Telephone hacking and fraud
The migration of corporate telephone networks from traditional PBXs to internet protocol (IP)-based systems was heralded as a revolution.
Voice over IP (VoIP) phones offer increased functionality, better usability, reduced overheads and a move away from proprietary systems to those based on industry standards.
However, many companies have overlooked one major factor in this migration: the new opportunities it creates for hackers.
Breaking into a traditional phone network was comparatively rare; the returns on the effort involved made it a low priority for hackers. But an IP-based phone network is familiar territory: the operating systems are known quantities, the payback from fraud is significant, and most companies that install such systems have no idea how vulnerable they are if they fail to put the correct security policies in place.
The implementation of IP-based phone systems and the use of mobile phones for corporate communications has lured many companies into a false sense of security. What are the dangers, and what can companies do to ensure that they remain safe?
At the most basic level, an IP phone system can be abused simply through theft of call-time. The majority of employees consider personal calls a perk of the job, but it is a perk that directly hits the bottom line. No one can doubt the usefulness of call-forwarding, but employees who forward their landlines to mobile numbers for convenience are effectively asking their companies to pick up the tab: a local call to a landline becomes a mobile-rated call billed to the employer, not the employee.
Some employees have taken this a stage further, and set up premium rate numbers for forwarding office calls. Even if the company has barred UK premium rate numbers, it is unlikely that it will be familiar with overseas ones. This can be even more costly, since unlike the UK, many countries do not cap premium rate charges. Although telephone usage is recorded by most companies, analysing this is both labour-intensive and often only done after the fact. This can be combated by instituting a whitelist of permitted forwarding numbers, based on employee need and function.
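The whitelist described above, as an added example that is not the article's code nor any PBX vendor's: forwarding is default-deny, the destination must be on the extension's own list, and a bar on premium-rate prefixes is applied before the whitelist so that a premium number cannot be whitelisted by mistake. The prefix list, the number formats accepted and the sample whitelist are assumptions for the demo; the overseas premium case shows why the whitelist, not the prefix list, is the real control.

```python
"""Call-forwarding destination policy: default-deny whitelist plus a
premium-rate prefix bar.

Added example, not code from the article or from any PBX vendor. The
prefix list, number formats and whitelist are assumptions for the demo.
"""
import re

# Barred prefixes in E.164 form. UK 09 (premium), 087 (business rate) and
# 118 (directory enquiries) are shown; add the overseas premium ranges your
# carrier publishes. Illustrative, not a complete list.
BLOCKED_PREFIXES = ("+449", "+4487", "+44118")


def normalise(number, default_cc="+44"):
    """Return the number as +<country code><national number>.

    Accepts '+44...', '0044...', other '00...' international dialling and
    UK national '0...' forms; strips spaces, dashes and brackets.
    Raises ValueError on anything else so callers fail closed.
    """
    digits = re.sub(r"[\s\-()]", "", number)
    if digits.startswith("+"):
        body = digits[1:]
    elif digits.startswith("00"):
        body = digits[2:]
    elif digits.startswith("0"):
        body = default_cc.lstrip("+") + digits[1:]
    else:
        raise ValueError(f"unrecognised number format: {number!r}")
    if not body.isdigit() or len(body) < 7:
        raise ValueError(f"invalid number: {number!r}")
    return "+" + body


def check_forward(extension, destination, whitelist):
    """Decide whether `extension` may forward calls to `destination`.

    `whitelist` maps extension -> iterable of permitted destinations in any
    accepted format. Order matters: the premium-rate bar is applied before
    the whitelist, so a premium number cannot be whitelisted by mistake.
    Returns (allowed, reason).
    """
    try:
        dest = normalise(destination)
    except ValueError as exc:
        return False, str(exc)
    for prefix in BLOCKED_PREFIXES:
        if dest.startswith(prefix):
            return False, f"premium-rate prefix {prefix} is barred"
    permitted = {normalise(n) for n in whitelist.get(extension, ())}
    if dest not in permitted:
        return False, "destination not on this extension's forwarding whitelist"
    return True, "ok"


# Constructed whitelist: 2041 may forward to a mobile and a desk number,
# 2042 has no forwarding entitlement at all. (07700 900xxx and 020 7946
# 0xxx are Ofcom drama ranges, used here as safe placeholders.)
WHITELIST = {
    "2041": {"07700 900123", "+44 20 7946 0000"},
    "2042": set(),
}

if __name__ == "__main__":
    for ext, dest in [("2041", "07700 900123"),
                      ("2041", "0906 123 4567"),
                      ("2041", "00 1 900 555 0100"),
                      ("2042", "07700 900123")]:
        print(ext, dest, check_forward(ext, dest, WHITELIST))
```

The overseas number in the sample (a US 900-series placeholder) is not caught by the prefix list; it is refused only because it is not on the whitelist. That is the point of default-deny: the company does not need to know every foreign premium range, only the handful of numbers each employee legitimately needs.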
However costly, these are isolated incidents. More worrying are attacks which take control of the phone network itself. If that happens, stolen call-time is only the beginning: hackers have access to every phone in the company and to every IP packet passing over the voice network.
Unfortunately, taking control of a phone network is often far easier than breaking into a data network. Many companies simply forget to change the default passwords after installation, leaving the perfect backdoor. To get in, hackers dial through a range of numbers owned by the company (a range that is usually easy to infer from a single published number) and attempt to break in through the voicemail system.
If the company has not set a limit on the number of password or PIN guesses, it is simply a matter of trial and error to access private messages, with all the information those messages may hold, or to get deeper into the workings of the network. Often it is easier still, since many voicemail boxes are left on their factory-default PINs. In the rush to implement IP-based networks, companies seem to have forgotten the basics of security that are normal business practice for data networks.
Password management, controls that lock out repeated login attempts and limit denial-of-service attacks, even firewalls and anti-virus software, are just as important for a phone network as for a data network. The use of mobile phones, especially smartphones, must be carefully controlled, since they are effectively part of the network outside physical corporate security.
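The two voicemail controls the preceding paragraphs say are so often missing, a cap on PIN guesses and a refusal of factory-default PINs, as an added example that is not the article's code nor any PBX vendor's. The attempt limit, lockout period and weak-PIN list are assumed policy values, and `brute_force` is the attacker's side of the dial-in attack: it walks the 4-digit space in order so the two configurations can be compared directly.

```python
"""Voicemail login with a guess cap and a ban on factory-default PINs.

Added example, not code from the article or any PBX vendor. The attempt
limit, lockout period and weak-PIN list are assumed policy values.
"""
import hashlib
import hmac
import secrets
import time

LOCKOUT_SECONDS = 900                                          # assumed: 15 minutes
WEAK_PINS = {"0000", "1234", "1111", "2580", "0123", "9999"}   # illustrative defaults
PBKDF2_ROUNDS = 1_000   # kept low for the demo: with a 4-digit space the hash
                        # is not the control, the guess cap is


def pin_is_weak(extension, pin):
    """Factory defaults, repeated digits, sequences and the extension number
    itself: the guesses an attacker tries first."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        return True
    return (pin in WEAK_PINS or len(set(pin)) == 1
            or pin in "0123456789" or pin in "9876543210"
            or extension.endswith(pin))


class Mailbox:
    def __init__(self, extension, pin, max_attempts=5):
        """max_attempts=None models the misconfiguration the article
        describes: no limit on PIN guesses."""
        self.extension = extension
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked_until = 0.0
        self._salt = secrets.token_bytes(16)
        self._pin_hash = b""
        self.set_pin(pin)

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)

    def set_pin(self, pin):
        if pin_is_weak(self.extension, pin):
            raise ValueError("PIN is a default or trivially guessable value")
        self._pin_hash = self._hash(pin)
        self.failures = 0

    def login(self, pin, now=None):
        """Returns 'ok', 'denied' or 'locked'. While locked even the correct
        PIN is refused, so an attacker cannot tell a hit from a miss."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def brute_force(mailbox, now=0.0):
    """Attacker's view of the dial-in attack: walk the 4-digit PIN space in
    order and stop at the first lockout. Returns (pin or None, guesses)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        result = mailbox.login(guess, now=now)
        if result == "ok":
            return guess, n + 1
        if result == "locked":
            return None, n + 1
    return None, 10_000


if __name__ == "__main__":
    print("capped:  ", brute_force(Mailbox("2041", "0472")))
    print("uncapped:", brute_force(Mailbox("2041", "0472", max_attempts=None)))
```

With the cap the attacker gets five guesses and is then locked out for the whole lockout period, correct PIN or not; without it the same loop recovers the PIN in a few hundred tries, which is minutes of automated dialling. A real deployment would also alert on the lockout itself, since a locked mailbox at 02:00 is a signal in its own right.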
When preparing to migrate, the functionality of the system and the business needs of employees must be factored into the risk assessment and the resultant security policy. And, once installed, usage of the network should be monitored for aberrant or anomalous behaviour.
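Monitoring for anomalous usage, as an added example that is not the article's code nor any vendor's: two cheap tests run over call detail records (CDRs), out-of-hours spend above a limit and more calls in a single clock hour than a person can plausibly make. The CDR column layout, the thresholds and the sample rows are constructed for the demo; the sample's Saturday 02:00 burst to one overseas number is the shape of the weekend fraud in the pharmaceuticals case study below.

```python
"""Out-of-hours spend and call-burst detection over call detail records.

Added example, not code from the article or any vendor. The CDR column
layout, the thresholds and the sample rows are constructed for the demo.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

CDR_HEADER = "start,extension,destination,duration_s,cost_gbp"


def build_sample():
    """Constructed CDR export: three ordinary weekday calls, then a burst of
    40 calls from extension 2042 to one overseas number at 02:00 on a
    Saturday. Numbers are placeholder ranges, not real subscribers."""
    lines = [CDR_HEADER,
             "2024-03-08T09:15:00,2041,+442079460000,180,0.07",
             "2024-03-08T14:02:11,2041,+447700900123,240,0.40",
             "2024-03-08T16:45:30,2042,+442079460001,60,0.02"]
    for minute in range(40):
        lines.append(f"2024-03-09T02:{minute:02d}:00,2042,+19005550100,55,5.00")
    return "\n".join(lines) + "\n"


def parse_cdrs(text):
    """Parse the CSV export into dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "when": datetime.fromisoformat(row["start"]),
            "ext": row["extension"],
            "dest": row["destination"],
            "secs": int(row["duration_s"]),
            "cost": float(row["cost_gbp"]),
        })
    return records


def out_of_hours(when, day_start=8, day_end=18):
    """Weekend, or outside 08:00-18:00 on a weekday (assumed office hours)."""
    return when.weekday() >= 5 or not (day_start <= when.hour < day_end)


def _hour_bucket(when):
    return when.replace(minute=0, second=0, microsecond=0)


def flag_anomalies(records, oo_cost_limit=20.0, calls_per_hour_limit=30):
    """Return (extension, reason) alerts, grouped per extension."""
    alerts = []
    by_ext = defaultdict(list)
    for rec in records:
        by_ext[rec["ext"]].append(rec)
    for ext, calls in by_ext.items():
        # Test 1: money spent outside office hours, the fraudster's window.
        oo_cost = sum(c["cost"] for c in calls if out_of_hours(c["when"]))
        if oo_cost > oo_cost_limit:
            alerts.append((ext, f"out-of-hours spend £{oo_cost:.2f} exceeds £{oo_cost_limit:.2f}"))
        # Test 2: call rate no human dials by hand (auto-dialler, fax-back loop).
        per_hour = defaultdict(int)
        for c in calls:
            per_hour[_hour_bucket(c["when"])] += 1
        hour, count = max(per_hour.items(), key=lambda kv: kv[1])
        if count > calls_per_hour_limit:
            dests = {c["dest"] for c in calls if _hour_bucket(c["when"]) == hour}
            alerts.append((ext, f"{count} calls in the hour from {hour:%Y-%m-%d %H:00} "
                                f"to {len(dests)} destination(s)"))
    return alerts


if __name__ == "__main__":
    for ext, reason in flag_anomalies(parse_cdrs(build_sample())):
        print(ext, reason)
```

Both tests are deliberately simple so they can run on the carrier's daily CDR export rather than on a live feed; the value is in running them every morning, including Saturday and Sunday, rather than in their sophistication. Thresholds should be set per extension class (a switchboard legitimately makes more calls an hour than a desk phone).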
The telephone, now part of the office furniture, can be as much of a security risk as an unguarded desktop PC – and must be treated as such. As Craig Pollard, head of security products and services at Siemens Communications, says: ‘Without diligent attention, telecoms systems are in grave danger of becoming the weak link in the network and utterly defenceless against targeted attacks by hackers.’
Analyst view
Mobile phones need to be included in the security policies of the organisation, since it is just as important to tackle the cultural aspects as it is to provide technological security solutions.
The growing sophistication of mobile phones presents problems for IT managers. New technologies can open up the device to attack. Perhaps more worrying is the increasing storage capabilities of the latest generation of smartphones where corporate information can now be held. Organisations must put in place strong authentication procedures and encryption to protect the data and the phone from unauthorised access.
Mark Blowers, senior research analyst, Butler Group
Recent interest in IP-PBX voice telephony systems and the increased use of voice over IP (VoIP) technology in converged enterprise environments has sparked a renewed interest in voice systems among hackers.
Hackers have usually attempted to steal long-distance services in traditional private branch exchange (PBX) environments. Hackers are now also attempting denial of service attacks and the exploitation of call override features to take control of, and in some cases disable, corporate PBX and voice mail systems. To avoid these attacks, IT executives should develop and implement security plans that will mitigate the chances of a hacker’s success.
Robert Frances Group
Case studies
Coventry University Enterprises
The increased use of mobile devices to communicate with corporate networks poses new risks. Smartphones and other handhelds can contain considerable company information – and offer an easy way into telecoms networks. Orange and Quocirca have discovered that more than 40 per cent of businesses do not feel that employees’ handheld devices are sufficiently secure.
Coventry University Enterprises takes security very seriously. Smartphones used by employees use 128-bit Secure Sockets Layer (SSL) encryption, and a secure password policy has been rolled out for accessing data from mobile devices.
Pharmaceuticals industry security
A leading European pharmaceuticals company was the victim of a global premium rate fax-back scam, which defrauded it of more than $250,000 (£137,000) over a single weekend and exposed how easily any company can fall victim to telephone-based fraud. The scheme used a premium rate line charged at £75 a minute. Siemens Communications investigated the incident and was able to stop the fraud from recurring.
The home page of the Telecommunications UK Fraud Forum, which promotes the exchange of information related to telecoms fraud.
The Communications Fraud Control Association offers a forum for intelligence sharing to help reduce or prevent losses caused by telecoms fraud.