As hackers continually learn more sophisticated techniques, business organisations need to take appropriate steps to protect against both cyber-attacks on their web-based servers and toll fraud attacks on their business telephone systems. Failing to do so can result in the loss of personal information, exposing employees or customers to further harm, and in severe financial repercussions: not only fines, as Talk Talk recently discovered, but also the misuse of phone lines, leading to huge telephone bills.
The Information Commissioner’s Office (ICO) recently fined mobile and broadband operator Talk Talk for failing to protect the personal details of its 4 million UK customers from cyber-attack. The fine, at £400,000, is a hefty one, and the ICO said the attack could have been prevented.
Hackers used a technique known as SQL injection to access the Talk Talk customer database. In a SQL injection attack, untrusted input (for example a value typed into a web form or appended to a URL) is incorporated directly into a database query, so the attacker can change the meaning of the query: spoofing identity, reading, tampering with or destroying data, and in some cases taking administrative control of the database server. SQL injection has been publicly documented since the late 1990s and there are well-understood defences against it, chiefly parameterised queries and strict input validation. Talk Talk had already experienced two earlier attacks in which hackers used the same technique, highlighting weaknesses in the company’s web servers that were not fixed.
Not all records on the Talk Talk database were encrypted, and the hackers gained access to the personal details of around 150,000 customers: names, addresses, dates of birth, email addresses and telephone numbers. For around 15,000 of these customers the records also included bank account details.
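To make the mechanism concrete, here is an added example (not code from the original article, and not Talk Talk's software): a web page's customer lookup written two ways against a constructed in-memory SQLite table. The vulnerable version pastes the caller's input into the SQL text, so a single-record lookup becomes a dump of every row; the parameterised version binds the same input as data and returns nothing for the payload. The table, the sample records and the payload are all assumptions for the demonstration. The same string-concatenation flaw in a login query is what lets an attacker spoof identity.

```python
import sqlite3

# Constructed sample data (not any real operator's): a small customer table in
# an in-memory SQLite database, standing in for the back-end of a web page.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, email TEXT, dob TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            ("A. Customer", "a.customer@example.com", "1970-01-01", "01234 567890"),
            ("B. Customer", "b.customer@example.com", "1985-05-05", "01234 567891"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation: the caller's input becomes SQL."""
    query = (
        "SELECT name, email, dob, phone FROM customers WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the input is bound as data and cannot alter the query."""
    query = "SELECT name, email, dob, phone FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Assumed attacker input: closes the quoted string and appends an always-true
# condition, so the WHERE clause matches every customer record.
INJECTION_PAYLOAD = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("safe:      ", lookup_safe(db, INJECTION_PAYLOAD))
```

With a legitimate address both functions return the same single record; only the vulnerable one can be steered into returning the whole table, which is the bulk exposure described above.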
It is important to be aware of the vulnerabilities of any system you deal with and to take steps to protect it against hacking. This includes telephone systems, which if left unprotected are open to attack and can result in huge financial losses.
Toll fraud on telephone systems
Any business with a telephone or PBX system is at risk from toll fraud carried out by phone hackers (known as ‘phreakers’). The fraudsters hijack a PBX by guessing or brute-forcing the PIN on a voicemail box or a DISA access code (often still set to the factory default), then reconfigure the mailbox or feature to dial out for their own use. Once in, the phreakers can make outbound calls to anywhere in the world, and the cost falls to the owner of the phone line connected to the PBX from which the calls originate.
Phone phreakers are often organised criminal gangs, and some have been linked to terrorist financing. Typically they sell phone services in developing countries to customers who do not own their own phone line, and they deal in cash, which is virtually untraceable.
What you can do to protect your system:
• If out-dialling from voicemail (reaching an outside line through the voicemail system) is absolutely necessary, restrict it to the specific extensions that need it and limit the destinations they can reach.
• In the same way that you would never dream of using the word “password” as your password, be sure to change the security settings and the passwords on your telephone system from the default or factory settings.
• Change voicemail and DISA (Direct Inward System Access) passwords regularly and protect them and your access codes from unauthorised use.
• Remove or de-activate any telephone system functionality you don’t need, including remote access ports.
• Remove redundant mailboxes.
• Immediately deactivate access codes and voicemail passwords of people who leave your business.
• Keep an eye on your monthly phone bills for anything that looks unusual, such as international or premium-rate calls your business would not make, or calls placed at night and at weekends.
• Carry out regular audits of your telephone systems including privileges and restrictions.
• Restrict access to equipment and hardware and limit access to systems.
• Restrict the numbers that employees can dial, for example, bar calls to premium rate numbers, international numbers, operator numbers or Directory Enquiries.
• Implement policies and procedures to minimise risk.
• Protect yourself with a fraud monitor, which keeps a close eye on your account throughout the month and alerts you to any unusual activity as it happens.
• Programme your telephone system to lock a mailbox or access code out after three failed PIN attempts, in the same way that a cash machine blocks a card after three wrong PINs.
• Never publish the remote access phone numbers that connect callers to your voice mail system.
• Call logging, if not already in place, should be set up immediately on any system where fraud is suspected, but it needs to be professionally programmed or it may miss certain call types.
• DISA (Direct Inward System Access) is a feature no longer commonly sold, but an older office exchange may still have it present. Ensure that it is disabled.
• If your business has networked its telephone exchanges, be aware that dial-through fraud hackers could potentially ‘break out’ from one site to another via this route.
• Ensure that interactive voice response menus (Press 1 for sales, 2 for support etc.) and auto attendants offer no option that reaches an outside line.
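The bill-checking, dial-restriction and call-logging points above can be turned into an automated check on the PBX's call detail records (CDRs). The following is an added example in Python, not code from the original article or from any MF Communications product: it parses constructed CDR lines, classifies dialled numbers against the destination classes a business would normally bar (international, premium rate, operator, Directory Enquiries), flags calls placed outside business hours or originating from voicemail/DISA ports, and escalates from "alert" to "block" when one source bursts international calls. The CDR format, the UK prefixes, the port names and the thresholds are all assumptions to be adapted to your own exchange.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dialled-number classes a UK business would normally bar (assumed prefixes;
# adjust to your own dial plan). Checked in this order.
BARRED_PREFIXES = (
    ("international", "00"),
    ("premium_rate", "09"),
    ("directory_enquiries", "118"),
    ("operator", "100"),
)
BUSINESS_HOURS = (8, 19)              # 08:00-18:59, Monday to Friday
VOICEMAIL_SOURCES = ("vm-", "disa-")  # assumed port names for voicemail / DISA
BURST_LIMIT = 3                       # international calls from one source ...
BURST_WINDOW = timedelta(hours=1)     # ... within this window trigger a block

# One CDR per line: <ISO timestamp> <source extension or port> <dialled number> <seconds>
CDR_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# Constructed call records for the demonstration (not from any real PBX).
SAMPLE_CDR = """\
2016-10-10T09:12:03 ext201 02071234567 180
2016-10-10T11:40:51 ext202 07700900123 95
2016-10-10T17:55:00 ext205 0033123456789 60
2016-10-11T02:14:09 vm-port1 0025511234567 600
2016-10-11T02:20:44 vm-port1 0025511234568 540
2016-10-11T02:31:02 vm-port1 0025511234569 610
2016-10-11T02:45:19 vm-port1 0025511234570 590
2016-10-11T10:03:30 ext203 09061234567 300
2016-10-11T10:15:12 ext204 1180001 40
"""


def classify_destination(number):
    """Return the barred class for a dialled number, or 'allowed'."""
    for label, prefix in BARRED_PREFIXES:
        if number.startswith(prefix):
            return label
    return "allowed"


def outside_business_hours(ts):
    """True at weekends or outside the configured weekday hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def parse_cdr(text):
    """Parse CDR lines into (timestamp, source, destination, seconds) tuples."""
    records = []
    for line in text.splitlines():
        m = CDR_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ts, src, dst, dur = m.groups()
        records.append((datetime.fromisoformat(ts), src, dst, int(dur)))
    return records


def analyse(records):
    """Return one finding per call to a barred destination, severity 'alert' or 'block'."""
    findings = []
    recent_intl = defaultdict(list)  # source -> timestamps of its recent international calls
    for ts, src, dst, dur in sorted(records):
        dest_class = classify_destination(dst)
        if dest_class == "allowed":
            continue
        severity = "alert"
        reasons = [f"barred destination class: {dest_class}"]
        if src.startswith(VOICEMAIL_SOURCES):
            severity = "block"  # a voicemail/DISA port should never originate outbound calls
            reasons.append("outbound call originated from a voicemail/DISA port")
        if outside_business_hours(ts):
            reasons.append("outside business hours")
            if dest_class == "international":
                severity = "block"
        if dest_class == "international":
            window = recent_intl[src]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= BURST_WINDOW]
            if len(window) >= BURST_LIMIT:
                severity = "block"
                reasons.append(f"{len(window)} international calls within {BURST_WINDOW}")
        findings.append({"severity": severity, "source": src, "destination": dst,
                         "time": ts.isoformat(), "duration": dur, "reasons": reasons})
    return findings


def summarise(findings):
    """Count findings by severity."""
    counts = {"alert": 0, "block": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = analyse(parse_cdr(SAMPLE_CDR))
    for f in results:
        print(f["severity"].upper(), f["time"], f["source"], f["destination"], "; ".join(f["reasons"]))
    print(summarise(results))
```

On the sample data the daytime international, premium-rate and Directory Enquiries calls from ordinary extensions produce alerts for review, while the night-time run of international calls from the voicemail port is blocked outright. In production the "block" outcome would drive a class-of-service change or trunk bar on the PBX, and the alert path would email the designated recipients.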
Many companies are unaware of, or ignore, the risk of toll fraud attacks, with devastating financial consequences. However, complete 24-hour protection can be set up with a simple, low-cost solution.
MF Communications offer customised toll fraud protection to best suit your business needs and requirements.
Activity is monitored 24/7 and suspicious call activity is detected instantly, resulting in one of two automatic alerts: an ‘alert only’ email sent to designated recipients, or, in more severe cases, an ‘alert and block’ which prevents any further call activity until the system is reset. The emails explain why the call activity is considered suspicious. Once checked, if the call activity is legitimate, the restriction can be lifted and your business communications continue as normal.
For peace of mind, and to find out more about how MF Communications can provide 24/7 complete security against future toll fraud attacks, please email us for more information or call 01892 514687 and ask to speak to one of our UK business consultants.