Protect ya Neck, The VirtualPBX Security Serial – Phone Fraud
In this series of blogs we examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, it’s even better to let other people make the mistakes for you.
We’re at it again, coming at you with a topic very important to us- telephone fraud. The ranges vary but overall phone fraud is an enormously costly drain on the telecom industry, totaling over $46 billion dollars in 2013 alone. Yes, that’s with a “b.” Another big reason why we care so much about this topic is because the majority of the fraud that is committed is done so against smaller and medium sized-businesses that lack the resources that larger organizations employ to protect their systems. That’s basically saying that criminal elements are attacking our family. We’re not okay with that, and so we’ve put together some best practices on how to protect ya neck. We do not take to kindly to attacks on our family.
Wait, Crime Isn’t New?
As long as there have been phones and realistic access to technology that would facilitate it, people have been committing crimes over and against the phone lines. Originally referred to as Phone Phreaking, the first widespread recognition of this type of offense was with the use of devices referred to as boxes and differentiated by their method of attack designated by colors. Criminals used everything from Red Boxes that would simulate the sounds of coins entering into early payphones to register false payments to the more widely known Blue Box that would emit a 2600hz tone to pirate the long distance capabilities of a targeted telephone number.
Broader Reach, Bigger Problem
Potentially, that is. Modern telecom evolved from relatively simple beginnings where tonal deceptions could be chaotic for telephone systems, and from that it also evolved away from those risks. Though these vulnerabilities were eventually identified and corrected, the new world of hosted telecom began to open up shortly thereafter, thus providing new territory for lawlessness to try and take hold. This virtual landscape continues to keep very close watch on its borders because, with an exponential increase in phone capabilities also came a spike in the potential area of effect that an industrious criminal organization could have. Most hosted telecom companies know this and have invested heavily in safeguarding their phone network to account for any potential threat, but this process is costly and requires nuanced, expert knowledge to execute. Where does that leave you? Unless you have a Concierge to guide you through the ins and outs of telephone security, we’ve put together a few pointers on how to stay safe.
Know Where the Exits Are At All Times
If you can ascertain how and where a thief will try and gain access to your network, you also know where to build your awareness. Here are a few of the most common types of attacks on modern telephone systems.
- PBX Registration Exploitations – This is when malicious attempts to register devices are made to your network. If they are successful they can remotely call out from your system racking-up charges.
- Hardware Attacks – VoIP phones actually operate with pared-down versions of many of the desktops and laptops that power businesses. If they are compromised, they can be programmed to route all calls through external, usurious numbers.
- The Long Con – Or short con, really, but this sounds better. Per usual, one of the greatest vulnerabilities for thieves is through your own employees. If not properly versed on phone security, your team can let slip vital information that can be used against the whole company.
These are the most common ways for VoIP systems to be attacked, and while the extent of damage is greater with these powerful networks, the opportunities for graft are abundant, too. With even a little bit of resistance, criminals are likely to give up quickly and move onto another, less well protected system.
Suit-Up In Armor
Not as dramatic as gearing up for a joust, but hoisting some protection will go a long way in defense of your telephone system. Taking these steps will prove to be a robust beginning layer of any comprehensive data-security plan for your company.
- Monitor device registration frequencies. Even with many mobile devices being used by your team in the field, you should always have a good idea of how many registries you’d have in total. Wild variations or spikes in that number could indicate that an attempt to breach your network has been made.
- Another way to protect devices on your network is to always make sure that they are behind a firewall.
- Update your billing contact information to the appropriate stakeholders. Often times, IT staff will be the initial employees on technical accounts whereas you may want a controller or AP manager to hold access to them after they’re established.
- Update your system preferences to reflect a minimum amount of access. Specifically, to combat against malicious auto dialers (especially prominent during election years), make sure that calls are routed after a period of time from the menu, otherwise they can cycle indefinitely and charge and crowd your network.
- Establish meaningful access restrictions to the administrator level of your phone network by granting admin authority only to the people who actually need it. Also, educate all employees on what their individual access means and the proper protocol for protecting it.
- Also, make sure to run the latest versions of all the software and firmware your company needs to keep moving. Updates often come out and are ignored when they don’t have noticeable changes. When that happens you’re potentially missing out on critical patches and corrections that though inconsequential to the function of a device, can be critical for keeping your walls higher than the criminals can reach.
- And finally, this one cannot be mentioned often enough. As unfortunate as it is to remind the world, STILL, the vast majority of hacks begin with poor password strength. Maintaining strong password protection is indispensably important to keeping your costs down and your information safe.
We’d love to tell you that your network is always going to be safe because nobody will ever try to hack you, but that’s just not responsible thinking. The best way to make sure that you stay safe in the long run is to do what you can in the short-term whenever you employ a new technology. Whether it’s a VoIP phone at your office or a new computer at your desk, begin that relationship with a healthy, thorough process of security protocol and you’ll find that your need for ongoing protection and damage control will likely be much less than if you hadn’t.
If you need any more specifics about this or another unified communications security topic, our data-security experts are always available to help. If you’ve gotten what you need today, make sure to pay it forward and share this with others who could use it.
Stay safe out there and remember to Protect ya Neck!