Friday, 19 December 2008

Customers need to be alerted about 'Dial Through Fraud'

We would like to remind customers about the re-emerging danger of ‘Dial Through Fraud’ (also known as PBX Hacking). ‘Dial Through Fraud’ occurs when fraudsters crack the protection codes needed to get into a company’s switchboard (PBX) and then use it to dial outside lines at the company’s expense. Many companies have phone exchanges that let employees ring in to the switchboard and, by keying certain dialling codes, obtain an outside line to anywhere in the world; the company then pays the bill for the outgoing call. Anyone who cracks the protection around those codes can therefore make unlimited calls at the company’s expense.

Examples of this have appeared in The Guardian newspaper. In one case, a fraudster hacked into the telephone exchange of a firm in Kent and made international calls to the Philippines, Dubai, the US and Italy, running up call charges of £1,000. In another case, in Manchester, fraudsters used Voice over IP technology to break into the telephone exchange, which means that in reality their calls could have been placed from anywhere in the world; they made international calls to 19 countries (including Afghanistan, Albania, Algeria, Ecuador, Egypt, Iran, Jordan, Lebanon, Morocco, Pakistan, Sudan, Serbia and the Republic of Yemen), running up call charges of £2,100. It is therefore essential that companies protect themselves against such fraud.

We recommend these ‘15 Top Tips’ to help guard your business against the risks of ‘Dial Through Fraud’:

  1. Remove or de-activate all unnecessary system functionality including remote access ports. If you must have the latter, protect them with strong authentication techniques such as smartcards or tokens.
  2. Restrict the numbers that employees can dial: for example, bar calls to premium rate numbers, international numbers, operator numbers or Directory Enquiries.
  3. Review your PBX call logging/reporting records regularly to spot any increases in call volumes or calls to suspicious destinations.
  4. Bar voicemail ports for outgoing access to trunks if you can. Change your voicemail and DISA (Direct Inward System Access) passwords regularly and don't use the factory defaults or obvious combinations such as 1234 or the extension number.
  5. If access to trunks via voicemail is vital, then introduce suitable controls. Remove Auto Attendant options for accessing trunks too.
  6. Lock any surplus mailboxes until you have a user for them.
  7. Not using DISA? Then disable it completely.
  8. Restrict access to your core communications equipment, such as your communications room or master terminals.
  9. Only give individuals the appropriate and minimum level of system access they need to carry out a specific task.
  10. Change your security features - passwords, PINs etc - and re-set the password defaults whenever you install, upgrade, repair or maintain equipment.
  11. Treat all internal directories, call logging reports or audit logs as confidential. Destroy them securely when they're no longer needed.
  12. Avoid using tones to prompt for password/PIN entry: hackers find it easy to duplicate them.
  13. Implement formal processes to cover employee entry procedures, the issuing of pass cards, the vetting of new employees and when people change jobs or leave. For the latter, remember to revoke any access they might have had to your systems, mailboxes or buildings.
  14. Review your system security and configuration settings regularly. Follow up any vulnerabilities or irregularities promptly.
  15. Be vigilant against bogus callers: people who pose as a company employee and ask to be connected to a switchboard operator to get an outgoing line.
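Tips 2, 3 and 4 above (bar premium and international destinations, review call logs for volume spikes and suspicious destinations, and keep voicemail ports off the trunks) can be checked mechanically against the PBX's call detail records. The script below is an added example written for this page, not a tool from the original article or from any PBX vendor. The CDR format (timestamp, source, dialled number, duration), the sample records, the "VM" source label for the voicemail port and the UK dialling prefixes (00 international, 09 premium rate, 100 operator, 118 directory enquiries) are all assumptions made for the example; a real PBX exports its own CDR layout, so the parser would need adjusting.

```python
"""Spot signs of Dial Through Fraud in PBX call detail records (CDRs).

Added example for this page; the CDR layout and all records are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample CDRs: timestamp, source extension, dialled number,
# duration in seconds. "VM" marks a trunk call originated by the voicemail
# port (an assumed label). The night-time burst from VM to several
# international destinations is the pattern the tips above describe.
SAMPLE_CDR = """\
2008-12-18 09:12:41,201,02071234567,184
2008-12-18 10:03:02,214,01622123456,62
2008-12-18 14:47:19,201,00639171234567,55
2008-12-19 02:13:05,VM,00639171234567,1240
2008-12-19 02:31:44,VM,0097150123456,890
2008-12-19 03:05:12,VM,00923001234567,1510
2008-12-19 03:40:58,VM,0013105550123,720
2008-12-19 11:20:00,203,09061234567,300
"""

BUSINESS_HOURS = (8, 19)   # 08:00 to 19:00 local time; anything else is out of hours
VOICEMAIL_SOURCE = "VM"    # assumed label the PBX gives the voicemail port


def parse_cdr(text):
    """Parse the assumed CSV-style CDR export into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ext, number, duration = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "number": number,
            "duration": int(duration),
        })
    return records


def classify_destination(number):
    """Classify a dialled number using UK prefixes (assumption for the example)."""
    if number.startswith("00"):
        return "international"
    if number.startswith("09"):
        return "premium rate"
    if number == "100" or number.startswith("118"):
        return "operator/directory"
    return "domestic"


def find_suspicious(records, hours=BUSINESS_HOURS, volume_threshold=3):
    """Return (flagged calls, per-source daily volumes at or above the threshold).

    A call is flagged for any of: a barred destination class (tip 2),
    being placed out of hours, or originating from the voicemail port (tip 4).
    The volume count implements the "increase in call volumes" check of tip 3.
    """
    flagged = []
    per_source_day = Counter()
    for r in records:
        reasons = []
        dest = classify_destination(r["number"])
        if dest != "domestic":
            reasons.append(dest)
        if not (hours[0] <= r["time"].hour < hours[1]):
            reasons.append("out of hours")
        if r["ext"] == VOICEMAIL_SOURCE:
            reasons.append("trunk call from voicemail port")
        if reasons:
            flagged.append((r, reasons))
        per_source_day[(r["ext"], r["time"].date())] += 1
    spikes = {key: n for key, n in per_source_day.items() if n >= volume_threshold}
    return flagged, spikes


def international_minutes(records):
    """Total minutes of international calling, the number that ends up on the bill."""
    secs = sum(r["duration"] for r in records
               if classify_destination(r["number"]) == "international")
    return secs / 60


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    flagged, spikes = find_suspicious(recs)
    for r, reasons in flagged:
        print(f"{r['time']}  ext {r['ext']:>3}  {r['number']:<16} {', '.join(reasons)}")
    for (ext, day), n in spikes.items():
        print(f"volume spike: source {ext} placed {n} calls on {day}")
    print(f"international minutes in this export: {international_minutes(recs):.1f}")
```

Run daily against the previous day's export and send the output to whoever owns the phone bill; on the constructed data it flags six of eight calls and reports the voicemail port as a volume spike, which is exactly the "calls you did not make, at hours nobody was in" signature of a compromised PBX.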
