PBX Fraud Information

Similar documents
Notice to our customers regarding Toll Fraud

Sprint Security Support Services for Schedule No. 11*

A Garda Síochána. PABX Fraud Explained

We will divide the many telecom fraud schemes into three broad categories, based on who the fraudsters are targeting. These categories are:

Best practices that can be used in reducing potential toll fraud risk include the following:

Online Security and Safety Protect Your Computer - and Yourself!

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

IP Office Intuity Mailbox Mode User Guide

IP Office. IP Office Mailbox Mode User Guide Issue 11b - (15 May 2010)

Providing Continuous Customer Service since 1976

IP Office Release 7.0 IP Office Essential Edition - Quick Version Embedded Voic User Guide

IP Office 6.1 Embedded Voic Mailbox User Guide

Frequently Asked Questions (FAQ)

TOLL FRAUD POLICY. Toll Fraud. Liability

Best Practices Guide to Electronic Banking

To receive money, just share your enrolled address or U.S. mobile phone number with a friend and ask them to send you money with Zelle.

David Morrow. Preventing PBX Fraud. -basic steps to help secure your PBX. prevention will always be cheaper than cure

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

IP Office Essential Edition PARTNER Mode M7100 Phone User Guide

Rogers Business Phone User Guide

Custom Calling Services

Digital Phone Features Guide

Technical Bulletin. Toll Fraud Reminder & Update

PCI Compliance. What is it? Who uses it? Why is it important?

HomePlan features and user guide

SADOS VOIP Phone System User Guide

Digital Voice Services Residential User Guide

IP Office Embedded Voic User Guide (Intuity Mode)

Contents. Section 1 Overview 1. Section 2 Setting up your System 13

DIGITAL PHONE FEATURES GUIDE

THE CAMPUS MESSAGE CENTER -VOICE MAIL AT USL TERMS & CONCEPTS

Electra Elite and InfoSet are registered trademarks of NEC America, Inc.

PARTNER Messaging System User s Guide

Digital Home. Information & FAQs

WE SEE YOUR VOICE. SecureLogix We See Your Voice

AT&T Business Voice Mail. Comprehensive Messaging Solution

Dialog 4220 Lite / Dialog 3210

Panasonic KX-TVS120, KXTVS120, TVS120, KX-TVS220, KXTVS220, TVS220, KX-TVS320, KXTVS320, TVS320

Subscriber s Manual KX-TVA50 KX-TVA200. Voice Processing System. Model

VOICE MAIL SUBSCRIBER USER GUIDE

CIBC FirstCaribbean Mobile App. FREQUENTLY ASKED QUESTIONS (FAQs)

Moving to a New Business Phone System

Telephone Answering: The system answers the telephone for you when you are either on the phone or away from your desk.

IP Office Platform. Using Voic Pro in Intuity Mode Issue 10a - (16 January 2015)

Governance Ideas Exchange

3CX Phone System User Guide

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Residential. Telephone. User Guide

for the iphone MAX Communication Server Release 8.5 Update 1

IT & DATA SECURITY BREACH PREVENTION

Train employees to avoid inadvertent cyber security breaches

IP Office Basic Edition Quick Mode T7100 Phone User Guide

HughesNet Voice Features Guide

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Managing your PBX- Administrator

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Part No. P CallPilot. Message Networking Set Up and Operation Guide

VoIP for the Small Business

WHITEPAPER MOVING TO A NEW BUSINESS PHONE SYSTEM

Exploring Cloud. Is moving your phone system to the cloud right for your business?

FREQUENTLY ASKED QUESTIONS

Voice Processing System S G UBSCRIBER'S UIDE. Please read before using. TVP200 VOICE PROCESSING SYSTEM KX-TVP200 MODEL KX-TVP200E.

CITADEL INFORMATION GROUP, INC.

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Welcome to Cogeco Home Phone. Extended Home Phone User Guide

The Cyber War on Small Business

IP Office Basic Edition

HOW A CLOUD COMMUNICATIONS SYSTEM UNIQUELY SUPPORTS YOUR MOBILE WORKFORCE

Phone banking Fast, reliable and convenient service by phone.

Multi-Factor Authentication FAQs

Avaya Hospitality Messaging Server 400 Staff Quick Reference Guide. Avaya Communication Server 1000

AT&T CLASSIC MAIL. Voice Messaging System Mailbox User Guide

MaxMobile Communicator User Guide

Collington Resident Phone and Voice Mail. Table of Contents

Brand New in WebLink. Configure Phones. Phone Directory

MaxMobile Communicator User Guide

CallPilot Mini Reference Guide

IP Office Release 9.0

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Desktop Reference Guide

Cyber Security and Cyber Fraud

IP Office. Embedded Voic User Guide (IP Office Mode) Issue 12a (26 February 2013)

IP Office Platform. Avaya IP Office Platform Embedded Voic User Guide (Intuity Mode) Issue 15b - (22 January 2015)

Digital Telephone User Guide

MaxMobile Communicator User Guide

Switchvox PBX User Manual

IP Office 4.2 Embedded Voic Mailbox

Unified Communications Manager Express Toll Fraud Prevention

Preventing fraud in public sector entities

YADTEL - Privacy Information INFORMATION WE COLLECT

Solutions Reference Guide. IP TalkSM. Voic & Navigator Web Portal

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Who We Are! Natalie Timpone

Evolution of Spear Phishing. White Paper

Challenges and. Opportunities. MSPs are Facing in Security

Home Phone Quick Start Guide. Review these helpful instructions to understand your Midco home phone service and its many convenient features.

