VoIP's Most Common Security Breach Increasing: Toll Fraud
Is Toll Fraud Affecting Businesses?
According to Infonetics Research, a data networking and telecom market research firm, network security expenditure focused on intrusion detection and deterrence fell by 21% this year. This cut in IT security is partially responsible for the increase in toll fraud instances affecting VoIP phone systems. Toll fraud involves the hacking of a company’s phone system by a third party. Even though instances of toll fraud are on the rise, this fraudulent technique is not new. This practice of fraud initiated during the 1950s by hacking the telephone service providers directly to avoid paying for telephone service. This earlier version of toll fraud was generally done by a single hacker on a local level. Today, toll fraud is a billion dollar international industry that hacks not only phone service providers but businesses alike. The hackers or “tele-theives” steal minutes and resell them to customers wanting to make international calls.
Business VoIP is particularly vulnerable to toll fraud because of its intrinsic relationship to high speed internet connections. The internet offers hackers both an easier point of entry than a traditional landline based phone as well as the possibility to sell more minutes. Hosted systems that use Session Initiated Protocol (SIP) trunks for PSTN connectivity (as opposed to T1 TDM) have the capability to provide twice as many available minutes. This minute amount can be further maximized if the hacker calls are placed at non-peak hours.
Another reason VoIP services are gaining popularity amongst tele-theives is the sheer quantity of companies switching from landline based phone systems such as PBX to VoIP. VoIP security protocols are likely to be missed with new VoIP phone users as they are unfamiliar with the systems or do not recognize the potential security threats. The following three security oversights are mistakes that do grant hackers easy access to a VoIP network, but are not the leading form of entry: weak endpoint controls, lack of or inadequate VLAN separation for voice and data information, and basing security efforts solely on border controllers. The number one security related problem is linked to password encryption. The three most common password errors are:
- Not changing the default administrative password used during the installation process.
- Not creating sufficiently encrypted passwords for various extensions. (Typically this manifests in the form of passwords matching extension numbers.)
- Shutting off encryption for internal communications.
These three errors have clear solutions which is what makes toll fraud quite preventable. The first step towards preventing password related entry is to instill a thoroughly developed encrypted password procedure for internal and external communication points. Once the passwords have been updated, run a program to test the password encryption strength. A program such as SIPVicious tool suite with svcrack and svwar test password weaknesses and verify that no active extensions are without passwords. The SIPVicious tool also has the ability to identify unauthorized SIP devices using your VoIP network. Regularly running a penetration test prevents easy points from going unnoticed. VoIP security requires constant vigilance and regular monitoring.
Toll fraud is commonly discussed in terms of the end result, the expensive phone bill, but there are other more fundamental ways in which toll fraud affects a business’ profitability. Tele-thieves presence affects incoming and outgoing calls. It is difficult to be aware of the hackers’ impact for incoming calls. Incoming calls may receive a busy signal because all of the lines are in use. Constant busy signals affect customer service and potentially result in a loss in order volume.
For outgoing calls, the effect is more tangible. Toll fraud results in an increase in the data transferred over the network. This increase in data transfer can result in lower call quality with excessive static or can actually cause calls to be dropped. Further, employees may have to wait for an outside line to become available because the hackers are controlling extensions.
Therein, toll fraud not only affects a company when they receive a costly phone bill, it potentially impacts a month’s worth of work. A company more dependent on sales related to telephone usage will feel the adverse effects of toll fraud more strongly than another type of sales model. For example, toll fraud for a catalog based clothing company may more significantly impact sales while for a yoga studio it may be less severe.
Spending on IT security and vigilant protection efforts are the best prevention methods for avoiding toll fraud on a VoIP phone system.