Justin Cornish, VoIP Innovations Technical Services Representative
One of our Technical Services Representatives, Justin Cornish, has written a fantastic article on the importance of VoIP security. Continue reading below to find out what you can do to protect yourself!
You are rudely awakened at 4 A.M. by a call from an irate client stating that none of their calls are going through. Taking a quick peek at logging, you find roughly 100,000 calls placed since midnight to high cost destinations. As calls begin steadily flowing in regarding interrupted service, you commence a frantic ‘red-alert’ search for the cause of the issue in order to shut it down. Sadly, the damage has already been done, and now you are stuck with a bill of possibly thousands of dollars of fraudulent traffic (roughly $3000 being the low end average of a single event). You have been an unfortunate victim of a sad common practice known as International Revenue Sharing Fraud (IRSF).
One of the most common questions we see in regards to this sort of occurrence is “Why me?” Unfortunately, it isn’t just you. A rough estimate of about $40 Billion per year has been reported in reference to VoIP fraud. As networks steadily become larger and more complex, security of these networks becomes exponentially more complex and sadly, insufficient.
What is widely assumed to be some misunderstood teen sitting in Mom’s basement with nothing better to do (at least in this author’s humble outlook), is actually a much more elaborate scheme. In short, the assailant (hacker) strikes a deal with a local carrier in a high cost area such as many international mobile numbers and satellite phones. The deal being that if the hacker can successfully increase the traffic to that area (traffic pumping), he or she nets a percentage of the profits. Effectively turning your money, into their money, without breaking a sweat. And, as the calls cross international lines, it becomes all but impossible to track from a legal standpoint, leaving all involved parties to pack up and start scoping the next victim before the previous one is even aware of the issue.
As cliché as it may seem, the best approach regarding this sort of VoIP Security occurrences is that of a proactive one. Stop the attempt before it starts. With larger networks, it is nearly impossible to protect each and every access point. This is especially difficult for retail providers, wherein clients gain access through a variety of devices. Often the intrusion occurs at the smallest and regularly weakest point. Analog Telephone Adapters (ATAs) phones are time and again the simplest to crack. Not necessarily by design, but in practice. Setting the passwords for such devices to match the extension number, or something along 0000, 1111…, 9999 is common and extremely inadvisable.
This includes voicemail passwords. Recent studies show a voicemail password of 1234 covers almost five percent of all VM passcodes. Once a hacker locates such a device with an easily guessed password, he or she simply calls that number, leaving a voicemail with the handy ‘leave a call back number’ feature. Then logging into the device, they call back the IRSF number as many times as possible, for as long as possible. In this instance, as the call originates from the end user’s handset, the hacker is nearly impossible to detect.
Another common access point for hackers is via SIP phones connected to a Private Branch eXchange (PBX). Often, these SIP phones reside on the public internet and are frequently devoid of any sort of VoIP security measures. Similar methods of initiating the call fraud ensue, leaving the end user to foot the bill and working with local law enforcement in order to track down the criminals.
Often carriers or service providers have available options for international dialing. Such as denying it outright, and/or requiring a specific ‘code’ to be dialed in order to recognize the call as an international attempt. Ensure that only authorized clients have access to this service as needed. Additionally, it is common practice to enable a dial plan to automatically add the necessary prepend to send out international calls. Having the end user manually dial this code can at the very least delay a would-be hacker in his duties.
So how do we stop it and increase our VoIP security? Unfortunately this simply isn’t possible. VoIP is an ever popular market and it keeps growing. The ‘easy cash’ possibilities for a would-be hacker is simply too abundant to ignore. The basic principles remain, network security and password control. Ensure that only specifically authorized devices and services can receive or initiate calls. Then control the passwords on those devices as much as possible. Crank up the strength requirements wherever possible and require changes often. As annoying as that may be, when you realize that it may have just saved you a few thousand dollars, it becomes a bit more favorable.
Securing every last access point, while possible, is not always plausible. Some will slip through the cracks at some point. An indispensable tool to combat this is fraud detection software. Pouring over CDRs isn’t sufficient in catching these issues. As if the calls are logged, then the damage has already been done. Software can run in real time and be setup to look out for anything out of the ordinary and put a stop to it before it wipes out your bottom line and puts you or your clients under water.
History has proven that proactive solutions trump all else at every turn. In an industry where every second matters, waiting or putting things off for later simply isn’t acceptable. As the frequency and magnitude of VoIP related fraud continues to rise, security becomes an ever present requisite, with constant monitoring riding in at a close second.