
How to prevent PBX fraud/hacking

Recent discussions between telecommunications companies have shown that a number of businesses in New Zealand have recently been hit with PBX fraud/hacking. This type of fraud has been around globally for the past 10-20 years; however, there currently seems to be a concerted focus on attacking businesses in New Zealand.

PBX fraud can generally be avoided if the client asks their PBX and/or voicemail vendor to audit both facilities and check for potential fraud weaknesses.

The types of fraud perpetrated have usually occurred previously elsewhere in the world, so New Zealand-based PBX and voicemail vendors should already be aware of the types of telecommunications fraud their product is vulnerable to, and should be able to apply permanent fixes if an audit shows their product to be insecure.

What is PBX Fraud?

A PBX is a computerised system that manages a network of internal telephone extensions. It is a highly flexible system: if required, it can provide access to telephone services to callers who dial into the system from outside the PBX network.

This service is called DISA (Direct Inward System Access) and, if enabled, it permits employees to route national and international calls through the PBX, with the cost of those calls being billed to the owner of the PBX. Access to this service requires a PIN; however, the PIN can be abused (guessed, shared or stolen), and the result may be unauthorised calls costing many thousands of dollars. Most PBXs also have engineering and maintenance access codes, and if these are compromised the attacker has total control of the system.

There is plenty of information on the Internet relating to toll fraud, PBX fraud, etc. Go to Google and use the words PBX, PABX, toll fraud to find useful information about this type of fraud.

How will I know if my PBX has been a victim of PBX Fraud?

If your PBX has voicemail and DISA enabled, it is susceptible to this form of fraud. Usually the only indication you will see is a substantial increase in your telephone bill. Detailed (itemised) billing will help you identify unauthorised calls, which are usually international calls but can also be national and mobile calls.

Another indicator is where customers trying to dial in, or employees trying to dial out, find that the lines are always busy.

Audit your bill each month:

  1. Check your bill regularly and ensure you can account for all itemised calls.
  2. Look for calls to countries that you do not normally do business with.
  3. Look for calls made outside your business hours.

How can I protect my PABX from this type of fraud?

  1. If DISA is not required, ensure that it is disabled. If it is required, ensure that the people who supplied the PBX or who maintain your system understand the full functionality of the PBX and can configure DISA properly.
  2. If automatic logging of calls is available, enable it. It may help identify the extension number being used to compromise the PBX, and it may also identify the source of the external call.
  3. Regularly check the log records for repeated short-duration calls to the same number. This can indicate an attempt to attack your system (for example, PIN guessing).
  4. Ensure that the PINs for voicemail, DISA and engineering access are activated and changed regularly.
  5. If possible, engineering access should only be permitted on a 'call back' basis; this helps prevent unauthorised access to this privileged account.
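The monthly bill audit and the log checks above can be automated. The following is an added example written for this page, not code from the original page or from any PBX vendor. It runs over a constructed CSV call-detail export; the column layout, the NZ international prefix "00", the allow-list of country codes, the business-hours window and the short-call threshold are all assumptions to adjust for your own site. It flags international calls to countries not on the allow-list, calls placed outside business hours, and repeated short-duration calls to one number.

```python
"""Flag toll-fraud indicators in a PBX call-detail record (CDR) export.

Added example for this page; not the page's or any vendor's tooling.
Assumptions: the CSV layout below, the NZ international prefix "00",
the country-code allow-list, the business-hours window and the
short-call threshold. Real PBX exports differ, so adapt parse_cdr().
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export (not real billing data). Extension 219 shows
# the pattern this page describes: night-time international calls and a
# burst of very short calls to one number.
SAMPLE_CDR = """\
start,extension,dialled,duration_secs
2024-03-04 09:12:03,201,0212345678,184
2024-03-04 10:40:55,203,0061298765432,611
2024-03-04 23:10:02,219,00882123456789,1502
2024-03-04 23:15:44,219,00882123456789,1377
2024-03-05 02:03:11,219,0023412345678,8
2024-03-05 02:03:31,219,0023412345678,7
2024-03-05 02:03:50,219,0023412345678,9
2024-03-05 02:04:12,219,0023412345678,6
2024-03-05 14:22:09,204,0092212345,321
"""

INTL_PREFIX = "00"                          # assumption: NZ international dialling prefix
ALLOWED_COUNTRY_CODES = {"61", "44", "1"}   # assumption: AU, UK and NANP are normal business partners
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: Mon-Fri 08:00-18:00
SHORT_CALL_SECS = 15                        # assumption: calls shorter than this look like probing
REPEAT_THRESHOLD = 3                        # assumption: this many short calls to one number is suspicious


def parse_cdr(text):
    """Parse the CSV export into dicts with a datetime start and an int duration."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"].strip(),
            "dialled": row["dialled"].strip(),
            "duration_secs": int(row["duration_secs"]),
        })
    return records


def is_unexpected_international(dialled, allowed_codes=ALLOWED_COUNTRY_CODES):
    """True for an international number whose country code is not on the allow-list."""
    if not dialled.startswith(INTL_PREFIX):
        return False
    rest = dialled[len(INTL_PREFIX):]
    return not any(rest.startswith(code) for code in allowed_codes)


def is_out_of_hours(start, hours=BUSINESS_HOURS):
    """True for a call placed on a weekend or outside the business-hours window."""
    open_at, close_at = hours
    return start.weekday() >= 5 or not (open_at <= start.time() < close_at)


def repeated_short_calls(records, short_secs=SHORT_CALL_SECS, threshold=REPEAT_THRESHOLD):
    """Numbers that received `threshold` or more calls shorter than `short_secs`."""
    counts = Counter(r["dialled"] for r in records if r["duration_secs"] < short_secs)
    return {number: n for number, n in counts.items() if n >= threshold}


def audit_cdr(text):
    """Run all three checks over a CDR export and return the findings by indicator."""
    records = parse_cdr(text)
    return {
        "unexpected_international": [r for r in records if is_unexpected_international(r["dialled"])],
        "out_of_hours": [r for r in records if is_out_of_hours(r["start"])],
        "repeated_short_calls": repeated_short_calls(records),
    }


if __name__ == "__main__":
    findings = audit_cdr(SAMPLE_CDR)
    for r in findings["unexpected_international"]:
        print(f"INTL   {r['start']} ext {r['extension']} -> {r['dialled']} ({r['duration_secs']}s)")
    for r in findings["out_of_hours"]:
        print(f"HOURS  {r['start']} ext {r['extension']} -> {r['dialled']}")
    for number, n in findings["repeated_short_calls"].items():
        print(f"PROBE  {n} calls under {SHORT_CALL_SECS}s to {number}")
```

Run it against the real export from your PBX or carrier each month and review every line it prints. Where the PBX also logs inbound and DISA attempts, run the repeated-short-call check over those records too, since the probing that precedes a compromise arrives from outside.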

Prevention Strategies

  1. Never give out technical information about your system to callers - unless you are completely certain who is on the other end of the line.
  2. Do not allow your system administrator to maintain factory set passwords for maintenance of your system.
  3. Introduce a PIN and password management policy under which employees are not permitted to use predictable PINs such as the last digits of their DDI, repeated digits like 1111 or 0000, or sequential digits like 1234.
  4. Ensure that PINs are changed regularly, and that supervisor and maintenance passwords are changed when the administrator, an employee or a contractor leaves the business.
  5. Do not publish a list of all your staff names and contact numbers on your website or elsewhere on the Internet. You would be providing would-be fraud offenders with a list of all your company's phone numbers to try to hack into.
  6. Do not allow unlimited unsuccessful attempts to enter voicemail; configure the system so that three unsuccessful attempts cause the call to fail.
  7. Disable an administrator, contractor or employee's mailbox account when he or she leaves your company.
  8. Schedule regular PBX checks with your maintainer and put in place a regular risk mitigation strategy to limit system vulnerabilities.
  9. Ensure that your PBX room is locked when not attended.
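The PIN rules in item 3 above can be enforced at the point where a PIN is set. The following is an added example written for this page, not vendor code. The minimum length, the factory-default list and the DDI format are assumptions, and the constant-step rule goes beyond the page's 1234 example by also catching 2468 or 9753.

```python
"""Check a proposed voicemail/DISA PIN against the predictability rules above.

Added example for this page, not vendor code. The minimum length, the
factory-default list and the DDI format are assumptions; the constant-step
rule goes beyond the page's 1234 example and also catches 2468 or 9753.
"""
import re

MIN_PIN_LENGTH = 6  # assumption: the page sets no minimum; 6 digits is a sensible floor
# Assumption: a few commonly seen out-of-the-box codes. Extend with the
# defaults documented for your own PBX and voicemail platform.
FACTORY_DEFAULTS = {"0000", "1111", "1234", "9999", "000000", "111111", "123456"}

TOO_SHORT = "too short"
REPEATED = "repeated digit"
CONSTANT_STEP = "sequential or constant-step digits"
FROM_DDI = "taken from the user's DDI"
DEFAULT = "factory default"


def _digits(s):
    """Strip everything except digits from a dialling number such as '+64 9 555 0142'."""
    return re.sub(r"\D", "", s)


def is_repeated(pin):
    """1111, 0000 and so on: one digit repeated."""
    return len(set(pin)) == 1


def is_constant_step(pin):
    """1234, 4321, and also 2468 or 9753: every adjacent pair differs by the same non-zero step."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps != {0}


def matches_ddi(pin, ddi):
    """PIN lifted from the user's own number: the last digits, or any run of digits in it."""
    return pin in _digits(ddi)


def check_pin(pin, ddi):
    """Return the list of policy violations for `pin`; an empty list means it is acceptable."""
    if not pin.isdigit():
        return ["not all digits"]
    reasons = []
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(TOO_SHORT)
    if is_repeated(pin):
        reasons.append(REPEATED)
    if is_constant_step(pin):
        reasons.append(CONSTANT_STEP)
    if matches_ddi(pin, ddi):
        reasons.append(FROM_DDI)
    if pin in FACTORY_DEFAULTS:
        reasons.append(DEFAULT)
    return reasons


if __name__ == "__main__":
    ddi = "+64 9 555 0142"  # constructed example DDI, not a real number
    for candidate in ("0142", "111111", "123456", "2468", "730916"):
        verdict = check_pin(candidate, ddi)
        print(f"{candidate}: {'OK' if not verdict else ', '.join(verdict)}")
```

Reject any PIN for which the list is non-empty, and apply the same check to the engineering and maintenance codes, which item 2 above says must never be left at their factory values.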