Recently I asked this question as it became a front-of-mind topic of discussion among my peers, colleagues, and clients, and it appears toll-fraud is still one of the largest IT security threats many C-level execs haven’t heard of or don’t pay much attention to.
How did toll-fraud become a network security threat?
Allow me to explain. For those unfamiliar, toll-fraud and phone hacking is a multi-billion-dollar industry with monetary damages more than double those of credit card fraud.
Do I have your attention now?
Toll Fraud can be simply explained as any instance where a subscriber attempts to defraud the telephone company, the telephone company attempts to defraud a subscriber, or a third party attempts to defraud either of them.
Sadly, toll-fraud has been a part of the telephone system almost from the beginning.
According to the survey (CFCA), the 2011 top 5 fraud loss categories reported by operators were:
$4.96 Billion (USD) – Compromised PBX/Voicemail Systems
$4.32 Billion (USD) – Subscription/Identity Theft
$3.84 Billion (USD) – International Revenue Share Fraud
$2.88 Billion (USD) – By-Pass Fraud
$2.40 Billion (USD) – Credit Card Fraud
So how did toll-fraud become a network security issue?
The answer is simple. VoIP!
VoIP is now the most prevalent form of voice communications and, as the acronym suggests, it is Voice OVER IP, meaning the calls terminate over the network. With this in mind, network security professionals must add another service to their list of networked services to protect, which requires them to implement policies and procedures that mitigate breaches and theft of service.
Unfortunately, toll-fraud is typically a security risk many IT professionals learn about after it is too late.
Network Security Engineers need to understand network services, protocols, port numbers, etc. However, telephony has become a suite of applications now known as Unified Communications. Simply protecting the edge with firewalls and access lists is not enough. Some common forms of toll-fraud include:
SIP Scripts – attempt to register as a phone or trunk to your Internet facing PBX
This is extremely common and can cause major monetary damages. If a script detects open voice-service ports on a public IP, it will launch an authentication attack that attempts to make repeated calls, usually to a third-world country’s local exchange or call-center charging $2 – $4/min per call. In this case the scripts are set to hang up after the largest charge and dial again, continuing the process until your phone carrier detects it or you get one heck of a surprising phone bill. To fully feel the potential effects of this, multiply the above per-minute charges by the maximum number of calls your phone system can make at once.
Hacking voice-messaging or voice-mail systems – After compromising users’ PINs, the criminal can access the users’ private voice mails, make unauthorized calls from that user’s extension, and make international calls through the voice-mail platform. Imagine someone having access to your executives’ voice mails. What could they learn, or what damage could they cause?
Compromising soft-phones – This falls into a well-known security vulnerability: capturing wireless traffic and learning a user’s authentication information. Here again, the hacker could easily re-create the soft-phone account and would be able to eavesdrop on phone calls and make unauthorized calls on your account as they see fit.
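The redial pattern described under SIP scripts shows up in call detail records as a burst of overlapping international calls from one account. The following is an added detection sketch, not code from the original article; the record layout, the international prefixes, the thresholds, and the $2/min rate (the low end of the range quoted above) are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTL_PREFIXES = ("011", "00")  # assumption: international dialing prefixes in use

def cdr(src, dst, start, secs):
    start = datetime.fromisoformat(start)
    return {"src": src, "dst": dst, "start": start, "end": start + timedelta(seconds=secs)}

# Constructed sample records, not real traffic: one normal extension, and one
# trunk placing two back-to-back batches of eight overlapping international calls.
SAMPLE_CDRS = (
    [cdr("ext-201", "5550100", "2024-01-06T09:00:00", 240),
     cdr("ext-201", "011995550101", "2024-01-06T09:30:00", 600)]
    + [cdr("trunk-7", "011995550%03d" % i, "2024-01-06T02:00:%02d" % (i * 5), 110)
       for i in range(8)]
    + [cdr("trunk-7", "011995550%03d" % i, "2024-01-06T02:02:%02d" % (i * 5), 110)
       for i in range(8)]
)

def peak_concurrent(calls):
    # Sweep over start (+1) and end (-1) events; ends sort first at equal times.
    events = sorted([(c["start"], 1) for c in calls] + [(c["end"], -1) for c in calls])
    peak = active = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def max_starts_in_window(calls, window):
    # Largest number of call starts falling inside any sliding window.
    starts = sorted(c["start"] for c in calls)
    best = lo = 0
    for hi, t in enumerate(starts):
        while t - starts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_sources(cdrs, max_concurrent=3, max_starts=10,
                 window=timedelta(minutes=10), rate_per_min=2.0):
    by_src = defaultdict(list)
    for c in cdrs:
        if c["dst"].startswith(INTL_PREFIXES):
            by_src[c["src"]].append(c)
    alerts = {}
    for src, calls in by_src.items():
        peak, burst = peak_concurrent(calls), max_starts_in_window(calls, window)
        if peak > max_concurrent or burst > max_starts:
            # Hourly exposure if the peak is sustained: calls x $/min x 60.
            alerts[src] = {"peak": peak, "burst": burst,
                           "usd_per_hour": peak * rate_per_min * 60}
    return alerts
```

Running `flag_sources(SAMPLE_CDRS)` flags only `trunk-7`; the `usd_per_hour` figure is the per-minute charge multiplied by peak concurrent calls, as the paragraph above suggests.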
As CTO of a cloud Unified Communications company it is part of my job to plan for the unexpected. This includes the design and implementation of systems to mitigate these types of large financial losses that could happen when you’re able to make tens of thousands of calls at once. It’s an ongoing challenge and, unlike other types of network security risks, the products/services available to combat/mitigate toll-fraud are extremely limited.
Throughout my career I have supported and consulted with many companies who have experienced toll-fraud of some kind. By the time their phone company realized their client’s service was compromised and notified the client, there were already substantial financial damages.
So why didn’t these telcos just disable their service?
Depending on the carrier, they may or may not have real-time toll-fraud mitigation techniques in place; maybe they didn’t detect the abuse until the next day, or your system was compromised on the weekend. Sometimes it’s politics in the contracts, not allowing them to take the service down without prior written notice. There can be a number of reasons; the focus here is not telecom policies but understanding the risk and doing what you can to mitigate that risk in the first place.
What is the policy of your telecom provider in the event of excessive toll-fraud? If you don’t know, I suggest that you find out by reviewing your contract terms or speaking with a representative of your provider. Better to find out before something happens than when it may be too late.
So what can I do to mitigate toll-fraud?
Like all security risks, mitigating toll-fraud requires a full understanding of the technology and where you are most exposed.
When designed properly, VoIP can be much more secure than copper-based phone systems and PBXs. Start by consulting your Unified Communications or PBX provider about best practices; align their recommendations with your business objectives and your corporate security policy. Also, work with your security consultant, as they may have a different approach to mitigating toll-fraud, especially if you are moving to or considering migrating to Unified Communications.
If you believe you are experiencing toll-fraud, disconnect or disable the compromised services until you are sure the threat is mitigated. Call your provider right away, tell them you suspect toll-fraud on your account, and have them disable services.
VoIP is here to stay and the benefits of Unified Communications far outweigh the risks. While toll-fraud attacks, like all internet security risks, will continue to happen and potentially become more sophisticated, there are ways to greatly reduce your risk by partnering with a cloud Unified Communications company that offers a bundled Unified Communications service, QoS, and secure data services, including a full solution with best-practice toll-fraud mitigation techniques in place.