If you have been in the telecommunications industry for long enough, you will have heard of voice call hacking. In the good old days, when there were only circuit-switched services, namely PSTN and ISDN, voice call hacking was a big problem.
There was one make and model of PBX that was known to be vulnerable. That PBX included remote maintenance via dialing in on a telephone number reserved for that purpose. Hackers would find out or guess the number ranges in use on the PBX and then program a computer to dial every number in the range(s) until they identified the remote maintenance number. Then they hacked whatever PIN or similar security code was used, at which point they could take total control of the PBX. Normally, they used the PBX to switch calls to international destinations. A couple of African countries figured prominently, as well as a couple of countries in Asia.
In some cases, the hackers set up calling card businesses off the back of a hacked PBX.
To give you an idea of the seriousness of this issue I can describe a couple of cases within my direct experience.
In one case a large corporate customer was hacked between Christmas and New Year. The hackers only had the use of the PBX for a couple of days but ran up a bill of $800k. One of the employees of the corporation had been set up with an alert on his mobile that would have warned him of unusual usage; however, he had turned it off. The employee got fired and the corporation paid the bill in full. In another case I was directly involved in, a small business ran up a bill of $400k due to hacking. This debt was compromised because it would have sent the customer broke.
Then, there was the case of the customer who hacked himself. We detected unusual call traffic which looked like hacking. Various attempts were made to contact the customer to get his permission to bar all calls. All efforts to contact him failed. It was decided to bar the service without the customer’s approval. An account manager was sent out to the customer’s premises, and bingo, it was vacated. It then came out that the customer was signed up without anybody meeting him. It all became clear at that point – the customer was the fraud.
When IP voice (SIP and VoIP) came on the scene, some people claimed it couldn’t be hacked. Unfortunately, this is not true: any network can be hacked, and there is now plenty of material on the web relating to IP voice hacking.
So, what should you do?
- Ask your provider about alerts. Alerts are built by studying the calling patterns that occurred in real hacking cases and then setting up programs that look for calling patterns resembling those cases. If the alert logic is good and the alert operates in real time, hacking should be identified quickly and stopped.
- Carefully address the network security arrangements with help from security experts. A TEM professional can be useful for independent 3rd party review.
- Certain types of call can be barred, e.g. all international calls.
- From a different angle, it might be possible to insure against the risk.
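
As an illustration of the alert logic described in the first point above, here is an added example (not a provider's actual system) that scans call detail records for bursts of international calls on one trunk, with stricter limits outside business hours. The thresholds, the record layout, the trunk names and the sample numbers are all assumptions constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds; a provider would derive them from past fraud cases.
WINDOW = timedelta(minutes=30)
MAX_INTL_CALLS = 5        # international calls per trunk per window
MAX_INTL_MINUTES = 60     # international call-minutes per trunk per window
BUSINESS_HOURS = range(8, 18)

def is_international(dialed):
    # Assumption: international numbers start with "+" or the "00" prefix.
    return dialed.startswith(("+", "00"))

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def detect(cdrs):
    """Return one (time, trunk, reason) alert per trunk from time-ordered CDRs."""
    recent, alerted, alerts = {}, set(), []
    for ts, trunk, dialed, seconds in cdrs:
        if trunk in alerted or not is_international(dialed):
            continue
        window = recent.setdefault(trunk, deque())
        window.append((ts, seconds / 60))
        while ts - window[0][0] > WINDOW:   # drop calls older than the window
            window.popleft()
        calls, minutes = len(window), sum(m for _, m in window)
        factor = 0.5 if off_hours(ts) else 1.0  # stricter outside business hours
        if calls > MAX_INTL_CALLS * factor or minutes > MAX_INTL_MINUTES * factor:
            alerted.add(trunk)
            alerts.append((ts, trunk, f"{calls} intl calls / {minutes:.0f} call-minutes"))
    return alerts

def sample_cdrs():
    # Constructed records: (start time, trunk, dialed number, duration in seconds).
    day, night = datetime(2023, 12, 27, 10, 0), datetime(2023, 12, 27, 2, 0)
    cdrs = [(day, "pbx-A", "+999100000001", 300),
            (day + timedelta(minutes=5), "pbx-A", "0299990000", 120)]
    cdrs += [(night + timedelta(minutes=2 * i), "pbx-B", f"+99920000000{i}", 900)
             for i in range(6)]
    return sorted(cdrs)

if __name__ == "__main__":
    for ts, trunk, reason in detect(sample_cdrs()):
        print(f"{ts:%Y-%m-%d %H:%M} ALERT {trunk}: {reason}")
```

On the constructed data, the single daytime international call on pbx-A raises nothing, while the night-time burst on pbx-B trips the alert on its third call, which is the point at which a provider could bar the service or contact the customer.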
A TEM professional can be useful as a source of independent 3rd party knowledge to help ensure the customer obtains the right balance of risk and cost. Would you like a no-obligation audit of your existing contracts and how you can improve your security posture, reducing your potential liabilities? Contact us today.