Fraud Awareness and Prevention (PBX)
RingSquared attempts to notify customers when our NOC suspects or detects fraudulent activity; however, RingSquared is not responsible for identifying fraud. RingSquared encourages customers to review the methods used to identify fraudulent activity originating from their locations and to secure their PBX systems against hacking. Since the financial liability falls on you and your customers, please use the following information as a resource for your business customers whose systems could be vulnerable.
PBX Fraud Educational Information
Telephone Hackers Hit Where It Hurts: Your Wallet
Telephone hacking is unauthorized or fraudulent activity that affects your telephone system and can cost your business significant amounts of money and resources. Unfortunately, most of the time the owner of the PBX is not aware of the hacking until an enormous bill arrives from the provider or malicious events start occurring through the phone system.
Why does hacking occur?
Telephone hackers can infiltrate vulnerable PBX systems to make international and long distance calls, listen to voice mail or monitor conversations. Victims of hacked PBX systems unknowingly allow the hackers to “sell” the use of their telephone system to others, or give the hackers an opportunity to maliciously reprogram the system.
How do hackers gain access?
Typically, hackers gain unauthorized access through the PBX’s maintenance port, through voice mail (if voice mail can be accessed remotely) or through the Direct Inward System Access (DISA) feature of the PBX.
Most PBXs today are software driven and, when configured improperly, allow hackers to access the system remotely. PBX administrators usually manage the system through a maintenance port, often dialing in from their remote service centers via modem. By taking control of this maintenance port, hackers can change the call routing configuration and passwords, delete or add extensions, or shut down the PBX, all of which adversely impact business operations.
Some voice mail systems can be accessed remotely and programmed to make outbound calls. Hackers use this feature to forward calls to a “phantom” mailbox that returns a dial tone, allowing them to make calls from anywhere on your business account. Hackers can also gain access to your mailbox to listen to your messages, change your greeting or delete your messages.
DISA is a feature that lets remote users reach an outside line through the PBX by entering an authorization code. It is useful for employees who travel frequently, make many long distance calls, or need to join international conference calls after business hours. By gaining access to this feature, hackers can seize an outside line and make toll calls at your business’s expense.
What can reduce my chances of being hacked?
Although no system is 100 percent protected, a properly secured telephone system is the best way to prevent telephone hacking and to mitigate the potential damage and cost to your business. The following industry best practice guidelines, if followed, can help reduce the risk of telephone hacking.
Best Practices for Securing Your PBX System, Voice Mail and VoIP System
- Contact your equipment vendor immediately and have a proactive discussion on PBX and voice mail security.
- Familiarize yourself with the dangers of telephone hacking and the financial exposure you have to your toll provider.
- Educate staff that utilize your PBX on security procedures and ensure they have an appreciation for the importance of adhering to set procedures.
- Establish an after-hours contact protocol so that the appropriate personnel can be notified promptly.
- Take time to evaluate your current settings and disable any features that are not in use.
- Do not use any default codes and passwords that come preconfigured in PBX and/or voice mail system. Be sure to change those settings as soon as possible after the PBX is installed and update them regularly.
- Choose random, lengthy passwords.
- Force password and authorization code changes for employees periodically.
- Ensure that only trusted system administrators know the administrator password and be sure to change passwords as soon as possible after any staffing changes.
- Do not keep extensions active for former personnel or positions. If there are staff changes, cancel the associated extension, including any associated features, access rights (i.e. LD/IDD), codes and passwords.
- Limit the number of failed login attempts before the account is locked out.
- Confirm no unauthorized or additional passwords exist in the system.
- Confirm that no easy, simple, common or repetitive passwords or account codes are used in your system (e.g. 11111).
- RingSquared can provide international account codes on your route. RingSquared can specifically set it up to have codes for either your domestic long distance or international calling.
Direct Inward System Access or DISA
DISA allows someone calling in from outside the PBX to obtain an “internal” system dial tone and dial calls as if from one of the extensions attached to the telephone switch.
- Disable DISA if possible; if it must remain enabled, require strong authorization codes.
- Limit the DISA access number and authorization codes to only those employees who have a real need for the feature.
- If possible, ensure the first few digits of the DISA access number differ from those of your main voice lines.
- Disable the external call forwarding feature in voice mail, unless it is absolutely required.
- Remove/lock any inactive mailboxes.
- Lock out mailboxes after three unsuccessful password attempts.
- Disable Outbound Transfer/Dial/Pool Access in the administrative programming (Class of Service, COS) for each mailbox.
- Require ALL users to change their voice mailbox passwords to 6 or 8 digit non-trivial passwords. This includes Administrative, General Delivery and System Manager Mailboxes.
- Deactivate unused features.
- Restrict message notification or out-dialing on voice mail boxes.
- Set up restriction filters and apply them to voice mail ports/directory numbers (DNs).
- Restrict/block international or long distance destinations to which your company does not require access. This can be blocked in the PBX and at the local switch and long distance switch.
- Restrict/block access to operator services.
- Block 1-900, 1-976 and 101XXXX (including 1010XXX) carrier access code casual dialing within the PBX/voice mail system.
- Block third-party/collect calls against the PBX DNs.
- When an extension is no longer required, it should be canceled, along with associated features and access rights such as LD/IDD.
- Disable “Allow Redirect” option for all handsets.
- Do not allow remote access until confident it is secure.
- Set up restriction filters and apply them to lines, and/or set up COS passwords for the users who must bypass restrictions.
- Make sure systems are upgraded to the latest patches.
- Disable remote access to any maintenance ports/modems.
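The password and authorization code rules above (no default, common, repetitive or sequential codes; nothing shorter than the 6 or 8 digits required for mailbox passwords; nothing tied to the extension) are easy to state and tedious to check by hand across a mailbox export. The following is an added example, not RingSquared's or any PBX vendor's tool: a screening script that applies those rules. The minimum length of 6, the list of common codes, the year heuristic and the sample mailbox export are assumptions constructed for illustration; extend COMMON_CODES with the defaults documented for your own system.

```python
"""Screen voice-mail PINs and authorization codes for the weak choices described above.

Added example, not a vendor's or RingSquared's tool. The minimum length (6) and the
"trivial code" heuristics follow the guidance on this page; the list of common
codes and the sample mailbox export are constructed for illustration.
"""
import re

MIN_LENGTH = 6  # the page asks for 6 or 8 digit non-trivial voice mail passwords

# Assumed: codes commonly left in place or chosen first; extend with your vendor's defaults.
COMMON_CODES = {"123456", "654321", "111111", "000000", "112233", "1234567", "12345678"}

YEAR_RE = re.compile(r"^(19|20)\d\d|(19|20)\d\d$")  # heuristic: birth years / dates


def is_sequential(code: str) -> bool:
    """Ascending or descending runs such as 123456, 987654 or 890123 (wraps past 9)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return steps in ({1}, {9})


def is_repetitive(code: str) -> bool:
    """One digit repeated (111111) or a short pattern repeated (121212, 201201)."""
    for size in range(1, len(code) // 2 + 1):
        if len(code) % size == 0 and code[:size] * (len(code) // size) == code:
            return True
    return False


def check_code(code: str, extension: str = "", min_length: int = MIN_LENGTH) -> list:
    """Return the reasons a PIN/authorization code is unacceptable; [] means it passes."""
    if not code.isdigit():
        return ["must contain only digits"]
    problems = []
    if len(code) < min_length:
        problems.append(f"shorter than {min_length} digits")
    if code in COMMON_CODES:
        problems.append("common or default code")
    if is_repetitive(code):
        problems.append("repeated digit or pattern")
    if is_sequential(code):
        problems.append("sequential digits")
    if extension and (extension in code or extension[::-1] in code):
        problems.append("contains the extension number")
    if YEAR_RE.search(code):
        problems.append("starts or ends with a year")
    return problems


def audit_mailboxes(mailboxes: dict) -> dict:
    """Map each failing extension to its problems, given an extension -> PIN export."""
    results = {ext: check_code(pin, ext) for ext, pin in mailboxes.items()}
    return {ext: problems for ext, problems in results.items() if problems}


# Constructed sample export of mailbox PINs (extension -> current PIN).
SAMPLE_MAILBOXES = {
    "201": "201201",    # extension repeated twice
    "204": "11111",     # the page's own example of a trivial code, and too short
    "207": "482917",    # acceptable
    "210": "123456",    # common and sequential
    "218": "865309",    # acceptable
    "300": "20240101",  # date-like
}

if __name__ == "__main__":
    for ext, problems in audit_mailboxes(SAMPLE_MAILBOXES).items():
        print(f"mailbox {ext}: {'; '.join(problems)}")
```

Run the same check_code function when issuing DISA authorization codes and administrator passwords, not only mailbox PINs; the rules on this page apply to all three.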
If your customer premises equipment is improperly configured, unfiltered inbound SIP traffic from the Internet can pass through your IP network/PBX and out of your SIP trunk group. This allows Internet-based hackers to obtain local dial tone from the IP PBX/SIP trunk group without your knowledge.
- Contact your equipment vendor about running a security audit of your IP systems.
- Check the status of your firewall and/or other call processing software for errors or tampering with the setup.
- Verify the configuration of your IP PBX to ensure that WAN traffic is isolated from the SIP trunk solution.
- Block Internet WAN traffic from reaching the gateway on the SIP port (5060, TCP and UDP); if your SIP trunk is delivered over the Internet, allow SIP only from your provider’s addresses.
- Familiarize yourself with your business’ call patterns and monitor them regularly.
- Look for any suspicious call activity after hours, including weekends and public holidays.
- Invest in call accounting software or station message detail recording to review internal extensions for abnormal activity.
- Treat all internal directories, call logging reports and audit logs as confidential. Shred them when no longer needed.
- Review the call detail on monthly invoices and report anything suspicious.
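Call accounting or SMDR/CDR output is only useful if someone reviews it against the patterns listed above: after-hours and weekend activity, destinations the PBX should already block (1-900/1-976, carrier access codes, operator services), and bursts of calls from a single extension. The script below is an added example, not RingSquared's or any vendor's software, that runs those checks over CDR records. The record layout (timestamp, extension, dialed digits, duration in seconds), the business hours, the holiday list, the burst threshold and the sample records are all constructed assumptions; real SMDR formats differ by PBX vendor, and the destination classes assume North American (NANP) dialing.

```python
"""Review CDR/SMDR records for the toll-fraud indicators described on this page.

Added example, not RingSquared's code. The CDR layout (timestamp, extension,
dialed digits, seconds) and the sample records are constructed; the destination
patterns assume NANP dialing from the PBX.
"""
import re
from collections import Counter
from datetime import date, datetime, time

# Constructed sample records: "YYYY-MM-DD HH:MM:SS,extension,dialed,duration_seconds".
SAMPLE_CDR = """\
2024-03-12 09:15:02,201,12125551234,184
2024-03-12 14:02:41,204,18005550199,62
2024-03-16 02:13:08,218,0114420701234567,1320
2024-03-16 02:14:50,218,0114420701234567,1410
2024-03-16 02:16:01,218,0114420701234567,1380
2024-03-16 02:17:30,218,0114420701234567,90
2024-03-16 02:18:44,218,0114420701234567,1275
2024-03-14 23:40:17,210,19005550123,420
2024-03-13 10:05:00,207,101032112125550100,45
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed; set to your own schedule
HOLIDAYS = {date(2024, 3, 29)}              # assumed public holidays
BURST_THRESHOLD = 5                          # after-hours calls from one extension

PREMIUM_RE = re.compile(r"^1?(900|976)\d{7}$")  # 1-900 / 1-976 pay-per-call
CARRIER_CODE_RE = re.compile(r"^101\d{4}")      # 101XXXX dial-around carrier codes
INTERNATIONAL_RE = re.compile(r"^011\d+$")      # 011 + country code + number
OPERATOR = {"0", "00"}


def classify_destination(dialed: str) -> str:
    """Map dialed digits to the destination classes the restriction rules talk about."""
    digits = re.sub(r"\D", "", dialed)
    if digits in OPERATOR:
        return "operator"
    if CARRIER_CODE_RE.match(digits):
        return "carrier_access_code"
    if PREMIUM_RE.match(digits):
        return "premium"
    if INTERNATIONAL_RE.match(digits):
        return "international"
    return "domestic"


def is_after_hours(when: datetime) -> bool:
    """Weekends, listed holidays and anything outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return (when.weekday() >= 5 or when.date() in HOLIDAYS
            or not (start <= when.time() < end))


def parse_cdr(text: str) -> list:
    """Parse the assumed CSV layout into dicts with a parsed timestamp and class."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, dialed, secs = (field.strip() for field in line.split(","))
        records.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ext": ext, "dialed": dialed, "seconds": int(secs),
                        "class": classify_destination(dialed)})
    return records


def review_cdr(text: str) -> list:
    """Return (indicator, extension, detail) tuples for records that need a human look."""
    findings = []
    after_hours_per_ext = Counter()
    for r in parse_cdr(text):
        stamp = r["when"].strftime("%Y-%m-%d %H:%M")
        if r["class"] in ("premium", "carrier_access_code", "operator"):
            # These should never reach the trunk if the PBX restriction filters are in place.
            findings.append(("blocked_destination", r["ext"],
                             f"{r['class']} call to {r['dialed']} at {stamp}"))
        if is_after_hours(r["when"]):
            after_hours_per_ext[r["ext"]] += 1
            if r["class"] == "international":
                findings.append(("after_hours_international", r["ext"],
                                 f"{r['dialed']} for {r['seconds']}s at {stamp}"))
    for ext, n in after_hours_per_ext.items():
        if n >= BURST_THRESHOLD:
            findings.append(("after_hours_burst", ext, f"{n} after-hours calls"))
    return findings


if __name__ == "__main__":
    for kind, ext, detail in review_cdr(SAMPLE_CDR):
        print(f"{kind:26} ext {ext}: {detail}")
```

Any "blocked_destination" finding means a restriction filter is missing or has been changed, which is itself a sign the PBX may have been reprogrammed; treat it as a configuration incident, not just a billing question.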
Equipment Room Access
- The PBX system should be kept in a secured location to which only authorized users have access.
- Verify the identity of any technician who requests access to your PBX equipment.