The Loop / December 2008

BT Wholesale
 
The Loop - The Industry talk that you really want to hear

Fraudsters return to Dial Through Fraud/PBX Hacking: 15 Top Tips to help beat off attacks

As if all the panic headlines weren't enough, now there's another worrying threat for business owners to lose sleep over.

The spectre of 'Dial Through Fraud' or PBX Hacking is back to haunt Communications Providers and their customers as fraudsters resuscitate this once-favoured method of making money.

What's at risk with Dial Through Fraud (DTF) is customer equipment that lets employees dial in and enter special codes to get an outside line. Hackers hit their victims by cracking the protection around these codes, which lets anyone log in and make unlimited calls to virtually any destination they choose at the company's expense.

Judy O'Keefe, BT Wholesale's Head of pan BT Financial Risk and Revenue Protection, comments: "We're keen to help our customers and their end-users to protect themselves against this call minute theft. We know that it can often be difficult to identify the perpetrators - and almost impossible to recover the money you've lost. So the emphasis has to be on making business customers aware of the risk - and then on helping them to take the right preventative action."

As a key starting point, there's a free service from BT Wholesale to help customers to spot unusual call traffic or calls to odd destinations. This service gives you access to un-priced Call Data Records (CDR) files six times a day and to rated billing CDR files once a day, 365 days a year. This data is available through our Data Exchange and Distribution Server (DEDS).

Use this checklist of 15 Top Tips to help your business customers guard against the risks of DTF:

  1. Remove or de-activate all unnecessary system functionality including remote access ports. If you must have the latter, protect them with strong authentication techniques such as smartcards or tokens.
  2. Restrict the numbers that employees can dial: for example, bar calls to premium rate numbers, international numbers, operator numbers or Directory Enquiries.
  3. Review your PBX call logging/reporting records regularly to spot any increases in call volumes or calls to suspicious destinations.
  4. Bar voicemail ports for outgoing access to trunks if you can. Change your voicemail and DISA (Direct Inward System Access) passwords regularly and don't use the factory defaults or obvious combinations such as 1234 or the extension number.
  5. If access to trunks via voicemail is vital, then introduce suitable controls. Remove Auto Attendant options for accessing trunks too.
  6. Lock any surplus mailboxes until you have a user for them.
  7. Not using DISA? Then disable it completely.
  8. Restrict access to your core comms equipment, such as your comms room or master terminals.
  9. Only give individuals the appropriate and minimum level of system access they need to carry out a specific task.
  10. Change your security features (passwords, PINs etc.) and reset the password defaults whenever you install, upgrade, repair or maintain equipment.
  11. Treat all internal directories, call logging reports or audit logs as confidential. Destroy them securely when they're no longer needed.
  12. Avoid using tones to prompt for password/PIN entry: hackers find it easy to duplicate them.
  13. Implement formal processes to cover employee entry procedures, the issuing of passcards, the vetting of new employees and when people change jobs or leave. For the latter, remember to revoke any access they might have had to your systems, mailboxes or buildings.
  14. Review your system security and configuration settings regularly. Follow up any vulnerabilities or irregularities promptly.
  15. Be vigilant against bogus callers: people who pose as a company employee and ask to be connected to a switchboard operator to get an outgoing line.
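
The regular review in tip 3, and the CDR files mentioned earlier, can be checked automatically. The Python below is an added example, not BT Wholesale's tooling or the DEDS file format: it reads constructed call records in an assumed CSV layout, classifies dialled numbers by the UK prefixes for the destination types in tip 2, and reports out-of-hours calls and heavy daily volume to those destinations per extension. The working hours (07:00 to 19:00, weekdays) and the 30-minute daily limit are assumed thresholds.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# UK dialling prefixes for the destination types named in tip 2.
RESTRICTED = (("00", "international"), ("09", "premium rate"),
              ("118", "directory enquiries"), ("100", "operator"))

# Constructed records. Assumed layout (not the DEDS format); dialled
# digits are assumed to be as sent to the network, without a trunk code.
SAMPLE_CDRS = """start,extension,dialled,seconds
2008-12-01 10:02:11,2104,02079460001,180
2008-12-01 11:15:00,2117,0015555550100,240
2008-12-06 02:14:09,2999,0015555550101,3400
2008-12-06 02:15:30,2999,0015555550102,3550
2008-12-06 02:16:02,2999,09098790003,3600
"""

def classify(dialled):
    """Return the restricted destination type for a number, or None."""
    for prefix, label in RESTRICTED:
        if dialled.startswith(prefix):
            return label
    return None

def out_of_hours(start, open_hour=7, close_hour=19):
    """True for weekends and for times outside the working day."""
    return start.weekday() >= 5 or not open_hour <= start.hour < close_hour

def review(cdr_text, daily_limit_seconds=1800):
    """Return sorted (extension, date, reason) findings for follow-up."""
    findings = set()
    totals = defaultdict(int)  # (extension, date) -> restricted seconds
    for row in csv.DictReader(io.StringIO(cdr_text)):
        kind = classify(row["dialled"])
        if kind is None:
            continue
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        key = (row["extension"], start.date().isoformat())
        totals[key] += int(row["seconds"])
        if out_of_hours(start):
            findings.add(key + ("out-of-hours " + kind,))
    for key, seconds in totals.items():
        if seconds > daily_limit_seconds:
            findings.add(key + ("restricted volume over limit",))
    return sorted(findings)

if __name__ == "__main__":
    print(*review(SAMPLE_CDRS), sep="\n")
```

In the sample, only extension 2999 is reported: it makes long international and premium rate calls in the early hours of a Saturday, the pattern a surplus mailbox or DISA port left open would produce.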

 


To find out more about our free service for detecting unusual call traffic, contact your BT Wholesale account management team.

WLR Service Provider? Pass traffic via Wholesale Calls? Help to protect yourself and your customers by taking advantage of our SPHUR reporting tool.

© British Telecommunications plc 2010