In her October 19th NY Times article, "Phone Hackers Dial and Redial to Steal Billions," Nicole Perlroth paints a frightening picture for businesses. Ms. Perlroth describes how business phone systems can be hacked and quickly amass thousands of dollars in charges, usually for costly international calls, and how the hacked business is usually liable for those charges.
Is this just a single case study or hyperbole? Unequivocally, no. While stolen credit cards have been making recent headlines, telephone fraud has been quietly occurring for many, many years. Connecting phone systems to the Internet has only made it easier.
Securing a customer-premises-based phone system is the sole responsibility of the customer. But what about Evolve IP’s Hosted PBX and, more specifically, Evolve IP’s Hosted PBX customers? Let’s first consider the preventative measures and then detection and mitigation.
When it comes to security, the best defense is usually a good offense. Evolve IP goes to great lengths to provide the most secure IP phone system platform possible. Securing things up front lowers your risk of fraud. Simple things, such as using complex passwords and making devices unreachable from the Internet by way of a proxy or firewall, go a long way. Evolve IP uses multiple devices and methods to help secure phones from the Internet at business locations. However, it’s also important that users who have a phone in a small remote office or home location consider how to secure the phone with a firewall and ensure it is not accessible from the Internet.
Additionally, our default settings disallow international dialing unless a customer explicitly requires it, and even then we recommend allowing it only for specific users unless every user in a location needs to make international calls. We also block calls to high-risk (high-fraud) countries; special arrangements are made for customers that need to call these countries for legitimate business reasons. Furthermore, we limit the number of concurrent calls or forwarded calls a user can make, and will adjust this setting on an as-needed basis.
Another common type of fraud is to hack a voicemail box and either place calls out from the voicemail system or forward that line to an international number. To defeat this type of fraud, we have disabled the ability to make calls or change call forwarding through voicemail, and voicemail boxes get “locked out” if an incorrect password is entered too many times.
DETECTION AND MITIGATION
We believe in a defense-in-depth approach and therefore have multiple systems monitoring call patterns for fraudulent behavior, and we are always looking for ways to add to and improve the detection of fraud. If our systems detect suspicious activity, they alert our Network and Security Operations Center and, if the activity is severe enough, take automated action to disable the users that are generating those calls.
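The sketch below is an added example, not Evolve IP's system: it applies the controls described above (international dialing off by default, a high-risk destination block list, a per-user concurrent call limit, and automated disable when activity is severe) to a batch of call detail records. The record format, thresholds, user names and the `+999` prefix are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (hypothetical, not Evolve IP's real settings).
HOME_PREFIX = "+1"                 # calls outside this prefix count as international
HIGH_RISK_PREFIXES = ("+999",)     # placeholder code, not a real country
INTL_ALLOWED_USERS = {"alice"}     # international dialing is off unless listed
MAX_CONCURRENT = 2                 # per-user concurrent call limit
DISABLE_AFTER = 3                  # violations before automated disable

def parse(line):
    """Parse one constructed CDR line: user,start_iso,duration_seconds,destination."""
    user, start, secs, dest = line.strip().split(",")
    begin = datetime.fromisoformat(start)
    return user, begin, begin + timedelta(seconds=int(secs)), dest

def detect(cdr_lines):
    """Return (alerts, users_to_disable) for a batch of call records."""
    calls = sorted((parse(l) for l in cdr_lines), key=lambda c: c[1])
    alerts, active, strikes = [], defaultdict(list), defaultdict(int)
    for user, begin, end, dest in calls:
        reasons = []
        if dest.startswith(HIGH_RISK_PREFIXES):
            reasons.append("high-risk destination")
        elif not dest.startswith(HOME_PREFIX) and user not in INTL_ALLOWED_USERS:
            reasons.append("international dialing not enabled")
        # Drop calls that ended before this one started, then count overlap.
        active[user] = [e for e in active[user] if e > begin]
        active[user].append(end)
        if len(active[user]) > MAX_CONCURRENT:
            reasons.append("concurrent call limit exceeded")
        for reason in reasons:
            strikes[user] += 1
            alerts.append((user, dest, reason))
    disable = sorted(u for u, n in strikes.items() if n >= DISABLE_AFTER)
    return alerts, disable

# Constructed sample records, not real traffic.
SAMPLE = [
    "alice,2024-01-15T09:00:00,300,+442055550100",
    "bob,2024-01-15T02:00:00,3600,+9995550001",
    "bob,2024-01-15T02:00:05,3600,+9995550002",
    "bob,2024-01-15T02:00:10,3600,+9995550003",
    "carol,2024-01-15T10:00:00,120,+12155550123",
    "carol,2024-01-15T11:00:00,60,+33155550100",
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

In the sample, the burst of overlapping calls from one account is what crosses the disable threshold, while a single out-of-policy call only raises an alert.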
WHAT YOU CAN DO
Again, prevention is the key. Encourage your users to be security conscious. Encourage the use of complex passwords. Do not store or post passwords where others can see them. Do not share passwords. This advice holds true for any computer system or application, not just phones.
If you have phones at users’ homes, ensure that they are behind a firewall and are not exposed to the Internet. While our default configuration is to disable remote access to these devices, it is always best to place them behind a layer of security.
If you have any premises-based phone systems, have their security checked immediately and audit them regularly.
Security threats are always emerging. Evolve IP takes fraud prevention very seriously, and we are always working to improve our fraud prevention measures because no single security measure is infallible forever. Some of our fraud prevention policies and best practices have not always been popular, but they have always been in the best interest of protecting our customers because, as the NY Times article reports, a single attack can cost you tens or even hundreds of thousands of dollars in just a few days.