed (itemised) billing will help you identify unauthorised calls, which are usually international but can also be national and mobile calls. Another indicator is customers trying to dial in, or employees trying to dial out, finding that the lines are always busy. Audit your bill each month:
- Check your bill regularly and ensure you can account for all itemised calls
- Look for calls to countries that you wouldn't normally do business with.
- Look for calls being made outside of your business hours.
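As an added example (not part of the original advisory), the following script applies the three bill-review checks above, plus the "repeated short-duration calls to the same number" indicator the advisory describes in the protection section, to a call-detail-record (CDR) export. Everything about the export is an assumption made for the example: the CSV layout, the constructed sample calls, the small table of country codes, the expected-country allowlist, the 08:00-18:00 Monday-Friday business hours and extension 999 standing in for the DISA port. A real PABX or carrier export will need its own parser.

```python
"""Audit a PABX call-detail-record (CDR) export for the signs of toll fraud.

Added example, not the advisory's own tooling. Everything below about the
export format is an assumption: a CSV with the columns
start,direction,extension,number,seconds; international numbers dialled
with the New Zealand "00" prefix; extension 999 standing in for the DISA port.
"""
from collections import defaultdict
from datetime import datetime

INTL_PREFIX = "00"
# Constructed subset of country codes; a real audit needs the full ITU list.
KNOWN_COUNTRY_CODES = {"1", "44", "61", "64", "252", "371"}
BUSINESS_HOURS = (8, 18)          # 08:00-18:00 local time, Monday-Friday (assumed)

# Constructed sample export: a week of calls for a fictional Auckland business.
SAMPLE_CDR = """\
start,direction,extension,number,seconds
2023-05-08 09:12:00,OUT,201,093012345,312
2023-05-08 10:05:00,OUT,202,0061292345678,640
2023-05-08 11:40:00,IN,200,0211234567,95
2023-05-10 02:13:00,IN,200,0011234567890,6
2023-05-10 02:13:40,IN,200,0011234567890,5
2023-05-10 02:14:15,IN,200,0011234567890,7
2023-05-10 02:15:02,IN,200,0011234567890,4
2023-05-10 02:31:00,OUT,999,0025299123456,1820
2023-05-10 02:55:00,OUT,999,0025299123457,1760
2023-05-11 15:00:00,OUT,203,0800123456,120
2023-05-13 14:20:00,OUT,999,0037166001122,2400
"""


def parse_cdr(text):
    """Parse the CSV export into a list of dicts (start becomes a datetime)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        records.append({
            "start": datetime.strptime(fields["start"], "%Y-%m-%d %H:%M:%S"),
            "direction": fields["direction"],
            "extension": fields["extension"],
            "number": fields["number"],
            "seconds": int(fields["seconds"]),
        })
    return records


def country_code(number):
    """Country code of an internationally dialled number, "unknown" if the
    code is not in our table, or None for national/toll-free numbers."""
    if not number.startswith(INTL_PREFIX):
        return None
    digits = number[len(INTL_PREFIX):]
    for width in (3, 2, 1):                    # longest known prefix wins
        if digits[:width] in KNOWN_COUNTRY_CODES:
            return digits[:width]
    return "unknown"


def is_after_hours(when):
    """True on weekends or outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not start <= when.hour < end


def audit(records, expected_countries, short_call_secs=10, repeat_threshold=3):
    """Return (indicator, detail, call) tuples for every suspicious record."""
    findings = []
    short_calls = defaultdict(list)            # (direction, number) -> calls
    for rec in records:
        call = (f"{rec['start']:%Y-%m-%d %H:%M} {rec['direction']} "
                f"ext {rec['extension']} {rec['number']} {rec['seconds']}s")
        if rec["direction"] == "OUT":
            code = country_code(rec["number"])
            if code is not None and code not in expected_countries:
                findings.append(("unexpected-international", code, call))
            if is_after_hours(rec["start"]):
                findings.append(("after-hours", rec["seconds"], call))
        if rec["seconds"] <= short_call_secs:
            short_calls[(rec["direction"], rec["number"])].append(rec)
    # Bursts of short calls to or from one number: PIN guessing or a scanner.
    for (direction, number), calls in short_calls.items():
        if len(calls) >= repeat_threshold:
            findings.append(("repeated-short-calls", len(calls),
                             f"{direction} {number}"))
    return findings


if __name__ == "__main__":
    for indicator, detail, call in audit(parse_cdr(SAMPLE_CDR),
                                         expected_countries={"61", "44"}):
        print(f"{indicator:24} {detail!s:>6}  {call}")
```

On the constructed sample the script flags the two early-morning calls from extension 999 to a country the business never deals with, the Saturday call to another, and the burst of four sub-10-second inbound calls from one external number, which is what a scanner or PIN-guessing attempt looks like in the logs. The allowlist is deliberately a parameter: tune it to the countries you actually call, and review anything else by hand rather than trusting a fixed list.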
How can I protect my PABX from this type of fraud?
If DISA is not required, ensure it is disabled. If it is required, make sure the people who supplied or maintain your system understand the full functionality of the PABX; they can help you configure DISA properly. If automatic logging of calls is available, enable it: the logs can identify the extension being used to compromise the PABX and may also identify the source of the external call. Regularly check the log records for repeated short-duration calls to the same number; this can indicate an attempt to attack your system. PINs for voicemail, DISA and engineering access should, where those facilities are enabled, be set and changed regularly. If possible, engineering access should only be permitted on a 'call back' basis, which prevents unauthorised access to this privileged account.
- Never give out technical information about your system to callers - unless you are certain who is on the other end of the line.
- Do not allow your system administrator to leave the factory-set (default) passwords in place on your system's maintenance access.
- Introduce a PIN and password management policy under which employees may not use predictable PINs such as the last digits of their DDI, repeated digits like 1111 or 0000, or incremental sequences like 1234.
- Ensure that PINs are changed regularly, and that supervisor and maintenance passwords are changed whenever the administrator, an employee or a contractor leaves the business.
- Do not publish a list of all your staff names and contact numbers on your website or elsewhere on the Internet. You would be providing would-be fraud offenders with a list of all your company phone numbers to try to hack into.
- Do not allow unlimited unsuccessful attempts to enter voicemail: configure the system so that three unsuccessful attempts result in call failure.
- Disable an administrator, contractor or employee's mailbox account when he or she leaves your company.
- Schedule regular PABX checks with your maintainer and form a regular risk mitigation strategy to limit any system vulnerabilities.
- Ensure that your PABX room is locked when not attended.
- Be alert to the overt signs of PABX fraud: repeated calls of short duration, high numbers of inbound calls where the caller hangs up when answered, sudden increases in national and international usage, changes in after-hours calling patterns, and calls to unknown overseas numbers or countries.
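The PIN rules from the list above, implemented as an added example that is not part of the advisory. The advisory itself names only DDI suffixes, repeated digits and incremental sequences; the six-digit minimum, the rejection of repeated patterns such as 121212 and of PINs containing the mailbox's extension number, and the 90-day maximum PIN age are assumptions added here so that the check is complete enough to drop into a provisioning script.

```python
"""PIN policy check for voicemail and DISA PINs (added example, not from the advisory).

Assumptions not in the advisory: a six-digit minimum, rejection of repeated
patterns (121212) and of PINs containing the mailbox's extension number,
and a 90-day maximum PIN age as the meaning of "changed regularly".
"""
from datetime import date, timedelta

MIN_PIN_LENGTH = 6          # assumed; the advisory does not specify a length
MAX_PIN_AGE_DAYS = 90       # assumed meaning of "changed regularly"


def _is_run(pin, step):
    """True if each digit is the previous one plus `step` (mod 10):
    1111 is a run with step 0, 1234 with step 1, 4321 with step -1."""
    return len(pin) > 1 and all(
        (int(b) - int(a)) % 10 == step % 10 for a, b in zip(pin, pin[1:]))


def _is_repeated_pattern(pin):
    """True for PINs built from one block repeated two or more times (121212, 123123)."""
    for width in range(2, len(pin) // 2 + 1):
        if len(pin) % width == 0 and pin == pin[:width] * (len(pin) // width):
            return True
    return False


def pin_problems(pin, ddi="", extension=""):
    """Return the list of policy rules the PIN breaks (empty means acceptable)."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if _is_run(pin, 0):
        problems.append("all digits identical (1111, 0000)")
    elif _is_run(pin, 1) or _is_run(pin, -1):
        problems.append("incremental sequence (1234, 4321)")
    elif _is_repeated_pattern(pin):
        problems.append("repeated pattern (121212)")
    # The DDI may be stored with spaces or a country code; compare digits only.
    ddi_digits = "".join(ch for ch in ddi if ch.isdigit())
    if ddi_digits and ddi_digits.endswith(pin):
        problems.append("matches the last digits of the user's DDI")
    if extension and extension in pin:
        problems.append("contains the extension number")
    return problems


def pin_is_acceptable(pin, ddi="", extension=""):
    return not pin_problems(pin, ddi, extension)


def pin_due_for_change(last_changed, today=None):
    """True once the PIN is older than MAX_PIN_AGE_DAYS."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_PIN_AGE_DAYS)


if __name__ == "__main__":
    # Constructed mailbox: DDI +64 9 301 2345, extension 201.
    for candidate in ("1111", "1234", "121212", "012345", "920145", "493817"):
        print(candidate, pin_problems(candidate, ddi="+64 9 301 2345",
                                      extension="201") or ["ok"])
```

Run it against a PIN before it is set on the mailbox, not only at audit time, and reject rather than warn: once a predictable PIN is live, the three-attempt lockout above only slows an attacker who is guessing DDI suffixes and 1234 first.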
PABX Fraud Frequently Asked Questions
- When I get hacked, who is going to pay for the calls? Your company is responsible for all charges incurred on your system, not the carrier. The security of your PABX system is your responsibility, and you should take steps to protect your assets.
- Who are these people and why are they stealing calls? Communications theft today is perpetrated remotely by skilled, technologically sophisticated criminals who have little fear of being detected, let alone apprehended or prosecuted. These criminals run a growing business selling access to compromised communications systems all over the world.
- Why don't the carriers write off these charges? Fraudulent calls are placed over many different inter-exchange carriers (IXCs), and each carrier must pay for the portion of the call it handled. When the call is placed to an international location, the domestic carrier must pay the foreign carrier regardless of the fraud. You, the end user, control access to your PABX system, not your telecommunications provider, so you are responsible for the charges incurred.
- Why is identifying or stopping the fraudulent calls the customer's responsibility? Only the customer can differentiate legitimate calls from fraudulent ones. The carriers do not have access to, or permission to work on, your PABX, the vehicle hackers use most to conduct their activities.
- How will the hacker find my system? Criminals buy PABX maintenance port numbers and passwords. Hackers 'scan' using auto-diallers to find systems equipped with modems. Your company's telephone directory listing or your 0508 / 0800 service advertising makes you known to the hacker.
- How do I justify the expense of corrective action when we have not suffered a loss? Past performance is not an accurate indicator of present threats. The equipment and the motivation to perpetrate this criminal activity did not exist years ago. Educate your managers about the pitfalls of not protecting your corporate assets, and enlist their support by implementing a corporate policy on unauthorised access as your first step.
- How does a hacker gain access to my system? Hackers use computerised calling programs, automatic diallers and sophisticated software to break your system's security and pass codes. They attempt to gain access in the following order: 1) phone mail / voicemail; 2) automated attendant; 3) remote access or Direct Inward System Access (DISA); 4) remote maintenance/administration port.
- Why is it important to protect my maintenance/administration port? This is the most important port on your PABX system. Through the maintenance port, hackers gain access to your system software and take control of voicemail, DISA and other PABX features.
- How do hackers know which CBX / PBX type and brand of voicemail I am using? Hackers identify the type of PABX by the login procedure each system uses, and they know the default pass codes for each vendor's PABX. They also recognise the various voicemail and Phonemail systems by their default digitised voice recordings.
- How does a hacker use my voicemail? 1) Through your voicemail the hacker can use your PABX's "trunk-to-trunk connection" feature to access your long-distance network. 2) Your voicemail might also be used as a "bulletin board" to distribute stolen credit card numbers and other hacker-related information. 3) They may change your greeting to "Hello!... (pause) ... Yes, I'll accept the charges to Zaire."
- I understand why a larger user must be concerned, but I'm a small business / in a rural community. Why should hacker activity concern me? Hackers use auto-diallers to search entire area codes for systems to hack; they do not care who or where their victims are. No one is safe, and smaller companies may be less able to absorb the average loss, which ranges from $10,000 to $100,000 or more per incident.
- What happens when a hacker finds my maintenance / administration port? Hackers try manufacturers' default passwords or run computer-generated password-cracking programs until they find a usable password. They then enter the system unlawfully and make software changes that allow unauthorised calls. Information on how to use your altered system is then sold to "call sell operators", who sell calls over your system to whoever wishes to place them. These calls are typically made from public telephones (pay phones) in large metropolitan cities.
- What is different about this theft from other forms of fraudulent activity? There are three major differences: 1) the call is processed as data, not voice; 2) an international organisation is required to find the victim, set up the call, collect the money and manage the administration in a foreign location; 3) the theft or scheme has migrated and expanded in form and severity.
- What can we do to protect ourselves from these crooks and con artists? As in your personal life, the better informed you are about the risks, the better protected you are. Stay on top of the current threats (visit scamwatch.govt.nz), add a policy on security, secure your system configuration, set up a team approach to security and service, and work with your equipment vendor. Do not let management or your company be taken by surprise. This is one disaster that is very predictable and equally preventable.