When we think about network security, the telephone network is often overlooked as a target. One of the most common attacks on a telephony network is toll fraud. The Communications Fraud Control Association (CFCA) estimated global telecom fraud losses for 2019 at US$28.3 billion, or 1.74% of global telecom revenues.1 In this article, we look at how toll fraud affects both conventional telephony and modern VoIP systems, and what you can do to protect your business.
Types of toll fraud
A telephone system is susceptible to many different types of attacks. Toll fraud is a form of attack that involves the unauthorized use of an individual’s or a business’ telephony services and equipment to make long distance, international, or premium-rate number phone calls that are charged to the owner of the targeted system. Toll fraud can take several forms:
- Employees using their work phones for unauthorized long-distance and international calls to friends and loved ones, or to premium-rate numbers.2
- Attackers obtaining remote access to a PBX and routing their own calls through it, so that the owner of the PBX pays for those calls.
- Fraudulent businesses impersonating a small telco gaining remote access to a PBX and routing their own customers' calls through it. In the most ingenious cases, such fraudsters sell telephony service to their customers on a per-minute basis and carry the traffic via the compromised PBX, at essentially no cost to themselves but at great cost to the targeted enterprise.
- Attackers generating a large volume of calls from a compromised PBX to international and premium-rate numbers for no other reason than to run up the targeted company's telephone bill.
Each of the above cases is different, has a varying impact on the targeted company, and must be dealt with in a different way.
Toll fraud techniques
Because telephony networks have evolved from conventional to voice-over-IP networks, the methods used by toll fraudsters have also changed.
Traditional toll fraud
Toll fraud on traditional PRI circuits that terminate on a conventional PBX usually exploits a misconfiguration of the PBX itself. Legacy PBXs have many features that are complex to configure; one of them, usually known as Direct Inward System Access (DISA), lets a caller dial a Direct Inward Dial (DID) number, receive an internal PBX dial tone, and then place calls anywhere. Those calls originate from the PBX and are therefore charged to the company. This is a legitimate function, but if it is not protected by a PIN, or the PIN is guessed or leaked, it is an open door for toll fraud.
On older systems, fraud has also involved technicians installing devices on PBXs that later gave them dial-in access over the PSTN. Such access was used not only to place fraudulent calls but also to reconfigure the PBX remotely and compromise it further. PBX specialists were relatively few, and some exploited that exclusivity to provide a third party with malicious access.
For the most part, conventional telephony requires some physical access to the PBX, initially at least, in order to further develop a toll fraud strategy.
VoIP toll fraud
Because VoIP systems are interconnected with the data network, and ultimately with the internet, they are typically reachable from almost anywhere. For VoIP, therefore, most toll fraud takes the form of remote compromise using the same techniques seen in attacks on any other networked system. Such attacks normally target the following:
- Port scanning – VoIP signalling uses SIP, which by default listens on port 5060 (UDP or TCP) and on port 5061 for SIP over TLS. If you expose a SIP server to the internet without any precautions, you will see scans of these ports within minutes: automated scanners send SIP OPTIONS and REGISTER probes looking first for servers that answer and then for extensions that accept weak or no credentials.
- Passwords – Both SIP trunks and SIP extensions authenticate with passwords. Weak, default or leaked passwords are the vulnerability most often exploited, and if registrations travel unencrypted the digest exchange can be captured and cracked offline.
- Compromising servers – Like any other network service (web, email, file server), VoIP telephony depends on a SIP server. An attacker who gains access to its operating system can reconfigure trunks, extensions and dial plans at will, including routing their own traffic out through your carrier account.
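As an added example (not code from the original article), the following Python script shows the kind of check a practitioner would run against PBX logs once a SIP server is exposed: it parses failed-registration lines, flags source addresses that exceed a failure threshold within a sliding window (password guessing) or that try many different extensions in that window (enumeration by a scanner), and renders firewall rules for the offenders as strings. The log format is modelled on Asterisk's chan_sip NOTICE messages, but the sample lines, thresholds and addresses (RFC 5737 documentation ranges) are constructed; adapt the regular expression to whatever your PBX actually writes.

```python
"""Flag SIP registration brute force and extension enumeration in PBX logs.

Added example, not from the original article. The log lines are constructed
in the style of Asterisk chan_sip NOTICE messages; the exact format,
thresholds and IP addresses (RFC 5737 documentation ranges) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user mistyping a password (198.51.100.7), a scanner
# walking extension names (203.0.113.5) and a brute-force run on one extension (192.0.2.9).
SAMPLE_LOG = """\
[2019-05-03 09:15:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@pbx.example>' failed for '198.51.100.7:5060' - Wrong password
[2019-05-03 09:15:40] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@pbx.example>' failed for '198.51.100.7:5060' - Wrong password
[2019-05-03 09:16:02] VERBOSE[1234] chan_sip.c:     -- Registered SIP '300' at 198.51.100.7:5060
[2019-05-03 10:22:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.5:5060' - Wrong password
[2019-05-03 10:22:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2019-05-03 10:22:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2019-05-03 10:22:02] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2019-05-03 10:22:03] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2019-05-03 10:22:03] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2019-05-03 10:30:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:30:15] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:30:30] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:30:45] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:31:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:31:15] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2019-05-03 10:31:30] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
"""

# Matches only failed-registration NOTICE lines; everything else is ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\" <sip:[^>]*>' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username, reason) for failed registrations."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["reason"]))
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Map offending source IP -> set of tags.

    brute_force: more than max_failures failures from one IP inside any `window`.
    enumeration: failures for more than max_users distinct usernames inside any `window`.
    Thresholds are assumptions; tune them to your user base and scanner noise.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _reason in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        tags = set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if len(span) > max_failures:
                tags.add("brute_force")
            if len({user for _, user in span}) > max_users:
                tags.add("enumeration")
        if tags:
            findings[ip] = tags
    return findings


def block_rules(findings):
    """Render iptables DROP rules (as strings only) for SIP on UDP/TCP 5060 and TLS 5061."""
    rules = []
    for ip in sorted(findings):
        for proto, port in (("udp", 5060), ("tcp", 5060), ("tcp", 5061)):
            rules.append(f"iptables -I INPUT -s {ip} -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    findings = detect(parse_failures(SAMPLE_LOG))
    for ip, tags in sorted(findings.items()):
        print(ip, ", ".join(sorted(tags)))
    print("\n".join(block_rules(findings)))
```

The sliding window matters: a single user who mistypes a password twice in a minute must not be blocked, while a scanner that walks extension names in seconds should be, even if it never exceeds the raw failure count. In production this logic lives in something like fail2ban reading the PBX log, with SIP also restricted to known peers and carrier addresses at the edge so that most scanners never reach the registrar.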
VoIP vs. traditional telephony
One may imagine that more traditional telephony systems, being disconnected from other networks, are less susceptible to toll fraud than more modern connected VoIP systems. On the contrary, since security for conventional telephone networks has for the most part ceased development, enterprises that still rely on older systems may be more vulnerable than ever before to toll fraud. This is especially true for hybrid systems that use both VoIP and conventional technologies simultaneously.
VoIP systems may intuitively seem more vulnerable, but because the data networks upon which they are based are an extremely mature technology, highly effective security measures have been developed (and continue to be developed), that will keep your VoIP system safe. Thus, the most important step you can take to secure your telephony network from toll fraud is to migrate to a fully VoIP system.
Preventing toll fraud
Some of the most important steps you can take to protect yourself from toll fraud include:
- Make sure security precautions for the network as a whole—and not just for VoIP—are in place. This includes strong passwords for servers and SIP services, securing your Wi-Fi network, securing your remote users, ensuring that your network edge is protected using appropriate security appliances, and controlling physical access to your servers and data centers.
- Confirm you have a security policy that employees are aware of and sign as part of their employment procedures. Make sure to remind employees of their responsibilities and to train them in the correct use of company resources.
- Check that premium-rate numbers are blocked on the PBX itself, and that international and long-distance calling is restricted, either by a personal code (PIN) or by enabling such calls only on particular phones.
- Ensure that features such as obtaining a dial tone via a DID number (DISA) are disabled or properly secured.
- Verify that phones cannot be used by unauthorised people such as guests, security or cleaning personnel during off-hours: require a personal PIN, or disable long-distance and international calling when the business is closed.
- Whenever possible, upgrade from your traditional telephony system to a fully VoIP system, which will give you all of the most up-to-date security measures, as well as some of the most cutting-edge user features available today.
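The dialling restrictions in the list above (block premium-rate numbers, gate international and long-distance calls behind a PIN or an allow-list of phones, and disable them outside business hours) amount to a policy the PBX evaluates for every outbound call. The following Python example, added here and not taken from the article or from any PBX vendor, expresses that policy as a function and reuses the same number classifier to review call detail records (CDRs) for calls that should never have connected and for extensions running up unusual charges, which is how you avoid discovering fraud only when the bill arrives. Number classification assumes North American dialling conventions; the extensions, PINs, business hours, cost limit and CDR rows are all constructed.

```python
"""Outbound-call policy and call-detail-record (CDR) review against toll fraud.

Added example, not from the original article or any PBX vendor. Number
classification assumes North American Numbering Plan (NANP) dialling; the
extensions, PINs, business hours, cost limit and CDR rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed: Monday to Friday, 08:00-18:00
INTL_ALLOWED_EXTENSIONS = {"101", "102"}      # assumed: phones allowed to dial abroad without a PIN
PINS = {"103": "4821"}                        # constructed; a real PBX keeps these in its auth backend
MAX_EXTENSION_COST = 25.0                     # assumed daily toll-charge ceiling per extension, USD

# Constructed timestamps used in the demonstration below (2019-05-03 is a Friday).
FRIDAY_10AM = datetime(2019, 5, 3, 10, 0)
SATURDAY_3AM = datetime(2019, 5, 4, 3, 0)


def classify(number):
    """Classify a dialled number as premium, international, long_distance or local.

    Assumes NANP conventions: 011 or + prefixes an international call, a leading 1
    prefixes a long-distance call, and the 900 area code is premium-rate. Areas with
    10-digit local dialling or other premium exchanges need their own rules.
    """
    d = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if d.startswith("+1"):
        d = "1" + d[2:]                      # +1 in E.164 is a NANP number, not international
    if d.startswith("+") or d.startswith("011"):
        return "international"
    if (len(d) == 11 and d[1:4] == "900") or (len(d) == 10 and d[:3] == "900"):
        return "premium"
    if len(d) == 11 and d[0] == "1":
        return "long_distance"
    return "local"


def during_business_hours(when):
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]


def authorize(extension, number, when, pin=None):
    """Return (allowed, reason) for an outbound call, applying the prevention checklist."""
    cls = classify(number)
    if cls == "premium":
        return False, "premium-rate numbers are blocked on the PBX"
    if cls in ("international", "long_distance"):
        if not during_business_hours(when):
            return False, f"{cls} calling is disabled outside business hours"
        if extension in INTL_ALLOWED_EXTENSIONS:
            return True, f"{cls} call allowed on an authorised phone"
        if pin is not None and PINS.get(extension) == pin:
            return True, f"{cls} call allowed with a valid PIN"
        return False, f"{cls} call requires a valid PIN"
    return True, "local call"


# Constructed CDRs: (start, extension, dialled number, duration in seconds, carrier charge in USD).
CDRS = [
    (datetime(2019, 5, 3, 9, 5), "101", "+44 20 7946 0000", 600, 3.00),
    (datetime(2019, 5, 3, 11, 0), "105", "1-900-555-0100", 900, 44.85),
    (datetime(2019, 5, 3, 14, 30), "104", "555-0100", 120, 0.00),
    (datetime(2019, 5, 4, 2, 10), "104", "011 44 20 7946 0001", 1800, 54.00),
    (datetime(2019, 5, 4, 2, 45), "104", "011 44 20 7946 0002", 1800, 54.00),
]


def review_cdrs(cdrs, max_extension_cost=MAX_EXTENSION_COST):
    """Flag calls the policy should have refused and extensions running up unusual charges."""
    alerts, cost = [], defaultdict(float)
    for start, ext, number, seconds, usd in cdrs:
        cost[ext] += usd
        cls = classify(number)
        if cls == "premium":
            alerts.append(f"{ext}: premium-rate call to {number} ({seconds}s, ${usd:.2f})")
        elif cls in ("international", "long_distance") and not during_business_hours(start):
            alerts.append(f"{ext}: off-hours {cls} call to {number} at {start:%Y-%m-%d %H:%M}")
    for ext in sorted(cost):
        if cost[ext] > max_extension_cost:
            alerts.append(f"{ext}: ${cost[ext]:.2f} in toll charges exceeds the ${max_extension_cost:.2f} limit")
    return alerts


if __name__ == "__main__":
    for ext, number, when, pin in [("105", "1-900-555-0100", FRIDAY_10AM, None),
                                   ("103", "+44 20 7946 0000", FRIDAY_10AM, "4821"),
                                   ("101", "+44 20 7946 0000", SATURDAY_3AM, None)]:
        print(ext, number, authorize(ext, number, when, pin))
    print("\n".join(review_cdrs(CDRS)))
```

On a real PBX the `authorize` logic is expressed in the dial plan or class-of-service settings rather than in Python, and the PIN must be checked against a stored hash, not a plaintext table. The CDR review is worth running daily rather than monthly: the two off-hours international calls in the constructed data are exactly the pattern a compromised extension produces on a Saturday night, and catching them the next morning bounds the loss to hours instead of a billing cycle.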
Your rights and responsibilities
If you do become a victim of toll fraud, you may find yourself out on a limb. The contracts most telcos have you sign include clauses that exempt them from liability, especially where the fraud results from a lack of precautions on the business' part.
Talk openly with your telco about the issue: get their advice on the most appropriate measures against toll fraud, ask what fraud alerting or spending limits they can apply to your account, and make sure you understand where their responsibility ends and where yours begins.
The last thing a business wants is to be surprised by an abnormally high telephone bill at the end of the month. Be sure to avoid such a situation by first understanding what toll fraud is and then by taking the necessary steps to mitigate it.
- CFCA Fraud Loss Survey 2019 press release
- Premium-rate numbers are telephone numbers through which certain services are provided and for which higher than normal per-minute charges apply. Unlike ordinary numbers, part of the call charge goes to the provider of the service and is the primary source of revenue for that business, which is why attackers find them such an expensive and damaging vehicle for toll fraud. Common services that use premium-rate numbers include tech support, directory inquiries, weather forecasts, TV show competitions, and adult chat lines. In North America, premium-rate numbers are of the form 1-900-###-#### and typically charge anywhere from 50¢ to several dollars per minute.