
Intruder alert

01 Dec 2010

Phone fraud spans most, if not all, PABXs. The market has demanded smart PABXs; manufacturers have delivered – and now we face the unpalatable fact that the smartest PABXs are the most vulnerable and the dumbest the most secure.

In July 2010, Telecom reported that 20 business customers had been attacked during the current year and that it had refunded all of them. TelstraClear also reported that 20 of its customers had been attacked and that it had split the financial burden 50/50. Losses can range widely. The highest we are aware of locally is $80,000.

Who is at risk?

Everyone! There is a very wrong perception that small to medium businesses with low telecommunications spend are of no interest to international hackers. In practice, nothing could be further from the truth. Hackers use publicly available information in telephone directories. They also use auto-diallers to search entire blocks of telephone numbers to find vulnerable systems to attack. They do not care who their victims are or where they are located, and smaller companies are likely to be less able to absorb any loss.

Who is responsible?

If you are unfortunate enough to suffer a loss, it would be nice to have someone to blame, but the problem is yours, not your telco’s. If someone breaks into your premises one night, getting past the security alarm you forgot to set and absconding with your stock, do you blame anyone other than the criminal? Telcos must pay international carriers for calls whether they are fraudulent or not, and your company is responsible for all charges incurred over your phone lines. It still pays to talk to your telco, however, as it may accept all or part of your loss.

What are the signs?

Look out for:

  • Staff or customers complaining the phone lines are busy and/or voicemail boxes are full;
  • Unexplained increases in incoming calls where the caller hangs up when answered;
  • An increase in national and international usage;
  • Lots of calls to the same number;
  • Changes in after-hours calling patterns, or calls to unknown overseas numbers or countries.
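The signs above can be checked against a call detail record (CDR) export from the PABX or the telco bill. The following is an added example, not code from the article: it assumes a CSV layout of timestamp, extension, dialled number and duration, NZ's 00 international access code and 0900 premium-rate prefix, and an office day of 08:00 to 17:59; the CDR rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export (not from the article); column layout is assumed.
SAMPLE_CDR = """timestamp,extension,dialled,duration_s
2010-11-29 09:12:00,201,094391234,120
2010-11-29 14:05:30,204,0212345678,60
2010-11-30 02:14:05,204,0025261200001,540
2010-11-30 02:24:11,204,0025261200001,610
2010-11-30 02:35:40,204,0025261200001,580
2010-11-30 03:01:02,204,0058412200002,300
2010-11-30 10:15:00,210,0900123456,15
"""

INTL_PREFIX = "00"             # NZ international access code
PREMIUM_PREFIX = "0900"        # NZ premium-rate prefix
BUSINESS_HOURS = range(8, 18)  # assumed office day, 08:00 to 17:59

def parse_cdr(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

def is_international(number):
    return number.startswith(INTL_PREFIX)

def review_cdr(text, repeat_threshold=3):
    """Compute the indicators listed in the article over one CDR export."""
    rows = parse_cdr(text)
    after_hours_intl = [r for r in rows if is_international(r["dialled"])
                        and r["ts"].hour not in BUSINESS_HOURS]
    dest_counts = Counter(r["dialled"] for r in rows)
    repeated = {n: c for n, c in dest_counts.items() if c >= repeat_threshold}
    premium = [r for r in rows if r["dialled"].startswith(PREMIUM_PREFIX)]
    intl_seconds = sum(int(r["duration_s"]) for r in rows
                       if is_international(r["dialled"]))
    return {
        "after_hours_international": len(after_hours_intl),
        "repeated_destinations": repeated,
        "premium_calls": len(premium),
        "international_seconds": intl_seconds,
    }

if __name__ == "__main__":
    print(review_cdr(SAMPLE_CDR))
```

Run it against successive exports and compare the counts week on week; a jump in any of the four figures is the "increase" the article tells you to watch for.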
What is happening and how do they do it?

Exploiting common vulnerabilities in what is usually rudimentary telephony system security, the fraudsters set up call diversions to a telephone number which is typically in a distant country (Somalia and Venezuela are common). Once access to the telephony system is gained, the main method of fraud is to sell cut-price phone call minutes to customers. Another method is to drive thousands of calls through to an international premium number (0900 numbers in NZ) which is set up for the purpose and which will remain in place until stopped.

There are four access points by which attackers currently gain control of a PABX:
  1. The management port or application through which the system administrator controls the PABX. In older systems this is often reached via a DDI number to a modem, which makes it easy to attack. More recently, it is provided as a management application on the corporate IT network, so corporate security must be cracked first. We are not aware of attacks via this vector, and if it does happen, then the PABX is probably the least of your worries.
  2. DISA (Direct Inward System Access) – sometimes installed so staff can call a ‘backdoor’ number, receive ‘dial tone’ and then make calls which appear to be made from, and are paid for by, the company.
  3. Auto Attendant feature or equivalent.
  4. Voice mailboxes.
These last three are the most commonly attacked, as they are secured by no more than a four-digit PIN number – and PIN numbers can be very easy to break. Attackers will try as many times as it takes to get to the correct PIN number. Any solution must address these specific weaknesses:
  • The ability to remotely set up call diversions. This is really the key security weakness, and PIN numbers are the first and only line of defence against its exploitation;
  • Weak PIN numbers securing access;
  • Multiple attacks using computer-generated PIN numbers.
Best practice and what you can do

Ability to remotely set diversions

This is the key weakness. Unless absolutely essential, disable this feature in voicemail boxes, the auto-attendant, etc. If you want to divert calls to a mobile when away from the office, perform this action on your physical desk phone. Upon leaving the office, press the nominated button on the phone and calls are diverted to the mobile. Upon return, press the button again and the diversion is cancelled. Should this need to be changed while still away from the office, get another person to make the change on the phone. An action at the desk phone is seen as secure, as it is in a nominally secure area.

DISA

Unless absolutely necessary, disable this feature.

Management port

Where this is installed to allow your PABX maintainer to dial in to perform maintenance and MACs (moves, adds and changes), there are a couple of robust options:
  • Ensure access via a DDI is removed. This means a call from your maintainer must now be internally transferred by a staff member, preferably the receptionist (who makes an excellent gatekeeper);
  • Permit it on a ‘call back’ basis only (the modem calls back to a known number only to establish a connection);
  • Do not allow factory-set passwords.
PIN numbers

Introduce a PIN management policy which bans weak PIN numbers such as:
  • 0000 (specifically noted as it is commonly the factory default);
  • Repeated digits such as 1111;
  • Incremental numbers such as 1234 (or the reverse such as 4321);
  • The last four digits of the DDI number.
Change numbers regularly and limit the number of attempts at a PIN number to three before the mailbox is locked out. This severely restricts the ability of an attacker to ‘brute force’ a PIN number by guesswork.

General tips

Never give out technical information about your system to callers unless you are certain who is on the other end of the line. Delete any unused mailboxes.

It will help to have your system audited for potential fraud weaknesses. You can speak to your PABX and/or voicemail vendor, or to an independent consultant, for assistance.

While it is almost impossible to completely secure your company against a determined attacker, you can carry out some very practical steps to harden your phone security to the point where your company is no longer worth the effort. Attackers will move on to an easier target, as there is no money to be made. After all, time is money in this business.
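The PIN policy and the three-attempt lockout above can be checked and enforced in code. This is an added example, not the article's or any vendor's code: it generalises the banned patterns to any repeated digit and any ascending or descending run (2345, 6543 and the like), assumes four-digit PINs and that a DDI number's last four digits are comparable as a string, and uses constructed mailbox data.

```python
FACTORY_DEFAULT = "0000"
MAX_ATTEMPTS = 3  # lockout threshold recommended in the article

def is_weak_pin(pin, ddi=""):
    """True if the PIN is the factory default, repeated digits, an ascending
    or descending run such as 1234/4321, or the last four digits of the DDI."""
    if len(pin) != 4 or not pin.isdigit():
        return True  # malformed PINs are rejected outright (assumed rule)
    if pin == FACTORY_DEFAULT or len(set(pin)) == 1:
        return True
    digits = [int(d) for d in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    if ddi and pin == ddi[-4:]:
        return True
    return False

def audit_mailboxes(mailboxes):
    """mailboxes: {extension: (ddi, pin)} -> extensions whose PIN is weak."""
    return [ext for ext, (ddi, pin) in mailboxes.items() if is_weak_pin(pin, ddi)]

class MailboxLogin:
    """Counts failed PIN attempts and locks the mailbox after MAX_ATTEMPTS."""
    def __init__(self, pin):
        self._pin = pin
        self.failed = 0
        self.locked = False

    def attempt(self, pin):
        if self.locked:
            return False  # a locked box refuses even the correct PIN
        if pin == self._pin:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True
        return False

# Constructed sample: extension -> (DDI number, current PIN)
SAMPLE_MAILBOXES = {
    "201": ("094391201", "0000"),  # factory default
    "202": ("094391202", "1202"),  # last four digits of the DDI
    "203": ("094391203", "7531"),  # passes the policy
    "204": ("094391204", "3456"),  # incremental run
}
```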