Poorly secured VoIP systems present a number of significant risks to businesses, consumers, ITSPs and carriers. The most common and expensive attack on business phone systems is Toll Fraud which, according to the Communications Fraud Control Association (CFCA), cost customers US $38 billion in 2015 alone.
Fortunately, there are some simple steps VoIP users can take to improve overall security and protect their business and customers against the risks of Toll Fraud.
What is Toll Fraud?
Toll Fraud begins with a fraudster gaining unauthorised access to your telephone system. Once connected, these hackers use their access to make calls on your services, usually to high-cost international destinations, at your expense.
Toll Fraud hackers are motivated by financial gain and there are several ways a profit can be generated through unauthorised use of your phone system:
- Premium Rate Numbers – these are similar to 1900 numbers in Australia which charge the caller a fixed rate per minute such as adult chat lines, technical support and horoscopes. In the case of Toll Fraud, the destinations called are usually international and exist purely for generating profit through compromised phone systems. The hacker makes calls to their own premium rate numbers using your VoIP service, you pay for them and they pocket the profit.
- Phone Cards – this tactic involves a fraudster selling phone cards with heavily discounted international calling rates. When the buyer uses the card, calls are routed through compromised VoIP systems. The seller makes a profit on the sale of the card but incurs no cost. The business with the compromised system is left holding the bill.
- Scamming – in this case the fraud is designed to reduce cost and provide anonymity. Many of the scam calls claiming to be from the tax office, bank or technical support company are made through a compromised phone system enabling scammers to minimise the expense of their fraud and hide from authorities. The profit is generated through a successful scam of the person called, not the Toll Fraud itself.
What you can do to protect yourself
1. Start with your firewall
If your PBX does not need to be accessible on the internet then it shouldn’t be. Ensuring that your firewall does not allow any access to your PBX from the internet will reduce your risk significantly. Many service providers and PBX systems will operate perfectly well with no custom port forwarding or firewall configuration. However, if your service provider requires port forwarding for normal operation, ask them to provide a list of IP addresses that should be whitelisted to connect. Unless absolutely necessary, you should always deny access to your phone system’s control panel from the outside world.
If external access to your system is required there are some other common firewall features that you might like to consider implementing to minimise your risk:
- Geo IP Blocking – many commercial and open-source firewall products will allow configuration of inbound rules that only allow access from IPs originating in certain countries. If it’s unlikely your Australian PBX will need to be accessed from offshore, consider limiting access to only AU IP addresses.
- Intrusion Detection – some firewall products have intrusion detection sensors which can detect and block VoIP hacking attempts, and protect against zero-day vulnerabilities that haven’t yet been patched in your PBX software, before they pass through the network.
You may also wish to consider publishing your PBX on non-standard ports (i.e. not UDP 5060).
If your PBX management console is web based, HTTPS is an absolute must to prevent man-in-the-middle attacks that could capture passwords.
We always recommend considering a VPN as an alternative way to provide remote access to your systems including the PBX rather than making them accessible from the internet.
2. Enable account lockout
Most common phone system platforms are able to detect repeated failed login attempts and block the offending IP address for a period of time. These tools significantly slow down a brute force attack and may result in the hacker giving up before a valid set of credentials is found.
3. Use strong credentials
Strong credentials are crucial to fending off brute force login attempts on your PBX. We recommend all passwords (extensions, SIP trunks, administrator logins, etc.) be at least 16 characters long and include upper case letters, lower case letters, numbers and symbols. They should be entirely random.
We also recommend that usernames and extension numbers are not in the 100-199 or 200-299 ranges. These are common default configurations in many PBX systems and are often the first to be tested by potential fraudsters looking for a weak credential.
4. Speak to your service provider
PBX security and preventing unauthorised access to your phone system is always the responsibility of the end user. However, many service providers are able to offer some configuration or restrictions to your service which will reduce your risk of Toll Fraud.
While we can’t go into all the details of our security protocols at Caznet, we do the following, amongst much more:
- International calling is disabled by default. We can enable it at any time, just ask.
- When international calling is enabled, we maintain a list of high-risk international destinations which we continue to block unless you ask us to enable them.
- Limits on the number of calls you can make over any given period.
- Advanced monitoring which can detect unusual call behaviour.
- Restricting the IP addresses your SIP Trunks are accessible from.
5. Limit access to international routes
If your users don’t need the ability to make international calls, don’t give it to them. This is often done most easily by configuring your dial plan and outbound routes so that international phone numbers are not matched. Different PBX software implements these settings differently, so speak to your service provider or phone system vendor for help.
If you do need international calling, a few things we recommend you consider are:
- Do all extensions need to be able to make these calls? Can you limit it to only those that actually require it?
- Does your PBX allow for a route password or authorisation code before the call is made and can you enforce this in your business?
- Can you limit the allowed international destinations to only those actually required? Some destinations are more expensive and carry a higher risk of Toll Fraud.
- Some phone systems can notify administrators when a call is placed on a high-cost route. If this feature is available and international calls are not common, these notifications could alert sysadmins to a problem before it becomes expensive.
6. Limit access to outbound routes
Correctly configured outbound routes can reduce your risk of Toll Fraud. You should:
- Configure your dial plans so they only match full and properly formatted phone numbers, rather than wildcards or ‘accept all’ patterns.
- Limit access to outbound routes to valid extension numbers which should be allowed to dial out and enforce correct caller IDs.
- Most premium rate number toll fraud occurs on weekends and throughout the night when the victim is less likely to notice. Where outbound calling is only required during business hours, disallow all calls outside of those hours. Important note: be sure to always allow access to emergency services numbers.
- Implement a route password for high-cost routes (such as international calls).
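The outbound route checks from sections 5 and 6 (full-number matching, per-extension permissions, business hours with an emergency exception, and a route password for high-cost routes) can be expressed as one small policy function. This is an added example written for this article, not Caznet’s or any PBX vendor’s code; the Australian number patterns, extension numbers, business hours and route password are constructed assumptions.

```python
import re
from datetime import datetime

# Route patterns in Australian national format (constructed for this example, not a
# real dial plan). Each pattern matches one full, correctly formatted number; there
# is deliberately no 'accept all' wildcard.
ROUTES = {
    "emergency":     re.compile(r"^000$"),
    "local":         re.compile(r"^0[2378]\d{8}$"),   # 10-digit AU landline
    "mobile":        re.compile(r"^04\d{8}$"),         # 10-digit AU mobile
    "international": re.compile(r"^0011\d{7,15}$"),    # AU international prefix 0011
}
HIGH_COST = {"international"}            # routes that require a route password
BUSINESS_HOURS = (8, 18)                 # 08:00-18:00, Monday to Friday

# Hypothetical extensions: only 201 is permitted on the international route.
EXT_ROUTES = {
    "201": {"local", "mobile", "international"},
    "202": {"local", "mobile"},
}
ROUTE_PASSWORD = "7734"  # constructed value; a real PBX would hold per-user codes


def classify(number):
    """Return the route whose full-number pattern matches, or None if nothing does."""
    for name, pattern in ROUTES.items():
        if pattern.match(number):
            return name
    return None


def in_business_hours(when):
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]


def authorise_call(ext, number, when_iso, route_code=None):
    """Decide whether an outbound call is allowed; returns (allowed, reason)."""
    when = datetime.fromisoformat(when_iso)
    route = classify(number)
    if route is None:
        return False, "no route matches full number"
    if route == "emergency":
        return True, "emergency"          # never blocked, whatever the time of day
    if route not in EXT_ROUTES.get(ext, set()):
        return False, f"extension not permitted on {route}"
    if not in_business_hours(when):
        return False, "outside business hours"
    if route in HIGH_COST and route_code != ROUTE_PASSWORD:
        return False, "route password required"
    return True, route
```

A partial or over-long number falls through every pattern and is rejected, which is the practical difference between a full-number dial plan and a wildcard one.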
7. Lock down your voicemail
Voicemail mailboxes should require a PIN. Unless absolutely essential, access to a mailbox should only be allowed from the extension it belongs to, and ‘dial through’ features should be disabled.
8. Update your software and hardware
One of the most important things you can do to ensure the security of any network attached device or system is simple: updates, updates, updates! The same goes for your VoIP business phone system. Any quality PBX or handset vendor will release regular updates to their products which include feature upgrades, bug fixes and, most importantly, security fixes.
You should update your PBX software and handset firmware regularly to ensure the latest security issues are addressed.
9. Disable call forwarding
A common premium number toll fraud tactic is to configure call forwarding (on the PBX or handset) to an expensive destination. The fraudster then generates calls to the PBX, which are then automatically forwarded to the destination through your phone service at your expense.
If you can, disable call forwarding options anywhere they are not absolutely necessary.
10. Monitor your systems
Despite all of the above, your system may still be exposed to undiscovered or unplanned vulnerabilities which toll fraudsters could take advantage of. Your last line of defence is regularly monitoring logs and reports so that you can identify a breach of your system’s security before it costs you a fortune. Some of the things you should keep an eye on:
- Your phone bill and call history.
- Security logs, in particular those which track login events.
- Current connections and their IP addresses.
- International call history.
- Calls outside of normal business hours or when your offices are empty.
- Configuration changes.
Many systems are able to generate automated reports and alerts which can be emailed directly to sysadmins. These tools can bring potential problems to your attention more quickly.
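Three of the items above (international call history, calls outside business hours, and unusual call behaviour) can be checked automatically against a call history export. The following is an added example, not Caznet’s monitoring or any PBX’s reporting tool; the CDR lines, field layout, business hours and burst threshold are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed call detail records (not real traffic): time, extension, destination, seconds.
# The three late-night international calls from extension 202 are the pattern to catch.
SAMPLE_CDR = """\
2024-03-12T10:15:00,201,0882000000,120
2024-03-12T22:40:00,202,0011441234567,900
2024-03-12T22:41:00,202,0011441234568,870
2024-03-12T22:42:00,202,0011441234569,905
2024-03-13T09:05:00,203,0412345678,60
"""
BUSINESS_HOURS = (8, 18)       # 08:00-18:00, Monday to Friday
INTL_PREFIX = "0011"           # Australian international dialling prefix
BURST_THRESHOLD = 3            # constructed: calls per extension per clock hour worth a look


def parse_cdr(text):
    """Parse comma-separated CDR lines into dicts (assumed field order, see above)."""
    records = []
    for line in text.splitlines():
        ts, ext, dest, secs = line.split(",")
        records.append({"when": datetime.fromisoformat(ts), "ext": ext,
                        "dest": dest, "secs": int(secs)})
    return records


def after_hours(when):
    return when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])


def flag_calls(records):
    """Return (ext, dest, reasons) for every call matching a monitoring rule."""
    alerts = []
    per_hour = Counter()
    for r in records:
        reasons = []
        if r["dest"].startswith(INTL_PREFIX):
            reasons.append("international")
        if after_hours(r["when"]):
            reasons.append("after-hours")
        # Burst detection: many calls from one extension inside one clock hour.
        key = (r["ext"], r["when"].strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] >= BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            alerts.append((r["ext"], r["dest"], reasons))
    return alerts
```

Run against a nightly export, the resulting alert list is what would be emailed to the sysadmin; on the sample data only extension 202’s calls are flagged.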
What are the top international destinations for Toll Fraud?
Any country that has expensive calling rates is a likely destination for toll fraud. Some of the top destinations for toll fraud currently are:
Caznet is an Adelaide based telecommunication services provider specialising in VoIP office and business phone systems, data centre, business internet, private cloud and enterprise networking for the small to medium business market and education.