What you ought to know about VoIP Fraud

VoIP Communication is a common feature in corporate and personal life nowadays.  Most large concerns use it as a matter of course as part of their corporate integrated communications platform.

In the past, communications costs were inflated by unauthorised calls and other activities designed to get around telephone security policies. It’s no different today in VoIP Communications.  People still try to make unauthorised calls inside the organisation, and people try to hijack the company communications networks to make their calls.  Nothing really new, except that it’s now digital.

The first thing to do is to define VoIP fraud.

Simply put, VoIP Fraud is the unauthorised use of communication services resulting in a benefit to the fraudster and an unexpected cost to a third party.  The third party could be a service provider or the customer.

Many VoIP frauds are a continuation of a previous PSTN analogue fraud, but with a digital flavour. Some, because of the new technologies, are entirely new. Some use hacking techniques, but the bottom line is that someone is attempting to gain a financial advantage at someone else’s expense.

Fraud Types

Call Transfer Fraud

In PSTN days it was possible to break into a telephone junction box, and then physically connect a handset to someone’s phone line.  The fraudster could then make international calls, charge an unsuspecting caller a fee, and have the bill ultimately paid by the real owner of the line.

The digital equivalent is where a hacker penetrates a VoIP PBX. In a similar way to that of PSTN days, the fraudster then offers callers discounted international calls. The calls go through the hacked PBX and are essentially free until they need to break out at the far end. The unsuspecting PBX owner is later presented with a bill by the foreign VoIP operator.

Usually, the hacker will get away with this since it will take some time for the fraud to come to light.  It is also difficult to pursue the matter across international boundaries.

Revenue Sharing Schemes

Many service providers operate a scheme whereby companies can charge a premium call rate for calls to numbers that offer specialised services. The income from these calls is usually shared between the two service providers. The fraud is usually that the basic service provider gets no income from the premium rate service provider.

Call Forwarding

A variation on the revenue sharing fraud is to forward a call that is supposedly to a local number on to an international number. This inflates revenue sharing income at the cost of the unsuspecting caller and service provider.

Value-Added Services

A fraud that depends on the digital world is that of unauthorised subscriptions to value‑added services. Often smart device users want to use different ringtones, listen to music and watch media clips which they download to their device.

Although this is not, strictly speaking, a VoIP fraud, the caller who uses these services unwittingly signs up for a monthly subscription service charged to their VoIP number. If the caller uses a corporate phone account, the costs, which can be substantial, accrue to the company.

How to Limit VoIP Fraud

Remember, in a VoIP system, credentials are linked to an individual, not a handset. In the past, you could borrow the manager’s phone to make an unauthorised long-distance call. No more.

Make sure that all users of your corporate VoIP system have valid credentials. Thereafter assign call limits to individuals and groups of individuals.   For example, if you have no need in your organisation to make international calls, block all international calls.

Other things:

  • Change the default credentials on your PBX.  It is surprising how many don’t, making it easy for hackers to break into your PBX.  They often do a network search looking for the default credentials. If they find a PBX, the games are on.
  • Make sure that your corporate network security policies include your VoIP system and PBX.  Remember that a VoIP system is a digital network system just like the rest of your server environment.  Apply appropriate security measures.
  • Make sure that your VoIP service provider is equally secure so that hackers cannot gain admin privileges to your and other VoIP systems.  Some have been seriously compromised in the past.
  • User Education.  Include VoIP aspects as part of your overall programme to educate your users against malware and hacking attacks. Hackers use social engineering techniques to find out user credentials.
  • Proactive Measures
    • Be vigilant with regular audits. Review usage logs for unusual activity.
    • Consider carrying out a penetration test on your PBX once in a while.
  • Compliance.  Sometimes security is not an option where confidentiality of information is a legal requirement.  Compliance is often good due diligence.
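As an added illustration (not part of the original article), the per-user call limits and the log review recommended above can be combined into a small audit over call detail records. The record layout, dial-plan prefixes, extensions and limits are assumptions made for this example, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (not real data): start time, extension, dialled number, seconds.
SAMPLE_CDR = """start,extension,dialled,seconds
2024-03-04T10:15:00,201,02079460000,180
2024-03-04T11:02:00,202,0012125550100,300
2024-03-05T02:11:00,305,0088212345678,1500
2024-03-05T02:14:00,305,0088212345679,1620
2024-03-05T02:20:00,305,0088212345680,1710
2024-03-05T09:30:00,201,09011234567,60
"""

# Assumed site policy; adjust to your own dial plan.
INTL_PREFIX = "00"             # international access code
PREMIUM_PREFIXES = ("09",)     # premium-rate ranges in this dial plan
INTL_ALLOWED = {"202"}         # extensions permitted to dial abroad
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time
DAILY_INTL_LIMIT = 3600        # seconds of international talk time per extension per day


def audit(cdr_text):
    """Return a sorted list of (extension, reason) findings."""
    findings = set()
    intl_seconds = defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ext, number = row["extension"], row["dialled"]
        start = datetime.fromisoformat(row["start"])
        if number.startswith(PREMIUM_PREFIXES):
            findings.add((ext, "premium-rate call"))
        if number.startswith(INTL_PREFIX):
            if ext not in INTL_ALLOWED:
                findings.add((ext, "international call without permission"))
            if start.hour not in BUSINESS_HOURS:
                findings.add((ext, "international call outside business hours"))
            # Accumulate talk time per extension per day for the limit check.
            intl_seconds[(ext, start.date())] += int(row["seconds"])
    for (ext, _day), total in intl_seconds.items():
        if total > DAILY_INTL_LIMIT:
            findings.add((ext, "daily international limit exceeded"))
    return sorted(findings)


if __name__ == "__main__":
    for ext, reason in audit(SAMPLE_CDR):
        print(ext, reason)
```

Extension 305 in the sample shows the pattern typical of a hijacked PBX: repeated long international calls in the small hours from an account that has no reason to dial abroad.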

These examples of VoIP fraud are just a few of the ways in which increasingly sophisticated fraudsters try to separate corporates and individuals from their hard-earned money. Likewise, the recommendations above are just a few of the ways to thwart them.

What Is Telephony Denial of Service and How to Prevent It

Most, if not all, large businesses use VoIP as their prime communications medium, usually because of the cost and functionality benefits it confers. As the market has developed, the ability to adopt a VoIP solution has extended to smaller businesses. However, as with other IT areas, VoIP has attracted the attention of miscreants, thieves and hackers intent on stealing information and disrupting business operations.

A new discipline, VoIP Security, has grown up to counteract these efforts.

In the larger IT environment, one particular thorn in the flesh has been Denial of Service (“DoS” or “DDoS”) attacks. These are intended to prevent normal communication with the organisation’s systems and services by flooding the organisation’s IT interfaces with large amounts of data, preventing authorised traffic from getting through. In a cloud environment, or for an Internet-based sales or service provider, this could be fatal.

It has happened, and in a big way. In March of 2019, the VoIP systems of TelePacific were subject to a DDoS attack which brought them down.

DDoS Attack

The DDoS attack came from the Internet in the form of a large number of invalid VoIP registration requests. The outcome of the attack was large-scale service disruptions for a few days in late March when the usual daily level of 34 million requests for VoIP connections suddenly dramatically increased to 69 million and flooded the TelePacific systems, removing the ability to place calls.

It cost the company several hundred thousand dollars in customer credits. When the dust had settled, the services provider, a facilities and services company based in California and Nevada, boosted its security measures to mitigate against a similar DDoS attack in the future.

For this and other unreported attacks, VoIP Security now needs to consider how to detect and prevent DDoS attacks on the organisation’s voice and video communications systems.

The first step is to define what a DDoS attack in the communications environment is. Once we know what it is, we can then develop countermeasures.

DDoS in the VoIP Environment

The first thing to understand is that the IP protocols used by VoIP systems are exactly the same as, and have the same weaknesses as, the wider network IP protocols, which incidentally weren’t designed to support voice and video.

As a result, DDoS attacks in the VoIP environment have exactly the same intent and techniques as general DDoS attacks – denial of service. Because VoIP uses the same communications protocols as other network traffic, many general DDoS exploits can be easily applied to VoIP systems.

It is important to consider DDoS as one of many potential security risks that could arise in a VoIP environment, and to recognise that a properly set up VoIP security environment will guard against most DDoS attacks.

There are general security weaknesses that need to be addressed:

  1. Spam, or in the VoIP world, Spam over Internet Telephony (“SPIT”);

    A real problem, and an increasing one in the VoIP world. Large volumes of SPIT can act as a form of DDoS attack, flooding the phone system and preventing normal communications. SIP connections are particularly vulnerable to being clogged with SPIT.

  2. Spoofing, or in general attempts to steal data; and

    While not strictly speaking DDoS relevant, spoofing can be used as part of a DDoS attack to mask the origin of the attack, and to provide cover while an attempt is made to steal data.

  3. Authentication.

    All networks, including VoIP networks, need authentication to prevent unauthorised access and potential misuse and theft of information. Rejecting unauthenticated traffic can go some way to reducing the DDoS traffic clogging up the system.

DDoS and VoIP Security

A general security profile that will mitigate against most DDoS attacks is made up as follows:

  1. Separate voice and data traffic. This can help to stop attacks on the general systems leaking over into the VoIP systems. A DDoS attack on the general system may not incapacitate the VoIP system, though it will be affected.   Use encryption and VPN as part of the authentication environment. You may need a separate Internet connection purely for VoIP traffic.
  2. If you are a small business, the temptation is to buy cheap and cheerful hardware and software. Don’t: these systems are often very insecure and can provide an easy entry point into your systems.
  3. Use encryption and VPNs on your VoIP network. Many proprietary systems from major manufacturers already require the use of VLANs and natively support encryption. You should also definitely use encryption if you run VoIP between buildings and remote sites.

Technical considerations will also include:

  1. Opening only those server and router ports and activating only those services needed to support VoIP.
  2. Restricting access to VoIP servers to systems administrators.
  3. Logging and monitoring all access to the server.
  4. Implementing an intrusion detection system to detect any attempts, malicious or otherwise, to gain entry to the VoIP network.
  5. Implementing a defence-in-depth security strategy. It should include multiple layers, incorporating dedicated VoIP specific firewalls.
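An added example, not part of the original article: a minimal detector for the kind of invalid-registration flood described in the TelePacific incident, of the sort the logging and intrusion-detection items above call for. The event tuples, addresses and thresholds are constructed assumptions; a 401 followed by a 200 is treated as a normal digest login, so only sources that keep failing are flagged.

```python
from collections import defaultdict, deque


def sample_events():
    """Constructed sample: (epoch seconds, source IP, SIP status returned to a REGISTER)."""
    # Two legitimate phones: challenged with 401, then registered with 200.
    events = [(0, "198.51.100.7", 401), (1, "198.51.100.7", 200),
              (30, "198.51.100.8", 401), (31, "198.51.100.8", 200)]
    # One source sends 40 REGISTERs in 40 seconds and never authenticates.
    events += [(10 + i, "203.0.113.50", 401 if i % 2 else 403) for i in range(40)]
    return sorted(events)


WINDOW = 60        # sliding window in seconds
MAX_FAILURES = 20  # failed REGISTERs tolerated per source per window (assumed)
BASELINE = 10      # normal REGISTERs per window for this site (assumed)
SURGE_FACTOR = 2   # alert when total volume doubles, as it did in the incident


def detect(events):
    """Return (sorted sources to rate-limit or block, True if total volume surged)."""
    recent = deque()               # timestamps of all REGISTERs inside the window
    failures = defaultdict(deque)  # source -> timestamps of consecutive failures
    flagged, surged = set(), False
    for ts, src, status in events:
        recent.append(ts)
        while recent[0] <= ts - WINDOW:
            recent.popleft()
        if len(recent) >= BASELINE * SURGE_FACTOR:
            surged = True
        if 200 <= status < 300:
            failures.pop(src, None)  # a successful login clears the failure history
            continue
        q = failures[src]
        q.append(ts)
        while q[0] <= ts - WINDOW:
            q.popleft()
        if len(q) > MAX_FAILURES:
            flagged.add(src)
    return sorted(flagged), surged


if __name__ == "__main__":
    print(detect(sample_events()))
```

Counting 401 responses alone would flag every legitimate phone, because the first REGISTER of a digest login is always challenged; resetting the counter on success avoids that.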

While it is not possible to defend entirely against DDoS and other malicious attacks against VoIP systems, common sense and the application of standard network security will go a long way towards mitigation and prevention.

How to protect VoIP from scammers

VoIP for Business provides a range of benefits, including substantial cost-savings that make it a must-have for most businesses.  However, as with most IT advances, VoIP has attracted the dark side of the developers.   Hackers and scammers are using VoIP for Business as a way to steal data and execute hacking exploits.

As with other types of malware attacks, businesses need to be aware of how these exploits are executed and what preventative measures they can take.

The first thing to understand is that most successful hacking attacks work by getting users to provide sensitive information. Scammers are becoming more sophisticated, and they are increasingly using VoIP to steal personal and company data or just cause mischief.

Reasons why Cloud VoIP can help your Business

The benefits that VoIP for Business can bring to your business are undeniable. Add to that Cloud VoIP, hosted or on-site, and you have a winning combination that can add significantly to your business profile.

Depending on the size of the business, either implementation can be applicable.  However, having said that, a cloud-based approach can fit more easily with an existing cloud-based environment, either on‑site or hosted.

Before choosing a particular approach, it is best to consider firstly whether on-site or hosted VoIP is better suited to the business, and secondly, whether a Cloud-based architecture is appropriate.

VoIP Security: Identifying and defending your system from vulnerabilities

First we had viruses, then rootkits, now we have ransomware. One thing is certain: the next bit of malware technology is currently under development and will be with us soon. Even systems like VoIP are under attack and are being used as portals to gain access to corporate information.

What kind of threats are currently being seen in VoIP systems and how are they to be countered? 

The first thing to understand is that, because VoIP is based on IP technologies, it is vulnerable to all the malware and attack techniques that are inflicted on IP networks. The second is that VoIP goes over the Internet, and while you can contain and manage IP security in your internal closed corporate network, you are at the mercy of third-party service providers of varying quality in their security systems. The third, and one often forgotten, is that all devices in the VoIP network are IP devices and are therefore vulnerable to all the threats found with other IP devices. That must be factored into the overall data and voice protection scenario.