Telephone fraud has been going on for a long time. It became prevalent in the 1960s, when DTMF (Dual-Tone Multiple Frequency) dialing was being introduced to replace pulse dialing from then-current rotary phones.
Crafty individuals educated themselves and fabricated handheld red, black, and blue boxes that could generate the necessary tones to alter the target phone system’s behavior. Soon they were placing calls around the globe for “free” from a local payphone. Instead of spending 30¢ per minute to talk to someone outside their dialing area, they could use that 30¢ to buy a gallon of gas, 3 cups of coffee, or 3-6 chocolate bars. In other words, long-distance telephone service was outrageously expensive.
This practice came to be known as phreaking: phone, frequency, and freak. All of the hip hackers were into it.
By the mid-1980s phone companies had pretty well eliminated access to these control tones from a normal telephone, but the computer-age was upon us. The phreaks evolved from phone-hackers into computer-hackers. Suddenly, PBX (Private Branch Exchange) systems for Enterprises changed from analog to digital and hacking PBXs became all the rage. As more companies caught on and secured their PBXs the fad faded.
Nowadays hackers are going after the PBXs in Mom-and-Pop businesses and SMBs because nobody is informing the owners about the need to secure their systems. If you think you don’t have a PBX, think again. That VoIP (Voice over Internet Protocol) service you installed is a virtual PBX.
These hackers gain access to a system without even knowing who owns it, and the strategy is to log in at night or on weekends when they assume usage is low and no one will notice. With high-speed computers they’ve been known to generate 220 minutes’ worth of phone calls per minute. In one case they hacked a taxi company and, while the hack was spotted quickly because taxis are 24-hour operations, the telephone company took 5 long hours to agree to disable the service. During that time, hackers charged up $14,000 in billing, which the victim taxi company had to pay.
How does it work?
The hackers set up a premium (1-900) phone number in another country that charges a high rate per minute. They then hack into an unguarded local PBX, placing thousands of calls per hour to their premium number. It is an incredibly easy fraud since international telephone agreements stipulate that all international telephone calls will be paid for. This must be so because the calls cost the carrier money, and denying them payment, even for carrying a fraudulent call they are unaware of, would compromise the whole international billing system.
And who pays? The owner of the Hosted PBX system, of course! This is usually a condition upon which they can possess a PBX system in the first place and must agree to pay for all calls generated by it.
What can I do?
Protect yourself. First of all, as you can see from the above example, there’s very little incentive for the telephone company to help you when you’re PBX has been hijacked. They’re making a great deal of money so any forthcoming solutions may be slow.
There are a number of simple steps you can take. First, limit the number of administrator accounts to your Hosted PBX system and change those passwords often. People are often the weakest security link, so train them accordingly. Restrict access to international calls and toll service calls, if possible. Make sure your system is secured with multiple redundancies and 24/7 monitoring through a reputable provider that actually staffs experts to watch the performance of your network, day and night.
Surprisingly, there are no laws to protect you against telephone fraud in the same way you are protected against credit card fraud. Assuming something like that is in place to protect you is just the first step on the road to financial ruin. If someone runs up a quarter of a million dollars in telephone bills on your system one weekend, you are going to have to pay.
Take some time today to talk to your IT specialists to find out how your PBX is protected. Consult with your Hosted PBX VoIP provider to make sure strategies are in place to protect you. And most of all, think about your reputation since most of these Premium telephone numbers are identified with fun names like ‘Hot Sex’ and ‘Psychic Hotlines’.
Wait until the newspapers get a hold of that!