Cyber security tips and self-assessment for business

MaxMobile Communicator User Guide

Employee Security Awareness Training

Transcription:

PBX Fraud Information Increasingly, hackers are gaining access to corporate phone and/or voice mail systems. These individuals place long distance and international calls through major telecom networks using local systems. Your business could be a victim of this type of fraud and would be responsible for all phone charges. Many business customers have not kept existing systems secure, or, have other vendor-based support that could pose a security threat. As the owner of your phone system it is important that you take measures to ensure proper security. We have created this document to help you protect your business from fraud. Telephone Hackers Hit Where It Hurts: Your Wallet Telephone hacking is unauthorized or fraudulent activity through a telephone system and can potentially cost businesses significant amounts of money and resources. Usually the owner of the PBX isn t aware it s happening until an enormous bill from their toll provider arrives or malicious events start occurring via their phone system. Unfortunately the owner of the telephone system is responsible for toll charges, not the provider. Why do these activities occur? Telephone hackers can infiltrate vulnerable PBX systems to make international and long distance calls, listen to voice mail, or monitor conversations. Victims of hacked PBX systems unknowingly allow the hackers to sell the use of their telephone system to others or provide the hackers with an opportunity to maliciously reprogram the system. How do they do it? Typically hackers gain unauthorized access through the PBX s maintenance port, voice mail (if voice mail can be accessed remotely) or the Direct Inward System Access (DISA) feature of a PBX. Some hackers call in on toll free lines intended for customer use; some use stolen calling cards; and some will even impersonate someone else to social engineer their way into your system. Most PBXs today are software driven and, when configured improperly, can allow hackers to access the system remotely. PBX administrators usually manage the system using a PBX maintenance port by interconnecting from their remote service centers via a modem. By controlling this PBX maintenance port, hackers can change the call routing configuration, alter passwords, add or delete extensions, or shut down a PBX, all of which adversely impact business operations.

PBX Fraud Information Some voicemail systems can be accessed remotely and programmed to make outbound voice calls. The hacker will search for voice mailboxes that still have active default passwords or have passwords with easy sequence combinations; i.e., 123456. Hackers use the outbound calling feature to forward calls to a phantom mail box that will give a dial tone. This allows them to make domestic or international calls from anywhere on your business account at your expense. Hackers can also gain access to your mailbox to listen to your messages, change your greeting or delete your messages. DISA is a feature enabling remote users access to an outside line via a PBX with authorization codes. This is a very useful feature for employees who are on the road a lot or who frequently make long distance calls or international conference calls after business hours. By gaining access to this feature, hackers can access an outside line and make domestic or international toll calls at the expense of your business. How will you know if hackers are/have been in your System? You may notice lights on phone lines that are lit up without anyone using the phone system. You may also be notified by your toll provider that there is suspicious/unusual usage associated with your phone numbers. Unfortunately though, you may only find out you have been hacked when you receive a bill for international calls made from one or more of your lines that were not dialed by anyone in your company. What can you do about it? As the owner of a telephone system, it is your responsibility to secure your system to prevent unauthorized access. Having a properly secured telephone system is the best way to prevent telephone hacking and mitigate the potential damage and resulting costs to your business. The following are some industry best practice guidelines that, if followed, could help reduce the risk of telephone hacking. You may have to consult your equipment vendor to assist in securing your system security efforts.

Best Practices for Securing Your PBX System Education 1. Familiarize yourself with the dangers of telephone hacking and the financial exposure you have to your toll provider. Remember, it is you as the owner of the telephone system who is liable for fraudulent usage and associated toll charges, not your toll provider. 2. Educate staff that utilize your PBX on security procedures and ensure they have an appreciation for the importance of adhering to set procedures. 3. Establish after-hours contact protocol so that appropriate personnel can be notified in a timely manner. 4. Take time to evaluate your current settings and disable any features that are not in use. Authorization Code/Password 1. Do not use any preconfigured default codes and passwords. Be sure to change those default settings as soon as possible after the PBX is installed and update them regularly. 2. Choosing complex, random passwords of at least six to eight digits, will make it more difficult for a hacker to detect. 3. Don t use obvious passwords such as address, birth date, phone number, or repeating or successive numbers, i.e. 000000, 123456. Don t use sequential, ascending or descending numbers or any part of the telephone number for your passwords. 4. Force password and authorization code changes for employees periodically. 5. Ensure that only trusted system administrators know the administrator password and be sure to change passwords quickly after any staffing changes. Eliminate the advertising or publication of default passwords. 6. Do not keep extensions active for former personnel or positions. If there are staff changes cancel the associated extension, including any associated features, access rights (i.e. LD/IDD) and codes and passwords. DISA 1. Limit the DISA access number and authorization codes to only employees that have a real need for such a feature. 2. If possible, ensure the first few digits of the access number for DISA are different from the voice line.

