Technical Bulletin

Bulletin Authorisation Detail
Author: Andrew Kenyon
Authorisation: Wilf Wood
Date: 24/01/2011
TB Number: TB - 11001
Description: Toll Fraud Reminder

Toll Fraud Reminder & Update

Toll fraud, or using dial-through methods to make premium rate and international calls through unsecured PBXs and in particular via unsecured voicemail systems, is a constant threat. The US government estimated that it cost US businesses $55 million in 2009 alone. Often referred to as Theft of Service, it is the responsibility of the customer, the PBX administrator and the reseller to follow and adhere to the manufacturer's guidelines on toll fraud prevention so that their PBX remains secure.

This kind of attack usually happens outside normal business hours. Fraudsters can make huge numbers of calls, often running up bills of thousands of pounds per day until identified and stopped. Because the network supplier has legitimately allowed these calls to you, they will charge you for them. Toll fraud can have a serious financial impact on businesses if not identified and stopped.

The primary defence is reducing the risk of such attacks in the first place. Following good practice, maintaining normal password etiquette, and turning off any services or features that are not required will minimise the opportunity for an attack to take place.
Key Generic Points to Deter Toll Fraud

1. Toll Restriction: block or restrict premium rate and international calls on:
   a. Extensions
   b. Trunks
   c. Mailboxes
   d. MAKE SURE ALL SERVICE MODES ARE CATERED FOR (DAY/NIGHT ETC.)
2. Passcodes: change passcodes regularly (at the very least, change the defaults for):
   a. Remote IP extensions
   b. Mailboxes (including any group mailboxes, administrator and virtual mailboxes)
   c. PC based softphones
   d. Main system admin
3. Reporting: deploy a call management solution. Unusual call patterns can be reported to the customer immediately, so a large bill at the end of the month can be avoided. Samsung's OfficeServ Call Reporting Software can be configured to report on such fraudulent call attempts.
4. DISA: if Direct Inward System Access is in use, it is vital that the DISA service is password protected. Samsung PBXs are equipped with several DISA security measures:
   a. DISA access password protection (should be changed from the default value)
   b. DISA service block upon incorrect password attempts
   c. Password and extension number combination required to access the system

Indicators of Fraudulent Attempts to Access Your System

1. Unusual phone ringing patterns
   a. A system phone that does not normally ring or receive incoming calls may ring once during daytime hours, indicating that fraudsters are trying random numbers within the system.
2. Strange, foreign language or non-business related voicemails, and silent calls
   a. Often, during fraudsters' first attempts to dial through your system, they will get the dialling sequence wrong and inadvertently leave messages in random mailboxes. This is a sure sign that your system is being targeted.
   b. If an abnormal number of silent calls is received, where upon answer there is no response, this can be a sign of the system being targeted.
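To illustrate the Reporting point above, here is an added example (not from the bulletin and not Samsung's Call Reporting Software) that flags out-of-hours international and premium rate calls in a constructed call detail record sample and highlights any source making a burst of them; the business hours, the 00 and 09 prefixes, the CDR layout and the burst threshold are assumptions.

```python
"""Out-of-hours call-pattern check over call detail records (added example)."""
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the bulletin): business hours 08:00-18:00 Mon-Fri,
# international prefix 00, UK premium-rate prefix 09, alert on 3+ hits per source.
BUSINESS_START, BUSINESS_END = 8, 18
COSTLY_PREFIXES = ("00", "09")
BURST_THRESHOLD = 3

# Constructed sample CDR lines: "timestamp,source,dialled number,duration seconds".
# 2011-01-21 is a Friday, 2011-01-22 a Saturday.
SAMPLE_CDR = """\
2011-01-21 10:05:12,EXT201,02079460000,184
2011-01-21 14:40:00,EXT202,0033123456789,95
2011-01-22 01:15:30,EXT205,0900123456,120
2011-01-22 02:14:07,MBX310,0025511223344,611
2011-01-22 02:21:45,MBX310,0025511223355,598
2011-01-22 02:30:03,MBX310,0025511223366,640
2011-01-22 03:02:51,MBX310,0025511223377,0
"""

def is_out_of_hours(ts):
    """Weekend, or a weekday outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def parse_cdr(text):
    """Parse the constructed CDR format into (datetime, source, dialled, secs)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, source, dialled, secs = line.split(",")
        rows.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     source, dialled, int(secs)))
    return rows

def find_suspicious(text):
    """Return (flagged calls, sources exceeding the burst threshold)."""
    flagged, per_source = [], defaultdict(int)
    for ts, source, dialled, secs in parse_cdr(text):
        # Costly destination dialled outside business hours: report it.
        if dialled.startswith(COSTLY_PREFIXES) and is_out_of_hours(ts):
            flagged.append((ts, source, dialled, secs))
            per_source[source] += 1
    bursting = sorted(s for s, n in per_source.items() if n >= BURST_THRESHOLD)
    return flagged, bursting
```

Run against the sample, the mailbox MBX310 is reported as the source of a burst of out-of-hours international calls, while the daytime international call from EXT202 is not flagged.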
What can you and your customers do to deter toll fraud?

Please use the following information on how to properly configure the system to deter and remove the threat of toll fraud.

Four Golden Rules to Help Combat the Threat

1. Change passcodes and passwords regularly. A rule of thumb is that if a PBX service or device has a passcode, then it's there for a reason and is open to being accessed fraudulently. So change it, regularly!
2. Manage the system user database. Remove any unused:
   a. Extensions, virtual or physical (TDM, IP and Analogue)
   b. Mailboxes, including group and virtual
3. Manage Toll Restriction levels. A catch-all approach is to restrict expensive premium rate numbers from being dialled. This is easily achieved through the Samsung Toll Restriction and Class of Service tables. Such restrictions can be seen as restrictive by users; don't forget that you can restrict calls during out-of-hours periods only, if users need to be able to make such calls during normal business hours.
   a. Be sure to include all digits and wild cards in any Toll Restriction plan, including meta characters such as * and #.
4. Follow the configuration rules for installing a voice mail system, specifically making sure all services that are not required, such as external divert and external notification, are disabled unless the customer specifically requests this functionality.
Below is the definitive guide to securing the OfficeServ PBX range.

Securing the SVMi Voicemail System

ECLASS (screen shot of the Standard ECLASS menu, not reproduced here): change these fields to N (No) and remove any exception codes from here. Note that the menu shown is for the Standard ECLASS; make sure that ALL ECLASS tables are changed.

MCLASS (screen shot of the Standard MCLASS menu, not reproduced here): change these fields to N (No) and remove any exception codes from here. Note that the menu shown is for the Standard MCLASS; make sure that ALL MCLASS tables are changed.
Carrying out the settings shown in the above examples will block all dialling out and call backs via your SVMi voicemail. It is also essential to delete any unused extension blocks and mailbox blocks; for example, any virtual or group blocks that are not in use should be removed. If toll fraud via your SVMi is suspected, you can use the activity log (activity.log) to trace the calls. For even further security you can assign a restricted Toll Level to the SVMi ports via the OfficeServ system's programming tools.

Securing against localised Toll Fraud (staff-based fraudulent use)

In order to take full advantage of the OfficeServ Toll Restriction (call barring) tables, please use this guide as a reminder of best practice. This bulletin pays particular attention to the * and # keys, which should both be taken into account when building any Toll Restriction plan. Barring digits 0 ~ 9 alone should not be considered adequate in any plan.

Example of bad practice

Imagine a BT customer requests that all international numbers are barred from all extensions. We should immediately consider the digits 00, the international operator 155, international directory enquiries 153, and 141 to restrict the outgoing CLI; the last three are well known methods of overcoming PBX barring tables. These codes should be entered as normal into a Toll Restriction plan in MMC 702 (see the screen shot of MMC 702 below). We are using a COS with a Toll Level of B assigned in this example. The above example would successfully toll restrict 00, 155 and 153 calls from the extensions assigned to the relevant Class of Service.
But it would not restrict a user who prefixes the international call with a * or a #. For example, a user could dial 9 - #00 followed by the international number and the call would not be restricted. The same can be said for the * key. So to ensure that your toll plan is secure, please use the following screen shots of MMC 702 and MMC 704 as a guide.

MMC 704 (Wild Character) is used to make call barring very flexible (screen shot above). In this scenario, for barring * and #, we need to use one of the wild characters (X, Y and Z). By default all digits assigned to Y and Z are set to NO, so we must set * and # to YES against, for example, Y and then enter Y into MMC 702 as shown in the screen shot below.

Also, as shown in the figure above, the * character can be directly entered into MMC 702, but the # key cannot and needs to be assigned via the wild character, in this case Y. And again the Y character must have the relevant Toll Level set to YES, in this case B. Using MMC 704 correctly to restrict * and # should be considered best practice when building your toll plan.
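As an added example (a simplified model, not the PBX's own logic and not code from the bulletin), the following deny-table check shows why the digit-only plan above lets dial strings prefixed with * or # through and how the Y wild character entry closes that gap; it assumes the trunk access digit 9 has already been stripped, that Y has * and # set to YES for Toll Level B in MMC 704, and that a deny entry matches the start of the dialled string.

```python
"""Simplified model of an MMC 702 deny table with an MMC 704 wild character (added example)."""

# Assumptions (not the PBX's logic): the trunk access digit 9 has already been
# stripped; wild character Y has * and # set to YES for Toll Level B in MMC 704.
WILDCARDS = {"Y": {"*", "#"}}

def entry_matches(entry, dialled):
    """True if the dialled string begins with the entry; a wild character letter
    in the entry matches any one character from its MMC 704 set."""
    if len(dialled) < len(entry):
        return False
    for pat, ch in zip(entry, dialled):
        if pat in WILDCARDS:
            if ch not in WILDCARDS[pat]:
                return False
        elif pat != ch:
            return False
    return True

def is_barred(deny_table, dialled):
    """A call is barred if any deny entry matches the start of the dialled string."""
    return any(entry_matches(entry, dialled) for entry in deny_table)

def let_through(deny_table, dial_strings):
    """Return the dial strings that the plan fails to bar (the audit result)."""
    return [d for d in dial_strings if not is_barred(deny_table, d)]

# Bad practice from the bulletin: only the digit strings are barred.
BAD_PLAN = ["00", "155", "153", "141"]
# Corrected plan: the Y entry bars any dial string beginning with * or #.
GOOD_PLAN = BAD_PLAN + ["Y"]

# Constructed dial strings: a plain international call, the same call with
# # and * prefixed, the operator code with and without #, and a local call.
TEST_DIALS = ["0012125551234", "#0012125551234", "*0012125551234",
              "155", "#155", "02079460000"]
```

Auditing BAD_PLAN with let_through() lists the three prefixed strings as not barred, while GOOD_PLAN lets only the local number through.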
VoIP Security Measures

Ensure that any remote maintenance ports are restricted: often ports need to be opened on a Firewall to allow remote maintenance and configuration of the PBX. Ensure that only the preferred maintainer's public IP address has been allowed access via this port.

Delete unused ITP/SIP Extensions/Wi-Fi phones: any unused ITP/SIP Extension/Wi-Fi phone accounts should be removed.

ITP/SIP Extensions/WIP phone passcodes: any used or active ITPs/Wi-Fi/SIP Extensions should have their passcodes changed from the default.

Port forwarding: VoIP connections require port forwarding rules to be put in place on a Firewall. To ensure that only authorised users and services are allowed through, only allow port forwarding from authorised IP addresses, i.e. your SIP provider's IP address.

If in doubt about protecting your customers' PBX against fraud, please follow the four golden rules:

1. Toll Restrict your system, including the trunks
2. Install the Samsung Call Reporting Solution to ensure that any unusual call patterns are spotted early and reported to the appropriate persons
3. Change ALL passcodes regularly
4. Disable unwanted functions on the system and voice mail