How to reduce the risk of phone system compromise
17 October 2018
Keeping your phone system secure can save your business thousands of dollars and hours of lost productivity. One of the biggest reasons to ensure your system is secured is toll fraud. The unauthorised use of phone lines is one of the most costly things to telcos and their customers alike. There are some simple steps which can be taken to ensure your business is better protected to minimise the risk of becoming a toll fraud victim.
What is toll fraud and why is it so costly?
According to the international body for fraud risk management and prevention, the Communications Fraud Control Association (CFCA), it is estimated that toll fraud cost telecommunications providers and their customers AU$55.7 billion in 2015.
Toll fraud is when an unauthorised person, or persons, is able to access a phone system and make fraudulent long distance calls from your account or calls to premium rate numbers. It’s also referred to as VoIP fraud or phone card fraud and can be carried out in several different ways. These include international revenue share, call termination hijacking, the use of illegal phone cards and private branch exchange (PBX) hacking. PBX hacking is thought to be the type of toll fraud most pertinent to Australian businesses.
Typically, hackers search the internet for compromised routers and PBX systems using a script written to look for vulnerabilities in a business’s firewalls, such as open ports and places where information can be extracted. Hackers then buy phone numbers in poorly regulated jurisdictions, such as some African countries or former Eastern Bloc countries.
The criminals can on-sell the information about the compromised accounts and also on-sell call minutes at discounted rates via the purchased numbers. Alternatively, they can establish their own premium rate information service lines through the hijacked PBX system.
The hackers run up huge costs, which are charged to the affected customers by their telecommunications provider. All phones are at risk, but the fraud can often go undetected for longer within a company or larger business. It is almost impossible for telecommunications companies to detect the fraud, as the fraudulent calls are lost among the network of legitimately billed international minutes.
By the time the large bill is received, it is too late. The lucrative fraud has been committed, the customers are generally liable to pay and the criminals have packed up and moved on before the fraud has even been detected.
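Because the bill arrives too late, a daily review of the PBX's own call records can surface the same pattern earlier. The script below is an added example, not part of the original article: it totals after-hours international and premium rate minutes per extension. The CSV layout, the sample records, the business hours and the 30 minute limit are all assumptions to adapt to your own system.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs). The column layout is an
# assumption; real PBX exports differ by vendor.
SAMPLE_CDR = """start,extension,dialled,seconds
2018-10-15 10:02:11,201,0298765432,180
2018-10-15 14:30:00,202,001144207946000,600
2018-10-16 01:12:40,305,0011371900000001,3540
2018-10-16 01:13:05,305,0011371900000002,3580
2018-10-16 01:13:30,305,0011371900000003,3600
2018-10-16 02:45:10,305,1900123456,1200
2018-10-16 09:15:00,201,0011643123456,240
"""

INTL_PREFIX = "0011"            # Australian international access code
PREMIUM_PREFIX = "190"          # Australian premium rate services
BUSINESS_HOURS = range(7, 19)   # assumed 07:00 to 18:59 local time, Mon-Fri
MAX_AFTER_HOURS_MINUTES = 30    # assumed per-extension daily limit


def is_high_cost(dialled):
    """True for international calls (0011, or + other than +61) and 190x numbers."""
    number = dialled.replace(" ", "")
    if number.startswith("+"):
        return not number.startswith("+61")
    return number.startswith(INTL_PREFIX) or number.startswith(PREMIUM_PREFIX)


def flag_extensions(cdr_text, limit=MAX_AFTER_HOURS_MINUTES):
    """Return {(date, extension): minutes} of after-hours high-cost use over the limit."""
    seconds = defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        after_hours = start.hour not in BUSINESS_HOURS or start.weekday() >= 5
        if after_hours and is_high_cost(row["dialled"]):
            seconds[(start.date().isoformat(), row["extension"])] += int(row["seconds"])
    return {k: round(s / 60, 1) for k, s in seconds.items() if s / 60 > limit}


if __name__ == "__main__":
    for (day, ext), total in sorted(flag_extensions(SAMPLE_CDR).items()):
        print(f"{day} extension {ext}: {total} after-hours high-cost minutes, investigate")
```

In the sample data only extension 305 is flagged; the daytime international calls from extensions 201 and 202 are not.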
Thankfully, toll fraud and phone system compromise don't have to be something you or your business faces. There are some easy steps which can be taken to minimise the risk of toll fraud, both on your personal network and within your business’s.
Step 1: Use a Managed Firewall
Telecommunications companies are very adept at configuring firewalls to minimise the chances of toll fraud or another breach. You might have a great all-round IT manager within your business, but since telecommunications providers face this problem daily, they have valuable expertise. Ask their advice in configuring your firewall, or better yet, use a managed firewall for your organisation.
Step 2: Minimise visibility
If managing your own firewall, reduce ports exposed to remote access as much as possible. As this is generally the way hackers find their way in, minimising the possible access areas is going to make your PBX more secure.
Step 3: Use Strong Passwords
This point cannot be stressed enough. The most effective measure to take against PBX hacking or other cyber crime is to use complex and varied passwords. If you have difficulty remembering a complex password, use password keeper software such as KeePass to keep track of them, or use a memorable phrase with substituted numerical, capitalisation and punctuation variations. Change your passwords regularly and do not write them down on paper or in a notebook.
Step 4: Check the ISDN configuration
SIP (Session Initiation Protocol) is a great technology for business communications. It cuts down on call costs and, when utilised within a well-configured IP network, can deliver better security than Internet telephony options.