Toll Fraud Prevention and Accountability
What is toll fraud?
Toll Fraud is the unauthorized use of your phone lines, equipment, or services to make long-distance calls that are charged to you. Toll fraud is an illegal activity similar to computer hacking. It is a global, industry-wide problem totaling over a billion dollars annually. Toll fraud takes many forms including fraud involving mobile phones, calling cards, pay phones, and long-distance fraud on calls placed through phone systems (PBX hacking). It is a large enough problem that many of the major providers of long-distance telephone service have a separate department specifically for identifying and handling toll fraud issues.
Notice to United Telephone Association, Inc. and United Communications Association, Inc. (UNITED) customers regarding Toll Fraud
- Beware of Toll Fraud.
- Toll Fraud is a crime against you. UNITED isn’t responsible for your Toll Fraud.
- You need to take steps to protect yourself from Toll Fraud.
- UNITED DOES NOT WARRANT THAT ITS PRODUCTS ARE IMMUNE FROM OR WILL PREVENT TOLL FRAUD. UNITED WILL NOT BE RESPONSIBLE FOR ANY CHARGES, LOSSES, OR DAMAGES THAT RESULT FROM TOLL FRAUD.
Identify Computer Systems that Require Protection
- Create a list of all equipment and define the degree and nature of their vulnerabilities.
- Establish the economic impact or other impacts if the equipment is affected, disconnected, or damaged.
- Set priorities on computers with the highest vulnerability and/or impact.
- Structure a vulnerability reduction plan.
- Create emergency and contingency plans.
- Check with your PBX/SIP Gateway vendor for possible vulnerabilities or risks.
- Document the results of all the above.
Passwords should include upper- and lowercase letters, at least one number, and at least one special character (for example: JaneJohnJoined87!)
- Consider the minimum length to be at least 16 characters that require the use of special characters, upper and lower case letters, and numbers.
- Define how often the password must be changed based on the importance of the safeguarded information.
- Define policies for locking or closing an account (or SIP peer) after a certain number of incorrect password attempts. AVOXI recommends blocking after 3 failed attempts.
- Determine whether the passwords are administered by each end-user or by the information technology (IT) staff or both.
Create a Standard Operating Procedure (SOP) for passwords
- Although it may seem obvious, passwords are one of the best weapons you can use in the battle against toll fraud. If you’ve picked a simple password that includes your name or other public information, or even kept the factory-set default password for your PBX, you’re leaving yourself open to attack.
- First and foremost (and we can’t stress this enough), always reset the default password on your PBX. When you create a new one, be sure to include a combination of lower and upper case letters, special characters, and numbers. You should also ensure that your password is at least 8 characters long.
- It’s also a good idea to change your PBX’s password whenever an employee who previously had access leaves your company. (It’s not personal – it’s just best practice.)
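The password rules and the lockout policy described in the two lists above, as an added example (not UNITED's or AVOXI's code). It assumes the 16-character minimum from the first list, a 3-failure lockout, a 15-minute lockout window, and a constructed short list of factory-default PBX passwords; all of these are single constants a site would set to its own policy.

```python
"""Password-policy check and failed-login lockout (added example, not UNITED's or AVOXI's code).

Assumptions, all constructed for this example: a 16-character minimum, the four
character classes listed above, a 3-failure lockout that lasts 15 minutes, and a
short list of vendor default passwords that must never be accepted.
"""
import string
import time

MIN_LENGTH = 16                  # stricter of the two minimums given on the page
MAX_FAILED_ATTEMPTS = 3          # AVOXI's recommendation above
LOCKOUT_SECONDS = 15 * 60        # assumption: 15-minute lockout

# Constructed sample of factory-default PBX credentials; real lists are longer.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "0000", "pbx"}


def password_problems(password: str, account_name: str = "") -> list:
    """Return the policy rules the password violates (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a factory default password")
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the account name")
    return problems


class LoginGuard:
    """Track failed logins per SIP peer/account and lock after MAX_FAILED_ATTEMPTS."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock, so the lockout can be tested
        self._failures = {}              # account -> consecutive failed attempts
        self._locked_until = {}          # account -> unix time when the lock expires

    def is_locked(self, account: str) -> bool:
        return self._now() < self._locked_until.get(account, 0.0)

    def attempt(self, account: str, success: bool) -> str:
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account):
            return "locked"              # ignore everything, even correct passwords, while locked
        if success:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(password_problems("JaneJohnJoined87!"))      # compliant: []
    print(password_problems("admin", "admin"))          # several violations
    guard = LoginGuard()
    for _ in range(3):
        print(guard.attempt("sip-peer-1002", False))    # failed, failed, locked
```

The guard returns "locked" even for a correct password during the lockout window, which is the behaviour that stops a guessing run; a PBX that only rejects wrong passwords while locked gives an attacker no reason to slow down.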
Set up a firewall
Session Initiation Protocol (SIP) is often used with firewalls that help to protect VoIP phone systems from fraud. A SIP-based firewall, which inspects both voice and data packets as they pass through your network, can be used as a filter for fraudulent calling.
Implement international calling restrictions
Many VoIP phone systems can be configured to restrict international calling entirely, or to allow secured access. If your business makes a lot of international phone calls, consider adding an extra layer of security, such as an authorization code that must be entered before placing an international or long distance call.
If you’re not sure how to add this extra precaution, contact your VoIP service provider for assistance.
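The restriction described above, modelled as an outbound-call authorization decision (an added example, not UNITED's or AVOXI's code and not any PBX's own dial plan). It assumes a constructed North American dial plan: "9" as the trunk-access prefix, "011" or "+" introducing an international number, "1" plus ten digits as domestic long distance, a per-extension class of service, and a per-extension authorization code; the extension numbers and codes are placeholders.

```python
"""Outbound-call authorization policy (added example, not UNITED's or AVOXI's code).

Constructed assumptions: "9" is the trunk-access prefix, "011" or "+" starts an
international number, "1" + 10 digits is domestic long distance, and each
extension has a class of service. Extensions with class "intl-with-code" must
supply a valid authorization code before an international call is placed.
"""
import hmac

TRUNK_PREFIX = "9"

# Constructed: per-extension class of service, set by the PBX administrator.
CLASS_OF_SERVICE = {
    "1001": "domestic-only",     # reception
    "1002": "intl-with-code",    # sales desk
    "1003": "intl",              # international account manager
}

# Constructed authorization codes; a real PBX keeps these in its own store.
AUTH_CODES = {"1002": "483917"}


def classify_number(dialed: str) -> tuple:
    """Normalize a dial string and classify it as 'local', 'long-distance' or 'international'."""
    digits = dialed.strip().replace("-", "").replace(" ", "")
    if digits.startswith(TRUNK_PREFIX):
        digits = digits[len(TRUNK_PREFIX):]
    if digits.startswith("+"):
        digits = digits[1:]
        if digits.startswith("1") and len(digits) == 11:
            return "long-distance", digits          # +1 NPA NXX XXXX is domestic
        return "international", "011" + digits      # rewrite to the 011 dial form
    if digits.startswith("011"):
        return "international", digits
    if digits.startswith("1") and len(digits) == 11:
        return "long-distance", digits
    return "local", digits


def authorize_call(extension: str, dialed: str, auth_code: str = "") -> str:
    """Return 'allow', 'need-code' or 'deny' for an outbound call attempt."""
    kind, _ = classify_number(dialed)
    cos = CLASS_OF_SERVICE.get(extension, "domestic-only")  # unknown extensions get the least privilege
    if kind != "international":
        return "allow"
    if cos == "intl":
        return "allow"
    if cos == "intl-with-code":
        if not auth_code:
            return "need-code"                       # PBX prompts for the code, then retries
        expected = AUTH_CODES.get(extension)
        if expected is not None and hmac.compare_digest(expected, auth_code):
            return "allow"
        return "deny"                                # wrong code: do not fall through to allow
    return "deny"


if __name__ == "__main__":
    number = "9-011-44-20-7946-0000"                 # constructed UK number
    for ext in ("1001", "1002", "1003"):
        print(ext, authorize_call(ext, number))      # deny, need-code, allow
    print("1002", authorize_call("1002", number, "483917"))   # allow
```

The default class of service for an extension the table does not know is "domestic-only", so a newly provisioned or forgotten extension cannot reach international trunks until an administrator grants it.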
Educate Employees about Computer Use and best practices
- Inform the network administrator or IT staff about any irregular behavior, such as reduced speed of the data network or degradation of call quality.
- Follow the policies and guidelines established in the security plan.
- Inform employees about phishing and about the possible harm from disclosing passwords or other personal or business information.
Monitor call logs daily or weekly if possible
This is another simple but important step in preventing toll fraud. Most VoIP phone system interfaces allow you to track incoming and outgoing calls; be sure to look at these on a weekly (if not daily) basis.
If your business is primarily domestic, any international call should be a red flag. Businesses that do make a lot of long-distance calls should be aware of the countries where toll fraud most often occurs.
According to the CFCA’s 2013 Global Fraud Loss Survey, the top five countries where toll fraud terminates are:
- Sierra Leone
Back Up… Back Up… Back Up… ALL Your Configurations
- Maintain up-to-date database backups and well-documented data restoration procedures.
- Print and store in safe places the current settings for all network computers.
- If possible, photograph the equipment and connections and store them in a safe place.
- Use the information to restore the network and its components in case of unauthorized access to or mishandling of equipment.
Protect Phone System with Specialized Security Equipment/Software
In large environments, it is advisable to use physical firewalls. In small- to medium-sized businesses, it is possible to use software-based firewalls or to take advantage of the existing router(s) to implement firewall functions.
Implement at least one of the following services:
- Proxy servers, where their use is considered necessary: they let you define bandwidth policies and permissions for Internet use or for access outside the company network.
- AAA (Authentication, Authorization, Accounting) servers: RADIUS (free) or TACACS+ (proprietary) can be used.
- Syslog servers, in companies with a large number of computers, to centralize the logs into a single monitoring point.
- IPS or IDS security devices, to provide early alerts of unusual network behavior and possible threats.
Create and USE Security Features on ALL computers
- Disable all unwanted services or protocols on routers, firewalls, and other network computers that are not in use and could become exposed to attack (for example: H.323, SIP, CDP, unused TCP and UDP services, RTP, ICMP, FTP, VNC, TFTP).
- Use VPN security protocols such as IPsec, PPTP, or L2TP.
- Use SSH (Secure Shell) instead of Telnet.
- Use NAT to hide the company's IP addresses.
- Encrypt the links using recognized encryption schemes such as DES, 3DES, or AES, with keys of at least 128 bits.
- Avoid using DHCP (Dynamic Host Configuration Protocol) where possible, so that IP addresses are not assigned automatically.
Ensure Appropriate Setup and Monitoring for Your PABX, PBX, or Switchboard
- Restrict access to international networks from the unauthorized internal PBX extensions.
- Establish an administrator to authorize extensions or users with special permissions (international calls); document and store in a safe place.
- Use PINs for telephone services—highly recommended in some cases.
- Do not place telephone services in areas without monitoring or within the reach of people outside the company.
- Establish a plan for frequently monitoring records such as CDRs, logs, and bills generated by your PBX and your provider, to verify them and scan for unauthorized calls.
- For international calls, maintain current documentation of the common destinations of the company (country, number of remote offices, home offices, and suppliers) and periodically compare the PBX records. In case of major differences, take appropriate action and follow the procedures outlined in the safety plan.
- Restrict or remove unused categories, such as DISA (Direct Inward System Access) that can be used by unauthorized users for fraudulent actions or for immoral/unethical usage.
- Generate alarms when detecting national or international traffic during nonbusiness days and hours.
- When detecting an irregular event or a change in calling behavior, immediately inform your provider.
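The CDR review called for in the list above and in the "Monitor call logs" section earlier (international calls from a mostly domestic business, destinations that do not match the company's documented ones, toll traffic outside business days and hours, and a burst of international calls from one extension), as an added example that is not UNITED's or AVOXI's code. The CDR format, the sample rows, the approved-destination list, the business hours, and the burst threshold are all constructed for the example; the country calling codes themselves are real ITU codes.

```python
"""CDR review for toll-fraud indicators (added example, not UNITED's or AVOXI's code).

The CDR format is constructed: one CSV row per call with the call start
(ISO 8601, local time), originating extension, dialed number in 011 form, and
duration in seconds. The approved-destination list, business hours and burst
threshold are placeholders a company fills from its own destination documentation.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Real ITU country calling codes; which ones are "approved" is a constructed policy.
KNOWN_CODES = {"44": "United Kingdom", "49": "Germany", "34": "Spain", "232": "Sierra Leone"}
APPROVED_COUNTRY_CODES = {"44", "49"}   # destinations documented under the PABX section above
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 local time
BUSINESS_DAYS = range(0, 5)             # Monday=0 .. Friday=4
INTL_BURST_THRESHOLD = 3                # international calls per extension per hour

# Constructed sample CDR: three night-time calls from reception to an unapproved country.
SAMPLE_CDR = """\
start,extension,dialed,duration
2024-03-11T09:15:00,1002,011442079460000,310
2024-03-11T14:02:00,1003,011491512345678,95
2024-03-11T23:41:00,1001,011232761234567,1800
2024-03-11T23:44:00,1001,011232761234568,1750
2024-03-11T23:47:00,1001,011232761234569,1790
2024-03-12T10:30:00,1001,12125550199,120
"""


def country_code(dialed: str):
    """Return (code, country) for an international dial string, or None for a domestic one."""
    if not dialed.startswith("011"):
        return None
    rest = dialed[3:]
    for length in (3, 2, 1):            # ITU codes are 1-3 digits; try the longest first
        code = rest[:length]
        if code in KNOWN_CODES:
            return code, KNOWN_CODES[code]
    return rest[:3], "unknown"


def is_toll_call(dialed: str) -> bool:
    """International, or domestic long distance (1 + 10 digits)."""
    return dialed.startswith("011") or (dialed.startswith("1") and len(dialed) == 11)


def review_cdr(cdr_text: str) -> list:
    """Return (rule, start, extension, dialed, note) alerts for the CDR rows given."""
    alerts = []
    intl_per_hour = Counter()           # (extension, hour) -> international call count
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        ext, dialed = row["extension"], row["dialed"]
        dest = country_code(dialed)
        if dest is not None:
            code, country = dest
            if code not in APPROVED_COUNTRY_CODES:
                alerts.append(("unapproved-destination", row["start"], ext, dialed, country))
            key = (ext, start.strftime("%Y-%m-%dT%H"))
            intl_per_hour[key] += 1
            if intl_per_hour[key] == INTL_BURST_THRESHOLD:   # alert once per extension-hour
                alerts.append(("international-burst", row["start"], ext, dialed,
                               f"{INTL_BURST_THRESHOLD} international calls in one hour"))
        off_hours = start.weekday() not in BUSINESS_DAYS or start.hour not in BUSINESS_HOURS
        if off_hours and is_toll_call(dialed):
            alerts.append(("off-hours-toll-call", row["start"], ext, dialed, "outside business hours"))
    return alerts


if __name__ == "__main__":
    for alert in review_cdr(SAMPLE_CDR):
        print(*alert, sep=" | ")
```

Each rule is independent, so one call can raise several alerts; that is intended, since a night-time call to an undocumented country from an extension that never calls abroad is exactly the pattern the page tells you to report to your provider immediately.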
What to Expect from Your Provider
The best VoIP providers conduct round-the-clock fraud monitoring. Using detection rules allows your provider to suspend service immediately if there is an indication of fraudulent activity. Analysis of a customer’s call patterns, unusual international calls (in volume or location), and other aberrations provides indications of fraudulent activity. AVOXI incorporates fraud monitoring and customer notification of suspected activity as part of its service to help its customers keep their VoIP connections safe. For the best security, businesses need to be aware of potential risks and understand their role in preventing toll fraud.
Protecting Your VoIP Phone System from Toll Fraud
Although VoIP providers are making great strides when it comes to security, it’s still important for businesses to be aware of any potential risk, and understand the part they play in preventing toll fraud.
- The financial consequences of PBX Hacking generally kick off a frantic blame game, ultimately:
- The enterprise will demand that someone should be held accountable.
- The Carrier in question is legally entitled to collect their fees and the enterprise is legally responsible to pay the bill.
- Legal advice sought by the enterprise generally encourages them not to challenge a case that they cannot win.
- The VAR (PBX Vendor) argues that they cannot be held accountable for security breaches because they configured the PBX to their client’s specification while also providing self-administration tools and training. The responsibility of network security always lies with the enterprise.
- The Police struggle to investigate due to a lack of cross-border regulation and international language barriers, resulting in zero prosecutions.
The vast majority of reported cases result in:
- Very few prosecutions
- Accountability is never established
- Enterprise has to agree to a settlement with the carrier
- The overall experience leaves the enterprise highly frustrated, financially exposed, and vulnerable to further attacks.
- The trustworthy relationships established between Carrier, VAR (PBX Vendor), and client are often strained beyond breaking point.