Comms Business has probably given more column inches to this devastating issue than any other magazine in the sector, and yet we are still surprised at the lack of coverage in the mainstream media. Three of Comms Business's clients have been hit in the last week for over £100,000 collectively, which is a scary thought when you consider that money is coming straight off the bottom line. Below are just a handful of comments on PBX hacking from our LinkedIn group, sparked by a BBC Radio 4 report.
Paul Carr
How can anyone claim this is not a serious issue for the industry? Why so many victims if current “security” practices are actually working?
The broadcast also features an unfortunate victim who was hacked over the Easter holiday weekend for £15,000 DESPITE having an alert system in place.
What measures are you taking to PREVENT this happening to your customers rather than just putting measures in place to limit the damage?
John Peck
We have a VPN based closed network. We helped a dialler developer with his business and allowed him to have an account outside of the network. Got hit in January and last week, never again. Dialler was calling Wi-Fi numbers owned by Sky Telecom. Contacted Ofcom, who said they had issued 100,000 numbers to the company. Company website had no telephone number; we challenged Ofcom to call the number they had on account, phone was dead. If you are going to attract any support to combat these crooks, Ofcom could do with washing the sleep from their eyes. Regulating what!!
Jason Horan
Hello. Forget in-house applications and such like. Specify, install and configure correctly in the first instance and you will be 99% of the way there. Analogy? Someone fits a new front door and forgets to install a lock.
Roger Ansin
Jason, thanks for your interesting view on this. If what you are saying is correct, then the UK telecoms industry is directly responsible for the loss of well over £1 billion of their customers' money each year, since you believe that this is due to sloppy installations – though 99% is not that flash if you are that 1%! The facts don't back this perspective up, especially when a PABX secured to manufacturer's specifications and locked down is used for toll fraud. We have a number of instances where a PABX is hit, is upgraded and "secured", only to be hit again, often multiple times after that.
I have to defend installers and maintainers here. It is not due to sloppy installation and maintenance; it is because you are dealing with professionals who can make a lot of untraceable money by generating calls. If you stand between skilled professional criminals and a bunch of money, you've got to have something better than their tools to fend them off. To use your analogy, it doesn't matter if it is a locked door or a PABX – if there is enough untraceable money behind it they will break in if you continue to use conventional means.
Paul Taylor
Telecoms resellers are normally reluctant to talk to their customers about fraud, which is a big mistake. Security of the network is paramount, and most SIP carriers will now have some form of fraud protection in place.
Unfortunately it's far harder for traditional carriers to protect against fraud. We have seen instances where we have closed the SIP trunks down and calls have continued to route over ISDN. It's a problem without many of the answers.
I would recommend doing as much as you can on the client network to secure it; if using ISDN, make sure the carrier has some protection in place. SIP carriers, due to the nature of the product, will be able to offer far more protection. It's worth checking with the carrier to find out what fraud reporting/suspension is in place and get the response in writing.
John Haw
I love the passion displayed in this forum! Imagine if a voice carrier actually stepped up to the plate and included fraud prevention on all hosted IP / SIP services as part of the overall bundle, took responsibility for any frauds and made sure their partners couldn't be hit...
Paul German
I think the sentiment, Jon, is a noble one and will certainly de-risk the customer, and certainly has the potential to pull new customers to your business with the thought that they are completely protected. However, I would consider two points before telling my customers that the carrier will absorb the risk around toll fraud.
The first being that the risk that you as a business now carry is not quantifiable. With toll fraud we are not just talking about down time but real costs that *someone* has to pay. If your customer or reseller isn’t paying then you are, and as a result absorbing that risk and cost on your own balance sheet. With the increasing costs around toll fraud this has the potential to unbalance even the largest of companies. We only have to look at the finance sector to see the dangers of carrying unquantifiable risk.
The second point, and one which I firmly believe, is that any security is the responsibility of the end user or the customer. This point has been made above and we as an industry have to apportion blame and responsibility in the right areas and customers must be made aware of risk and advised of available steps to mitigate that risk so they can make an informed decision on how to proceed.
The approach of carriers accepting and managing the risk is like one of the car manufacturers including full risk-free insurance for the life of the vehicle ownership as part of a new car deal.
It may serve as an incentive to get the customer to buy the car, but as it's risk free the drivers of these vehicles often become higher risk. This is because *it's someone else's problem* if they have an accident or write the car off, as they haven't paid for their insurance and won't have the risk of higher premiums in subsequent years, which in itself deters many of us from driving poorly.
Being secure is always going to have a cost tied to it and will always be the responsibility of the user of the service, we cannot simply absorb this risk to get customers to buy our products or services.
Investment in security is justified through understanding the value of a risk of using a product or service and making a decision to mitigate that risk through steps such as insurance or technology.
If I were a gambling man then I would predict an increase in claims against your business for fraudulent call activity. It's the "no win, no fee" approach... people have got nothing to lose, there's only upside if their claim is successful.
Chris McAndrew
Many of the above posts are talking about damage limitation. People seem to be approaching this problem from the viewpoint that the hacker already has access to the system.
If that is the case, then there are many additional options open to the hacker other than toll fraud: eavesdropping, injecting their audio into telephone calls, changing system messages, possibly even crashing the system or corrupting the programming database.
Hackers will also take these options, particularly if they can't make their toll fraud calls, so perhaps we should also be looking at this from a defensive position and making it as difficult as possible for the hacker to gain a foothold.
Perhaps recognising the calling pattern of a wardialler might be a starting point…
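One way to act on the suggestion above, as an added example that is not part of the original thread or any PBX vendor's software: a detector that reads call detail records and flags a source extension whose calls, within a short window, are numerous, very short, and aimed at consecutive numbers, which is the signature a wardialler sweep leaves. The CDR layout (timestamp, source, dialled number, duration), the sample records, the thresholds and the use of Ofcom's reserved drama number ranges are all constructed assumptions for illustration.

```python
"""Wardialler pattern detection over call detail records (CDRs).

Added example, not the article's or any vendor's code. The CDR layout,
the sample data and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# Constructed CDRs: timestamp, source extension, dialled number, duration in seconds.
# ext201 is ordinary daytime use; ext310 is a burst of unanswered calls to
# unrelated numbers; ext105 sweeps ten consecutive numbers with 2-4 second calls.
SAMPLE_CDRS = """\
2014-04-22T09:05:00,ext201,01632960100,120
2014-04-22T10:40:00,ext201,02079460005,340
2014-04-22T14:12:00,ext201,07700900123,60
2014-04-22T02:30:00,ext310,07700900001,3
2014-04-22T02:30:15,ext310,01632960123,3
2014-04-22T02:30:30,ext310,02079460001,3
2014-04-22T02:30:45,ext310,07700900555,3
2014-04-22T02:31:00,ext310,01632960999,3
2014-04-22T02:31:15,ext310,02079460777,3
2014-04-22T02:31:30,ext310,07700900222,3
2014-04-22T02:31:45,ext310,01632960333,3
2014-04-22T02:10:00,ext105,02071234500,2
2014-04-22T02:10:15,ext105,02071234501,3
2014-04-22T02:10:30,ext105,02071234502,2
2014-04-22T02:10:45,ext105,02071234503,4
2014-04-22T02:11:00,ext105,02071234504,2
2014-04-22T02:11:15,ext105,02071234505,3
2014-04-22T02:11:30,ext105,02071234506,2
2014-04-22T02:11:45,ext105,02071234507,2
2014-04-22T02:12:00,ext105,02071234508,3
2014-04-22T02:12:15,ext105,02071234509,2
"""


class Cdr(NamedTuple):
    ts: datetime
    source: str
    dialled: str
    duration: int


def parse_cdrs(text: str) -> List[Cdr]:
    """Parse the comma-separated CDR lines and return them in time order."""
    records = []
    for line in text.strip().splitlines():
        ts, source, dialled, duration = line.split(",")
        records.append(Cdr(datetime.fromisoformat(ts), source, dialled, int(duration)))
    return sorted(records, key=lambda r: r.ts)


def consecutive_fraction(numbers: Iterable[str]) -> float:
    """Fraction of adjacent pairs (after numeric sort) that differ by exactly 1.

    A wardialler stepping through a number block scores close to 1.0;
    ordinary traffic to unrelated numbers scores close to 0.0.
    """
    digits = sorted(int(n) for n in numbers if n.isdigit())
    if len(digits) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return steps / (len(digits) - 1)


def find_wardialler_sources(
    records: List[Cdr],
    window: timedelta = timedelta(minutes=10),
    min_calls: int = 8,
    max_avg_duration: float = 10.0,
    min_sequential: float = 0.6,
) -> Dict[str, dict]:
    """Return {source: evidence} for sources whose calls look like a sweep."""
    by_source: Dict[str, List[Cdr]] = defaultdict(list)
    for r in records:
        by_source[r.source].append(r)

    alerts: Dict[str, dict] = {}
    for source, calls in by_source.items():
        start = 0
        for end in range(len(calls)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while calls[end].ts - calls[start].ts > window:
                start += 1
            window_calls = calls[start:end + 1]
            if len(window_calls) < min_calls:
                continue
            avg_duration = sum(c.duration for c in window_calls) / len(window_calls)
            sequential = consecutive_fraction(c.dialled for c in window_calls)
            if avg_duration <= max_avg_duration and sequential >= min_sequential:
                alerts[source] = {
                    "calls": len(window_calls),
                    "first": window_calls[0].ts.isoformat(),
                    "avg_duration": avg_duration,
                    "sequential": sequential,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for source, evidence in find_wardialler_sources(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"ALERT {source}: {evidence}")
```

Run against the constructed records, only ext105 is flagged: ext310 also makes eight short calls in under two minutes, but its destinations are unrelated, so the sequential score stays at zero and it is treated as a legitimate burst rather than a sweep. Thresholds need tuning per site; a call centre dialler will legitimately look busier than a ten-user office.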
Matthew Hattersley
PBX hacking is as old as the hills, and anyone who watches their firewall logs with an open 5060 port will see an almost constant flow of attack attempts. So yes Ian, it's all about damage limitation and mitigation where possible.
Although you can protect yourself with fancy flow-based tracking, the best thing you can do is ensure your provider is willing to only accept SIP traffic from a fixed IP and firewall your PBX to the hilt. Don't even allow remote management. It's really not that complex.
Final hint: only turn on the features you really use. I still remember the old TAPI style hacks. Fun and games for office pranks, until someone exploits for gain.
Jason Horan
No system is, nor can be, 100% secure, and anyone who suggests such is talking nonsense. And you cannot place the burden of responsibility upon the supplier, though you should expect competency! We do work in the security space and our T's & C's explicitly state the above; however, we do our utmost to secure a customer's systems, whether that be voice, data, video etc. Start from a point of everything closed, then use business cases to open up on a case by case basis. More problems are going to surface as SBCs become the norm for B2B SIP requirements; we are seeing this. I reiterate, start from a paranoid position, then the most that tends to happen is DDoS attacks. Remember also, of course, 80% of data theft/malicious intent is from inside!
Iain Sinnott
Plenty of very interesting points over the last couple of weeks, which for me has clarified the challenge our customers (end users) face and where they need help from all of us. Two tasks stand out: make sure PBX hacking can't kill our business with one big bill; prevent fraud attacks from interrupting the normal operation of the business. Those of us offering a credit lock are naturally focusing our attention on the first challenge (notwithstanding the layers of protection we are placing around our Cloud clusters), whilst those promoting 'hacking prevention' are addressing the second challenge (whilst substantially reducing the chance of the big bill).
Businesses who consider that the threat of extensions or lines being suspended as a result of credit locks being triggered by fraudulent activity is unacceptable may require the additional physical protection. Those who install a physical hacking defence may well seek the second level of comfort given by a credit lock. What is certain is all businesses should be having this debate in their boardrooms this week, so the best thing we can all do is promote the need for them to examine their options.
Whilst each business owner/board must take responsibility for the security of their IT and communications tools their inability to do so is a cry for help or a buying signal. They want a product which lets them communicate to the world but protects them from harm. Between us we can do that.
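The credit lock discussed in the last post, as an added example that is not part of the original thread or any carrier's platform: a rolling-window spend cap that refuses new call setup for an account once its spend in the last 24 hours reaches a limit, and a simulation of a normal working day followed by an overnight fraud burst to show how the bill is bounded. The tariff table, the £50 limit, the sample call pattern and the unassigned '00999' destination prefix are all constructed assumptions; a real carrier's rating engine and thresholds will differ.

```python
"""Credit lock: bound the damage of toll fraud with a rolling spend cap.

Added example, not the article's or any carrier's code. The tariff, limit,
CDR shape and sample traffic are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed tariff in pence per started minute, matched on the longest prefix.
# Fraud traffic heads for the expensive destinations, hence the '00' rate.
TARIFF: Dict[str, int] = {
    "01": 1,    # UK geographic
    "02": 1,
    "07": 10,   # UK mobile
    "00": 120,  # international (catch-all, deliberately expensive)
}


def rate_for(number: str) -> int:
    """Longest-prefix tariff lookup; raises if nothing matches."""
    for length in range(len(number), 0, -1):
        if number[:length] in TARIFF:
            return TARIFF[number[:length]]
    raise ValueError(f"no tariff for {number}")


def call_cost(number: str, seconds: int) -> int:
    """Cost in pence, billed per started minute."""
    started_minutes = -(-seconds // 60)
    return rate_for(number) * started_minutes


@dataclass
class CreditLock:
    limit_pence: int
    window: timedelta = timedelta(hours=24)
    history: List[Tuple[datetime, int]] = field(default_factory=list)
    locked_at: Optional[datetime] = None

    def rolling_spend(self, now: datetime) -> int:
        """Spend within the window ending at `now`; older records are dropped."""
        cutoff = now - self.window
        self.history = [(t, c) for t, c in self.history if t > cutoff]
        return sum(c for _, c in self.history)

    def setup_allowed(self, now: datetime) -> bool:
        """Checked at call setup. Once the limit is reached the account stays
        locked until someone with authority clears it (not modelled here)."""
        if self.locked_at is not None:
            return False
        if self.rolling_spend(now) >= self.limit_pence:
            self.locked_at = now
            return False
        return True

    def record(self, ended_at: datetime, number: str, seconds: int) -> int:
        cost = call_cost(number, seconds)
        self.history.append((ended_at, cost))
        return cost


def simulate(lock: CreditLock, calls: List[Tuple[datetime, str, int]]) -> Tuple[int, int, int]:
    """Replay (start, number, seconds) calls; return (allowed, blocked, spend in pence)."""
    allowed = blocked = spend = 0
    for start, number, seconds in calls:
        if not lock.setup_allowed(start):
            blocked += 1
            continue
        allowed += 1
        spend += lock.record(start + timedelta(seconds=seconds), number, seconds)
    return allowed, blocked, spend


def build_sample_day() -> List[Tuple[datetime, str, int]]:
    """Constructed traffic: five daytime UK calls, then 30 ten-minute
    international calls starting at 23:00 to an unassigned '00999' destination."""
    day = datetime(2014, 4, 22)
    normal = [(day + timedelta(hours=9, minutes=15 * i), "01632960100", 300) for i in range(5)]
    attack = [(day + timedelta(hours=23, minutes=10 * i), "0099900012345", 600) for i in range(30)]
    return normal + attack


def run_example(limit_pence: int = 5000) -> dict:
    lock = CreditLock(limit_pence=limit_pence)
    allowed, blocked, spend = simulate(lock, build_sample_day())
    return {
        "allowed": allowed,
        "blocked": blocked,
        "spend_pence": spend,
        "locked_at": lock.locked_at.isoformat() if lock.locked_at else None,
    }


if __name__ == "__main__":
    print(run_example())
```

With a £50 limit the five daytime calls cost 25p and pass; the attack gets five calls through (the lock only sees spend at setup, so the call that crosses the line still completes) and the account locks at 23:50 with a bill of £60.25 instead of the £360 that thirty unchecked calls would have produced. That overshoot by one call is the trade-off the post above alludes to: a tighter cap or a pre-call cost reserve blocks sooner but suspends legitimate lines more often.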