Best Practices for Securing Your PBX System Voice Mail 1. Disable the external call forwarding feature in voice mail, unless it is absolutely required. 2. Remove any inactive mailboxes. 3. Check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays. 4. Consider disabling the remote notification, auto-attendant, call-forwarding and out-dialing capabilities from voicemail if these features are not used. Toll Calls 1. Consider restricting international or long distance destinations to which your company does not require access. Restrictions should also include 1-900 calls and 1010 casual dialing within the PBX/Voice Mail system. While you can request this of your phone company, you should also set these restrictions up in your phone system. 2. Regarding international blocking: it is important to understand that if your provider blocks international calls, this will not block calls to certain locations outside the U.S. but still within the North American Numbering Plan (i.e. they have an area code and are dialed like any other toll call. These locations include Canada, Puerto Rico, US Virgin Islands and other Caribbean countries such as Jamaica and the Bahamas. Fraud to these countries is on the rise, and the best way to prevent them is a secure system and strong passwords. For a current list of NPAs in the North American numbering plan, visit www.nanpa.com/area_codes Extensions 1. When an extension is no longer required, it should be canceled, along with associated features and access rights such as outbound toll and international dialing. Ongoing Monitoring 1. Familiarize yourself with your company s call patterns and monitor them regularly. 2. Look for any suspicious call activity after hours, including weekends and public holidays. Equipment Room Access 1. The PBX system should be kept in a secured location to which only authorized users have access. 2. Verify any technicians identity that requests access to your PBX equipment.

Additional FAQS When I get hacked, who is going to pay for the calls? Your business, not your Long Distance Carrier, is responsible for all charges incurred on your system due to fraud (including toll fraud), abuse, or misuse of services, whether known or unknown, and whether or not your Long Distance provider takes any actions to stop or block Toll Fraud. The responsibility for the security of your PBX system is yours and you should take steps to protect your assets. Why don t the carriers write off these charges? Today, fraudulent calls are placed over many different inter-exchange carriers (IXCs); each carrier must pay that portion of the call handled by them. When the call is placed to an international location the domestic carrier must pay the foreign carrier regardless of the fraud. You, the end user, control access to your PBX system, not your telecommunication provider, so you are responsible for the charges incurred. Why is identifying or stopping the fraudulent calls the customer s responsibility? Only the customer can differentiate legitimate calls from fraudulent ones. The carriers do not have access or permission to work on your PBX, the vehicle that hackers use most to conduct their activities. How will the hacker find my system? Criminals pay for a PBX maintenance port number and password. Hackers scan using auto-dialers to find systems equipped with modems. Your company s telephone directory listing or your toll free service advertising make you known to the hacker. How do I justify the expense of corrective action when we have not suffered a loss? Past performance is not an accurate indicator of present threats. The equipment and the motivation to perpetrate this criminal activity did not exist years ago. Educate your managers about the pitfalls of not protecting your corporate assets and enlist their support by implementing a corporate policy on unauthorized access as your first step. How do hackers know which PBX type and brand of Voice Mail we own? Hackers identify the type of PBX by the Login procedure used for each system. They know the pass codes for each vendor PBX. Hackers also recognize the various Voice Mail and Phonemail systems by the default digitized voice recordings.

Additional FAQS We are a small business, why should hacker activity concern me? Hackers use auto-dialers to search entire area codes to find systems to hack, they do not care who or where their victims are located. No one is safe and smaller companies may be less able to absorb the average loss ranging from $10,000 to $100,000.00 plus dollars per incident. What can we do to protect ourselves from these crooks and con artists? As with your personal life, the better informed you are the better protected you are from the risks. Stay on top of the current threats, establish and follow a policy on security, secure your system configuration, setup a team approach to security and service, and work with your equipment vendor. Do not let management or your business be taken by surprise. This is one disaster that is very predictable and equally preventable. Remember that you will be a victim and that you, and only you, control the severity of these attacks. It is much easier to prevent an attack than to recover your system from hackers. TDS Reminder: Businesses with privately owned voice systems are responsible to ensure the devices are properly secured before activation AND are responsible for all charges incurred through the system. It is recommended to contact your Voice Mail or PBX vendor to have your system evaluated by a professional and take the necessary steps to prevent against possible fraud. TDS Telecom and TDS Metrocom are the registered trademarks of Telephone and Data Systems, Inc. and licensed to TDS Telecommunications Corporation. Other product and company names mentioned on the Site may be trademarks of those respective owners. All materials are provided for noncommercial personal use only. Copyright 2017, TDS Telecommunications Corporation, All Rights Reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback