Telecom fraud, often referred to as phone hacking, is on the rise. According to a global fraud study by the Communications Fraud Control Association, fraud in all its forms cost the telecommunications industry between 3% and 10% of operators’ bottom lines.
Either way, digital channels are quickly becoming the avenue of attack behind a growing share of those losses.
This is not a new phenomenon. In 2012, two fraudsters were sentenced to prison for a $4,4-million VoIP fraud scheme and ordered to pay millions in restitution to victims. Legacy systems were as prone as newer Voice over IP (VoIP) systems, but the scale is far more extensive. Where your line may have been used fraudulently in the past, and incurred large expense, now automation and bots allow hackers to perform fraud on a massive scale, siphoning time, manpower and most of all, money. It is safe to say that VoIP hacking can, in fact, bankrupt a business – depending on the severity of the attack.
Jaymin Dave, of Wanatel’s technical department, shared his views on typical security vulnerabilities of a VoIP network: “Many VoIP security issues are like network security issues, and can result from either internal or external loopholes, as is the nature of passing data over the Internet. If your VoIP traffic is unencrypted, it is possible to tap in and capture voice packets (similar to data theft).
“VoIP, because it uses the Internet, can also serve as an entry point to your internal network if it is not secured properly. Also, denial-of-service attacks are possible just like an attack on your website or e-mail servers. Whilst it might not sound serious, a denial-of-service attack essentially may lead to severe damage to business operations. It may bring down your frontline protections, especially where a business does not practice multi-layer security.
“In fact, recent trends show that small businesses particularly do not adapt their firewalls and rely on smart routers as their frontline protection. Imagine hackers entering your internal network by finding a loophole in a frontline device, giving them open-book access to your entire organization, critical business processes and sensitive data. The immediate implications are evident, and the long term impact can be crippling,” adds Dave.
When it comes to fraud, he explains that there are many aspects. As many companies shift to virtual PBX or cloud PBX environments to support remote work, he warns of the increase in PBX fraud and how to take measures to protect against this.
“One of the most typical VoIP frauds involves hacking into a PBX. Fraudsters, or phreakers, are able to generate a significant amount of traffic, and hacking is used to perpetrate domestic and international revenue fraud.”
Phreaking is another name for abusing a company’s phone system. Many hackers, or phreakers, use a company’s phone system to make expensive calls and gain payment from third parties for doing so. For example, an attacker may gain access to the VoIP server and change the service plan and extension list to allow the attacker to use the system without detection and take advantage of premium services.
Alternatively, an attacker can use phreaking to lay the groundwork for a later attack. Employees are more likely to trust a phone call originating from an internal extension. This can be used in help desk scams and other attacks designed to steal user credentials or trick an employee into taking an adverse action.
“It’s true that like any Internet connection, or application, VoIP systems are vulnerable to a number of different attacks,” explains Dave. “However, many of the threats associated with VoIP systems can be mitigated with a few simple steps.
“Always keep your software up to date, and guard against unpatched vulnerabilities by ensuring that your VoIP provider includes software upgrades in their package. This is the first line of defense against attackers who are looking to gain unauthorized access to the system. Furthermore, prevent exposing your communications devices on an open Internet connection, avoiding any invitation to hackers to attempt a breach.”
Dave outlines that VoIP communications are not always encrypted by default. “This leads to eavesdropping and potential tampering. Take care that your provider offers encryption for VoIP, such as TLS or a virtual private network (VPN), to minimize exposure of sensitive data or tampering with important calls.”
The final point on his top three list is using strong authentication methods. “An attacker with access to a VoIP system can take a number of damaging and expensive actions against an organization. The use of strong authentication, including multi-factor authentication (MFA) when possible, helps to reduce this threat. By providing access to limited authorised profiles, businesses can reduce the risk of multi-point leaks of information through human error. Lastly, ensure that usernames and passwords are never saved or shared in an unencrypted manner. Someone, someday could gain access to such information.”
Using VoIP can improve flexibility and simplify a company’s communication systems and network environment. However, like any software, VoIP must be deployed and configured correctly to be secure against cyberthreats.
Dave concludes: “The responsibility of running a secure VoIP network lies with all parties in the supply chain. Security is a layered approach. We all need to be on our guard against attacks and fraudulent activity, and take all the precautions possible.”